Naavi.org

FDPPI (Foundation of Data Protection Professionals in India) is an organization dedicated to the empowerment of the Data Processing community in India.

The four dimensions in which FDPPI is working today are

a) Knowledge enhancement

b) Implementation Support

c) Advisory Services

d) Dispute Resolution

FDPPI started its Certification Courses in end 2019 with a Certification Course covering Privacy and Personal Data Protection Laws in India (Module I). It then introduced a Certification Course covering the Privacy and Personal Data Protection laws at global level by covering GDPR of the EU region, CCPA and HIPAA of the US region along with Singapore PDPA, Dubai DIFC DPL, and Brazil LGPD. (Module G). Towards the beginning of 2021, FDPPI also completed the Certification of Data Audit skills with special focus on the unique PDPSI (Personal Data Protection Standard of India) framework.

Recently FDPPI has embarked on two important activities to provide advisory services. The first was to set up a Data Protection Emergency Response Team (DPERT) which will not only track the data protection incidents world over, but also provide quick guidance to organizations  confronting suspected or confirmed data breach incidents. The second initiative is the development of a “Personal Data Protection Guidance Board” (PGPDP) consisting of experts who can develop “Codes Of Practice” for personal data protection.

The PDP-GB is an ambitious project of FDPPI which should help the community to start adoption of a “Self Regulatory Best Practice Code” without waiting for the Government to pass the Bill and make compliance mandatory. Indian corporate world has an unsavory reputation that unless some thing is made mandatory, they would not be interested in compliance. Once the PDPB 2019 is passed into an Act, compliance would become mandatory and non compliance expensive. But until then Compliance is still under ITA 2000, mandatory but with low prospect of punishment for non compliance.  FDPPI would however wish that the Indian Corporates would prove the sceptics wrong and start adopting the principles of PDPB 2019 as the due diligence under ITA 2000/8 and be compliant before the mandatory provisions kick in.

PDPGB is therefore likely to be a significant contributor to the development of a self regulated Data Processing industry in India.

Both DPERT and PDPGB are recent initiatives which are under development.

The fourth dimension of FDPPI is when disputes arise in the compliance environment and we need to provide dispute resolution support. Such disputes could be between a Data Fiduciary, a Data Processor and a sub contractor or between a Data Principal and the Data Fiduciary.

The Data Principal-Data Fiduciary dispute comes under the powers of adjudication and Appellate Tribunal under PDPB 2019 and hence DDMAC role may be limited in this context to Mediation. But in other cases it may provide arbitration support. Additionally DDMAC would also provide e-Ombudsman services to companies on request.

Under these four different dimensions, FDPPI will be working to serve the PDP community in India in different ways. To support these initiatives, FDPPI also undertakes other ancillary services as may be necessary.

FDPPI is today an aggregation of nearly 200 professionals who work in the space of Privacy, Data Protection and Information Security. As we grow, attempts are being to formalize the operations but it would take some time for FDPPI to come out of its “Start Up” phase and get fully established.

I take this opportunity to invite once again all the professionals who are interested in contributing to the cause of Privacy and Data Protection to join hands with FDPPI and take it forward.

Naavi

This is a continuation of the series of articles

IS 17428-I under para 5.12  states,

Staff handling personal information or activities related to processing personal information shall:
a) Be trained and kept aware about developments depending on their role;
b) Be aware of their responsibility in protecting data;
c) Be traceable to their actions or inactions;
d) Subject to appropriate disciplinary actions when proved to be in violation of responsibility.
The organization shall determine suitable criteria for qualification, competency and evaluate staff before assigning them responsibility related to data privacy.

In the PDPSI the need to equip the employees is handled both at the operative level as well as at the senior level.

Standard 10 under PDPSI states:

“The organization shall establish appropriate strategic and tactical measures to build and maintain a culture of Privacy Protection throug data protection across the entity and covering all stake holders.”

