Naavi.org

The Bureau of Indian Standards has released the IS 17428 part I and Part II as Data Privacy Assurance Requirements and Guidelines.

FDPPI has already released the PDPSI standards which are inclusive of the ISO 27701 which is a GDPR based Personal Information Management Standard (PIMS).

We welcome the release of IS 17428 and ensure that PDPSI would be inclusive of the best practice indications in IS 17428.

However PDPSI will stand out as “Inclusive but Different” and continue to be a unified  “Certifyable Standard” for compliance of data protection  regulations.

PDPSI compliance will therefore be inclusive of the essence of IS17428 compliance while the vice-versa may not be true. However, if there is any conflict between IS17428 and PDPSI, the PDPSI will call out the conflicts.

More information about how the IS 17428 will merge with PDPSI will be provided in due course.

Naavi

FDPPI, the premier Privacy and Data Protection organization in India is offering a single stop Combo certification leading to Certified Global Privacy and Data Protection Consultant. Top performers will have an opportunity to be also accredited as Certified Global Privacy and Data Protection Auditors.

The program is available on tap through online video streaming courses followed by online examinations.

The total cost of three certifications, Module I on Indian Data Protection laws, Module G on Global data protection laws and Module A on Audit skills will be available at a total cost of Rs 30000/-.

Register today at www.fdppi.in.

Naavi

Since 17th September 2018 when FDPPI was born, FDPPI has traversed a long journey in a relatively short time.

In order to keep on record some of the developments for the information of new members who are joining the organization, I try to give below a brief narration of the developments.

Details about FDPPI constitution, membership etc is available at different sections of this website.

In essence, FDPPI is an organization of the Data Protection Professionals, for the Data Protection Community.  The “Supporting Members” are the delivery channels through which FDPPI renders its services to the community.

Individual members are provided with many services for knowledge enhancement, Certification and Career advancement as explained here. Additionally Companies are provided with “Corporates Services”  to help them in implementing Data Protection

Jnaana Vardhini

One of the first objectives of FDPPI was to spread awareness of Privacy and Data protection in India so that India does not lag behind the world in the field of Data Protection. Accordingly, FDPPI started with a series of weekly webinars under the “Jnaana vardhini Series”.

Upto end 2020, 54 webinar sessions had been conducted and in 2021, so far 4 sessions have been conducted. In these 58 sessions, FDPPI has tried to disseminate knowledge about Privacy and Data Protection. Most of these sessions are available as video recordings in YouTube.

Additionally a messaging group “FDPPI Knowledge Group” functions on Telegram and doubles up as a communication between members and other guests who have been admitted to the group and also to spread knowledge through discussions. Since most of the members are themselves experts in the field knowledge acquired by sharing is immeasurable.

In addition to the weekly webinars FDPPI members have been conducting free educative sessions on many other forums and created a treasure house of knowledge for persons who would like to understand the Data Protection and related concepts.

Indian Data Protection Summit 2020

As a further step towards spread of professional knowledge, FDPPI conducted the Indian Data Protection Summit 2020 as a virtual summit along with the Bangalore Tech Summit held by the Government of Karnataka in November 2020.

CDPP Programs

In a further bid to provide professional certification programs, FDPPI created a series of Certification programs namely

a) Certified Data Protection Professional-Module I (Covering Indian Data Protection Law)

b) Certified Data Protection Professional-Module G (Covering Global Data Protection Laws)

c) Certified Data Protection Professional-Module A (Covering Data Audit Skills)

These certifications were offered independently as a part of a 5 module larger program in which modules on Technology and Behavioural Skills are due to be introduced in future.

Each of these programs were conducted as online training followed by an online examination. After the programs were conducted online, recorded sessions were made available through an “On Demand, Video Streaming Facility” so that the certifications can be availed on tap by interested persons.

Those professionals who have completed all the three programs were further recognized as “Certified Global Privacy and Data Protection Consultant” or “Certified Global Privacy and Data Protection Auditor”

The Consultant or Auditor so certified have been considered eligible to provide services related to implementation of data protection compliance in organizations and certification of organizations along with an assessment of DTS (Data Trust Score).

