Come over…Let’s Discuss PDPSI

We at FDPPI think that PDPSI is a useful framework that can help Indian Data Fiduciaries comply with multiple data protection laws.

But what matters is not what we think…but what you think…

It is possible that for many of you PDPSI is a new term and you have not had an opportunity to study what it is and how it compares with IS 17428 and similar standards.

Now there is an opportunity to discuss this. Block your calendar today for September 19th, 11.00 am. Let’s meet and discuss.

Naavi


Posted in Cyber Law | Leave a comment

Unboxing the advantages of PDPSI Framework for Data Privacy Compliance

PDPSI, or the Personal Data Protection Standard of India, is a compliance framework that is unique. It has been developed by professionals with years of experience in the field of Privacy and Data Protection, as a unified framework for meeting the compliance requirements of multiple data protection laws.

Unlike some of the other frameworks for a PIMS (Privacy Information Management System, the term used in ISO 27701) or a DPMS (Data Privacy Management System, the term used in IS 17428), PDPSI is a compliance framework for a “Personal Data Protection Compliance Management System” (PDP-CMS).

Again, unlike PIMS or DPMS systems, which are extensions of an ISMS, PDPSI is a standalone system that focuses on the compliance requirements of a target jurisdiction.

Unlike other PIMS or DPMS systems, the PDPSI framework for a PDP-CMS extends to calculation of the Data Trust Score (DTS), which is a Trust Seal indicating the level of compliance maturity of an organization.

Naavi, Chairman of FDPPI, which is developing a system of accredited PDP-CMS auditors, Certification Bodies and a system of Certification, will explain the salient features of PDPSI and why it is a comprehensive and forward-looking compliance model appropriate for Data Controllers and Data Fiduciaries.

The two-hour session on 19th September 2021 will be conducted as an online webinar at 11.00 am and is offered free on registration.

Those interested in registering may complete the following form or send an e-mail to FDPPI.

Naavi


PDPSI Standards and Implementation Specifications-Designed for Compliance

(In continuation of the previous article)

PDPSI is a framework which evolved from the Indian Information Security Framework (IISF-309), which was first developed for compliance with ITA 2000 and published in March 2009.

PDPSI was designed to be of use for “Compliance” with data protection regulations by an organization which is involved in processing personal data and is subject to Indian jurisdiction. The primary law of the Indian jurisdiction at present is ITA 2000, read with PDPB 2019 as the “Due Diligence Requirement” under ITA 2000.

PDPSI takes into account the fact that if the Indian organization is involved in processing personal data originating from abroad, the organization will be required to factor-in compliance of the appropriate law applicable to the “Country of Origin” of the personal data. It is therefore a “Unified Compliance Framework”.

Further, PDPSI restricts its objective to “Compliance” with the “Data Protection Law applicable to an Indian Data Fiduciary”. The terms PIMS and DPMS used in ISO 27701 and IS 17428 indicate that these frameworks provide, or attempt to provide, a certification on the Personal Information or Personal Data Management System as such. These standards do not claim to have been designed for “Compliance” but have drawn heavily from the GDPR in identifying the principles of Privacy which the PIMS/DPMS tries to “manage”.

PDPSI, on the other hand, is designed for compliance. It is a template for compliance with any data protection law and incorporates many controls which are relevant to Indian requirements under ITA 2000 and PDPB 2019 and which may not be present in other laws such as the GDPR. PDPSI is therefore more comprehensive than IS 17428.

Also, neither ISO 27701 nor IS 17428 is an independent standard: both have to be read with ISO 27001/2 and are not certifiable except together with ISO 27001 certification. Both ISO 27701 and IS 17428 therefore have to be considered as an augmented ISO 27001 rather than as independent standards in themselves.

PDPSI however is an independent certifiable standard and incorporates protection of information through the CIA principle as part of its Implementation Specifications.

PDPSI is a framework which addresses “Management of Personal Information in an organization for the purpose of protecting the privacy of the data principal as indicated in the relevant law”.

This system is better referred to as PDP-CMS or “Personal Data Protection Compliance Management System” instead of PIMS or DPMS.

The primary focus of the PDPSI controls is therefore the prescriptions of the target regulation; any generic managerial controls which form part of the system are designed to help sustain compliance in the longer run.

It is therefore possible to develop PDPSI certification as a tightly integrated certification for compliance with a given data protection regulation.

For example, PDPSI-In can be considered as tied to compliance with Indian data protection regulation, while PDPSI-EU may relate to compliance with the EU GDPR and PDPSI-Sg to compliance with the Singapore PDPA 2012, and so on.