In the detailed explanation of Standard 10, it i stated,

“…Measures are therefore required to be taken by an organization to ensure that the compliance culture is built across all levels of employees, Vendors, business associates as well as the customers, so that every stake holder is aware of and implements the compliance measures as if the responsibility percolates to all.

This requires both incentivization and dis-incentivization strategies to be used for the best impact. Implementation of whistleblower policies and an effective grievance redressal mechanism both for internal and external disputes is also considered essential to maintain the compliance culture across the organization.”

This is further supplemented by the Model implementation specifications that cover “Employee Privacy Management”,  “Work from Home”, “Augmented HR Policy” etc.

Additionally, Standard 9 mentions abut Employee onboarding/Termination policy besides other aspects.

PDPSI goes one more step further and identifies that Data Protection being a “Cross Functional Responsibility”, the DPO is likely to encounter issues of non cooperation or hostility from other senior management professionals and advises appropriate policy  under Implementation specification no 7 that

“The organization shall adopt and implement a suitable policy to ensure harmonious functioning of the DPO with the other senior executives of the organization with an appropriate clarity of roles and responsibilities including measures to resolve differences.”

Thus PDPSI thinks far ahead of frameworks such as IS 17428 and retains its tag line..

Essence of the Essential and yet different by a distance. * meaning  (*सब का सार, फिर भी, अलग…by Far

Naavi

(This is in continuation of the previous article on PDPSI and IS 17428)

IS 17428 has been released as an “Indian Standard” and is the second such standard to be released in India behind PDPSI (Personal Data Protection Standard of India).However, on a deeper perusal IS 17428 appears to be more influenced by the need of Indian organizations to be compliant with GDPR rather than the current or forthcoming data protection law in India.

On the otherhand PDPSI goes deep into the Indian requirement including  even the DTS as part of the mandatory certification process.

PDPSI also has the flexibility built into it so that an Indian Organization processing personal data from across the world can implement this as a Unified Framework for compliance of multiple data protection laws.

IS 17428 (Part I) in para 3.3 defines “Data Controller” with the following notes.

” Depending on the jurisdiction and the particular data protection and privacy legislation, the synonym ‘PII controller’ or ‘data exporter’ or ‘data fiduciary’ can also be used in some countries instead of the term ‘Data controller’.”

India which uses the terminology of “Data Fiduciary” has become “Some Country”.

In the same way the term “Data Subject” is used and not “Data Principal”. Under para 3.10 referring to other country laws, there is no mention of ITA 2000 or PDPB 2019.

It is only when referring to Sensitive Personal Information that the definition included in ITA 2000 has been referred to.

These observations indicate that whoever drafted the document were not able to look at the Indian regulation independently.

The PDPSI thought has been triggered by the proposed Indian Data Protection law. But considering the need of an Indian organization to also be compliant with other laws, it has built in within the Standard and Implementation Specifications, a need to add “Applicable Law” as part of the process of classification of data . Since personal data related to India gets segregated from Personal data related to EU-GDPR or other laws, the next step of implementation specifications will automatically gets fine tuned based on the relevant law.

PDPSI is therefore “Made in India, first for India for the World” . By incorporating principles such as DTS,  PDPSI is taking the Indian law as the lead implementation guideline and in due course can become a guiding force for Personal Data Audits even outside India.

Since PDPSI is inclusive of all requirements under ISO 27701 it can easily absorb the requirements of other countries without forgetting its origin from India.

Naavi

In a comprehensive speaking order , Honourable Justice Anup Jairam Bhambhani of the Delhi High Court has issued a judgement dated 20th April 2021 in the case WP (CRL) 1082/2020 and other petitions, holding light on the rules under Section 79 of ITA 2000.

Some details are available at  lielaw.in in the following article.

