FDPPI Goes Global

FDPPI, Foundation of Data Protection Professionals in India, was started in September 2018 to be an organization of the Data Protection Professionals, by the Data Protection Professionals and for the Data Protection Professionals. Since India was intending to come out with a specific data protection law at that time, there was a felt need to create an adequate appreciation of Privacy Rights and of the role of a data protection professional in the Data Protection Ecosystem in India.

FDPPI stepped in to fill the void and lead the Data Protection Ecosystem in India with a clear focus on the Indian requirements. Though there were some other agencies with similar thinking, it was felt that there was a need to build a new entity by the professional community themselves.

Encouraged by a few like-minded individuals, a core group of professionals set up FDPPI as a Section 8 Company (not for profit) with a “Limited By Guarantee” structure, to align it with the accepted one-member-one-vote structure of a society.

Over the last two years, FDPPI has grown into an organization which has made substantial progress in educating the community on Indian Data Protection regulation as it exists today and as it is emerging for the future. In association with Naavi’s 20-year-old Cyber Law College, FDPPI rolled out its certification programs in December 2019 with the first Certification titled “Certified Data Protection Professional-Module I” (CDPP-M I) covering the Indian laws. But the goals were set higher: to create an empowered community of “Certified Expert Data Protection Professionals” (CEDPP) with a legal knowledge base covering Indian and global data protection laws, data protection technology and data audit skills, along with an enhancement of the behavioural skills required for Data Security Governance.

This enhanced vision of FDPPI to expand beyond the shores of India in terms of knowledge has gained significant momentum today with the opening of its doors to membership from outside India and also the launch of the next Certification module on Global data protection laws covering GDPR, CCPA, Singapore PDPA, HIPAA and Dubai DPL 2020. The certification training is set to commence from July 11th, 2020 and will lead to the title of “Certified Data Protection Professional-Module G”.

This is the second significant step for a professional to become a Certified Expert Data Protection Professional with a reasonable skill set of Legal knowledge supported by necessary technical, audit and behavioural skills to be a good Data Protection professional the community would be proud of.

FDPPI has placed emphasis on creating Ethical set of professionals empowered with the knowledge and skills and believes in Certification as a pointer to knowledge enhancement. Hence every module of FDPPI certification is associated with a mandatory training program to open the eyes of the professionals to a new area of their skill requirement.

India is yet to complete the formality of enacting the new Personal Data Protection Act (PDPA), but by an innovative legislative framework the currently available Information Technology Act 2000 (ITA 2000) is functioning as the shadow of the proposed PDPA through the interpretation of “Due Diligence” and “Reasonable Security Practice” already enshrined in ITA 2000, of which the forthcoming PDPA is the extension.

In a way, PDPA India has become effective even before its passage as an Act and born out of the womb of ITA 2000 in the form of “Due Diligence”. This has been unique to India.

Several senior Corporate Professionals in the Privacy, Legal, Technology, Information Security and General Management domain have already been part of the FDPPI movement.

The journey has begun, but there are many more milestones to cover in this local-to-global journey.

I invite all like-minded professionals to join hands and expand this organization into a truly Indian-originated global venture of Data Protection Professionals.

Naavi

NextGEN Data Protection Professionals in India created by FDPPI

FDPPI, Foundation of Data Protection Professionals in India (www.fdppi.in), a Section 8 company of the Data Protection Professionals, by the Data Protection Professionals and for the Data Protection Professionals, is all set to continue its efforts in creating the NextGen Data Protection Professionals in India, empowered with the knowledge of Indian Data Protection Law along with the key global laws.

Naavi and the 20-year-old Cyber Law College, a pioneer in Cyber Law education in India, dedicate their support to the cause of the FDPPI movement.

FDPPI successfully concluded its third certification program on Indian Data protection laws. Any enquiries for further training and certification of this module may be sent to us to enable further planning.

FDPPI is now gearing up for the next Certification of Module G which will commence from July 11th. We expect that the knowledge of some of the international data protection laws such as GDPR, CCPA, Singapore PDPA, DIFC DPL 2020 and HIPAA which will be covered in this module will help enhance the knowledge level of the Data Protection Professionals who will be certified by FDPPI.

FDPPI believes that every certification should be backed by an incremental accretion of knowledge, and hence training is made part of the certification program. At the same time, by keeping the fees for training and certification affordable, FDPPI wants to take the knowledge to a larger number of professionals, many of whom may be entering the Privacy and Data Protection profession for the first time.

One such person commented on the earlier certification program:

“Great content and the questions are of international standards. Thoroughly based on understanding and not on rote system. Spending time on the materials is the key.”

We may recall that one of the objectives of FDPPI is to bring together Legal Professionals, IT Professionals, and others who work in different capacities in the Data Protection domain on this platform so that there is a better understanding and harmony between these different types of professionals. To some extent this is getting reflected in the profile of people who are taking the Certification program.

In the same spirit, the next Module on Global laws will create a reasonable knowledge of how different countries have approached data protection regulation, their relative strengths and weaknesses, and their commonalities and differences.

We hope that this knowledge along with Module I will make a powerful combination of knowledge that empowers the next generation of data protection professionals in India.

Cyber Law College, which had earlier conducted certification programs on Cyber Laws for Sri Lanka, Malaysia and Mauritius in a sporadic manner based on requests, will continue to open new avenues of training on global data protection laws and ensure.

Naavi

Summarizing PDPSI-GDPR

Referring to all the articles on PDPSI-GDPR, the framework, if it can be called so, is suggested as a methodology for data auditors to adopt for conducting data audits. Most data audits are management decisions, undertaken for an assurance that appropriate measures are in place for compliance.

The Standards and Certifications are not meant to give any false impression to the regulatory authorities that an organization is in compliance. While the CISO can satisfy the Board that the Certifications indicate everything is fine, the owners of any business are always wary of the risks that persist despite the certifications. Hence any methodology which is robust and provides a better assurance should be preferred, rather than asking whether it is certified by any particular standard.

PDPSI is a framework for Personal Data Protection and, as a Standard that emanates from India, it is applicable to compliance with PDPA as per its initial design. However, the same framework, through an extension such as PDPSI-GDPR, can satisfy BS10012 and its clone ISO27701. Similarly PDPSI-CCPA can satisfy the CCPA, PDPSI-SGPDPA can satisfy the Singapore PDPA, PDPSI-DIFCDPL2020 can satisfy the Dubai data protection law of 2020, etc.

The “Pseudonymization Gateway”, the “Classification tagging of Personal Data”, “Distributed Responsibility Structure for data protection” and “Measurability of compliance maturity” are innovations which can add value to the audit process and the assurance to the management more than what the other standards can provide.

Cyber Law College/Naavi are willing to share more insights with auditors who adopt this framework.

Naavi

Reference Articles:

What is Pseudonymization Gateway

Governance and Implementation Structure under PDPSI-GDPR

What is PDPSI-GDPR

PDPSI-GDPR the replacement for ISO27701

Also refer www.pdpsi.in

What is the Pseudonymization Gateway?

Continuing our introduction of the PDPSI methodology for compliance and PDPSI-GDPR as a substitute to ISO27701 and BS10012, it is necessary to highlight one of the implementation specifications that PDPSI considers worth trying.

This is the implementation of the “Pseudonymization Gateway” along with the Internal Data Controller who controls the Pseudonymization gateway.

In many processing activities, the Data Processor receives a set of personal data which is processed, converted into a value-added data set and returned to the sender. In such circumstances the sender of the information is the Data Controller who sends the data to the data processor. But within the data processor’s office, several employees get access to the personal data, and compliance responsibilities have to be managed across the enterprise with a corresponding risk of data leakage. In most processing the risk can be substantially reduced by using a Pseudonymization gateway which de-identifies the data to be processed and runs all the processes in the de-identified mode. The final product of processing can be re-identified in the gateway before it is released to the customer who may want it back with identification. If the customer only wants the processed data without identity, then the processed data can be sent without re-identification.

In this process the identity of the data is known only to the team managing the gateway and the mapping table can be secured by a strong encryption and proper control. The rest of the organization is spared from the rigors of compliance.
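The gateway described above, as an added illustration (not code from PDPSI or the article): only the gateway object holds the pseudonym-to-identity mapping, the value-adding process sees de-identified records only, and re-identification happens inside the gateway and only when the customer asked for it. Record fields, names and values are constructed; the assumption that the mapping table is encrypted at rest is noted in a comment rather than implemented.

```python
import secrets
from typing import Dict, List

# Constructed sample input: what a Data Controller might hand to a processor.
IDENTITY_FIELDS = ("name", "email", "phone")
INCOMING_RECORDS = [
    {"name": "Asha Rao", "email": "asha@example.com",
     "phone": "+91-9000000001", "purchases": [1200, 800, 450]},
    {"name": "Ravi Kumar", "email": "ravi@example.com",
     "phone": "+91-9000000002", "purchases": [300, 300]},
]


def contains_identity(records: List[dict]) -> bool:
    """True if any record still carries a direct identifier."""
    return any(f in rec for rec in records for f in IDENTITY_FIELDS)


class PseudonymizationGateway:
    """Holds the only copy of the pseudonym -> identity mapping table.

    Everything outside the gateway sees the pseudonym and the payload only.
    Assumption: in a real deployment the mapping is stored encrypted and
    restricted to the gateway team; here it is a private in-memory dict.
    """

    def __init__(self) -> None:
        self._mapping: Dict[str, Dict[str, str]] = {}

    def deidentify(self, records: List[dict]) -> List[dict]:
        out = []
        for rec in records:
            token = secrets.token_hex(16)  # random, so tokens are not linkable
            self._mapping[token] = {f: rec[f] for f in IDENTITY_FIELDS}
            payload = {k: v for k, v in rec.items() if k not in IDENTITY_FIELDS}
            out.append({"pseudonym": token, **payload})
        return out

    def reidentify(self, records: List[dict]) -> List[dict]:
        out = []
        for rec in records:
            identity = self._mapping[rec["pseudonym"]]  # KeyError on unknown token
            payload = {k: v for k, v in rec.items() if k != "pseudonym"}
            out.append({**identity, **payload})
        return out


def compute_spend(deid_records: List[dict]) -> List[dict]:
    """The value-adding process; it runs only on de-identified data."""
    return [{"pseudonym": r["pseudonym"], "total_spend": sum(r["purchases"])}
            for r in deid_records]


def run_pipeline(records: List[dict], return_identified: bool) -> List[dict]:
    gateway = PseudonymizationGateway()
    deid = gateway.deidentify(records)
    if contains_identity(deid):
        raise RuntimeError("identity field leaked past the gateway")
    result = compute_spend(deid)
    if contains_identity(result):
        raise RuntimeError("process re-introduced identity fields")
    # Re-identification happens only inside the gateway, and only if the
    # customer asked for the identified result.
    return gateway.reidentify(result) if return_identified else result
```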

PDPSI is expected to recognize such technology processes for data protection along with the methods used for storage, encryption, transmission etc and accord DTS score.

While DTS score is a concept introduced in the Indian system, it can also be applied to PDPSI-GDPR as it provides some kind of measurability to the compliance practices. This will also provide a flexibility to the Certification system that instead of painting all certified entities with one brush and branding them “Certified”, it can distinguish one certified entity from another.

The DTS system has been explained earlier (refer here) and auditors can either adopt the suggested system or develop their own systems using it as guidance.

The measurability of compliance with a score for the time of audit and the trend as recommended would improve the system of certification as it exists now under ISO 27701 or BS 10012.

Other than the major points indicated in the preceding few articles, the auditor will examine the various controls for implementation of different aspects of compliance as envisaged in the regulations.

There is a tendency now for some professionals to take the ISO 27701 as the base and map its controls to the different provisions of a law. Instead, it would be better if we take the law as the basis and map the different controls. In such case, the number of headings to be monitored would be less.

The major heads under which a data protection law has to be verified for compliance are:

  1. Identification of stakeholding data and the roles of the organization vis-à-vis the data supplier.
  2. Collection as per law with appropriate consent, notice, lawful basis, legitimate basis etc.
  3. Storage, Transmission, retention and deletion as per law
  4. Supporting the Rights of the Data Principal/subject and the grievance redressal
  5. Governance Structure
  6. DPO appointment
  7. Cross border transfer
  8. Vendor/Processor management
  9. Security safeguards along with incident management system and risk assessment
  10. Interaction with the regulator
  11. Interaction with the data principal
  12. Documentation

I would urge audit professionals to work on this new approach and develop an indigenous Personal Data Management and Audit system.

Naavi

Reference Articles:

Governance and Implementation Structure under PDPSI-GDPR

What is PDPSI-GDPR

PDPSI-GDPR the replacement for ISO27701

Governance and Implementation structure under PDPSI-GDPR

In continuation of our earlier articles explaining the PDPSI-GDPR that encompasses the ISO 27701 and BS10012, we shall now look at the first of the six fundamental requirements listed earlier for PDPSI namely the implementation responsibility.

A) Define Implementation Responsibility unambiguously with top management involvement

B) Define the scope of implementation in terms of the laws that it needs to address

C) Incorporate measurability in the form of a Data Trust Score or its equivalent

D) Incorporate Privacy by design throughout the life cycle of personal information that the organization may encounter

E) Define the implementation charter, signed off by the organization at the highest level

F) Incorporate an appropriate certification process to meet the annual and sub-annual requirements of Data Audit as required under the Indian laws

PDPSI suggests as in other frameworks that there would be a Data Protection Committee (DPC) appointed by the Board which will have at least one of the Board Members as part of the committee, preferably the independent Director.

There will be a designated DPO or Data Protection Officer (or a compliance officer if DPO is not mandatory) who will be part of the DPC.

Beyond these two Governance roles, PDPSI differs from all other frameworks in identifying a “Distributed Model of Data Protection”.

What this model suggests as an optional implementation specification is that the organization should identify the “Data Gates” in the organization through which personal data comes in either in one full set or in individual personal data elements.

In the simplest sense there could be a web page with a form for submission of personal data after accepting the “Privacy Policy”. In such a case the entire set of personal data comes in one bunch, and there will be one internal executive who receives it first in the company before transferring it to different process owners. That person will be recognized as an “Internal Data Gate Keeper” and will be responsible for receiving it and tagging it appropriately before releasing it to the rest of the processes. He has to identify which law is applicable, whether it is the data of an employee or not, whether it is sensitive or not, whether it belongs to a minor, etc., and add the appropriate tag before committing it to the internal database, simultaneously erasing it from his cache space.

Where the personal data comes in an unstructured form the receiver will have the responsibility of transferring it immediately to the appropriate person within the organization where the information tagging can be made and at the same time deleting the personal data at his end. To the extent that he has the control of the personal data as a receiver and until he removes it as per the policy of the organization, he would be responsible for data protection and hence he would be an “Internal Data Controller” just like the “Data Gate keeper” who receives the web forms.

The receivers of personal data, by virtue of their activities as either the web master or HR executive etc., may be referred to as Subordinate Internal Data Controllers, as distinguished from the “Principal Internal Data Controller” who maintains a “Pseudonymization Gateway”, which we shall discuss separately.

Thus the Governance model recommended under PDPSI incorporates the involvement of the top management along with a distribution of responsibilities. The principle here is that though externally the DPO holds the responsibilities for data protection, internally every employee who has access to personal data will be a subordinate internal data controller. Only those who handle de-identified or anonymized personal data escape the responsibility for personal data protection.

In this model therefore a Work From Home employee is the “Data Protection Manager” for whatever personal data he manages and he has to apply all precautions to secure the data as required.

To the extent possible, it is the responsibility of the technical team to create an architecture where personal data is centralized so that portability and right to forget can be effectively handled as well as implement the Pseudonymization aspects that are discussed in the following article.

The PDPSI-GDPR will also adopt the above Governance structure which is a step above what ISO 27701 or BS 10012 may expect.

Naavi

What is PDPSI-GDPR?

PDPSI was first developed for the purpose of compliance of PDPA. Hence it incorporated the following Six fundamental principles/requirements.

    1. Define Implementation Responsibility unambiguously with top management involvement
    2. Define the scope of implementation in terms of the laws that it needs to address
    3. Incorporate measurability in the form of a Data Trust Score or its equivalent
    4. Incorporate Privacy by design throughout the life cycle of personal information that the organization may encounter
    5. Define the implementation charter, signed off by the organization at the highest level
    6. Incorporate an appropriate certification process to meet the annual and sub-annual requirements of Data Audit as required under the Indian laws

The second fundamental requirement mentioned above is relevant for us to extend PDPSI to GDPR compliance, which we can identify as PDPSI-GDPR.

One of the suggested implementation parameters is “Classification” of personal data and tagging the personal data set with the “Applicable Data Protection Law”.

This principle means that we are not going to apply GDPR to protecting the personal data of Indian citizens in India, nor vice versa.

Each data protection law has a “Jurisdiction” and an “Objective to protect the Privacy of the citizens of that jurisdiction”. Though there are “Extra Territorial Jurisdiction” provisions that bind Data Controllers/Fiduciaries/Processors irrespective of their location, the basic objective of the law remains protection of the citizens within the jurisdiction of the law-making body.

As a result, each personal data set has to be identified with the applicable law and protected as required therein.

In cases where an organization is a multinational body, registered in one country but operating in another, processing the personal data of citizens of countries other than the country where the company is registered, there is a possibility of an overlap of the laws if the laws are not properly written by the law makers or the law makers arrogate to themselves the right to make a law for a foreign country.

Indian law makers have been alert to this possibility and, being a country with the experience of colonial rulers who made laws such as “If an Indian King does not have an heir the kingdom belongs to the foreign ruler”, incorporated a specific clause to say that we are prepared to exempt the processing of the personal data of foreign citizens in India from the blind application of Indian law.

Some of the foreign data protection laws have not had similar provisions and therefore put the implementing companies in doubt as to whether they should follow two laws simultaneously.

In order to provide a standard method of dealing with such situations, PDPSI suggests that Personal Data shall be classified with the “Applicable Law” as a parameter to be tagged.

The suggested implementation which is a technical measure is to tag the “Personal Data Set” with different tags as indicated below.

What this suggests is that in a formal database of personal data, a separate column is introduced to add the above attributes. Once properly tagged, the personal data can be recalled into a specific bucket representing the compliance requirements applicable to that personal data set. Hence, if a Privacy Policy has to be displayed, a Consent form has to be obtained or a specific data subject’s right has to be identified etc., the “Applicable Law Tag” will determine which privacy policy, consent form or right is to be made available to the specific data subject.

While the above applies to structured data, unstructured data will be converted into structured data as soon as the personal data enters the custody of one of the employees of the organization. The role of such “Data Gatekeepers” is discussed in a subsequent article, but it is mentioned here that under PDPSI no personal data set is allowed to remain in unstructured form for long; it is converted into a structured form with the relevant tags so that further compliance in the given context can be administered.
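The Gate Keeper tagging step described in the earlier Governance article (applicable law, employee or not, sensitive or not, minor or not) and the “Applicable Law Tag” bucket lookup described above, as one added illustration that is not PDPSI's own code: a record cannot be committed untagged, the residence-to-law rule, the bucket contents, the sensitive-field names and the age threshold of 18 are all constructed assumptions for this example, and the sample records are constructed.

```python
from datetime import date
from typing import List

# Assumed rule: the data subject's country of residence decides the law.
# Law names and file names are placeholders for this example.
LAW_BY_RESIDENCE = {
    "IN": "PDPA-India", "DE": "GDPR", "FR": "GDPR", "US-CA": "CCPA",
    "SG": "PDPA-Singapore", "AE-DIFC": "DIFC-DPL-2020",
}
# The compliance bucket that each Applicable Law Tag selects at the point of use.
COMPLIANCE_BUCKET = {
    "GDPR": {"policy": "privacy-gdpr.html", "consent": "consent-gdpr",
             "rights": ["access", "rectification", "erasure", "portability"]},
    "PDPA-India": {"policy": "privacy-in.html", "consent": "consent-in",
                   "rights": ["confirmation", "correction", "portability", "forgotten"]},
    "CCPA": {"policy": "privacy-ca.html", "consent": "opt-out-ca",
             "rights": ["know", "delete", "opt-out"]},
    "PDPA-Singapore": {"policy": "privacy-sg.html", "consent": "consent-sg",
                       "rights": ["access", "correction"]},
    "DIFC-DPL-2020": {"policy": "privacy-difc.html", "consent": "consent-difc",
                      "rights": ["access", "rectification", "erasure", "portability"]},
}
SENSITIVE_KEYS = {"health", "biometric", "financial", "caste", "religion"}
MINOR_AGE = 18  # assumed threshold; each law sets its own


def classify(record: dict, today: date) -> dict:
    """Gate Keeper step: attach the tags, refuse records whose law is unknown."""
    law = LAW_BY_RESIDENCE.get(record.get("residence"))
    if law is None:
        raise ValueError(f"cannot determine applicable law for {record.get('residence')!r}")
    dob = date.fromisoformat(record["dob"])
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    tags = {
        "applicable_law": law,
        "is_employee": record.get("relationship") == "employee",
        "is_sensitive": bool(SENSITIVE_KEYS.intersection(record)),
        "is_minor": age < MINOR_AGE,
    }
    return {**record, "tags": tags}


def bucket_for(record: dict) -> dict:
    """Return the policy, consent form and rights that the tag dictates."""
    return COMPLIANCE_BUCKET[record["tags"]["applicable_law"]]


def commit(database: List[dict], record: dict) -> None:
    """Only tagged records may enter the internal database."""
    if "tags" not in record:
        raise ValueError("untagged personal data must not enter the database")
    database.append(record)


def recall_by_law(database: List[dict], law: str) -> List[dict]:
    """Pull the bucket of records governed by one law."""
    return [r for r in database if r["tags"]["applicable_law"] == law]
```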

It is understood that the above method requires the technical architecture to be tweaked, but it is one of the suggested implementation specifications, which can be overridden by other methods if the organization deems fit. The efficacy of such technological controls for classification and identification of the applicable law will be a parameter that determines the DTS (Data Trust Score).

In the current context of PDPSI-GDPR let us stop at the classification of incoming personal data set as belonging to the application of GDPR for data protection and not PDPA or CCPA or any other law.

Beyond this classification step, PDPSI-GDPR will merge with the requirements of data protection as provided also under ISO 27701 or BS 10012.

A few other innovations that PDPSI framework will bring in the PDPSI-GDPR extension will be discussed in further articles.

Naavi