Data Centric Approach of PDPSI

(This is in continuation of our discussion comparing the PDPMS under PDPSI with the DPMS of IS 17428.)

PDPSI was the first PDPMS to introduce the concept of “Data Centric Compliance Structure” while most other frameworks focus on the organization.

IS17428 discusses the applicability of the framework under the two heads of Jurisdiction and Classification.

  1. Under para 4.1.1.2 (Part 2) it recognizes that “Organizations that collect and process personal information should carefully determine their jurisdiction before determining the Privacy requirements”.
  2. Under para 4.1.4 it speaks of “Data Classification Criteria”, stating that “It is important to establish a framework for classifying personal information on its level of sensitivity”. In a slightly contradictory indication, para 4.1.4(d) states that if an organization already has information classification guidelines such as “Restricted”, “Confidential” and “Public”, personal information may be classified as “Confidential” and Sensitive Personal Information as “Restricted”.
  3. Additionally, under para 1 of Part I, the scope of application is based on the entity as a whole. Further, it treats the Data Controller and Data Processor roles as mutually exclusive: para 3.5 (Part I) is clear that “For an entity to become data processor, it shall also be a separate entity from Data Controller”.

It is worth noting that PDPSI has a more flexible and practical approach to the role definitions of “Controller” and “Processor” (referred to in PDPSI as “Data Fiduciary” and “Data Processor”), under which the roles are defined per context. For example, in one process organization A may be a Data Controller in relation to B. In another process, organization A may be a Data Processor for C, or even for B itself.

Further Standard 1 of PDPSI addresses the issue of multiple jurisdictions through “Classification” by stating

“Compliance plan shall be based on specified law applied on an identified Compliance entity”.

The explanatory note on Standard 1 states

When an organization is processing personal data on which laws of multiple jurisdictions are applicable, it is necessary to recognize that one law cannot be applied to the entire processing activity.
Hence scope of compliance program must be defined with reference to the applicable law.
Also since legal compliance is an administrative responsibility, the responsibility of compliance normally rests at the enterprise level.
Hence scope definition cannot ordinarily be restricted to a division or a location.
In certain cases, it will be necessary to restrict the application of compliance to a limited number of processes or people.
In such cases, it is necessary to treat the organization as a “Composite Entity” consisting of multiple sub-units each of which may be exposed to the risk of one data protection law. This is suggested so that some of the other sub-units can be kept out of the compliance without the risk of noncompliance.
This will also enable co-existence of one sub-unit which is GDPR compliant while the second sub-unit is PDPA (India) compliant and the third sub-unit is PDPA (Singapore) compliant etc.
This will simplify the compliance and avoid the errors that may creep in because of overlapping of the laws.

On Data Classification, Standard 5 states

“Appropriate Compliance oriented Data Classification shall be incorporated”

The explanatory note on the Data Classification Standard states as follows:

Every data protection law is applicable only to a certain definition of applicability. This is in almost all cases based on the need to protect the Privacy of the citizens of a jurisdiction to which the law belongs, and an organization may simultaneously handle personal data of multiple jurisdictions.
To avoid overlapping of laws and to avoid missing of compliance measures, personal data shall be classified as required for compliance of the specific law, so that a “Virtual Silo” of personal data can be created within an organization. Where personal data from multiple countries of origin are received, the classification may provide creation of multiple virtual silos of personal data, one for each country of origin so that provisions of specific laws may be applied to each silo separately.
Additionally, classification must consider the legal requirement and not be based solely on the level of confidentiality, which is normally used as the basis of data classification for information security purposes.
Hence data classification tags may include personal-non personal, employee-nonemployee, Minor-not a Minor, Sensitive-Not sensitive etc.
A few countries have regulations where the objective of the data protection law extends beyond protection of the Privacy of an individual to protection of business entity information, or from living persons to deceased persons. These are considered exceptional situations, and classification of such non-personal information is treated as another “Special Category” of information.

The corresponding implementation specification actually goes further and provides a guideline for data classification as indicated below

The classification guideline therefore takes into account both the segregation of data based on the applicable law and a segregation that is relevant for the PDPMS. All data which is not “Individually identifiable” automatically gets classified as a corporate data asset or “Non Personal Data”.

If the organization can adjust its technology architecture, this classification provides an option to create virtual silos of different kinds of personal data for effective management of controls even when the laws of multiple jurisdictions are involved.
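The following is an added example (not from the PDPSI documents or the original post) of what a compliance-oriented classification routine along these lines looks like in code: each record is tagged on law-relevant attributes (personal/non-personal, employee/non-employee, minor/not-a-minor, sensitive/not-sensitive) rather than on confidentiality, routed into one virtual silo per applicable law (a record whose data subjects come from two countries lands in two silos), and anything not individually identifiable falls through to the Non Personal Data asset class. A scope check then flags records that a sub-unit of a composite entity, complying with only one law, must not process. The country-to-law table, the field names treated as identifiers or as sensitive, and the age of majority are illustrative assumptions.

```python
"""Compliance-oriented classification of personal data into "virtual silos".

Added example, not from PDPSI or the original post. The country-to-law
table, the identifier and sensitive field names and the age of majority
are assumptions; a real deployment takes them from its compliance plan.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional

# Assumption: which law's silo receives data originating from each country.
LAW_BY_COUNTRY = {"IN": "PDPA-India", "SG": "PDPA-Singapore", "DE": "GDPR", "FR": "GDPR"}
# Assumption: presence of any of these fields makes a record individually identifiable.
IDENTIFIER_FIELDS = frozenset({"name", "email", "phone", "national_id"})
# Assumption: these fields carry sensitive personal data.
SENSITIVE_FIELDS = frozenset({"health", "biometric", "financial"})
AGE_OF_MAJORITY = 18  # assumption; the threshold is law specific
NON_PERSONAL_SILO = "Non-Personal-Data"


@dataclass(frozen=True)
class Record:
    fields: FrozenSet[str]          # names of the fields the record carries
    countries: FrozenSet[str]       # countries of origin of the data subject(s)
    date_of_birth: Optional[date] = None
    is_employee: bool = False


def _age(dob: date, today: date) -> int:
    had_birthday = (today.month, today.day) >= (dob.month, dob.day)
    return today.year - dob.year - (0 if had_birthday else 1)


def classify(rec: Record, today: date):
    """Return (tags, silos) for one record.

    Tags are the law-relevant ones named in the PDPSI note: personal/non-personal,
    employee/non-employee, minor/not-a-minor, sensitive/not-sensitive.
    """
    if not (rec.fields & IDENTIFIER_FIELDS):
        # Not individually identifiable: corporate data asset, no privacy silo.
        return frozenset({"non-personal"}), frozenset({NON_PERSONAL_SILO})

    tags = {"personal",
            "employee" if rec.is_employee else "non-employee",
            "sensitive" if rec.fields & SENSITIVE_FIELDS else "not-sensitive"}
    if rec.date_of_birth is not None:
        tags.add("minor" if _age(rec.date_of_birth, today) < AGE_OF_MAJORITY
                 else "not-a-minor")

    # Fail closed: data from a country with no compliance plan is never
    # silently mapped to some default law.
    unknown = rec.countries - set(LAW_BY_COUNTRY)
    if unknown:
        raise ValueError(f"no compliance plan covers {sorted(unknown)}")
    silos = {LAW_BY_COUNTRY[c] for c in rec.countries}
    return frozenset(tags), frozenset(silos)


def out_of_scope(allowed_silos, records, today: date):
    """Indexes of records a sub-unit scoped to `allowed_silos` must not process.

    A record sitting in two silos (data subjects from two jurisdictions) is
    out of scope for a sub-unit that complies with only one of the two laws.
    Non-personal data is outside the PDPMS and is not flagged.
    """
    allowed = frozenset(allowed_silos)
    flagged = []
    for idx, rec in enumerate(records):
        _, silos = classify(rec, today)
        if silos == frozenset({NON_PERSONAL_SILO}):
            continue
        if not silos <= allowed:
            flagged.append(idx)
    return flagged
```

The two design points worth noting are that an unknown country of origin raises instead of defaulting to some law (missing a compliance measure is exactly what the note warns against), and that the scope check treats a multi-jurisdiction record as belonging to every silo it touches, so a GDPR-only sub-unit cannot quietly take on Singapore obligations.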

It is for this reason that PDPSI is referred to as a “Unified” framework.

Additionally, PDPSI provides for an “Aggregation” of people and technology resources to create a “Compliance Entity within a larger Corporate entity” and to apply the compliance requirements of a specific law to that specific sub-entity.

PDPSI also takes into account the needs of the “Work From Home” situation, so that the sub-entity can even be created as a “Virtual Entity”.

Thus the PDPSI vision is broader and stands taller than IS 17428.

For those who are not blinded by the aura around “ISO”, PDPSI is a Taller and Broader framework and leaves IS 17428 far behind in terms of futuristic outlook.

For professionals who understand the “Need to be compliant” rather than the “Need to be Certified”, PDPSI would be the unmistakable choice.

While it is difficult to reproduce the entire PDPSI framework and compare it with the entire IS 17428 in these columns, any specific queries may be addressed to Naavi.

Some of the FDPPI’s supporting members are already equipped to handle the responsibility as “Consultants” as well as “Auditors” with trained auditors available for providing the consultancy/audit services.

PDPSI audits come with an assurance of “Mentor Support”, a limited consultancy on a quarterly basis provided as a continuing service to auditee companies. This is a unique support made available to increase the confidence of organizations taking up audits of their PDPMS under the PDPSI framework.

Naavi

Posted in Cyber Law

The PDPSI DTS system is ready for the future, while IS 17428 is beginning its journey

(This is a continuation of the earlier article in the series)

One of the hallmarks of rapid development is the ability to learn from others. Hence it is natural that IS17428 could have borrowed some concepts from the pioneering framework of PDPSI.

Though IS 17428 has carefully avoided any reference to PDPB 2019, as if it were non-existent, it could not ignore the need to recognize one of the features of PDPSI, namely the concept of “Measurability” of a Personal Data Protection Management System (PDPMS).

Standard 12 of the PDPSI (Refer page 16 Handbook on PDPSI) states

“Appropriate measures amenable for measurability of compliance shall be maintained”.

The explanation to the standard states

PDPSI requires the Data Auditor to assess the compliance not only against the implementation charter adopted by the organization, but also the larger standards expected under the relevant law as per the evaluation of the data auditor.

This assessment is required to be converted into an indicative compliance score such as the Data Trust Score and shall be disclosed to the auditee organization as well as the Certification body where required.

Though computation and disclosure of the measure of compliance is not mandatory in some data protection laws, it is considered a good practice and has been made part of the PDPSI audit system.

The disclosure of the Data Trust Score as declared by the auditor to the public may depend on the legal requirements and the discretion of the organization.

The Certification system under PDPSI envisages that the auditor will compute the DTS, inform the auditee company and also inform FDPPI. FDPPI will, upon receiving consent (if provided) from the auditee company, publish the DTS.

As a part of the audit training, the auditors have been trained with a detailed system of DTS calculation which incorporates the assessment of the auditor on the PDPMS of the auditee company. 

In the first year of DTS evaluation, a single number represents the DTS score. In subsequent years, the DTS score is suffixed with a trend indicator, such as + or -, indicating an improving or declining trend.

We may now see what the younger brother (Chota bhai), IS 17428, has indicated regarding the evaluation of the DPMS.

Para 5.15 of the IS17428 (part 2) states

Measurement and Continuous Improvement

Appropriate Metrics should be developed to track various aspects of DPMS. The metrics could be qualitative or quantitative and need to be chosen among other factors, based on the current maturity of the organization.

Five examples of metrics are indicated, namely

a) Lead time to mitigate privacy risks

b) Number of Critical Privacy Incidents

c) Service level agreement to address and close privacy incidents/breaches

d) Number of changes that were not subjected to PIA

e) Percentage of staff trained on data privacy

The guideline suggests that the triggers for improvement initiatives could come from unfavourable performance as reflected by the measurement program, and that improvement can be demonstrated broadly in two forms, namely

  1. Consistent trend in improvement
  2. Exceeding set target based on industry standard

IS 17428 however does not go further in defining how the “measurement program” can be developed.

It is left to the discretion of the organization to develop its own measurement program.
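As an added example (not from IS 17428, PDPSI or the original post) of what such a measurement program can look like once an organization does define it, the code below computes the five example metrics listed above over constructed sample records for one quarter and, when the previous quarter's scorecard is supplied, suffixes each metric with the improving or declining trend indicator described for the DTS earlier. The record fields, the 30-day SLA and the sample data are assumptions.

```python
"""A minimal privacy measurement program for the five IS 17428 example metrics.

Added example, not from IS 17428, PDPSI or the original post. Record fields,
the 30-day SLA and all sample data below are assumptions.
"""
from datetime import date
from statistics import mean

SLA_DAYS = 30  # assumption: a privacy incident must be closed within 30 days


def lead_time_to_mitigate(risks, period_end):
    """Mean days from identification to mitigation. Risks still open at
    period_end are counted up to period_end, so an unmitigated risk makes the
    metric worse instead of disappearing from it."""
    spans = [((r["mitigated"] or period_end) - r["identified"]).days for r in risks]
    return mean(spans) if spans else 0.0


def critical_incidents(incidents, start, end):
    return sum(1 for i in incidents
               if i["severity"] == "critical" and start <= i["detected"] <= end)


def sla_compliance(incidents, start, end, sla_days=SLA_DAYS):
    """Share of incidents closed within the SLA. An open incident already past
    the SLA counts as a breach; an open incident still inside the window is not
    yet decidable and is left out of the denominator."""
    met = decidable = 0
    for i in incidents:
        if not (start <= i["detected"] <= end):
            continue
        if i["closed"] is not None:
            decidable += 1
            met += (i["closed"] - i["detected"]).days <= sla_days
        elif (end - i["detected"]).days > sla_days:
            decidable += 1  # open and overdue: a breach
    return met / decidable if decidable else 1.0


def changes_without_pia(changes, start, end):
    return sum(1 for c in changes if start <= c["date"] <= end and not c["pia_done"])


def staff_trained_pct(staff):
    return 100.0 * sum(1 for s in staff if s["trained"]) / len(staff) if staff else 0.0


def trend(previous, current, higher_is_better):
    """"+" for an improving trend, "-" for a declining one, "=" for no change."""
    if current == previous:
        return "="
    improved = current > previous if higher_is_better else current < previous
    return "+" if improved else "-"


def scorecard(data, start, end, previous=None):
    """Return {metric: (value, trend)}; trend is "" when no previous scorecard."""
    # (value, higher_is_better) for each metric
    values = {
        "lead_time_days": (lead_time_to_mitigate(data["risks"], end), False),
        "critical_incidents": (critical_incidents(data["incidents"], start, end), False),
        "sla_compliance": (sla_compliance(data["incidents"], start, end), True),
        "changes_without_pia": (changes_without_pia(data["changes"], start, end), False),
        "staff_trained_pct": (staff_trained_pct(data["staff"]), True),
    }
    return {k: (round(v, 2), trend(previous[k][0], v, hib) if previous else "")
            for k, (v, hib) in values.items()}


# Constructed sample records for Q1 2021 (not real data).
Q1_START, Q1_END = date(2021, 1, 1), date(2021, 3, 31)
SAMPLE = {
    "incidents": [
        {"severity": "critical", "detected": date(2021, 1, 10), "closed": date(2021, 1, 25)},
        {"severity": "medium", "detected": date(2021, 2, 1), "closed": date(2021, 3, 20)},
        {"severity": "critical", "detected": date(2021, 3, 25), "closed": None},
    ],
    "risks": [
        {"identified": date(2021, 1, 5), "mitigated": date(2021, 1, 25)},
        {"identified": date(2021, 2, 10), "mitigated": None},
    ],
    "changes": [
        {"date": date(2021, 1, 20), "pia_done": True},
        {"date": date(2021, 2, 14), "pia_done": False},
        {"date": date(2021, 3, 3), "pia_done": True},
    ],
    "staff": [{"trained": True}, {"trained": True}, {"trained": True}, {"trained": False}],
}
# Constructed previous-period (Q4 2020) scorecard, same shape as scorecard() output.
PREVIOUS = {"lead_time_days": (30.0, ""), "critical_incidents": (3, ""),
            "sla_compliance": (0.4, ""), "changes_without_pia": (2, ""),
            "staff_trained_pct": (60.0, "")}
```

Running `scorecard(SAMPLE, Q1_START, Q1_END, PREVIOUS)` on the constructed data gives four improving metrics and one declining one (the open risk R-2 pushes the lead time from 30 to 34.5 days), which is the kind of per-metric signal the guideline's "consistent trend in improvement" test needs but does not specify how to produce.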

PDPSI has however covered the last mile requirement of how the DTS can be evaluated and how the qualitative observations of the auditor can be converted into a quantitative assessment as envisaged by the PDPB 2019.

Probably the younger brother, born later, missed an opportunity either to follow the big brother or, more appropriately, to design an even better system given the advantage of prior knowledge it had access to.

The DPA, when it is formed, is expected to come up with its own suggestions on how the DTS may be computed. However, the current PDPSI system is comprehensive enough to accommodate any variations that may be brought in by the DPA.

Whether the DPA adopts only a few parameters of measurement, such as those suggested by Naavi’s 5X5 DTS system or by IS 17428, or the more comprehensive 50-parameter evaluation that PDPSI uses, the PDPSI framework is ready to compute the DTS both at the level of maturity PDPSI expects and at the level the DPA expects.

The PDPSI-DTS system is therefore “Ready for the Future”.

Naavi

Posted in Cyber Law

PDPSI or Personal Data Protection Standard of India was unleashed in February 2019 with an article here titled “A step beyond BS 10012 and GDPR-Personal Data Protection Standard of India-PDPSI”.

At that time there was a need to create an Indian substitute for BS 10012. Subsequently ISO 27701 was also introduced, but both looked at PIMS from the GDPR angle. While that was the requirement in the international scenario, recognizing the need for an India-specific framework for Personal Information Management, the undersigned introduced the concept of PDPSI.

PDPSI was an extension of IISF 309, a framework developed by Naavi in March 2009 for compliance with ITA 2000 and revised subsequently from time to time.

IISF 309 focused on compliance with ITA 2000 (as amended in 2008), of which Section 43A compliance, along with other sections like Sections 72A and 79, formed the Privacy part. PDPSI however was more focused on the PDPA 2018, which became available in December 2018.

Hence PDPSI was the first Privacy Protection Framework of India.

Since 2019, when PDPSI was launched, Naavi.org has been discussing various aspects of the standard along with the DTS system, a version of which was called “Naavi’s 5X5 DTS system” and had been launched a little earlier, on New Year’s Day 2019.

Recently FDPPI adopted PDPSI and went ahead in creating an infrastructure for developing Lead PDPSI consultants and Lead PDPSI auditors. The FDPPI version of PDPSI was developed on the basis of PDPB 2019 and after a lot of discussion with professionals who had experience in ISO and other audit systems. As a result the current version, with 12 standards and 50 implementation specifications, emerged and was used in training prospective Data Auditors.

With the recent release of IS 17428, there are a few who think that IS 17428 is the first PIMS framework for India. But I would like to correct this perception. IS 17428 is the second framework from India.

PDPSI remains the first Privacy related framework to be developed in India.

We however would like to call it “Personal Data Protection Management System ” (PDPMS) while ISO 27701 uses the terminology of PIMS (Personal Information Management System) and IS 17428 uses the terminology of “DPMS” (Data Privacy management System).

IS 17428 however presents itself more as a framework for complying with GDPR in India, though it makes a reference to ITA 2000 and Section 43A in some places. Whenever ITA 2000 is referred to, IS 17428 speaks as if it were a third-country law. Hence IS 17428 appears to be an Indian framework with its focus on data protection laws outside India. It does not recognize the law in the pipeline represented by PDPB 2019. This is one of the biggest disappointments about this framework.

This framework is driven by industry representatives, NASSCOM and DSCI, which have been at the forefront of pulling down PDPB 2019, and perhaps this is reflected in the released document. Even the Annexure on legal provisions in India on Data Privacy speaks of the Indian Constitution and Sections 43, 43A, 72A and 85 of ITA 2000/8, along with a multitude of other laws and sectoral regulations, but avoids any mention of PDPB 2019.

Where IS 17428 has erred is in not recognizing the concept of “Due Diligence”, which is mentioned in the rules under Section 79 of ITA 2000 and is also a part of the “Reasonable Security Practices” under Section 43A.

The concept of “Due Diligence” does not restrict itself to the written words in a statute or regulation but represents absorption of the environmental experiences into the operations of an organization.

If a law such as PDPB 2019 has been contemplated and presented in Parliament, and the principles of the Bill have already been implemented in some Government projects such as the NDHM (National Digital Health Mission), it must be recognized as constituting “Due Diligence” and part of the “Reasonable Security Practices”.

Hence PDPB 2019 at least deserved a mention in the footnote.

We do not know whether IS 17428 will be revised after PDPB 2019 becomes law, or whether the industry will try to claim that IS 17428 is bigger than PDPA-India and challenge the DPA into accepting IS 17428 as “Deemed Compliance” with PDPA-India.

Going by the past history of the NASSCOM/DSCI views on Data Localization, Financial Information as Sensitive Personal Information etc., it appears that IS 17428 may be used as an instrument to suggest to the DPA that “If I am IS 17428 compliant, you cannot question me on compliance with PDPA”.

I hope that whoever takes the responsibility of being chairman or a Member of the DPA would steer clear of using the terminology of “Deemed Compliance” used in the Section 43A notification under ITA 2000, and leave it to the market to adopt the best available framework, because the ultimate responsibility for compliance lies in the implementation of the framework by the organizations. Frameworks can be tools to guide, but Certificates cannot substitute for implementation on the ground.

As a veteran watchdog of the developments in Cyber Law in India, Naavi will keenly watch the developments in this respect and will alert the community if there are any developments in this regard.

I also draw the attention of the Secretaries of MeitY, the Secretary of Law and the Chief Cabinet Secretary to such a possibility (a copy of this article will be sent to the three secretaries for their information).

We however welcome the arrival of the younger brother IS 17428 to the field of Indian Data Protection Frameworks, so that the family of frameworks becomes bigger and there is more variety. PDPSI will absorb all essential requirements of Privacy Management and will be an “Inclusive” framework. Yet it will try to maintain some key differences so that it remains different from the rest. PDPSI will undergo frequent upgrades as dictated mainly by the developments in Personal Data Protection regulation in India. Being dynamic will be one of the strengths of PDPSI.

Leaving this controversial issue aside, let us get back to our discussion of PDPSI as the big brother of IS 17428, how many of the traits of PDPSI have been absorbed in IS 17428, and why PDPSI deserves the tag line “Essence of the Essential, and yet different by a distance”.*

(* In Hindi: सब का सार, फिर भी, अलग… by far (“the essence of all, yet different, by far”); in Kannada: ಎಲ್ಲದರ ಸಾರ, ಆದರೂ ವಿಶೇಷಗಳ ಆಗರ (“the essence of everything, yet a storehouse of distinctive features”))

Naavi

(Watch out for more in this Big Brother series on PDPSI)

Posted by Vijayashankar Na

Inclusive but Different

The Bureau of Indian Standards has released the IS 17428 part I and Part II as Data Privacy Assurance Requirements and Guidelines.

FDPPI has already released the PDPSI standards, which are inclusive of ISO 27701, a GDPR-based Personal Information Management System (PIMS) standard.

We welcome the release of IS 17428 and will ensure that PDPSI is inclusive of the best-practice indications in IS 17428.

However, PDPSI will stand out as “Inclusive but Different” and continue to be a unified “Certifiable Standard” for compliance with data protection regulations.

PDPSI compliance will therefore be inclusive of the essence of IS 17428 compliance, while the reverse may not be true. However, if there is any conflict between IS 17428 and PDPSI, PDPSI will call out the conflicts.

More information about how the IS 17428 will merge with PDPSI will be provided in due course.

Naavi

Posted in Cyber Law

Pick a premier Privacy Certification Program from FDPPI

FDPPI, the premier Privacy and Data Protection organization in India, is offering a single-stop Combo certification leading to Certified Global Privacy and Data Protection Consultant. Top performers will also have an opportunity to be accredited as Certified Global Privacy and Data Protection Auditors.

The program is available on tap through online video streaming courses followed by online examinations.

The three certifications, Module I on Indian data protection laws, Module G on global data protection laws and Module A on audit skills, are available at a total cost of Rs 30000/-.

Register today at www.fdppi.in.

Naavi

Posted in Cyber Law

Rise of a Data Protection Colossus

Since 17th September 2018 when FDPPI was born, FDPPI has traversed a long journey in a relatively short time.

In order to keep on record some of the developments for the information of new members who are joining the organization, I give below a brief narration of the developments.

Details about the FDPPI constitution, membership etc. are available in different sections of this website.

In essence, FDPPI is an organization of Data Protection Professionals, for the Data Protection Community. The “Supporting Members” are the delivery channels through which FDPPI renders its services to the community.

Individual members are provided with many services for knowledge enhancement, Certification and Career advancement, as explained here. Additionally, Companies are provided with “Corporate Services” to help them in implementing Data Protection.

Jnaana Vardhini

One of the first objectives of FDPPI was to spread awareness of Privacy and Data protection in India so that India does not lag behind the world in the field of Data Protection. Accordingly, FDPPI started with a series of weekly webinars under the “Jnaana vardhini Series”.

Up to the end of 2020, 54 webinar sessions had been conducted, and in 2021 four sessions have been conducted so far. In these 58 sessions, FDPPI has tried to disseminate knowledge about Privacy and Data Protection. Most of these sessions are available as video recordings on YouTube.

Additionally, a messaging group, “FDPPI Knowledge Group”, functions on Telegram and doubles as a communication channel between members and other guests who have been admitted to the group, and as a means to spread knowledge through discussions. Since most of the members are themselves experts in the field, the knowledge acquired by sharing is immeasurable.

In addition to the weekly webinars, FDPPI members have been conducting free educational sessions on many other forums and have created a treasure house of knowledge for persons who would like to understand Data Protection and related concepts.

Indian Data Protection Summit 2020

As a further step towards spread of professional knowledge, FDPPI conducted the Indian Data Protection Summit 2020 as a virtual summit along with the Bangalore Tech Summit held by the Government of Karnataka in November 2020.

CDPP Programs

In a further bid to provide professional certification programs, FDPPI created a series of Certification programs namely

a) Certified Data Protection Professional-Module I (Covering Indian Data Protection Law)

b) Certified Data Protection Professional-Module G (Covering Global Data Protection Laws)

c) Certified Data Protection Professional-Module A (Covering Data Audit Skills)

These certifications were offered independently as part of a larger 5-module program, in which modules on Technology and Behavioural Skills are due to be introduced in future.

Each of these programs was conducted as online training followed by an online examination. After the programs were conducted online, recorded sessions were made available through an “On Demand, Video Streaming Facility” so that the certifications can be availed on tap by interested persons.

Those professionals who have completed all three programs were further recognized as “Certified Global Privacy and Data Protection Consultant” or “Certified Global Privacy and Data Protection Auditor”.

The Consultants or Auditors so certified are considered eligible to provide services related to implementation of data protection compliance in organizations, and certification of organizations along with an assessment of DTS (Data Trust Score).

It may be noted that most of the persons certified under these schemes are professionals who may already have experience of similar certification programs conducted by other international organizations like IAPP, which conducts certification programs on GDPR and other international laws, and they have found the FDPPI certifications extremely valuable.

The objective of FDPPI certifications is to ensure that there is a distinctive knowledge enhancement and an evaluation of understanding through examination, so that the certified persons can be expected to be useful to their respective organizations. It is not simply experience based, nor based on mere attendance of training programs. This has been appreciated by all the professionals.

In the event the Indian Data Protection Authority introduces any criteria for accrediting Data Protection Auditors or Data Protection Officers, FDPPI certified professionals are likely to start with an advantage in terms of the knowledge requirements.

FDPPI has guaranteed that all those who have currently undergone the training for Module I on Indian laws will be provided with a one-time additional bridging session when the Personal Data Protection Bill 2019 becomes a full-fledged law.

Subsequently programs for continuing education would be introduced so that Certifications can be kept current.

Since CDPP programs of FDPPI also cover global laws such as GDPR, CCPA, Singapore PDPA, DIFC-DPA, LGPD-Brazil, HIPAA etc., the programs are considered “Made in India for the World” category of service.

PDPSI

The second most important contribution of FDPPI to the Data Protection world has been the introduction of the “Personal Data Protection Standard of India” or PDPSI. A concept which was pioneered by Naavi has been developed and fine tuned into a system which today provides a framework for compliance both as a self implementation mechanism by organizations as well as a Certifiable standard.

The uniqueness of PDPSI is that it is a “Unified” framework that can be used for simultaneous compliance of multiple data protection laws such as Indian PDPA along with GDPR. The sub modules of PDPSI framework provide the adaptability to different data protection laws that can be applied in an organization which has exposure to multiple jurisdictions.

Further, PDPSI automatically incorporates the evaluation of the Data Trust Score (DTS), a measure of the Data Protection compliance maturity of an organization which is envisaged as mandatory under the proposed Indian law (PDPB 2019).

FDPPI has now set up a mechanism for Certifying an Organization through accredited PDPSI auditors.

A unique feature of PDPSI audits is that the audits are registered with FDPPI along with the DTS, and the auditee organization is provided with support after completion of the audit through a “Mentoring” program, with a limited quarterly consultation to clear any doubts in implementation. Though these are not “Review Audits”, they provide an opportunity for the auditee organizations to tap the experts of FDPPI for quick clarifications critical to their implementation of the PDPSI compliance suggestions.

PDPSI is another unique “Made in India for the World” contribution of FDPPI. It is an open standard and will relieve the complying organizations from the burden of proprietary international standards.

DPERT

One of the recent services that has been introduced is the setting up of DPERT or Data Protection Emergency Response Team on the lines of the CERT organizations that function in the domain of Cyber Security.

The DPERT would be a team of experts chosen by FDPPI and would provide quick suggestions on any reference from organizations that report suspected Personal Data breaches.

DPERT will work in close association with the law enforcement authorities and regulators and assist the companies in taking right decisions in times of a crisis.

DPERT will remain a free service to the society and where an in depth consultancy is required, will guide the companies accordingly.

DDMAC

DDMAC or Data Disputes Mediation and Arbitration Center is another unique service that FDPPI is bringing to the society and is in the final stages of introduction.

DDMAC is a platform which can be used both offline and online for dispute resolution in the Data Processing industry. DDMAC will develop a set of neutrals who are experts in data-related regulations and also trained in the art of Mediation and Arbitration. It will be available for use by Data Fiduciaries and Data Principals to redress their grievances through ADR processes including Mediation and Arbitration.

DPJI

In order to ensure that knowledge dissemination to professionals occurs in a formal manner, apart from the information made available through the website of FDPPI, a journal titled “Data Protection Journal of India” has been started by FDPPI in 2021. The journal will be available at www.dpji.in.

Future Developments in pipeline

The above narration captures some of the developments in FDPPI till date. We will update this further. FDPPI is negotiating several collaborations some of which will fructify shortly. FDPPI is also working on additional projects including an award for the “Data Protection Champion” etc.

FDPPI has more than 150 professional members today, and each one of them is an expert in their own domain. FDPPI being an aggregation of these professionals, it has all their strengths within its umbrella. FDPPI’s strength is therefore not limited to its employee force, and hence when the full potential of its members is harnessed, it will be one of the biggest Data Protection Consultancy organizations in India.

Let us look forward to glorious days ahead and welcome more members to join this movement.

Naavi

Posted in Cyber Law