Removal Of Offending Content From Internet: Delhi High Court Lays Down Procedure, Guidelines For Intermediaries, Govt.Agencies (livelaw.in)

A copy of the detailed judgement is also available here:

The judgement takes into account even the recent notification of February 25 on Intermediary Guidelines and Digital Media Code of Ethics.

The judgement also contains the submissions of Mr Pavan Duggal the noted Cyber Law expert where a good summary of the applicable law is available. Given the international experience of Mr Pavan Duggal who was the Amicus Curiae in the hearing, the judgement will be a very useful reference document for all students of Cyber Law.

Interestingly the judgement has linked the “Need to remove” the content to the judgement in the case of “Baba Ramdev’s case” where content uploaded from India had to be removed globally from the search engines.

The judgement requires a detailed analysis and may be done in due course on this website. It is to be appreciated that this hearing perhaps took place through the video conferencing system proving that the E Court procedures are effective and can be used as a regular procedure.

The conclusions lead to the following directions being issued:

“….the action of the petitioner’s photographs and images having been taken from her Facebook and Instagram accounts and having been posted on the website www.xhamster.com; and then having been re-posted onto other websites and online platforms, amounts prima facie to an offence under section 67 of the IT Act in addition to other offences under the IPC; and that appropriate directions are required to be issued directing the State and other respondents to forthwith remove and/or disable access to the offending content from the world-wide-web to the maximum extent possible.

….The Delhi Police/CyPAD Cell are directed to remove/disable access to the offending content, the Web URL and Image URL of which would be furnished by the petitioner as above, from all websites and online platforms, forthwith and in any event within 24 hours of receipt of information from the petitioner. It may be recorded that the Delhi Police have stated before this court that the offending content has already been removed from
respondent No. 5 website www.xhamster.com;

….A direction is issued to the search engines Google Search, Yahoo Search, Microsoft Bing and DuckDuckGo, to globally de-index and de-reference from their search results the offending content as identified by its Web URL and Image URL,… and to proactively identify and globally disable access to any content which is exactly identical to the offending content, that may appear on any other websites/online platforms

…Investigating Officer to notify such website/online platform or search engine(s) to comply with such request, immediately and in any event within 72 hours of receiving such written communication from the petitioner;

…It is made clear that non-compliance with the foregoing directions would make the non-compliant party liable to forfeit the exemption, if any, available to it generally under section 79(1) of the IT Act and as specified by Rule 7 of the 2021 Rules; and shall make such entity and its officers liable for action as mandated by section 85 of the IT Act

The judgment is a landmark judgement that will be referred to for a long time though it is not from the Supreme Court.

Naavi

A copy of the detailed judgement is also available here:

(This is in continuation of our discussions on comparison of the  PDPMS under PDPSI with DPMS of Is17428)

PDPSI was the first PDPMS to introduce the concept of “Data Centric Compliance Structure” while most other frameworks focus on the organization.

IS17428 discusses the applicability of the framework under the two heads of Jurisdiction and Classification.

1. Under para 4.1.1.2, (pat 2) it recognizes that “Organizations that collect and process personal information should carefully determine their jurisdiction before determining the Privacy requirements”.
2.  Under para 4.1.4 it speaks of “Data Classification Criteria” stating that “It is important to establish a framework for classifying personal information on its level of  sensitivity”. In a slightly contradictory indication, para 4.1.4(d) states that if an organization already has information classification guidelines such as “Restricted”, “Confidential” and “Public”, personal information may be classified as “Confidential” and “Sensitive personal Information” as “Restricted”.
3.  Additionally under para 1 of Part I, the scope of application is based on the entity as a whole. Further it recognizes the Data Controller and Data Processor status as mutually exclusive. Para 3.5 (Part I) is clear that “For an entity to become data processor, it shall also be a separate entity from Data Controller”

It is worth noting that PDPSI has a more flexible and practical approach to the role definition of a “Controller” and “Processor” which is referred to as “Data Fiduciary” and “Data Processor” according to which the roles will be defined as per the context. For example in one process and organization A may be a Data Controller of B. In another process, organization A may be a Data Processor of C or even B itself.