It may be noted that most of the persons who are certified under these schemes have also been professionals who might have the experience of similar certification programs conducted by other international orgnaizations like IAPP which conducts certification programs on GDPR and other international laws and have found the FDPPI certifications extremely valuable.

The objective of FDPPI certifications is to ensure that there is an distinctive knowledge enhancement and evaluation of understanding through examination so that the certified persons can be expected to be useful to their respective organizations. It is not simply experience based nor on mere attendance of training programs. This has been appreciated by all the professionals.

In the event the Indian Data Protection Authority introduces any criteria for accrediting Data Protection Auditors or Data Protection Officers, FDPPI certified professionals are likely to start with an advantage in terms of the knowledge requirements.

FDPPI has guaranteed that all those who have currently undergone the training for Module I on Indian laws will be provided with a one time n additional bridging session when the Personal Data Protection Bill 2019 becomes a full fledged laws.

Subsequently programs for continuing education would be introduced so that Certifications can be kept current.

Since CDPP programs of FDPPI also cover global laws such as GDPR, CCPA, Singapore PDPA, DIFC-DPA, LGPD-Brazil, HIPAA etc., the programs are considered “Made in India for the World” category of service.

PDPSI

The second most important contribution of FDPPI to the Data Protection world has been the introduction of the “Personal Data Protection Standard of India” or PDPSI. A concept which was pioneered by Naavi has been developed and fine tuned into a system which today provides a framework for compliance both as a self implementation mechanism by organizations as well as a Certifiable standard.

The uniqueness of PDPSI is that it is a “Unified” framework that can be used for simultaneous compliance of multiple data protection laws such as Indian PDPA along with GDPR. The sub modules of PDPSI framework provide the adaptability to different data protection laws that can be applied in an organization which has exposure to multiple jurisdictions.

Further PDPSI automatically incorporates the evaluation of the Data Trust Score (DTS) which is a measure of the Data Protection compliance maturity of an organization and is mandatory under the Indian law.

FDPPI has now set up a mechanism for Certifying an Organization through accredited PDPSI auditors.

A Unique feature of the PDPSI audits is that the audits are registered with FDPPI along with DTS and the auditee organization is provided with support subsequent to the completion of the audit through a “Mentoring” program with a limited quarterly consultation to clear any doubts in implementation. Though these are not “Review Audits”, they provide an opportunity for the auditee organizations to tap the experts of FDPPI to get some quick clarifications critical to their implementation of PDPSI compliance suggestions.

PDPSI is another unique “Made in India for the World” contribution of FDPPI. It is an open standard and will relieve the complying organizations from the burden of proprietary international standards.

DPERT

One of the recent services that has been introduced is the setting up of DPERT or Data Protection Emergency Response Team on the lines of the CERT organizations that function in the domain of Cyber Security.

The DPERT would be a team of experts chosen by FDPPI and would provide some quick suggestions for any reference from organizations who report any suspected Personal data breaches.

DPERT will work in close association with the law enforcement authorities and regulators and assist the companies in taking right decisions in times of a crisis.

DPERT will remain a free service to the society and where an in depth consultancy is required, will guide the companies accordingly.

DDMAC

DDMAC or Data Disputes Mediation and Arbitration Center is another unique service that FDPPI is bringing to the society and is in the final stages of introduction.

DDMAC is  a platform which can be used both offline and online for dispute resolution in the Data Processing industry. DDMAC will develop  a set of neutrals who are experts in data related regulations  and also trained in the art of Mediation and Arbitration. It will be available to be used by Data Fiduciaries and Data Principals to redress their grievances through ADR processes including Mediation and Arbitration.

DPJI

In order to ensure that knowledge dissemination to professionals occurs in a formal manner, apart from the information made available through the website of FDPPI, a journal titled “Data Protection Journal of India” has been started by FDPPI in 2021. The journal will be available at www.dpji.in.

Future Developments in pipeline

The above narration captures some of the developments in FDPPI till date. We will update this further. FDPPI is negotiating several collaborations some of which will fructify shortly. FDPPI is also working on additional projects including an award for the “Data Protection Champion” etc.