PDPSI however recognizes that “Compliance” of a law inherently involves “Interpretation” of law and hence even the best interpretation of a professional can only be a second guess on what the Data Protection Authority of the day thinks is the correct interpretation or a third guess on what the Courts may interpret.

While PDPSI attempts to partially align compliance with the DPA’s interpretation, it may not be possible to align compliance with the possible interpretation of a Court in future judicial proceedings; in that context PDPSI is a “Good Faith” interpretation of what the Data Protection jurisprudence could be.

Understanding PDPSI in its full perspective requires a more detailed discussion. FDPPI and Naavi are committed to explaining these principles to all interested professionals who are curious to know why PDPSI is considered the “Bade Bhai” (elder brother) of IS 17428, the “Chote Bhai” (younger brother).

Naavi is planning to conduct a free introductory webinar shortly to explain the PDPSI concept in detail. FDPPI is also separately conducting certification programs to develop DPOs who can implement PDPSI in a corporate setting.

Watch out for the free introductory webinar and register your interest by e-mail to Naavi or as a comment below.

Naavi


IS 17428 and PDPSI

Recently, the Bureau of Indian Standards introduced a new standard, IS 17428, as the standard for providing privacy assurance to individuals and for organizations to set up a “DPMS” or Data Privacy Management System.

Obviously there is a need to compare IS 17428 with PDPSI, which is already being used to evaluate the Personal Data Protection Compliance Management System (PDP-CMS) in organizations that process personal data.

IS 17428 comes with a good pedigree, since it is backed by the BIS. But compared to PDPSI, it is observed that the standard does not attempt to cover the requirements of PDPB 2019, the forthcoming data protection law in India, nor does it confine itself to the requirements under Section 43A of ITA 2000, the current data protection law in India. The standard instead looks to the GDPR and replicates ISO 27701.

Like ISO 27701, IS 17428 cannot be implemented without ISO 27001 and is not independently certifiable. PDPSI, on the other hand, is inclusive of technical security measures and is certifiable, with DTS calculation.

The IS 17428 standard has two parts, the first part being termed as “Requirements” and the second part as “Guidelines”. The Guidelines are said to be “Optional”.

Part 1 has the following six sections:

1. Scope

2. References

3. Definitions

4. Privacy Engineering

5. Privacy Management

6. Compliance

Part 2 contains the first five sections but not the sixth.

The standard tries to distinguish the terms “Privacy Engineering” and “Privacy Management”. Rather than providing clarity on the two roles in privacy protection, one for the technical team and the other for the organizational team, this adds more confusion to the compliance process. If Privacy Engineering refers to the technical side of processing and Privacy Management to the policy side, it is unclear whether a Data Protection Officer is a Privacy Engineer or a Privacy Manager.

In PDPSI, it is not only the DPO who will be responsible for compliance but under the “Distributed Responsibility” concept, every employee is a DPO for his area of function. This concept raises the level of “Accountability” of the organization as an aggregation of the accountability of every employee.

PDPSI addresses “Privacy Engineering” by the Implementation specification on “Privacy By Design” but leaves the direction to the DPO along with the distributed responsibility of the engineering team.

Unlike ISO 27701, which integrates ISO 27001/2 into the standard itself, IS 17428 only provides the DPMS-related requirements, relegating the ISO 27001 reference to the optional guidelines in Part 2.

As a result, the document lacks adequate clarity.

PDPSI, on the other hand, comes with 12 standards and 50 implementation specifications. The standards are an overview, while the implementation specifications go a step further into the details.

The 50 implementation specifications of PDPSI cover not only the PIMS-related aspects of ISO 27701 and the DPMS requirements of IS 17428; they also cover the requirements of ISO 27001/2, although these requirements are clubbed together under fewer than 50 items.

It is for this reason PDPSI is considered as “Essence of the Essentials but different by far”.

( Continued…)

Naavi


iPhone 13 may have to be banned in India

Apple is posing a great challenge to law enforcement across the world with its proposal to introduce the new version of its phone (iPhone 13) with a chip that can connect to Low Earth Orbit (LEO) satellites. The phone is reported to come with a customized Qualcomm X60 baseband chip which may be able to connect to Globalstar’s satellite communication network. This facility will give the phone connectivity from remote locations where there is no network coverage. It is said that adventurers such as hikers and mountaineers may find this very useful if they are lost in the wilderness.