Further Standard 1 of PDPSI addresses the issue of multiple jurisdictions through “Classification” by stating

“Compliance plan shall be based on specified law applied on an identified Compliance entity”.

The explanatory note on Standard 1 states

When an organization is processing personal data on which laws of multiple jurisdictions are applicable, it is necessary to recognize that one law cannot be applied to the entire processing activity.
Hence scope of compliance program must be defined with reference to the applicable law.
Also since legal compliance is an administrative responsibility, the responsibility of compliance normally rests at the enterprise level.
Hence scope definition cannot ordinarily be restricted to a division or a location.
In certain cases, it will be necessary to restrict the application of compliance to a limited number of processes or people.
In such cases, it is necessary to treat the organization as a “Composite Entity” consisting of multiple sub-units each of which may be exposed to the risk of one data protection law. This is suggested so that some of the other sub-units can be kept out of the compliance without the risk of noncompliance.
This will also enable co-existence of one sub-unit which is GDPR compliant while the second sub-unit is PDPA (India) compliant and the third sub-unit is PDPA (Singapore) compliant etc.
This will simplify the compliance and avoid the errors that may creep in because of overlapping of the laws.

On Data Classification, Standard 5 states

“Appropriate Compliance oriented Data Classification shall be incorporated”

The explanatory  note on the Data Classification  Standard states as follows:

Every data protection law is applicable only to a certain definition of applicability. This is in almost all cases based on the need to protect the Privacy of the citizens of a jurisdiction to which the law belongs, and an organization may simultaneously handle personal data of multiple jurisdictions.
To avoid overlapping of laws and to avoid missing of compliance measures, personal data shall be classified as required for compliance of the specific law, so that a “Virtual Silo” of personal data can be created within an organization. Where personal data from multiple countries of origin are received, the classification may provide creation of multiple virtual silos of personal data, one for each country of origin so that provisions of specific laws may be applied to each silo separately.
Additionally, classification must consider the legal requirement and not based solely on the level of confidentiality which is normally used as a basis of data classification for Information Security purpose.
Hence data classification tags may include personal-non personal, employee-nonemployee, Minor-not a Minor, Sensitive-Not sensitive etc.
Few Countries have regulations where the objective of the data protection laws extend beyond protection of Privacy of an individual to protection of the business entity information or from living persons to deceased persons. These are considered as exceptional situations and classification of such non-personal information is considered as another “Special Category” of information.

The corresponding implementation specification actually goes further and provides a guideline for data classification as indicated below

The classification guideline therefore takes into account both the segregation of data based on applicable law and also in a manner that is relevant for PDPMS. All data which is not  “Individually identifiable” automatically gets classified as corporate data asset or “Non Personal Data”.

If the organization can tweak their technology architecture this classification provides an option to create virtual silos of different kinds of personal data for effective management of controls even when multiple jurisdictional laws are involved.

It is for this reason that PDPSI is referred to as a “Unified ” law.

Additionally PDPSI provides for an ” Aggregation” of people and technology resources to create an “Compliance Entity within a larger Corporate entity” and apply the compliance related to specific law to the specific sub entity.

PDPSI also takes into account the needs of the “Work From Home” situation so that the sub entity can even be created as a “Virtual Entity”.

Thus PDPSI Vision is broader and stands taller than IS 17428.

For those who are not blinded by the aura around “ISO”, PDPSI is a Taller and Broader framework and leaves IS 17428 far behind in terms of futuristic outlook.

Professionals who understand the “Need to be compliant” rather than “Need to be Certified”, PDPSI would be the unmistakable choice.

While it is difficult to reproduce the entire PDPSI framework and compare with the entire IS17428 in these columns, any specific queries may be addressed to Naavi

Some of the FDPPI’s supporting members are already equipped to handle the responsibility as “Consultants” as well as “Auditors” with trained auditors available for providing the consultancy/audit services.

