Naavi.org

Often in our professional career, we get into a conflict between what we believe is correct and what is happening around us. A large number of professionals in whom the “Fear of Failure” dominate, tend to avoid opening out with their thoughts because they may be either not confident of themselves or are more concerned about being ridiculed.

It is a fact of life that there is always a “Resistance to Change” in the community and when we challenge the established order, we do have many people who would call the move thoughtless or risky etc. Some may call it as premature unethical etc. It is possible that many of the thoughts from the thought leaders appear premature because the society around may not be ready for it. Hence a fair amount of such resistance is normal and the person who believes that he is moving in the right direction needs to overcome such murmurs and carry on.

I don’t intend a theoretical discussion on these concepts of leadership at this point but just to give a few examples of recent developments in my work space that made me reflect on these aspects.

In January when I released my book “Personal Data Protection Act of India (PDPA2020)” many of my friends were disturbed. The book was based on the Bill pending before the Parliament and which had not yet technically become an Act. By naming the book as it was named, I was exercising the author’s prerogative to give a title to a Book and explaining it in the content that it is the name used for reference only. I had used a similar nomenclature of ITA 2008 for the amended Information Technology Act 2000 which also at that time drew some objections from experts. I agreed that the experts had a point of view which was not unreasonable but insisted that I had the right to use an alternate “name” which was useful for me to pass on a concept. I opted for utility versus convention.

Then came the launching a “Certification” program from the Foundation of Data Protection Professionals in India (FDPPI) to confer the title of “Certified Data Protection Professional-Module I” covering the training in the proposed PDPA. This also caused a stir as many thought it was premature to award certifications for an yet to be made law. But the need of the community was that sooner or later this law would come and from the first day there would be a need for professionals who are aware of the law. This would be possible only if some body took the lead in creating the certification program and FDPPI went ahead with its program.

Recently State Bank of India and Tech Mahindra have released recruitment notices for recruiting Data Protection Officers and both have asked for people with certifications in GDPR knowledge. While GDPR may be relevant for both organizations, the lack of awareness of the emerging local data protection laws and the need for the DPOs to be aware of them was missed by both HR departments. Hopefully the certifications created by FDPPI will be noticed by the HR departments who will be recruiting DPOs in the coming days.

FDPPI is now embarking on another major initiative shortly which will also shake the established system. I may wait for a couple of more days to make an announcement in this regard, but as we prepare for the same, a thought occurs that the saga of the Bold First Step inviting a potential critical reaction seems to continue.

Will come back more on this in the next few days…

Naavi

Cyber Law College has opened registrations for training only. Fees Rs 6000/- . Participants may opt for FDPPI Certification by paying additional amount as per FDPPI terms.

Naavi

FDPPI has embarked on the Certification Training for Module G and the sessions will start from 11th July 2020. 12 sessions of 90 minutes each will be conducted on week ends from July 11th to August 16th, 2020, at 4.00 pm every Saturday and Sunday.

Registrations for the training is now open for non members also under the following terms.

1. Interested persons may enroll for the training at a payment of Rs 6000/-
2. The trainees may opt for Certification by payment of Rs 12000/- of which  Rs 6000/- would be considered as membership fee if the person intends to become a “Foundation Member” of FDPPI. Those who donot opt to become a member would be considered as “Patrons”.
3. The total registrations for the current batch will be limited to 50 including the registration of members already completed.  Hence interested persons may register at the earliest.

Payment can be made through the following link.

The complete information about the program is available in the enclosed Prospectus.

FDPPI, Foundation of Data Protection Professionals in India was started in September 2018 to be an organization of the Data Protection Professionals, By the Data Protection Professionals and for the Data Protection Professionals. Since India was intending to come out with a specific data protection law in India at that time, there was a felt need to create an adequate appreciation of Privacy Rights and the role of a data protection professional  the Data Protection Eco system in India.

FDPPI stepped in to fill the void and lead the Data Protection Ecosytem in India with a clear focus on the Indian requirements. Though there were some other agencies who had a similar thinking, it was felt that there was a need to build a new entity by the professional community themselves.

Encouraged by a few like minded individuals, a core group of professionals set up FDPPI as a Section 8 Company (Not for profit) with “Limited By Guarantee” structure to align it with an acceptable structure of one member one vote as in a society structure.

Over the last two years, FDPPI has grown into an organization which has made substantial progress in educating the community on Indian Data Protection regulation as it exists today and emerging in the future. In association with Naavi’s 20 year old Cyber Law College, FDPPI rolled out its certification programs in December 2019 with the first Certification titled “Certified Data Protection Professional-Module I” (CDPP-M I)covering the Indian laws. But the goals were set higher to create an empowered community of “Certified Expert Data Protection Professionals” (CEDPP) with a a legal knowledge base covering Indian and global data protection laws, data protection technology and data audit skills along with an enhancement of behavioural skills required for Data Security Governance.

This enhanced vision of FDPPI to expand beyond the shores of India in terms of knowledge has gained a significant momentum today with the opening of its doors to membership from outside India and also launch of the next Certification module on Global data protection laws covering GDPR, CCPA, Singapore PDPA, HIPAA and Dubai DPL 2020. The certification training is set to commence from July 11th, 2020 and will lead to the title of “Certified Data Protection Professional-Module G”.

