NCLT has been Irresponsible in the case of Net4India

Judicial and quasi-judicial authorities in the country have been accorded a special place in the structure of our democratic society. We respect them and fear them. With the increasing burden on the regular judicial institutions such as the Courts, quasi-judicial authorities such as Adjudicating Authorities and Appellate Tribunals have been constituted under different laws so that the first trial and first appeal can be handled by these specialized institutions before the dispute passes on to the higher judiciary, normally the High Court, or in some cases bypassing the High Court and going directly to the Supreme Court.

Most of these institutions are managed by retired Judges of the High Courts and the Supreme Court and have powers both to simplify procedures so that litigation is convenient for the public and to ensure that they are not inferior to any Court in enforcing their orders.

The availability of these powers and the respect of society need to be repaid by these institutions with a sense of responsibility to the citizens of the country.

It is necessary to point out that the National Company Law Tribunal (NCLT) has, in the case of Net4India, failed to show this responsibility, despite it having been pointed out that the action or inaction of the NCLT has left lakhs of consumers of Net4India in the lurch with their digital businesses disrupted.

Notwithstanding the respect due to an institution like the NCLT, it is our duty to point out that the NCLT failed in its duty to the consumers of Net4India by being ignorant and irresponsible.

In the hope that this situation will not recur in the future, we set out here some thoughts on why we need to be critical of what the NCLT has not done in the case of Net4India to protect the interests of the consumers.

Net4India is one of the oldest Internet Service Providers in India and provided domain name registration services as a registrar accredited by ICANN. It also provides website hosting, e-mail hosting, digital (SSL/TLS) certificates for web servers to secure web transactions, etc.

Many large and small business organizations and individuals had availed of Net4India's services and have been running their web-based services on them. Even Naavi started his activities on the web through Net4India.

Somewhere down the line, Net4India borrowed money from SBI and defaulted. It appears that SBI was negligent in providing the facilities, and probably there was corruption and fraud in SBI which resulted in the loans being granted, not being properly monitored, and being allowed to turn into non-performing assets (NPAs). Given the nature of Net4India's activities and the head start it had over its competitors, it was a gold mine by itself and did not require bank finance for its normal business. If an enquiry is held into how SBI granted credit facilities running to more than Rs 100 crores and let them rot, it would perhaps come to light that officials of the bank had colluded with the company in financing overtrading and the diversion of funds.

The bankers remained mute spectators while Net4India manipulated its affairs to shift its assets, using the services of Openprovider to keep up its public face while slowly moving the assets out of the company. (See here)

Having committed a possible fraud, SBI made use of the insolvency provisions to shift the liabilities to Edelweiss Asset Reconstruction Co. Ltd, which invoked insolvency proceedings before the NCLT.

Medianama.com quotes the advocate of the Resolution Professional (RP) and indicates how a fraud was committed by the company over a period. The advocate reportedly stated:

“The RP discovered that the entire business and income of the Corporate debtor has been diverted to Net 4 Network [Services Limited], thereafter 70% shareholding of the Corporate Debtor in Net4 Network was surreptitiously transferred to a related company called Track Online India Private Limited, which is another company of the same Promoter-Director and thereafter the business of the Corporate Debtor was on 20.10.2016 transferred to Net4 Network [Services Limited] (once upon a time wholly owned subsidiary of the Corporate Debtor company) through Master Reseller Agreement (MSA), which has made Net4 Network “Master Reseller”, therefore as on the date the Corporate Debtor has remained for name sake because its shareholding in Net4 Network was transferred leaving no control over Net4 Network [Services Limited] and then strategically business as well. “

This sort of fraud could not have occurred except through the connivance of the banker, companies like Openprovider.com and professional firms such as the statutory auditors and company secretaries. Even ICANN and NIXI should have been able to see the fraud before it became irreparable.

The Ministries of Finance and Consumer Affairs have silently watched these happenings and have not tried to resolve the issue in a manner that protects the consumers' interests.

For a long time MeitY too was a silent spectator; only after the issue was escalated through this website did NIXI start helping registrants of .in domain names by ensuring that their names were transferred to other registrars.

The India representative of ICANN has also been doing his bit to get ICANN-supervised domain names such as .com names moved to other registrars through ICANN's dispute resolution process, which is slow and painful.

However, the domain name owners are not able to recover the money stuck in their Net4India accounts. Collectively they are "Creditors" of Net4India in its insolvency proceedings, a fact the NCLT has conveniently ignored.

Each of the 70,000-plus customers (maybe up to 3 lakh according to one estimate) has an amount of between Rs 1,000 and Rs 25,000 lying as a balance in their account with Net4India, earmarked for future renewal of services. These were in the nature of advance payments assigned to specific services and were not available for repayment to SBI or Edelweiss; the NCLT should have arranged for them to be segregated and accounted for to the individual customers, which it has failed to do.

The NCLT also failed to recognize that Net4India, even as a shell company, was a "Going Concern": had its rights as domain manager for 70,000 customers been traded to another registrar, those rights would have fetched a value of their own. This "intangible value of the domain business" went unaccounted for before the NCLT declared Net4India insolvent.

The NCLT also failed to give notice to each of the 70,000 domain name registrants, who were small creditors of the company, before the insolvency proceedings were launched.

By launching the insolvency proceedings, the NCLT closed down the running operations of the company, and the services of the consumers were disrupted.

The NCLT is therefore squarely to blame for the disruption of the businesses of 70,000-plus consumers of Net4India.

It was within the NCLT's powers to ensure that, before ordering closure of the company and the sale of its immovable properties, the customer rights were put up for auction to other registrars at a premium. Some other registrar would have valued the acquisition of 70,000 domain name customers as a great opportunity and acquired the entire business, which the NCLT valued at "zero", at least under a management contract at, say, around Rs 10 crores, with a seamless continuation of services to the consumers, which is priceless.

But the NCLT was not aware of the damage it was doing to the digital markets in India, and/or was not concerned. It took a blinkered approach, going through the motions of resolution so that SBI could recover the proceeds of its own fraud and Edelweiss could make some money of its own.

PS: In case the NCLT feels aggrieved by this criticism, we would like to know what measures the NCLT took to bring the interests of the consumers of Net4India into the resolution process, whether notices were given individually to each of these consumers, and whether there was any attempt to value the "Contractual Rights" created through the domain services contracts at least at a notional value in the books. We are willing to apologize if there has been a reasonable effort from the NCLT in this regard.

At present several of the affected persons are rallying around Naavi.org, and many of them have been able to resolve a part of their problem by getting their domain names transferred, but they still have not been able to recover the money stuck with Net4India, and there are many more whose domains are still not transferred, particularly the ICANN-supervised ones. All of them have to view the NCLT as the villain who protected the fraud partners of Net4India at the cost of its innocent consumers.

Future Actions Required

For the time being, let us leave the NCLT to learn from its mistakes and focus on what we need to do in the future.

1. Bring the value of digital assets into the books of accounts

The first and foremost action required of all of us who are users of domain names and other digital assets created out of contracts is to bring the value of such assets into the books of account.

For example, Naavi.org as a domain name is valued at $1,328 by GoDaddy. In terms of expenses it costs around Rs 942.82 to renew every year, which can be capitalized. If Ujvala Consultants Pvt Ltd, which has registered the domain names for Naavi, aggregates all the domains under its control and values them either at the market value estimated by GoDaddy or at the capitalized annual expenditure written off over a period of time instead of treating it as an expense, the balance sheet of Ujvala would reflect an asset value of several lakhs which today is not being recognized.

If, under a similar principle, Net4India had recognized the value of its domain name business under some valuation method, say on the basis of cost of acquisition, the net present value of future business, or the cost for a competitor to build a base of 70,000-plus customers, then its balance sheet would have carried an asset base of crores of rupees which the NCLT could not have ignored.

The accounting profession, the ICAI and the Ministry of Finance should therefore think of introducing a system whereby digital assets are accounted for in the books as "Intangible Assets".

It is possible that the Ministry of Finance would immediately think of taxing this asset. It would be cruel if they did so. But since the valuation method may not be universally agreed upon, accountants can start by placing a "contra entry" in the books of account so that the valuation does not affect the balance sheet in real terms.

While the ICAI may take its time to understand the value of such "Digital Asset Valuation", and considering the coming Non Personal Data regulation under which the valuation of data may become a realizable value, Naavi has already recommended the inclusion of "Personal Data Valuation" as a best practice under PDPSI (Personal Data Protection Standard of India), a new standard for data protection and assessment of compliance.

2. Registrars of Domain Names to be regulated by MeitY

Considering the critical nature of the business of domain name registrars, the adverse impact if registrars go out of business in future, and the need to reduce the incidence of domain name frauds, MeitY has to recognize that registrars are a special category of "Intermediaries" and introduce appropriate regulatory control.

The Data Protection Authority (DPA) under the (proposed) Personal Data Protection Act should also recognize domain registrars as "Significant Data Fiduciaries" and bring them under its regulatory control.

Both of the above suggestions are well within the powers of MeitY at present, and hence we hope that they will be considered seriously.

Naavi

 

 


Non Personal Data Governance Authority under the new recommendations should not interfere with DPA

The revised recommendations of the Kris Gopalakrishnan Committee on Non Personal Data reiterate the significant role of the Non Personal Data Authority (NPDA).

It may be noted that the Committee has, from the outset, been influenced by the industry to include a recommendation that the NPDA must be created with "Industry Participation". This recommendation has to be treated with circumspection.

While the NPDA has to consult industry and have persons with industry experience in its constitution, "Regulation" has to be segregated from the industry. If industry organizations become part of the regulatory agency, the regulatory functions will be corrupted.

Hence the committee’s suggestion “NPDA must be created with industry participation” needs to be rejected.

The NPDA's enabling functions include

a) Ensuring unlocking of economic benefit from non-personal data

b) Creating a data sharing framework

c) Managing the meta data directory of data businesses in India

The NPDA's enforcing functions include

a) Establishing rights over Indian Non-Personal data in the digital world

b) Address privacy, re-identification of anonymized personal data, prevent misuse of personal data

c) Adjudication when a data custodian refuses to share data with the data trustee.

In defining the enforcing functions, the mention of "Privacy" indicates a deliberate attempt to create powers overlapping those of the Data Protection Authority being created under PDPB 2019.

While the report says that the roles of the NPDA should be harmonized with those of the CCI and the DPA, there is an element of overlap of regulatory functions which needs to be consciously avoided.

As regards "Privacy", the DPA under PDPB 2019 should be given unambiguous authority. When there is a doubt, the NPDA should refer the privacy issue, including the re-identification of anonymized personal data or the misuse of personal data, to the DPA for necessary adjudication and corrective action as may be required.

This has to be kept in mind when the new Non Personal Data Regulation Act is framed.

Naavi

 

 


High Value Datasets (HVD): a new concept under the revised Kris Gopalakrishnan report

In the previous article, we discussed the "Consent for Anonymization" recommended in the revised report of the Kris Gopalakrishnan Committee.

Another concept suggested by the committee which requires a detailed look is the definition of "High-Value Data Sets" (HVD).

The concept of HVD is a little confusing as it is used with reference to the "Role of an Organization". As a general concept, however, it appears to be a special category of Non Personal Data, just as "Sensitive Personal Data" is defined in the PDPB as distinct from Personal Data in general.

The report defines HVD as

-a “Data Set” that is “beneficial” to the community at large

-shared as a “public good” subject to certain guidelines

There are 15 different types of data sets listed as HVDs, plus "and others", whatever that means.

The 15 types of HVDs are the following:

i. Useful for policy making and improving public service and citizen engagement
ii. Helps create new and high-quality jobs
iii. Helps create new businesses – startups and SMEs
iv. Helps in research and education
v. Helps in creating new innovations, newer value-added services / applications
vi. Helps in achieving a wide range of social and economic objectives including
vii. Poverty alleviation
viii. Financial inclusion
ix. Agriculture development
x. Skill-development
xi. Healthcare
xii. Urban planning
xiii. Environmental planning
xiv. Energy
xv. Diversity and Inclusion

The organization (either a Government body or a non-profit organization) responsible for the creation, maintenance and sharing of HVDs is called a "Data Trustee".

It is envisaged that a community of people can come together to create a “Data Trustee” and host the HVD.

The Data Trustee will have a responsibility to ensure that HVDs are used only in the interest of the community. The data trustee will also ensure that the HVD is not re-identified and also maintain a “Grievance Redressal mechanism”.

Key Guidelines for HVD processing

The report suggests that for every HVD there will be one Data Trustee, but one Data Trustee may be responsible for more than one HVD. The intention of the committee appears to be that the organization that collects, processes or shares HVDs will be called a Data Trustee (like the Data Fiduciary in the PDPB), and that a single such Data Trustee may manage multiple HVDs.

The HVD will be maintained in a data infrastructure corresponding to "technical-material" elements such as the actual databases, APIs, organizational systems, etc. This is similar to the concept of "Personal Data Processing Sub Units" recommended under PDPSI (Personal Data Protection Standard of India).

Depending on the type of HVD, the regulatory authority, namely the Non Personal Data Governance Authority (NPDGA), will set guidelines to determine the appropriateness of the chosen HVD, such as its objectives, the public good involved, etc. It would be necessary for the Data Trustee to secure an "Expression of Interest" from a minimum number of community entities to be part of the HVD initiative.

The concept suggested here resembles a "Trade Union", and if there is a difference of opinion among the community constituents about the Data Trustee, there could be issues like those in an industry with multiple trade unions.

However, the committee envisages that there will be only one Data Trustee per HVD. The concept of "One Data Trustee" for "One HVD" appears short-sighted and needs rethinking.

Otherwise, the committee appears to treat the "Data Trustee" as similar to the Significant Data Fiduciaries or Guardian Data Fiduciaries under PDPB 2019. There has to be a process of registration of an entity as a Data Trustee with the NPDGA.

 

Naavi


Consent for Anonymization is a self contradiction and a potential violation of the fundamental right under Article 19(1)(g)

After the Kris Gopalakrishnan Committee on Non Personal Data Governance (KGC) submitted its first report, public comments were invited. Now the Government has published a revised report after receiving the comments and has requested a second round of public comments, to be submitted before 27th January 2021.

Comments can be submitted here

The revised report can be accessed here.

From the publication, it appears that this report was revised by the Committee itself and not by MeitY.

One of the major revisions appears to be the reiteration that Sections 91(2) and 93(x) of the Personal Data Protection Bill 2019 may be omitted.

Section 91(2) stated :

(2) The Central Government may, in consultation with the Authority, direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed.

Explanation.—For the purposes of this sub-section, the expression “non-personal data” means the data other than personal data.

Section 93(x) stated:

(x) the manner in which the Central Government may issue a direction, including the specific purposes for which data is sought under sub-section (2) and the form of disclosure of such directions under sub-section (3) of section 91; or

This does not make any material difference to the Personal Data Protection Bill (PDPB), though it will satisfy the demands of some opponents of the Bill who had identified this as a point of contention.

The other major point that could impact PDPB 2019 is the recommendation regarding consent for anonymized data.

The revised report suggests that “Consent should be obtained from the data principal for anonymization of personal data”.

It may be observed that Naavi has suggested the inclusion of consent for anonymization in the Notice/Consent format to be used under PDPSI (Personal Data Protection Standard of India) as a measure of compliance under the principle of "abundant caution".

However, it is necessary to record that, in my personal view, this proposition is not necessary and is perhaps self-contradictory to the major objective of the Non Personal Data Governance (NPDG) regulation. It may also not be fully in conformity with the "Right to carry on the business of one's choice" under Article 19(1)(g) of the Constitution.

According to Article 19(1)(g), it is a fundamental right guaranteed by the Constitution to "practise any profession, or to carry on any occupation, trade or business".

Why is this Provision Self Contradictory?

The revised KGC report states:

“It is clear from industry feedback to the Committee and from its own research that large collections of anonymized data can be de-anonymized, especially when using multiple non-personal data sets”

Accordingly, the revised recommendations suggest that "Data Collectors", at the time of collecting personal data, should provide a notice and offer the data principal the option to opt out of anonymization of their data.

This suggestion is considered "self-contradictory" since it directly negates the very definition of "anonymization" provided in PDPB 2019.

Section 3(2) of PDPB 2019 defines anonymization as follows:

(2) “anonymisation” in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Authority;

The Data Protection Authority is expected to provide the necessary technical guidelines to determine the dividing line between "Identifiable Personal Data" and "Anonymized Personal Data".

The new recommendations appear to express a lack of confidence in this definition and in the ability of the DPA to arrive at an acceptable technical standard for what constitutes an "irreversible process".

The argument that "anonymized data can be de-anonymized", and its acceptance as a legal principle, sets a dangerous precedent. The same argument can be extended to "encrypted data can be decrypted".

If we presume that "encrypted data can be decrypted", then any data leak consisting of "encrypted data" has to be considered a "data breach". This goes against accepted principles of data protection recognized even under laws such as the HIPAA/HITECH Act, where the loss of properly encrypted protected health information is not treated as a breach of unsecured data requiring notification, and it takes "encryption" out of the equation that constitutes "security of information".

If anonymized data can be de-anonymized, then we have to accept that encrypted data can be decrypted. It is only a question of the "technology used for breaking the anonymization or the encryption", the "effort applied" and the "intention".

Accepting the suggestion is therefore a serious blow to the information security principle that "encryption secures information".

The more practical way of addressing the concern is to clarify that "anonymization" is an "irreversible process" meeting the standard of "reasonable irreversibility" to be notified by the Data Protection Authority.

If some data analytics company or data analyst applies a large enough effort, any encrypted data can be decrypted and any anonymized data can be re-identified. If such effort is applied, the intention must be considered "malicious", and the re-identification should be treated as a contravention of Section 82 of PDPB 2019 and punished accordingly. It may also be treated as "diminishing the value of information residing in a computer or affecting it injuriously by any means" under Sections 43 and 66 of ITA 2000 and punished accordingly.

Hence there is sufficient deterrence in the law, and the breaking of an anonymization carried out to the prescribed standard cannot be "presumed". If it could be presumed, then every regulatory feature prescribed in the PDPB could equally be presumed infeasible to regulate, which would be self-contradictory in itself.
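To make concrete what the committee means by re-identification "using multiple non-personal data sets" (quoted above), and what a notified standard of "reasonable irreversibility" would actually have to measure, the following Python illustration is added here with constructed data; it is not code from this page, from the committee report or from the Bill. It joins a release that has merely had names removed against an auxiliary list on the remaining quasi-identifiers (PIN code, birth year and gender are the assumed quasi-identifiers for this example), which re-identifies every record without any "malicious effort" worth the name, and then shows the same join failing once the quasi-identifiers are generalized so that every combination is shared by at least two records (k-anonymity with k = 2, used here as one example of a measurable criterion, not as the standard the DPA would notify).

```python
"""Linkage attack on 'anonymized' records, and a k-anonymity check.

Added illustration with constructed data; not from the page or the
committee report. k-anonymity is used as one example of a measurable
irreversibility criterion, not as the standard a DPA would actually notify.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

# Quasi-identifiers: attributes that are not names but, in combination,
# single people out. (Assumed set for this example.)
QUASI: Tuple[str, ...] = ("pin", "birth_year", "gender")

# Constructed "anonymized" release: names and phone numbers dropped,
# quasi-identifiers kept verbatim, one sensitive attribute retained.
ANONYMIZED: List[Dict] = [
    {"pin": "560001", "birth_year": 1985, "gender": "F", "diagnosis": "diabetes"},
    {"pin": "560004", "birth_year": 1988, "gender": "F", "diagnosis": "hypertension"},
    {"pin": "560034", "birth_year": 1972, "gender": "M", "diagnosis": "asthma"},
    {"pin": "560037", "birth_year": 1979, "gender": "M", "diagnosis": "healthy"},
    {"pin": "560078", "birth_year": 1990, "gender": "F", "diagnosis": "migraine"},
    {"pin": "560079", "birth_year": 1993, "gender": "F", "diagnosis": "healthy"},
]

# Constructed auxiliary dataset an attacker might already hold (a voter roll,
# a leaked customer list): names alongside the same quasi-identifiers.
PUBLIC: List[Dict] = [
    {"name": "Asha",   "pin": "560001", "birth_year": 1985, "gender": "F"},
    {"name": "Meena",  "pin": "560004", "birth_year": 1988, "gender": "F"},
    {"name": "Suresh", "pin": "560034", "birth_year": 1972, "gender": "M"},
    {"name": "Mahesh", "pin": "560037", "birth_year": 1979, "gender": "M"},
    {"name": "Priya",  "pin": "560078", "birth_year": 1990, "gender": "F"},
    {"name": "Divya",  "pin": "560079", "birth_year": 1993, "gender": "F"},
    {"name": "Kiran",  "pin": "560110", "birth_year": 1965, "gender": "M"},  # no counterpart
]


def qi_key(record: Dict, quasi: Tuple[str, ...] = QUASI) -> Tuple:
    """The quasi-identifier combination of one record."""
    return tuple(record[q] for q in quasi)


def k_anonymity(records: Iterable[Dict], quasi: Tuple[str, ...] = QUASI) -> int:
    """Size of the smallest equivalence class over the quasi-identifiers.

    k == 1 means at least one record is unique on its quasi-identifiers and is
    therefore a candidate for linkage with any auxiliary dataset.
    """
    return min(Counter(qi_key(r, quasi) for r in records).values())


def link(anonymized: Iterable[Dict], public: Iterable[Dict],
         quasi: Tuple[str, ...] = QUASI) -> Dict[str, str]:
    """Linkage attack: join the two datasets on the quasi-identifiers.

    A re-identification is claimed only when the combination is unique on both
    sides, so the mapping name -> sensitive value is unambiguous.
    """
    anon_groups: Dict[Tuple, List[Dict]] = defaultdict(list)
    for r in anonymized:
        anon_groups[qi_key(r, quasi)].append(r)
    pub_groups: Dict[Tuple, List[Dict]] = defaultdict(list)
    for r in public:
        pub_groups[qi_key(r, quasi)].append(r)

    hits: Dict[str, str] = {}
    for key, anon_rows in anon_groups.items():
        pub_rows = pub_groups.get(key, [])
        if len(anon_rows) == 1 and len(pub_rows) == 1:
            hits[pub_rows[0]["name"]] = anon_rows[0]["diagnosis"]
    return hits


def generalize(record: Dict) -> Dict:
    """Coarsen the quasi-identifiers: PIN to its 3-digit prefix, birth year to decade.

    This is the kind of transformation a notified irreversibility standard
    would require before data may be called anonymized.
    """
    g = dict(record)
    g["pin"] = record["pin"][:3] + "xxx"
    g["birth_year"] = record["birth_year"] // 10 * 10
    return g


if __name__ == "__main__":
    print("k of raw release:", k_anonymity(ANONYMIZED))            # 1: every row unique
    print("re-identified:", link(ANONYMIZED, PUBLIC))               # all six names recovered
    gen_anon = [generalize(r) for r in ANONYMIZED]
    gen_pub = [generalize(r) for r in PUBLIC]                       # attacker coarsens the same way
    print("k after generalization:", k_anonymity(gen_anon))         # 2
    print("re-identified after generalization:", link(gen_anon, gen_pub))  # {}
```

A release that fails such a check has not been anonymized to any standard at all, so the question of presuming de-anonymization does not even arise; the legal presumption of irreversibility argued for above can only attach to data that has passed the notified test. Note also that k-anonymity alone does not protect against every record in an equivalence class carrying the same sensitive value, which is one reason the standard itself has to be specified technically rather than asserted.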

Why the Provision is Unconstitutional

If anonymization as per the standards set by the Data Protection Authority is followed, then "Identifiable Personal Data" becomes "Non Personal Data" and becomes the subject matter of governance under the new law, namely the Non Personal Data Governance Act (NPDGA). The objective of the NPDGA would be to unlock the value in data which is considered "Non Personal".

A substantial part of Non Personal Data consists of "Anonymized Personal Data". If there is no freedom for the personal data collector to use "anonymized personal data" as "non personal data" and unlock its value, then the business arising therefrom is effectively killed. In such a case any personal data collected for a specific purpose, whose use is limited to the time until the purpose is accomplished, will have zero value after the purpose is completed, since it must mandatorily be extinguished.

If we consider a "Profile" to be "Personal Data" as well, then all profiles also need to be extinguished once the purpose for which the profile data was collected is served. On the other hand, if the "profile data" could be anonymized, it would be useful to the community without adversely affecting the privacy interest of the individual.

It is to ensure that personal data collected is useful to the community that the principle of "Permitted Data Processing and Disclosure" allows exceptions to some of the restrictions on personal data processing for public interest, emergent requirements of the data principals and others, as well as law enforcement.

Along with these rights of society in the public interest, safety and law enforcement, the right of a business to carry on business with anonymized data, in a manner that does not adversely affect the privacy of the erstwhile identifiable personal data, must be considered a "Legitimate Interest" of the business and protected under Article 19(1)(g).

Hence the proposition is considered unsustainable from the point of view of fundamental rights.

Rights Cannot be recognized in “Re-birth”

In India we believe that individuals go through cycles of birth and death and that all of us have a history of previous births. There have been many instances where hypnotists have claimed that through "age regression" they can extract information about an individual's previous birth. Some studies appear to suggest that some past-birth experiences have also proved correct. The Nadi astrology system also supports the view that "Karma" from a "previous birth" has an impact on the present life of an individual.

Without going into the details of a discussion on the subject of re-birth, I would like to point out the similarity between an individual's re-birth and the re-identification of anonymized personal data.

Once personal data is anonymized (as per the standards prescribed in law), it must be considered "dead". Just as we cannot recognize the legal rights of property or family relations of a previous birth because a hypnotist can extract what appears to be "evidence" of a previous birth, we cannot provide rights to data principals whose private data has been anonymized and then de-anonymized by a criminal data scientist for commercial benefit.

Hence the concept of "Data, re-born" should not be given sanctity under law, just as the rights of a person from his previous birth cannot be recognized under law. It would be like recognizing the right of a person to write a will stating that if he returns in his next life, the property should be restored to him in the new birth.

Suggestion

It is therefore suggested that the recommendation of the revised Kris Gopalakrishnan Committee report regarding "Consent for Anonymization" be rejected.

However, the definition of "anonymisation" under Section 3(2) of PDPB 2019 can be modified as under:

(2) "anonymisation" in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Authority, by reasonable, non-malicious efforts.

It is also suggested that a definition of "De-anonymization" be added to the PDPB as follows:

3(..) De-anonymization means converting “anonymized personal data” which has been subjected to a standard irreversible anonymization process as per Section 3(2), to a state where it can be identified as personal data either partially or fully, whether accurately or not.

Inclusion of the above definition of "De-anonymization" would meet all the concerns that the revised Kris Gopalakrishnan Committee report expresses.

 

Naavi


Training and Accreditation of PDPSI Consultants and Auditors

Cyber Law College, in association with FDPPI, earlier launched two programs related to building legal awareness of data protection laws as part of the "Certified Data Protection Professional" (CDPP) course. These were part of the larger 5-module course to build 360-degree skilled data protection professionals in India. The remaining three modules are on Technology, Audit and Behavioural Skills.

The training for Module I covered Indian data protection laws and the training for Module G covered global data protection laws.

Now FDPPI and Cyber Law College are launching the course on the Audit module, namely Module A.

This program, scheduled as a 12-hour online program, will discuss the art and science of data audit. Since this is the first such program being conducted, and it introduces many new concepts including valuation of data in a balance sheet, distributed responsibility for implementation, etc., the program may be extended beyond 12 hours if required.

The discussions will cover the conceptual difference between an "Assessment" and an "Audit", the different types of audits encountered in the data protection profession, the objectives of each of these audits, the modalities of how a practitioner may conduct such audits, etc.

The Data Protection Impact Assessment (DPIA), Harm Audit, Data Breach Audit and Data Protection compliance audits will be discussed separately.

The Data Trust Score (DTS) Assessment which is a part of the Indian data protection regulation will also be discussed in detail.

The Data Protection Compliance audit will be explored in detail using the PDPSI (Personal Data Protection Standard of India) framework .

PDPSI is a framework for implementation and is also a Certifiable Standard of compliance. PDPSI is also a DTS assessment framework during the Audit process.

Foundation of Data Protection Professionals in India (FDPPI) is sponsoring the Data Protection Compliance Audit under the PDPSI framework, and this training is considered part of the accreditation of PDPSI Consultants and PDPSI Auditors, who can provide consultancy to organizations on designing and implementing data protection compliance programs and also conduct audits of such programs.

Consultancy for implementation and audit of the implementation will be undertaken by two different individuals.

While this Data Audit training may be considered mandatory for auditors, implementation may be guided by consultants. Organizations are free to implement the guidelines on their own and directly approach an auditor for certification, or to take the assistance of consultants before approaching the auditors.

FDPPI may have additional criteria for accrediting auditors under their approved audit process for certification.

This Module A training will be followed by an "Online Examination" and "Submission of Assignments". 50% of the marks will be allocated to each of these two evaluation segments.

There will be three grades, namely A, B and C.

Grade A: represents Ready for Audit

Grade B: represents Ready for Consultancy

Grade C: represents a requirement for improvement

One Improvement re-examination will be permitted for upgradation of Grade C to Grade B.

According to the present scheme for accreditation of PDPSI Auditors,

FDPPI may accredit their members who pass out of this training with Grade A and have also passed out of the Module I and Module G program, as “Provisionally Accredited PDPSI Auditors”.

They may be upgraded into fully “Accredited PDPSI Auditors” after they complete the two other modules of the larger training program which includes the modules on Technology and Behavioural Skills.

FDPPI may also upgrade persons who pass out of the program with Grade B to “Provisionally Accredited PDPSI Auditors” based on their consultancy experience.

For registration for the program, kindly proceed to “CDPP-Module-Audit”.

The Date and time Schedule for the program is yet to be finalized. Tentatively the course should commence towards the end of January 2021 after the registrations close on 18th January 2021.

P.S: Though the training program is driven by the needs of the emerging Indian data protection law, the concepts discussed are universal and will apply even to compliance with GDPR and other Data Protection laws.

Naavi

Posted in Cyber Law

Data Protection Compliance in India enters a new era

When the Personal Data Protection Bill 2019 (PDPB 2019) gets passed in Parliament, companies will be scrambling to get on to the compliance bandwagon.

While there will be many job opportunities for Data Protection Officers (DPOs) trained in data protection, there will be many SMEs/MSMEs who will not be able to hire trained DPOs, since there will be a great shortage of qualified persons who are aware of the Indian Data Protection Laws and are capable of converting them into implementation plans for the organization.

Naavi has already started Certification training to help people understand the Personal Data Protection Bill 2019 and how it may translate into an Act. With Foundation of Data Protection Professionals in India (FDPPI), a not-for-profit company, Naavi has already launched a program for “Certified Data Protection Professionals” in two modules, namely a module on Indian laws and a module on global laws. Naavi has also released a book which explains the Indian law as it is emerging.

Now Naavi has moved on to the next level: assisting organizations with how they can go about compliance with the Data Protection Regulations through a framework that guides them through to compliance and prepares them to be certified as follows:

“Certified that ………………………….. (Name of the organization) has satisfactorily implemented policies, procedures and other measures to be considered compliant with the provisions of ………… (Name of the data protection act such as GDPR, PDPA etc), with a Data Trust Score of …….. (Assessment score)”

Naavi has been discussing the PDPSI (Personal Data Protection Standard of India) over the last two years on this website and at other conferences. Now the concept is explained in greater detail in an E Book. This contains the comprehensive standard for compliance with data protection laws, which can be implemented by any Personal Data Processing organization by itself with reasonable assistance from its in-house information security or privacy-aware professionals.

FDPPI, which is the Certifying Agency under the standard, will shortly be conducting “PDPSI Consultant Accreditation Training” to equip data protection professionals to be fully conversant with the provisions of PDPSI and to assist organizations that may need their help.

Consultants may also conduct the audit of an implementation already done by organizations, with or without the help of other consultants, and issue Certificates of compliance if the implementation is found satisfactory.

These initiatives help companies to get ready for compliance as soon as the law gets passed.

The E Book above contains the 12 standards and 50 implementation specifications that constitute the standard along with details of the certification system and DTS assessment system. (P.S: The book does not contain templates of policies which are to be developed by consultants based on different implementation contexts).

The framework under PDPSI incorporates the best practices and includes the controls normally suggested under internationally used standards and makes several innovative improvements.

Organizations interested in using the PDPSI framework may contact Naavi through e-mail.

(P.S: Kindly note that this is an initiative of Naavi and FDPPI and has not had prior consultation with, or accreditation from, any Government agency. After the Personal Data Protection Act comes into being, the Data Protection Authority is expected to publish norms for certification separately, and this certification is expected to prepare the organization for the formal certification system that may be introduced by the Data Protection Authority in due course… Naavi)

Naavi

Posted in Cyber Law