What is the Pseudonymization Gateway?

Continuing our introduction of the PDPSI methodology for compliance, and of PDPSI-GDPR as an alternative to ISO 27701 and BS 10012, it is necessary to highlight one of the implementation specifications that PDPSI considers worth trying.

This is the implementation of the "Pseudonymization Gateway", along with the Internal Data Controller who controls the gateway.

In many processing activities, the Data Processor receives a set of personal data, processes it into a value-added data set and returns it to the sender. In such cases the sender of the information is the Data Controller. But within the data processor's office several employees get access to the personal data, compliance responsibilities have to be managed across the enterprise and there is a corresponding risk of data leakage. In most processing the risk can be substantially reduced by a Pseudonymization Gateway which de-identifies the data to be processed, so that all processes run in de-identified mode. The final product of processing can be re-identified in the gateway before it is released to a customer who wants it back with identification. If the customer only wants the processed data without identity, it can be sent without re-identification.

In this process the identities are known only to the team managing the gateway, and the mapping table can be secured by strong encryption and proper access control. The rest of the organization is spared the rigors of handling identified data. The limit of this relief should be kept in mind: under GDPR (Article 4(5) and Recital 26), pseudonymized data that can be re-identified with the mapping table is still personal data, so the gateway shrinks the population that handles identities and the blast radius of a leak, but it does not remove the organization's obligations. Only data that is genuinely anonymized falls outside the law.
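As an added illustration, not code from PDPSI or from this article, the following Python sketch shows the gateway described above: direct identifiers are replaced by keyed tokens at the gateway, the processor's work runs on de-identified records, and the gateway re-identifies the result only for a customer who wants identities back. The field names, the sample records and the HMAC token scheme are assumptions of the example; the mapping table is held in gateway memory and its encryption at rest is not shown.

```python
"""Pseudonymization gateway: added example, standard library only.

Direct identifiers are swapped for keyed tokens before the data set leaves
the gateway and the token -> identity mapping never leaves it. Processing
sees only de-identified records; the gateway re-identifies the result for a
customer who wants identities back, or releases it as-is for one who does not.
"""
import hashlib
import hmac
import secrets
from typing import Any, Dict, List, Optional

# Which fields count as direct identifiers is an assumption of this example.
DIRECT_IDENTIFIERS = ("name", "email", "phone")

# Constructed sample input: what a Data Controller might send for processing.
SAMPLE_INPUT: List[Dict[str, Any]] = [
    {"name": "Asha Rao", "email": "asha@example.com", "city": "Bengaluru", "amount": 120},
    {"name": "Asha Rao", "email": "asha@example.com", "city": "Bengaluru", "amount": 80},
    {"name": "Ravi Kumar", "email": "ravi@example.com", "city": "Pune", "amount": 50},
]


class PseudonymizationGateway:
    """Holds the secret key and the token -> identity mapping table."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # Per-deployment secret; in production this belongs in a KMS or HSM.
        self._key = key if key is not None else secrets.token_bytes(32)
        # The mapping table the article says must be encrypted and tightly
        # controlled. Here it lives only in gateway memory; encrypting it at
        # rest is outside the example.
        self._mapping: Dict[str, Dict[str, Any]] = {}

    def _token(self, identity: Dict[str, Any]) -> str:
        # Keyed, deterministic token: the same subject always gets the same
        # pseudonym so processing can still group records per subject, but
        # without the key a token can be neither reversed nor recomputed
        # (an unkeyed hash of an e-mail address could simply be guessed).
        canonical = "\x1f".join(f"{k}={identity[k]}" for k in sorted(identity))
        digest = hmac.new(self._key, canonical.encode("utf-8"), hashlib.sha256)
        return digest.hexdigest()[:32]

    def pseudonymize(self, records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
        """Strip direct identifiers, attach a pseudonym, remember the mapping."""
        out = []
        for rec in records:
            identity = {k: rec[k] for k in DIRECT_IDENTIFIERS if k in rec}
            token = self._token(identity)
            self._mapping[token] = identity
            deid = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
            deid["pseudonym"] = token
            out.append(deid)
        return out

    def reidentify(self, records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
        """Put identities back; only this gateway's table can do so."""
        out = []
        for rec in records:
            identity = self._mapping.get(rec["pseudonym"])
            if identity is None:
                raise KeyError("unknown pseudonym: not issued by this gateway")
            merged = {k: v for k, v in rec.items() if k != "pseudonym"}
            merged.update(identity)
            out.append(merged)
        return out


def contains_direct_identifiers(records, originals) -> bool:
    """Control check: no original identifier value may appear in the
    de-identified data set handed to the rest of the organization."""
    sensitive = {str(r[k]) for r in originals for k in DIRECT_IDENTIFIERS if k in r}
    return any(str(v) in sensitive for r in records for v in r.values())


def value_added_processing(deid_records):
    """The processor's work, done entirely on de-identified records:
    total spend per pseudonym."""
    totals: Dict[str, int] = {}
    for rec in deid_records:
        totals[rec["pseudonym"]] = totals.get(rec["pseudonym"], 0) + rec["amount"]
    return [{"pseudonym": t, "total_spend": v} for t, v in sorted(totals.items())]


def run_pipeline(reidentify: bool = True, key: Optional[bytes] = None):
    """Controller -> gateway -> processing -> gateway -> customer."""
    gateway = PseudonymizationGateway(key)
    deid = gateway.pseudonymize(SAMPLE_INPUT)
    if contains_direct_identifiers(deid, SAMPLE_INPUT):
        raise RuntimeError("identifier leaked past the gateway")
    result = value_added_processing(deid)
    return gateway.reidentify(result) if reidentify else result


if __name__ == "__main__":
    for row in run_pipeline(reidentify=True):
        print(row)
```

Two design points worth noting. The token is a keyed HMAC rather than a plain hash, because an unkeyed hash of a low-entropy identifier such as an e-mail address can be reversed by guessing; with the key held only in the gateway, neither the processing team nor a leaked de-identified data set can be turned back into identities. The leak check before release is the control an auditor would want evidence of: it confirms that none of the identifier values crossed the gateway boundary.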

PDPSI is expected to recognize such technology processes for data protection, along with the methods used for storage, encryption, transmission etc., and assign a DTS (Data Trust Score) accordingly.

While the DTS score is a concept introduced in the Indian system, it can also be applied to PDPSI-GDPR, as it provides some measurability to compliance practices. It also gives the certification system the flexibility to distinguish one certified entity from another, instead of painting all certified entities with one brush and branding them "Certified".

The DTS system has been explained earlier (Refer here); auditors can either adopt the suggested system or develop their own, using it as guidance.

The measurability of compliance, with a score at the time of audit and the trend over time as recommended, would improve the system of certification as it exists now under ISO 27701 or BS 10012.

Other than the major points indicated in the preceding few articles, the auditor will examine the various controls implementing the different aspects of compliance envisaged in the regulations.

There is a tendency now for some professionals to take ISO 27701 as the base and map its controls to the different provisions of a law. Instead, it would be better to take the law as the basis and map the controls to it. In that case the number of headings to be monitored would be fewer.

The major heads under which compliance with a data protection law has to be verified are:

  1. Identification of the personal data at stake and the organization's role vis-à-vis the data supplier.
  2. Collection as per law, with appropriate consent, notice, lawful basis, legitimate basis etc.
  3. Storage, transmission, retention and deletion as per law.
  4. Supporting the rights of the Data Principal/Subject and grievance redressal.
  5. Governance structure.
  6. DPO appointment.
  7. Cross-border transfer.
  8. Vendor/Processor management.
  9. Security safeguards, along with the incident management system and risk assessment.
  10. Interaction with the regulator.
  11. Interaction with the data principal.
  12. Documentation.

I would urge audit professionals to work on this new approach and develop an indigenous Personal Data Management and Audit system.

Naavi

Reference Articles:

Governance and Implementation Structure under PDPSI-GDPR

What is PDPSI-GDPR

PDPSI-GDPR the replacement for ISO27701

Posted in Cyber Law

Governance and Implementation structure under PDPSI-GDPR

In continuation of our earlier articles explaining PDPSI-GDPR, which encompasses ISO 27701 and BS 10012, we shall now look at the first of the six fundamental requirements listed earlier for PDPSI, namely the implementation responsibility.

A) Define Implementation Responsibility unambiguously with top management involvement

B) Define the scope of implementation in terms of the laws that it needs to address

C) Incorporate measurability in the form of a Data Trust Score or its equivalent

D) Incorporate Privacy by design throughout the life cycle of personal information that the organization may encounter

E) Define the implementation charter signed off by the organization at the highest level

F) Incorporate an appropriate certification process to meet the annual and sub-annual requirements of Data Audit as required under the Indian laws

PDPSI suggests, as other frameworks do, that there be a Data Protection Committee (DPC) appointed by the Board, with at least one Board member on the committee, preferably an independent Director.

There will be a designated DPO or Data Protection Officer (or a compliance officer if DPO is not mandatory) who will be part of the DPC.

Beyond these two Governance roles, PDPSI differs from all other frameworks in identifying a “Distributed Model of Data Protection”.

What this model suggests, as an optional implementation specification, is that the organization should identify the "Data Gates" through which personal data enters, either as one full data set or as individual personal data elements.

In the simplest case there could be a web page with a form for submission of personal data after accepting the "Privacy Policy". The entire set of personal data then arrives in one bunch, and there will be one internal executive who receives it first in the company before passing it on to the different process owners. That person will be recognized as an "Internal Data Gate Keeper" and will be responsible for receiving the data and tagging it appropriately before releasing it to the rest of the processes. He has to identify which law applies, whether the data is that of an employee or not, whether it is sensitive or not, whether it belongs to a minor etc., add the appropriate tags before committing it to the internal database, and at the same time erase it from his own cache space.

Where the personal data arrives in unstructured form, the receiver has the responsibility of transferring it immediately to the appropriate person within the organization, where the information can be tagged, and of deleting the personal data at his end at the same time. To the extent that he controls the personal data as a receiver, and until he removes it as per the policy of the organization, he is responsible for data protection and hence is an "Internal Data Controller", just like the "Data Gate Keeper" who receives the web forms.

The receivers of personal data, by virtue of their activities as web master, HR executive etc., may be referred to as Subordinate Internal Data Controllers, as distinguished from the "Principal Internal Data Controller" who maintains the "Pseudonymization Gateway" which we shall discuss separately.

Thus the Governance model recommended under PDPSI incorporates the involvement of top management along with a distribution of responsibilities. The principle is that though externally the DPO holds the responsibility for data protection, internally every employee who has access to personal data is a subordinate internal data controller. Only those who handle de-identified or anonymized personal data escape the responsibility for personal data protection.

In this model, therefore, a Work From Home employee is the "Data Protection Manager" for whatever personal data he manages and has to apply all the precautions required to secure that data.

To the extent possible, it is the responsibility of the technical team to create an architecture in which personal data is centralized, so that portability and the right to be forgotten can be handled effectively, and to implement the pseudonymization aspects discussed in the following article.

PDPSI-GDPR will also adopt the above Governance structure, which is a step above what ISO 27701 or BS 10012 expect.

Naavi

Posted in Cyber Law

What is PDPSI-GDPR?

PDPSI was first developed for the purpose of compliance with PDPA. Hence it incorporated the following six fundamental principles/requirements.

    1. Define Implementation Responsibility unambiguously with top management involvement
    2. Define the scope of implementation in terms of the laws that it needs to address
    3. Incorporate measurability in the form of a Data Trust Score or its equivalent
    4. Incorporate Privacy by design throughout the life cycle of personal information that the organization may encounter
    5. Define the implementation charter signed off by the organization at the highest level
    6. Incorporate an appropriate certification process to meet the annual and sub-annual requirements of Data Audit as required under the Indian laws

The second fundamental requirement mentioned above is the one relevant for extending PDPSI to GDPR compliance, which we can identify as PDPSI-GDPR.

One of the suggested implementation parameters is “Classification” of personal data and tagging the personal data set with the “Applicable Data Protection Law”.

This principle means that we are not going to apply GDPR to protecting the personal data of Indian citizens in India, nor vice versa.

Each data protection law has a "Jurisdiction" and an "Objective to protect the Privacy of the citizens of its jurisdiction". Though laws claim "Extra-Territorial Jurisdiction" by binding Data Controllers/Fiduciaries/Processors irrespective of their location, the basic objective of the law remains protection of the citizens within the jurisdiction of the law-making body.

As a result, each personal data set has to be identified with the applicable law and protected as required therein.

Where an organization is a multinational body, registered in one country but operating in another and processing the personal data of citizens of countries other than the country of registration, the laws may overlap if they are not properly written by the law makers, or if the law makers arrogate to themselves the right to make law for a foreign country.

Indian law makers have been alert to this possibility. Being a country with the experience of colonial rulers who made laws such as "If an Indian King does not have an heir, the kingdom belongs to the foreign ruler", India incorporated a specific clause saying that it is prepared to exempt the processing in India of the personal data of foreign citizens from the blind application of Indian law.

Some foreign data protection laws do not have similar provisions and therefore leave implementing companies in doubt as to whether they should follow two laws simultaneously.

In order to provide a standard method of dealing with such situations, PDPSI suggests that Personal Data be classified with the "Applicable Law" as one of the parameters to be tagged.

The suggested implementation which is a technical measure is to tag the “Personal Data Set” with different tags as indicated below.

What this suggests is that in a formal database of personal data, a separate column is introduced to hold the above attributes. Once properly tagged, the personal data can be recalled into a specific bucket representing the compliance requirements applicable to that personal data set. Hence, when a Privacy Policy has to be displayed, a Consent form has to be obtained or a specific data subject's right has to be honoured, the "Applicable Law Tag" determines which privacy policy, consent form or right is to be made available to the specific data subject.

While the above applies to structured data, unstructured data is to be converted into structured data as soon as the personal data enters the custody of one of the employees of the organization. The role of such "Data Gatekeepers" is discussed in a subsequent article, but it is mentioned here that under PDPSI no personal data set is allowed to remain in unstructured form for long; it is converted into structured form with the relevant tags so that further compliance in the given context can be administered.

It is understood that the above method requires the technical architecture to be tweaked, but it is one of the suggested implementation specifications, which the organization may override with other methods if it deems fit. The efficacy of such technological controls for classification and identification of the applicable law will be a parameter that determines the DTS (Data Trust Score).

In the current context of PDPSI-GDPR, let us stop at the classification of an incoming personal data set as falling under GDPR for data protection, and not under PDPA, CCPA or any other law.

Beyond this classification step, PDPSI-GDPR merges with the requirements of data protection as also provided under ISO 27701 or BS 10012.

A few other innovations that PDPSI framework will bring in the PDPSI-GDPR extension will be discussed in further articles.

Naavi

Posted in Cyber Law

PDPSI-GDPR the replacement for ISO27701

PDPSI is the Personal Data Protection Standard of India developed by Cyber Law College as an open standard framework for Personal Data Protection particularly in compliance with the proposed Indian Personal Data Protection Act. Naavi has been explaining the different concepts of PDPSI through the articles in Naavi.org also collated at www.pdpsi.in.

Professionals working in the field of Information Security are used to the format of the ISO frameworks, and it is difficult to make them look at any new framework unless it is explained with reference to the ones they know. Hence it is necessary to explain the PDPSI framework with reference to ISO 27701 or its predecessor BS 10012. However, Naavi urges professionals to look at PDPSI independently, without being too clouded by their experience with the ISO frameworks.

PDPSI is meant to be an open standard document, unlike the mesh of proprietary standards used in the ISO framework. It is our belief that a "Standard" should be for the benefit of society and that such standards should ideally be open standards. Professionals can still earn from the standard in the form of implementation consultancy, since any standard requires interpretation by an expert and adaptation to a given context. This gives enough room for professional income generation without milking the standard itself for revenue.

Today we shall highlight the special feature of this framework that extends beyond PDPA compliance into the domain of GDPR compliance.

The PDPSI framework is built on the following five key boundary implementations: Classification, Distributed Responsibilities, Development of the PIMS culture, Policy documents and Technical controls.

Most professionals who look at ISO 27001 try to map its controls to GDPR, and the frequent question we receive from information security professionals is "If I certify for ISO 27701, will I be considered certified for GDPR?".

A similar question has been raised in India regarding ITA 2008 compliance with reference to ISO 27001. It is history now that Naavi vehemently opposed the MeitY, when it was working under Kapil Sibal, giving the impression that being ISO 27001 certified is deemed compliance with Section 43A. The department gave a vague answer as follows:

This was in reference to the rules under Section 43A notified on 11th April 2011 (Refer details here)

Despite the clarification, the MeitY has done nothing to dispel the general impression in the community that being ISO 27001 certified is deemed compliance under ITA 2000/8. The ISO organization (which is not a Government body) made full use of the misconception in marketing its certification in India.

Now there is a new attempt on the international scene to project certification under ISO 27701 as deemed compliance with GDPR. In future this argument may be extended to "Deemed Compliance under PDPA", and hence it has to be flagged here and now.

It is important for professionals to realize that ISO standards are industry best-practice standards and, though they go a long way towards meeting the requirements of the law, compliance with a data protection law is independent of certification under an industry standard.

The same principle applies to PDPSI when it is used as a means of compliance with PDPA or any other law. Irrespective of the framework used, the data protection authority has the right to ask for a separate "Data Audit", "Data Breach Audit", "Harm Audit" or "Data Protection Impact Assessment" and to ignore the certifications.

Hence let us first make a categorical statement: being certified under ISO 27701 (or under the PDPSI-GDPR discussed here) is not to be considered "Deemed Compliance" with GDPR.

We shall proceed to discuss what PDPSI-GDPR is in the next article.

Naavi

Posted in Cyber Law

DPO under the new DIFC Data Protection Law of Dubai

Compliance with the DIFC Data Protection Law 2020 is administered by the "Commissioner" of Data Protection, who is the regulatory authority for the data protection regulation. The home page of the regulator is here.

Unlike the Indian DPA, which will be a 7-member body, the Dubai regulator consists of one person, the "Commissioner", appointed in consultation with the DIFCA Board of Directors; he shall be a person who is appropriately experienced and qualified. The appointment is contractual for a period of 5 years, and the upper age limit for the Commissioner is 75 years, as against 65 years in India.

The DIFC DPL 2020 does, however, permit the delegation of powers and the establishment of an advisory committee with its own chairman and secretariat.

The Commissioner may establish codes of practice and certification schemes.

One of the major changes the new version of the Dubai law brings in is the provision for appointment of a Data Protection Officer. According to Article 16, a Controller or a Processor "may elect" to appoint a DPO.

However, DIFC bodies other than the Courts, and Controllers or Processors performing "High Risk Processing" on a systematic or regular basis, must appoint a DPO. For others the appointment of a DPO is optional, but the Commissioner has the right to direct an entity to appoint a DPO if it finds this necessary. Even where a DPO is not designated, the entity should still designate a person with responsibility for compliance.

As under GDPR, the DPO may be an internal employee or an external person engaged under contract.

The DPO must reside in Dubai unless he is a common DPO for the group entity.

The details of the DPO must be made public.

One of the responsibilities of the DPO is submission of an annual report to the Commissioner, similar to the "Annual Data Audit" in the Indian PDPA. The DPO will also be responsible for overseeing the DPIA as and when one is undertaken.

As regards the role and tasks of the DPO, the law states that the DPO shall be provided with sufficient resources to carry out his duties and freedom to act independently and without conflict.

The DPO, besides being the contact person for the Data Subject, is expected to monitor the compliance activities in the organization, inform and advise the organization and its employees, cooperate with the Commissioner, be the point of contact for the Commissioner, etc.

It is noted that the law specifies that the DPO shall be able to advise the entity not only on the Dubai data protection law but also on other relevant laws to which the organization may be subject, "including where the organisation is subject to overseas provisions with extra-territorial effect".

Overall, the passage of the new law adds to the responsibilities of all organisations that have a presence in Dubai. Some of them may be “Controllers” or “Joint Controllers” and they need to take suitable steps for compliance.

Naavi

Reference articles:

The New Dubai Data Protection law stresses on Compliance Accountability

The New Dubai Data Protection Law is Bigger, Better and Will bite harder
Dubai Data Protection Law

Posted in Cyber Law

The New Dubai Data Protection law stresses on Compliance Accountability

The new Dubai Data Protection law, in comparison with the 2007 version, places a lot more emphasis on compliance.

Legitimate Interest

Article 8 of the old law and Article 9 of the current law speak of the General Requirements. It may be observed that most of the requirements of the 2007 law have been carried over to the 2020 law, with the addition of "Transparency".

Additionally, "Lawfulness" has been separately expanded in Article 10, and Accountability and Notification are separately explained under Article 14 (2020). Six bases have been identified under "Lawfulness", and any one of them is considered sufficient. This follows the GDPR model and includes

a) Consent

b) Necessity for performance of a contract in which the Data Subject is a party

c) Necessity for compliance of an applicable law that a “controller is subject to”

d) Necessity for protecting the vital interests of a data subject or of any natural person

e) Necessity for the functioning of DIFC

f) Legitimate interest

The 2020 law also adds genetic and biometric data to the list of special categories defined in the earlier version, which require "Explicit Consent".

Consent and Notice have been elaborately covered along with Accountability. The onus of proving that Consent has been obtained lies on the Data Controller.

Article 10(1)(f) states that one of the lawful bases on which personal data can be processed is where

"Processing is necessary for the purpose of legitimate interests pursued by a Controller or a Third Party to whom the Personal Data has been made available, subject to Article 13, except where such interests are overridden by the interests or rights of a Data Subject."

Article 13, on the other hand, states:

(1) A public authority subject to DIFC law may not rely on the basis of legitimate interests under Article 10(1)(f) to Process Personal Data.

(2) A Controller that is part of a Group may have a legitimate interest in transferring Personal Data within its Group for internal administrative purposes.

(3) Processing of Personal Data shall be considered a legitimate interest of a Controller if it is necessary and proportionate to prevent fraud or ensure network and information security.

In terms of compliance, therefore, a Data Controller should always look for "Consent" first and, when in doubt, bring the processing under the legitimate interest basis, preferably supported by appropriate internal documentation.

Accountability

One of the areas of emphasis in the new version of the law is the Accountability of the Data Controller. The Controller needs to establish data protection by design and by default, taking into account a risk assessment and establishing a compliance program. The law repeatedly emphasizes "Proportionality" of data collection to the purpose of collection.

Article 14(7) states

“A Controller or Processor shall register with the Commissioner by filing a notification of Processing operations, which shall be kept up to date through amended notifications.”

Article 14(8) also states that the above notification shall be kept in a publicly available register maintained by the Commissioner.

This provision has a similarity to the Indian provision of a "Privacy by design policy" being filed with the DPA, and is a significant change to be noted.

(To Be continued…)

Naavi

Earlier Articles

The New Dubai Data Protection Law is Bigger, Better and Will bite harder
Dubai Data Protection Law

Posted in Cyber Law