This is the second significant step for a professional to become a Certified Expert Data Protection Professional with a reasonable skill set of Legal knowledge supported by necessary technical, audit and behavioural skills to be a good Data Protection professional the community would be proud of.

FDPPI has placed emphasis on creating Ethical set of professionals empowered with the knowledge and skills and believes in Certification as a pointer to knowledge enhancement. Hence every module of FDPPI certification is associated with a mandatory training program to open the eyes of the professionals to a new area of their skill requirement.

India is yet to complete the formality of enacting the new Personal Data Protection Act, (PDPA) but by an innovative legislative framework, the currently available Information technology Act 2000 (ITA 200)) is functioning as the shadow of the proposed PDPA by the interpretation of “Due Diligence” and “Reasonable Security Practice” already enshrined in ITA 2000, of which the extension is the forthcoming PDPA.

In a way, PDPA India has become effective even before its passage as an Act and born out of the womb of ITA 2000 in the form of “Due Diligence”. This has been unique to India.

Several senior Corporate Professionals in the Privacy, Legal, Technology, Information Security and General Management domain have already been part of the FDPPI movement.

The journey has begun.. but there are many more milestones to cover in this local to global journey.

I invite all like minded professionals to join hands and expand this organization into a truly Indian originated global venture of Data Protection Professionals.

Naavi

FDPPI, Foundation of Data Protection Professionals in India (www.fdppi.in), a Section 8 company of the Data Protection Professionals, By the Data Protection Professionals and For the Data Protection Professionals is all set to continue its efforts in creating the NextGen Data Protection Professionals in India empowered with the knowledge of Indian Data Protection Law along with the key global laws.

Naavi and the 20 year old Cyber Law College which is a pioneer in Cyber Law education in India dedicate their support to the cause of supporting the FDPPI movement.

FDPPI successfully concluded its third certification program on Indian Data protection laws. Any enquiries for further training and certification of this module may be sent to us to enable further planning.

FDPPI is now gearing up for the next Certification of Module G which will commence from July 11th. We expect that the knowledge of some of the international data protection laws such as GDPR, CCPA, Singapore PDPA, DIFC DPL 2020 and HIPAA which will be covered in this module will help enhance the knowledge level of the Data Protection Professionals who will be certified by FDPPI.

FDPPI believes that every certification should be backed by an incremental knowledge accretion and hence training is made part of the certification program. At the same time by keeping the fees for training and certification afforadable, FDPPI wants to take the knowledge to a larger number of professionals many of whom may be entering the Privacy and Data Protection Professionals for the first time.

One such person commented for the earlier certification program

“Great content and the questions are of international standards. Thoroughly based on understanding and not on rote system. Spending time on the materials is the key.”

We may recall that one of the objectives of FDPPI is to bring together Legal Professionals, IT Professionals, and others who work in different capacities in the Data Protection domain on this platform so that there is a better understanding and harmony between these different types of professionals. To some extent this is getting reflected in the profile of people who are taking the Certification program.

In the same spirit the next Module on Global laws will create a reasonable knowledge of how different countries have approached the data protection regulation , their relative strengths, weaknesses, the commonalities and differences.

We hope that this knowledge along with Module I will make a powerful combination of knowledge that empowers the next generation of data protection professionals in India.

Cyber Law College which had earlier conducted certification programs on Cyber Laws for SriLanka, Malaysia and Mauritius in a sporadic manner based on requests,  will continue to open new avenues of training on global data protection laws and ensure.

Naavi

Referring to all the articles on PDPSI-GDPR, the framework if it can be called so is suggested as a methodology for data auditors to adopt for conducting data audits. Most of the data audits are management decisions and for an assurance that appropriate measures are in place for compliance.

The Standards and Certifications are not to give any false impression to the regulatory authorities that they are in compliance. While the CISO can satisfy the Board that the Certifications indicate everything is fine, the owners of any business are always vary of the risks that persist despite the certifications. Hence any methodology which is robust and provides a better assurance should be preferred rather than whether it is certified by any particular standard.

PDPSI is a framework for Personal Data Protection and as a Standard that emanates from India, it is applicable for compliance of PDPA as per its initial design. However the same framework as an extension such as PDPSI-GDPR can satisfy the BS10012 and its clone ISO27701. Similarly PDPSI-CCPA can satisfy the CCPA or PDPSI-SGPDPA can satisfy Singapore PDPA or PDPSI-DIFCDPL2020 can satisfy the Dubai data protection law of 2020 etc.

The “Pseudonymization Gateway”, the “Classification tagging of Personal Data”, “Distributed Responsibility Structure for data protection” and “Measurability of compliance maturity” are innovations which can add value to the audit process and the assurance to the management more than what the other standards can provide.

Cyber Law College/Naavi are willing to share more insights to auditors to adopt to this framework.

Naavi

Reference Articles:

What is Pseudonymization Gateway

Governance and Implementation Structure under PDPSI-GDPR

What is PDPSI-GDPR

PDPSI-GDPR the replacement for ISO27701

Also refer www.pdpsi.in