PDPSI audits come with an assurance of “Mentor Support” for a limited consultancy on quarterly basis as a continuing service for the auditee companies which also is a unique support that is made available to increase the confidence of organizations taking up the audits of their PDPMS under the PDPSI framework.

Naavi

(This is a continuation of the earlier article in the series)

One of the hallmarks of rapid development is the ability to learn from others. Hence it is natural that IS17428 could have borrowed some concepts from the pioneering framework of PDPSI.

Though IS 17428 has carefully avoided any reference to PDPB 2019 as if it was non existent,  it could not ignore the need for  recognizing one of the features of PDPSI which is the concept of “Measurability” of a Personal Data Protection Management System. (PDPMS).

Standard 12 of the PDPSI (Refer page 16 Handbook on PDPSI) states

“Appropriate measures amenable for measurability of compliance shall be maintained”.

The explanation to the standard states

PDPSI requires the Data Auditor to assess the compliance not only against the implementation charter adopted by the organization, but also the larger standards expected under the relevant law as per the evaluation of the data auditor.

This assessment is required to be converted into an indicative compliance score such as the Data Trust Score and shall be disclosed to the auditee organization as well as the Certification body where required.

Though computation and disclosure of the measure of compliance is not mandatory in some data protection laws, it is considered a good practice and made part of the PDPSI audit system .

The disclosure of the Data Trust Score as declared by the auditor to the public may depend on the legal requirements and the discretion of the organization.

The Certification system under PDPSI envisages that the auditor will compute the DTS, inform the auditee company and also inform FDPPI. FDPPI will upon receiving consent (if provided) by the auditee company will publish the DTS. 

As a part of the audit training, the auditors have been trained with a detailed system of DTS calculation which incorporates the assessment of the auditor on the PDPMS of the auditee company. 

In the first year of DTS evaluation, one number would represent the DTS score. Additionally, in the subsequent years, DTS Score will be suffixed with a trend indicator such as + or – indicating an improving or declining trend.

We may now see what the Chota bhai IS 17428 has indicated regarding the evaluation of the DPMS.

Para 5.15 of the IS17428 (part 2) states

Measurement and Continuous Improvement

Appropriate Metrics should be developed to track various aspects of DPMS. The metrics could be qualitative or quantitative and need to be chosen among other factors, based on the current maturity of the organization.

5 examples of metrics have been indicated namely

a) Lead time to mitigate privacy risks

b) Number of Critical Privacy Incidents

c) Service level agreement to address and close privacy incidents/breaches

d) Number of changes that were not subjected to PIA

e) Percentage of staff trained on data privacy

The guideline suggests that the triggers for improvement initiatives could be from unfavourable performance as reflected by the measurement program and improvement can be demonstrated broadly in two forms namely

1. Consistent trend in improvement
2. Exceeding set target based on industry standard

IS 17428 however does not go further in defining how the “measurement program” can be developed.

It is left to the discretion of the organization to develop its own measurement program

PDPSI has however covered the last mile requirement of how the DTS can be evaluated and how the qualitative observations of the auditor can be converted into a quantitative assessment as envisaged by the PDPB 2019.

Probably the Chota brother born later missed an opportunity to either follow the big brother or more appropriately design an even better system given the advantage of prior knowledge it had access to.

The DPA when it is formed is expected to come up with its own suggestions on how the DTS may be computed. However the current system of PDPSI is so comprehensive that it can accommodate any variations that may be brought into by DPA.

In case the DPA adopts only a few parameters of measurement such as what Naavi 5X5 DTS system or the IS 17428 has suggested or the more comprehensive 50 parameter evaluation that PDPSI, the PDPSI framework is ready to compute the DTS on its expected level of maturity as well as the DPA expected level of maturity.

The PDPSI-DTS system is therefore “Ready for the Future”.

Naavi