FDPPI has more than 150 professional members today and each one of them is an expert in his own domain. FDPPI being an aggregation of these professionals it has all the strengths of these professionals within its umbrella. FDPPI’s strength is therefore not limited to its employee force and hence when the full potential of its members is harnessed, it will be one of the biggest Data Protection Consultancy organizations in India.

Let us look forward to glorious days ahead and welcome more members to join this movement.

Naavi

FDPPI, the pioneering institution focusing on empowering the Indian community to be Privacy and Data Protection Compliant, has set up a Data Protection Emergency Response Team (DPERT) as part of its commitment to the Data Protection industry to assist in the development of a nationwide data protection environment.

The DPERT will be constituted as part of FDPPI which is a Not for Profit organization registered under Section 8 of Indian Companies Act.

DPERT will consist of a group of voluntary data protection professionals who would provide immediate guidance to any organization confronted with an emergency response requirement in the event of a suspected personal data breach event.

The members of DPERT will remain anonymous and the first response is a free service.

DPERT can be contacted through e-mail here: DPERT 

In view of the need for immediate contact, any person trying to contact DPERT may also send a message to Naavi through WhatsApp or Telegram or e-mail. On receipt query would be circulated to the Team members and a response would be sent ASAP.

Naavi

The Audit is always a “Snapshot concept”. The auditor gathers his observation and as on the date of his certificate adds his disclaimers that to the best of his knowledge and in good faith and based on the evidences  provided, he certifies that the organization is compliant. The Certification sponsors do their best to properly accredit auditors with training and imbibe a culture of responsibility and ethics  to ensure that audits are meaningful.

However industry practitioners know that some accredited auditors take their work lightly and issue certificates without proper assessments.

The auditor escapes his responsibility because the moment the audit is over, it is entirely the responsibility of the organization to maintain the controls suggested and taken on note during the audit. While we can understand that the auditor cannot take more responsibility on an ongoing basis, from the point of view of the CEO, it is often felt that audit is a money making game and it has no real value to the organization.  Organizations still go through audit certifications because the customer feels more assured and it has become a ritual to ask for certifications.

We need to change this perception of auditors and the perception on the system of audit. Audit is not a money making tool. It should be an instrument of change in an organization.

Naavi therefore suggests what could be a revolutionary concept in IS audits through the PDPSI (Personal Data Protection Standard of India framework that is being developed through FDPPI. (Foundation of Data Protection Professionals in India).

FDPPI has envisaged the engagement of PDPSI in two modes namely “Consultancy” mode ” Audit” mode. In the consultancy mode, a PDPSI consultant works with an organization to conduct a Risk assessment, develop a Gap analysis report. The PDPSI comes with a table of  “Model Implementation Specification” (MIS) and it could be basis on which the gap report emerges. But the organization may decide that they have a certain level of  “Risk Appetite”  and hence all controls in the MIS is not relevant for them and they would like to implement only a truncated version of MIS.

This truncated version is what is referred to as “Adopted Implementation Specification” (AIS) and is like the “Statement of Applicability” or SOA.  The AIS is supported by a “Variance Justification Document” (VJD)  where there is a documentation of why the organization thinks that a suggested MIS control is not relevant or needs modification. This concept is similar to the HIPAA concept of “Addressable implementation specifications” in its security rule.

The PDPSI consultant will work with the organization until this AIS with VJD is signed off by the top management. This AIS will then be the “Implementation Charter” for the DPO. If the implementation charter is faulty, then the responsibility is with the management. The DPO’s role is to understand and implement the AIS in good faith.

The PDPSI auditor when he enters the scene will ask for the AIS. If it is not available, the auditor will conduct his own risk assessment, develop a gap report and submit it as the first deliverable. He will then wait for the management to either give a go ahead for the gap report as presented which means that the MIS becomes identical with AIS. If not the management may come up with its own VJD and fine tune the MIS into its approved AIS which becomes the implementation boundaries set by the company for itself.

The Company may take a stand that they are only interested in the AIS as adopted and the auditor can check if they have done it properly.

The PDPSI auditor therefore looks at the AIS item by item, calls for evidences and decide whether the AIS items have been implemented “Satisfactorily” or “Not”. This is a binary decision and for an organization there has to be 100% satisfactory report. Where there is a “Not satisfactory” remark, the organization can justify its non compliance based on a new VJD. The auditor will go with the decision of the company and close his audit.

