The Dangers of allowing Guest Posts

Naavi.org has believed in knowledge dissemination and throughout its 20 years of existence has tried to spread knowledge freely. In the process, when somebody wants to publish an article of their own on Naavi.org, I have obliged if the content is of relevance to the audience who frequent Naavi.org. When such content is published, Naavi.org would be an “Intermediary” and would be liable as per the provisions of ITA 2000/8, and would also be able to claim the benefit of exemption from liability under Section 79 of ITA 2000/8.

But sometimes people may misuse the facility of allowing guest posts.

One such occasion arose recently, when I received a request from a person named Badal Patel from myadvo.in. The article was titled “GDPR Compliance Checklist for Indian Companies”.

On February 29, 2020, I received an email as follows:

Hi,

I would love to provide a guest contribution to your blog. I’m also open to any of your ideas as well.

Anytime I guest post on a prominent blog like yours I always make sure to do 1200+ words, with images and data to back up any points I make.

I promise there will be no fluff, just actionable advice.

Let me know what you think. I’m excited to hear back from you.

Keep Up The Good Work.

Best Regards
Badal

The sender was identified as

Badal Patel
Digital Marketing Executive
+917307390190
Plot No. 80, 4th Floor, Sector 44, Gurugram, Haryana – 122003, India
Since the article was of interest to the audience of Naavi.org, it was published on March 15, 2020 as a “Guest Post” under the title “GDPR Compliance Checklist for Indian Companies”.

Very recently, on June 29, I received an email from Ms Jissy Joy, a student of the National University of Advanced Legal Studies, Kochi, stating that the said article was actually written by her and given to Myadvo.in for publication. Jissy wanted the article to be taken down as it was a copyright infringement.

As an intermediary, Naavi.org sent a notice to Ms Badal but did not receive any reply or explanation. Though the article could now be taken down, it appeared that better justice would be done to Ms Jissy if the article remained under publication with a note that a copyright infringement notice has been received.

Accordingly the following note was appended to the article:

[This guest post was published at the request of badal@myadvo.in. An objection has been received on 29th June 2020 stating that the article was originally written by Ms Jissy Joy for publication in myadvo.in and there is a copyright infringement. A request has been sent to Ms Badal Patel for confirmation for taking down the article. If no counter objection is received from Ms Badal Patel within a reasonable time, this article will be taken down…. Naavi..29th June 2020]

Now, whoever reads the article will give credit to Jissy and understand that she might have been wronged. I thought this would be a better relief to Jissy than merely taking down the article and letting Badal enjoy the benefits of publication of this article between March and June.

I had advocated such a measure for disputed publications on the internet (refer “Respond? or React? An E-Governance Dilemma”) on how to counter rogue websites.

Since I have not so far received any counter from Badal or Myadvo.in, I thought that this incident needs to be highlighted, both for the benefit of Jissy and to advocate a strategy for addressing such issues.

By keeping the article with the said note, it is felt that the beneficial use of the infringement has been prevented.

I would like to have comments from others on this method of countering plagiarism.
Naavi
Posted in Cyber Law | Leave a comment

“National Self Reliance in Data Protection Certifications, Implementation and Audits”..FDPPI

The much awaited Module G program of the Foundation of Data Protection Professionals in India or FDPPI (www.fdppi.in), which will provide training on many relevant Data Protection Laws of the world including GDPR, CCPA, Singapore PDPA, DIFC Data Protection law and HIPAA, will commence today (11th July 2020) at 4.00 pm IST.

The sessions will be online for 90 minutes each on Saturdays and Sundays, starting from today up to August 23.

This is a significant step FDPPI has taken in preparing the Indian Data Protection Community to be aware of the multiple Data Protection laws to which organisations in India are exposed.

So far, Indian professionals had to opt for expensive global certification programs, and even in such programs the learnings were often limited to one specific law such as GDPR. FDPPI recognizes that the life of a DPO in an Indian company is different from that of the DPOs in other countries. Most Indian companies handle personal data of different companies, and it would be inappropriate if they apply “GDPR knowledge” alone as if every other law is covered by GDPR compliance.

FDPPI’s course is therefore structured to provide a reasonable overview of multiple data protection laws and give the student an opportunity to develop a discerning view on these different laws.

FDPPI has already covered the Indian law separately in one full module of over 14 hours of online training leading to certification of Module-I. Now this module, called Module G, will cover over 18 hours of online training and cover GDPR in fair detail and then the other laws to the extent feasible.

These certifications are two modules of the “Certified Expert Data Protection Professional” program developed by FDPPI. This Certification is still available for interested persons under the E Education initiative of Naavi/Cyber Law College.

While individual certificates such as “Certified Data Protection Professional (Module-G)” will be issued to those participants who register for the Course along with the Certification exam from FDPPI (Total Cost Rs 18000), those who have opted only for the training and not for taking the certification exam (Total Cost Rs 6000/-) will receive a participation certificate from the training partner, Cyber Law College.

This Certification program as well as the PDPSI framework of implementation of data protection regulation are two significant “Atma Nirbhar Bharat” initiatives taken by FDPPI in the field of Data Protection.

The objective of these programs is to establish “National Self Reliance in Data Protection Certifications, Implementation and Audits”.

Those who have missed the registration and want to catch up before this afternoon, when the program starts, may peruse the Prospectus and make payment through the following link to join the program.

REGISTRATION CLOSED

Naavi


Data Governance Regulator may be designated by the Kris Gopalakrishna committee

According to a report in Business Standard, the Kris Gopalakrishna Committee has submitted its report on “Data Governance” to the Government. One of the recommended regulations that has been leaked appears to be the setting up of a new regulator, which perhaps may be called the Data Governance Authority (DGA).

It would be interesting to see how the functions of the DGA would be defined in a manner that does not interfere with the DPA. The critical aspect of this segregation of roles between DPA and DGA is the classification of data as “Personal Data” and “Non Personal Data”. The issues of “Data Identifiers”, “De-identification/Pseudonymization” and “Anonymization” will need to be clarified so that the industry is clear on what is regulated by the DPA and what is regulated by the DGA.

The concept of “Differential Privacy”, which we discussed yesterday, will be extremely relevant since the proponents of “Differential Privacy” claim that it could be an alternative to “Anonymization Before Big Data analysis”.

The DPA as it stands today would like the personal data to be anonymized before the Big Data industry takes it up for aggregation and generation of community related inferences. The “Differential Privacy” advocates however claim that they can process identifiable personal data and ensure that disclosures remain “Anonymous”.

Similarly, there is a need to debate a definition of “Shared Personal Data” and “Community Personal Data”, which can be clarified when the new Data Governance law is drafted.

Naavi


Virtual Meetings for Data Protection JPC should be considered.

It appears that the Personal Data Protection Bill 2019 is stuck with the Covid lockdown of Parliamentary activities. According to a report from Media Nama sources, there is a technical objection to the use of “Virtual meetings of the Parliamentary committee”. This is touted as a violation of “Parliamentary Privileges”.

While this argument may suit all those who want the Government to remain dysfunctional, it is time to question this concept. Medianama quotes its “Anonymous Sources” (which itself is a breach of parliamentary privilege) as saying that virtual meetings cannot take place because they will introduce a third party into the activity, namely the video conferencing platform.

It is a ridiculous argument when the Supreme Court itself has adopted “Virtual hearings” as part of its activities and Parliamentary proceedings are broadcast live across the globe.

The argument is suggesting a surrender of democracy to Covid and has to be defeated.

I hope that the JPC will not allow this argument to prevail and adopt Virtual meetings as part of its procedure. The video platform can be managed by NIC and a separate server within the Parliamentary building can be set up for the purpose. The connections can be on a VPN so that it is encrypted from the user’s end to the server. The depositions can be conducted in such a manner that streaming video is pushed from the user’s application to the server and the session of a deponent is closed after his deposition is over. A secure app based browser can be used to retain confidentiality and authenticity.

It is time that MeitY provides the confidence to the Parliamentary members and the Speaker that we have the technology to create a secure virtual arrangement and conduct the proceedings.

Naavi


Differential Privacy and PDPA 2020

The proposed Indian Data Protection Act (PDPA 2020) refers to “Personal Data”, “Anonymization” and “De-identification/Pseudonymization”.

Anonymisation is defined as an “Irreversible” process of transforming personally identifiable data to a form where the identity is irreversibly removed. Anonymization frees the data from PDPA controls.

On the other hand:

“de-identification” means the process by which a data fiduciary or data processor may remove, or mask identifiers from personal data, or replace them with such other fictitious name or code that is unique to an individual but does not, on its own, directly identify the data principal;

The definition of de-identification includes “Pseudonymization” by way of replacement of identifiers from the identifiable personal data set.

De-identification is a technical control used to mitigate risk in a data processing environment, so that the real identity attached to an identified data principal is not shared within the organization.

Naavi has been advocating the use of a “Pseudonymization Gateway” as a standard feature, so that an organization immediately pseudonymizes all identity parameters at the point of entry of personal data and creates a confidential mapping of the pseudonymized parameters with the real parameters and a unique data identity, to enable re-identification when required.

If this suggestion is technically implemented, then the entire organization will carry out its personal data processing on the de-identified/pseudonymized data, reducing the risk of data breach to near zero. The Pseudonymization gateway would be managed by an “Internal Data Controller”, who will maintain the mapping table as securely as possible with appropriate encryption, split keys in the custody of multiple custodians, etc.

When the processed data is to be disclosed, if it is to be re-identified, the designated “Internal Data Disposers” would be responsible to re-identify the data and create the “Processed version of the data with real identity” and then disclose it to the recipients as may be required.

The controls for personal data breach mitigation are therefore confined to the internal data controllers and internal data disposers.

(P.S.: Here the word ‘internal’ refers to the person/s being employees of the organization, though the disclosure of information is to outsiders. The term ‘dispose’ refers to both external disclosures and destruction of the identity of personal data or deletion of the personal data.)
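The gateway, vault and disposer roles described above can be sketched in code. The following Python example is added here as an illustration and is not Naavi.org's or FDPPI's code; its design choices (which fields count as identifiers, a two-of-two XOR split of the vault key between custodians, and a SHA-256 counter-mode stream with an HMAC tag standing in for a proper authenticated cipher such as AES-GCM) are assumptions made so that it runs offline with the standard library only.

```python
"""
Pseudonymization gateway sketch (added illustration, not Naavi.org's code).
Assumed design: identifiers are replaced at the point of entry; the
pseudonym-to-identity mapping lives only in a vault run by the internal data
controller; the vault key is split between two custodians; an internal data
disposer re-identifies processed output on request.
"""
import hashlib
import hmac
import json
import secrets

# Assumed set of direct identifiers stripped by the gateway.
IDENTIFIERS = ("name", "email", "phone")


def _subkeys(key):
    """Derive separate encryption and MAC keys from the vault key."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _stream_xor(enc_key, nonce, data):
    """Demonstration-only encryption: SHA-256 in counter mode as a keystream.
    A production vault would use an authenticated cipher (e.g. AES-GCM);
    this stand-in keeps the example free of third-party libraries."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(enc_key + nonce + (i // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


def split_key(key):
    """Two-of-two XOR secret sharing: each custodian holds one share and
    neither share alone reveals anything about the key."""
    share1 = secrets.token_bytes(len(key))
    share2 = bytes(a ^ b for a, b in zip(key, share1))
    return share1, share2


def join_key(share1, share2):
    return bytes(a ^ b for a, b in zip(share1, share2))


class MappingVault:
    """Internal data controller's store: pseudonym -> encrypted real identity."""

    def __init__(self):
        self._entries = {}

    def store(self, key, pseudonym, identity):
        enc_key, mac_key = _subkeys(key)
        nonce = secrets.token_bytes(16)
        blob = _stream_xor(enc_key, nonce, json.dumps(identity).encode())
        tag = hmac.new(mac_key, nonce + blob, hashlib.sha256).digest()  # encrypt-then-MAC
        self._entries[pseudonym] = (nonce, blob, tag)

    def lookup(self, key, pseudonym):
        """Returns the identity, or None when the key (e.g. a lone share) is wrong."""
        enc_key, mac_key = _subkeys(key)
        nonce, blob, tag = self._entries[pseudonym]
        expected = hmac.new(mac_key, nonce + blob, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        return json.loads(_stream_xor(enc_key, nonce, blob).decode())


class PseudonymizationGateway:
    """Sits at the point of entry; everything downstream sees only pseudonyms."""

    def __init__(self, vault, key):
        self._vault = vault
        self._key = key  # assumed: the gateway is operated by the internal data controller

    def ingest(self, record):
        identity = {k: record[k] for k in IDENTIFIERS if k in record}
        pseudonym = "DP-" + secrets.token_hex(8)  # the unique data identity
        self._vault.store(self._key, pseudonym, identity)
        deidentified = {k: v for k, v in record.items() if k not in IDENTIFIERS}
        deidentified["data_id"] = pseudonym
        return deidentified


class InternalDataDisposer:
    """Re-identifies processed output for disclosure; needs both key shares."""

    def __init__(self, vault):
        self._vault = vault

    def reidentify(self, share1, share2, processed):
        identity = self._vault.lookup(join_key(share1, share2), processed["data_id"])
        if identity is None:
            raise PermissionError("mapping vault refused: incomplete or wrong key")
        return {**processed, **identity}


def demo():
    """Constructed walk-through: one record in, processed pseudonymously, re-identified."""
    key = secrets.token_bytes(32)
    share1, share2 = split_key(key)  # handed to two separate custodians
    vault = MappingVault()
    gateway = PseudonymizationGateway(vault, key)
    record = {"name": "Asha Rao", "email": "asha@example.invalid",  # constructed sample
              "phone": "+91-00000-00000", "test_result": "diabetic"}
    deid = gateway.ingest(record)              # what the processing teams see
    processed = dict(deid, risk_band="high")   # downstream processing result
    disclosed = InternalDataDisposer(vault).reidentify(share1, share2, processed)
    return deid, disclosed, vault.lookup(share1, deid["data_id"])
```

Running `demo()` shows the three properties the text relies on: the processing teams never see `name`, `email` or `phone`; a single custodian's share cannot open the vault (the lookup returns `None`); and only the disposer holding both shares produces the “processed version with real identity” for disclosure.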

PDPA has not used the term “Differential Privacy” which is a term developed by data scientists in the Big Data processing scenario.

The Sri Krishna Committee, while winding up its recommendations, made a comment that there is a separate need for developing regulation of “Community Data”, which referred to a form of aggregation of data that is relevant for “Differential Privacy”. This is now before the Kris Gopalakrishna committee on Data Governance.

As a concept, “Differential Privacy” addresses the need for processing of aggregated data in such a manner that identity of a data subject becomes irrelevant in the aggregation and disclosure. In other words, while the aggregation happens with the identifiable data, the process of aggregation and processing is managed in such a manner that the disclosed data does not affect the privacy of an individual whose personal data is a component of the processed data.

One of the definitions of “Differential Privacy” is that

“Differential privacy is a system for publicly sharing information about a dataset by describing the patterns of groups within the dataset while withholding information about individuals in the dataset.”

For example, A, B and C undergo a medical test, and A and B are diagnosed diabetic and C, say, healthy. (In an actual situation the numbers would be large and A, B and C may represent groups of a large number of persons.) Now when we say 33% of the persons are healthy and 67% are diabetic, we are disclosing the personal information of A, B or C. However, if the disclosed data remains at the level of these percentages, the identity of the individuals remains masked.

When the data of another subject is added to or deleted from the data set, then (assuming large numbers) the pattern of the disclosed data does not reveal the identity of the person whose data was added or subtracted. Since the query result of the processed data cannot be used to infer whether the person whose data was added or subtracted was diabetic or healthy, it is considered that “Privacy is preserved”.

The development of processing that meets these criteria is referred to as “Differential Privacy” by data scientists.

More technically:

“A processing algorithm is considered differentially private if an observer seeing its output cannot tell if a particular individual’s information was used in the computation.”

This concept is used by statistical organizations processing personal information.
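The A/B/C example and the “cannot tell whether one individual was used” criterion can be made concrete. The Python below is an added illustration, not code from the page or from any committee or standard; the page names no mechanism, so the Laplace mechanism (true count plus noise scaled to sensitivity divided by epsilon) is an assumption chosen because it is the textbook way to satisfy the definition for count queries. It first shows why an exact release fails the criterion, then checks the definition directly on neighbouring datasets, and finally publishes noisy percentages.

```python
"""
Differential privacy on the A/B/C medical-test example (added illustration).
The Laplace mechanism used here is one standard way to satisfy the definition
quoted in the text and is an assumption of this example.
"""
import math
import random

# Constructed sample data: one record per person, as in the text's example.
DATASET = [
    {"person": "A", "result": "diabetic"},
    {"person": "B", "result": "diabetic"},
    {"person": "C", "result": "healthy"},
]
RESULTS = ("diabetic", "healthy")


def count_query(records, result):
    """Exact count of people with the given result. Its sensitivity is 1:
    adding or removing one person changes the answer by at most 1."""
    return sum(1 for r in records if r["result"] == result)


def exact_release_leak(records, person, result):
    """Without noise, an observer comparing the count on D with the count on the
    neighbour D' (same data minus one person) learns that person's status:
    a difference of 1 means the removed person had `result`."""
    without = [r for r in records if r["person"] != person]
    return count_query(records, result) - count_query(without, result)


def laplace_sample(scale, rng):
    """Inverse-CDF sample from Laplace(0, scale)."""
    u = max(rng.random(), 1e-12) - 0.5  # keep u strictly above -0.5 so log(0) cannot occur
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def laplace_density(x, loc, scale):
    return math.exp(-abs(x - loc) / scale) / (2.0 * scale)


def noisy_count(records, result, epsilon, rng, sensitivity=1.0):
    """Laplace mechanism: true count plus Laplace(sensitivity / epsilon) noise."""
    return count_query(records, result) + laplace_sample(sensitivity / epsilon, rng)


def release_percentages(records, epsilon, seed=None):
    """Publish noisy percentages per result. The budget epsilon is split across
    the two counts (sequential composition); clamping to [0, n] is
    post-processing and does not weaken the guarantee."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    per_query_eps = epsilon / len(RESULTS)
    n = len(records)
    out = {}
    for result in RESULTS:
        c = min(max(noisy_count(records, result, per_query_eps, rng), 0.0), float(n))
        out[result] = round(100.0 * c / n, 1)
    return out


def worst_case_ratio(records, person, result, epsilon, candidate_outputs):
    """Check the definition directly: for every output o, the probability density
    of the mechanism producing o on D and on its neighbour D' (one person removed)
    may differ by at most a factor e^epsilon. Returns the largest ratio found."""
    scale = 1.0 / epsilon
    c_d = count_query(records, result)
    c_dp = count_query([r for r in records if r["person"] != person], result)
    worst = 0.0
    for o in candidate_outputs:
        p = laplace_density(o, c_d, scale)
        q = laplace_density(o, c_dp, scale)
        worst = max(worst, p / q, q / p)
    return worst


if __name__ == "__main__":
    print("exact release leaks A's status:", exact_release_leak(DATASET, "A", "diabetic"))
    print("worst density ratio vs bound:",
          worst_case_ratio(DATASET, "A", "diabetic", 0.5, [x / 2 for x in range(-20, 21)]),
          math.exp(0.5))
    print("noisy release:", release_percentages(DATASET, 1.0, seed=7))
```

The worst-case ratio comes out exactly at the bound e^epsilon for any output at or beyond the two true counts, which is the Laplace mechanism working as designed; smaller epsilon tightens the bound at the cost of noisier percentages, which is the trade-off a Big Data processor invoking “Legitimate Interest” would have to justify in a DPIA.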

The fact that the Indian PDPA does not refer to Differential Privacy (nor do other laws such as GDPR) is because these data protection laws consider that statistical processing of the type referred to above can be done with “De-identified” or “Pseudonymized” data. Hence the issue of identifying an individual whose data set moves in or out of a collection of data does not matter for the privacy of that individual.

A Big Data Processor who is today looking at Differential Privacy can as well introduce an automated data anonymization process, so that all incoming identified data sets become anonymised data sets at the gateway and remain visible only at the machine level. When the data is filtered into the internal systems visible to human beings it is already in an “Anonymized State”, and hence the “Differential Privacy” concept may not be required.

This suggestion was made by the undersigned to one company processing CCTV footage and can be a substitute for differential privacy.

If there is any specific processing requirement where the input has to be on an identified basis and disclosure is required to be made, then the use of “Differential Privacy as an algorithmic feature” becomes the responsibility of the processor under “Legitimate Interest”.

The Kris Gopalakrishna committee on Data Governance may need to debate “Differential Privacy” in greater detail.

If the Government pursues the concept of “Open Data” and wants to collect, process and disclose identifiable personal data in an aggregated form for the benefit of the society, the concept of Differential Privacy may be useful.

Similarly, data research organizations harvesting personal data from public sources and profiling the behaviour of communities also need to adopt the principles of differential data privacy into their processing and present a legitimate interest claim when they submit DPIA to the data processing authorities.

(This topic requires further discussion. I have tried to seed some thoughts for discussion; comments and inputs are invited. Naavi)

Naavi



Atma Nirbhar in Data Protection… PDPSI will be the PDPA specific Implementation framework

While in India the Personal Data Protection Act of India (PDPA 2020) is awaiting clearance by Parliament, being compliant with the Personal Data Protection law has become the top-of-mind concern for most corporate managers.

Some ultra-cautious professionals are waiting for the Personal Data Protection Bill 2019 to be passed by Parliament before doing anything towards compliance. The more optimistic professionals are however going ahead and getting ready for the law, with the presumption that the law will get passed soon and that even if it is delayed, PDPA, being an extension of ITA 2000, is relevant as “Due Diligence” under ITA 2000 even today.

In the meantime other countries are racing against each other to introduce their own laws. DIFC, UAE, South Africa, Brazil, New Zealand have all introduced their respective data protection laws.

India being the global hub for data processing, Indian companies often deal with personal data from multiple countries, which exposes them to compliance with multiple data protection laws. The Indian data processing industry is therefore looking for the best way to implement a Personal Data Protection System in their organizations that will enable them to be compliant with multiple global laws along with the upcoming Indian law.

Some of the large organizations with a high stake in GDPR have adopted ISO 27701 as a standard for implementation to be compliant with GDPR.

While ISO 27701 is tailored to meet GDPR and could serve GDPR compliance, it will not meet the requirement of compliance with PDPA.

Also, ISO 27701 is meant for rich, large corporations and will require the base compliance of ISO 27001, ISO 27002 and probably some other connected standards. Together it is a massive exercise and a massive expense, unsuitable for smaller companies.

It is also imperative that we develop indigenous standards which are a reflection of our self-reliance (Atma Nirbhar) in such matters.

Recognizing this need, the team of professionals in FDPPI (Foundation of Data Protection Professionals in India) have embarked on using the Personal Data Protection Standard of India (PDPSI).

This framework will meet the unique requirement of being compliant with PDPA 2020.

PDPSI-IN would be the instance of the framework which would be tightly mapped to PDPA 2020. This is the immediate need for self reliance of PDPA compliance in India.

At the next stage, when we move from “Local to Global”, other instances of PDPSI would be developed for compliance of other data protection laws.

With this approach, PDPSI-EU would be mapped to GDPR, PDPSI-CCPA would be mapped to CCPA, and so on. These frameworks will basically enable Indian organizations with a stake in multiple data protection laws to ensure compliance with ease.

It is possible that if the frameworks turn out to be useful to the industry, they can become standard frameworks to be exported. Hopefully the Indian Government will see the potential of this thought as a “Make in India and Take it Global” concept and provide its support.

Watch out for more information on this. Contact Naavi for more details.

Naavi