While from a technological point of view this appears exciting, the introduction of this type of universal connectivity will pose a huge threat to society. It will be immediately used by Naxalites, terrorists and criminals. At present, tracking of mobile phones by their network location is one of the biggest advantages that law enforcement uses to crack many crimes. Crimes like rapes and murders are often traced with the help of mobile phone tracking.

Once the iPhone 13 is introduced, whether or not normal users use the facility, criminals will definitely use it. It is said that the price of the phone may not be much different from other models, though there could be increased subscription costs. But “affordability” is never a challenge for criminals, and hence Apple will be the biggest abettor of all types of crime.

The Home Ministry should immediately ensure that the current system of licensing satellite phones is further tightened and that the iPhone 13 is banned. The current generation of satellite phones is at least identifiable as different by its very looks. But the iPhone 13 may look similar to other phones, and hence any criminal in our midst may be using the phone for nefarious purposes while sitting next to us, without our being able to locate such phones easily.

I wish the Government of India takes immediate steps to ban the use of iPhone 13 in India with immediate effect.

Naavi

Refer: Computerworld.com

Also refer: Forbes.com

Unification of Data Protection Law

According to UNCTAD, 128 of the 194 UN member countries have put in place legislation to secure the protection of data and privacy. 158 countries have e-commerce laws in place and 154 countries have cyber crime laws.

While the need for a law in each jurisdiction is essential because the countries are sovereign, the existence of multiple laws makes it extremely difficult for global citizens to follow and comply with them. This problem is accentuated because technology has been developing in the direction of breaking down the barriers to communication, with data moving freely across political boundaries.

This issue is more pronounced in the data protection laws since data processing is an important business activity and cross border business engagements are common.

While the commercial aspects of data and its utility have created an interest among Governments in opting for “Data Localization”, most laws try to retain extra-territorial jurisdiction to impose penalties and bring impossible conditions into business contracts in the form of “Standard Contractual Clauses” and “Abdication of the local security considerations”.

In this scenario, a data processing company which operates a website and cloud services to collect, process and disclose personal data through the internet faces the challenge of being exposed to multiple data protection laws.

While most laws look similar, the very fact that democratic countries which genuinely respect the right of privacy and implement laws to protect it, dictatorial regimes like China, fake democracies like Pakistan, and religiously fanatic countries in the Muslim world all seem to have laws called “Data Protection Laws” makes it obvious that the laws can share the same name but are inherently different.

At the time of compliance this creates a problem, since all the personal data accessed by the organization needs to be properly segregated before compliance can be achieved.

While, in terms of a framework for compliance, PDPSI, the Personal Data Protection Standard of India promoted by FDPPI (Foundation of Data Protection Professionals in India), has developed a Unified Framework of compliance by incorporating an appropriate data classification system, the complexities of creating a “Foundation Compliance Framework” and customizing it with “Law Specific Modifications” remain, because every law looks similar but has some subtle differences.

It is therefore necessary that an attempt be made by the UN to develop a “Model Law on Data Protection” and persuade its members to bring uniformity to their laws. However, the UN in recent days has become completely ineffective because of the archaic “Veto” system, and unless this system is disbanded, the UN remains a useless organization.

The EU, for its own reasons, has tried to unify the laws within the 27 countries of the Union but still retains differences in terms of Member State laws. The US calls itself a federation of 50 states but is allowing each state to pass its own data protection laws rather than forcing adoption of a single data protection law for the entire country. Many other countries, including Canada, the UK and Australia, may have issues with provincial Governments and independent administrative territories splintering the laws.

It should be appreciated that India, even when it adopted the Information Technology Act, adopted it as a federal law, and with the integration of J&K into the country following the abolition of Article 370, the upcoming data protection law is also being framed as a “National Law”.

In the past there have been attempts by some States to intrude into the Central legislative powers under the Information Technology Act 2000 through amendments to the Police Act, the State Stamp Act or other laws. Given even a slight opportunity, there are rogue States who may take an aggressive stand to promote local laws different from national laws, citing the “Powers of the State to control law and order” to infringe on the Data Protection Laws.

To prevent such a possibility, we need to ensure that PDPB 2019 is made water tight as a single data protection law for the entire country including the Union Territories and no opportunity is given to the States to make any amendments.

It should declare that

“No State Government shall have the power to make laws which may contravene the provisions of the PDPB/A”, and any amendment required to be made for regional considerations shall be made only through the PDPB/A and not through any State law.

Based on how this “Unified Data Protection Law for the entire country” is defined, we may also amend the Information Technology Act to define “Cyber Crime” and create a federal agency for the investigation and prosecution of cyber crimes.

Comments are welcome.

Naavi