However, every PDPSI audit also involves a DTS (Data Trust Score) assessment and in this document, the auditor will express his own view on how good is the implementation with reference to the MIS. If an organization is callous and truncated the MIS to an unjustifiable AIS, then it will suffer from a low DTS. The auditor need not fight with the organization and forced to issue a “Satisfactory” report when he is really not satisfied. In effect in this system the auditor’s report only says “I am satisfied that the Company is in satisfactory compliance with whatever AIS has been adopted”. The DTS expresses the real assessment of the auditor which is provided to the auditee and it is open to them to hide it and not disclose it.

The DTS however is reported by the auditor to the FDPPI and hence it gets recorded and cannot be manipulated subsequently.

The PDPSI system envisages that at the closure of the audit, the auditee will send one “Audit Closure Feedback” to the FDPPI. In this if the auditee has serious reservations on the DTS, it can be sent so that an opportunity would have been given to the organization to object to any DTS element.

After this FDPPI would allocate a mentor for the PDPSI completed audit as an optional service so that the DPO of the organization can on a quarterly basis check with the mentor if there is some action to be taken. For this purpose the DPO may discuss any significant “Incident” in confidence and get a feedback whether he needs to make further investigations etc.

This “mentoring” service ensures that FDPPI continues to be in an engagement with the client and does not drop him like a hot brick once the audit is closed and payments are settled.

The role of a “Mentor” is however limited and lower than the role of the “PDPSI Consultant”. Also the Mentor will not be the same person as the auditor. He can however be a consultant if required. Mentor will fulfill the role of providing a quick feedback in crisis situations will be like an “Emergency Consultancy” service so that DPO will have a friend to consult in times of need. He will be a “Friend of DPO”.

The auditor and the mentor would be offering their services under FDPPI disclaimers. Consultant is engaged by the company on a contractual basis.

PDPSI is a pioneering system and the SOPs are under development. But the end objective is clear. The PDPSI is meant to support the Data Protection Eco system on a continuing basis and is not meant to be only a money scooping activity.

FDPPI will develop a “Data Protection Emergency Team” (DPERT) which will have a pool of mentors from whom the service would be provided. Only FDPPI certified consultants/auditors would be constituting this DPERT.

We are aware that in the sceptic world, the intentions of FDPPI will have to go through a process of testing and trust building. The team of FDPPI is working towards establishing the trust of the organizations and we welcome the views and suggestions of experts.

Naavi

PDPSI is a unique framework for Personal Data Protection as per prevailing data protection laws.

Its 50 implementation specifications cover the data compliance requirements under multiple data protection laws and is more than what other best practice standards such as ISO 27701 tries to accomplish.

Some of the PDPSI model implementation specifications try to put certain best practices hither to not being part of such frameworks into the radar of the organization. Details of these are already available in the PDPSI handbook.

There are three other innovations that PDPSI has introduced and FDPPI has adopted in order to further improve the assurance of the PDPSI audits in the industry environment.

First is to register the audit with FDPPI along with the DTS computation worksheet so that FDPPI is aware of the PDPSI certifications that are in the market.

Second is getting a feedback on the auditee  including a permission if agreeable for disclosure of DTS.

Additionally, it is observed that after completion of an audit and its certification, the auditee often neglects to maintain the required data security discipline resulting in data breaches. At that time a question will be asked on whether the organization was audited, and if so whether the audit was deficient etc.

In order to make PDPSI audits more reliable, FDPPI will therefore introduce a system whereby the auditee will be required to send a quarterly report to FDPPI in which it will share any major incidents during the period and major changes in the business profile.

It is quite possible that the organizations may not send such reports in which case the responsibility of FDPPI would be reduced. If the organization considers it useful they may use this opportunity. In a way this will be like AMC service on the audit already completed.

FDPPI may charge a fee for such Audit AMC as it may deem fit.

Hopefully this would at least keep the need to be vigilant even after the audit certification will be ingrained in the auditee organization and this by itself be good for the auditee organization.

The details of the kind of reporting to be done etc are being finalized.

Naavi