PDPSI-GDPR the replacement for ISO27701

PDPSI is the Personal Data Protection Standard of India developed by Cyber Law College as an open standard framework for Personal Data Protection particularly in compliance with the proposed Indian Personal Data Protection Act. Naavi has been explaining the different concepts of PDPSI through the articles in Naavi.org also collated at www.pdpsi.in.

Professionals working in the field of Information Security are used to the format of a framework followed by ISO, and it is difficult to make them look at any new framework unless it is explained with reference to the known frameworks. Hence it is necessary to explain the PDPSI framework with reference to ISO 27701 or its predecessor BS 10012. However, Naavi urges professionals to look at PDPSI independently, without being unduly clouded by their experience with the ISO frameworks.

PDPSI is meant to be an open standard document, unlike the mesh of proprietary standards that are used in the ISO framework. It is our belief that a “Standard” should be for the benefit of society, and such standards should ideally be open standards. Professionals can still make money out of the standard in the form of implementation consultancy, since any standard will require interpretation by an expert and adaptation to a given context. This gives enough room for our professional income generation, rather than milking the standard itself for our revenue.

Today we shall highlight the special feature of this framework that extends beyond PDPA compliance into the domain of GDPR compliance.

The PDPSI framework is built on the following five key boundary implementations, namely Classification, Distributed Responsibilities and Development of the PIMS culture, supported by the policy documents and technical controls.

Most professionals who look at ISO 27001 try to map its controls to GDPR, and the frequent question we receive from IS professionals is: “If I certify for ISO 27701, will I be considered certified for GDPR?”

A similar question has been raised in India regarding ITA 2008 compliance with reference to ISO 27001. It is now history that Naavi vehemently opposed the MeitY, when it was working under Kapil Sibal, on the point that the Government of India should not give the impression that being ISO 27001 certified is deemed compliance with Section 43A. The department gave a somewhat vague answer, as follows:

This was in reference to the rules under Section 43A notified on 11th April 2011 (Refer details here)

Despite the clarification, the MeitY has done nothing to dispel the general impression in the community that being ISO 27001 certified is deemed compliance under ITA 2000/8. The ISO organization (which is not a Government body) made full use of the misconception in marketing its certification in India.

Now there is a new attempt in the international scenario to project certification under ISO 27701 as deemed compliance with GDPR. In future this argument may be extended to “Deemed Compliance under PDPA”, and hence it has to be flagged here and now.

It is important for professionals to realize that ISO standards are industry best practice standards, and though they go a long way towards meeting the requirements of the law, compliance with a data protection law is independent of certification under an industry standard.

The same principle applies to PDPSI when it is used as a means of compliance with either PDPA or any other law. Irrespective of the framework used, the data protection authority has the right to ask for a separate “Data Audit”, “Data Breach Audit”, “Harm Audit” or “Data Protection Impact Assessment” and ignore the certifications.

Hence let us first make a categorical statement: being certified under ISO 27701 (or under PDPSI-GDPR, being discussed here) is not to be considered “Deemed Compliance” with GDPR.

We shall proceed to discuss what PDPSI-GDPR is in the next article.

Naavi

Posted in Cyber Law | Leave a comment

DPO under the new DIFC Data Protection Law of Dubai

Compliance with the DIFC Data Protection Law 2020 is administered by the “Commissioner” of Data Protection, who will be the regulatory authority for the Data Protection regulation. The home page of the regulator can be found here.

Unlike the Indian DPA, which will be a 7 member body, the Dubai regulator will consist of one person, namely the “Commissioner”, who is appointed in consultation with the DIFCA Board of Directors and who shall be a person who is appropriately experienced and qualified. The appointment is contractual for a period of 5 years, and the upper age limit for the Commissioner is 75 years as against 65 years in India.

DIFC DPA 2020 does, however, permit the delegation of powers and the establishment of an advisory committee with its own chairman and secretariat.

The Commissioner may establish codes of practice and certification schemes.

One of the major changes that the new version of the Dubai law has brought in is the provision for appointment of a Data Protection Officer. According to Article 16, a Controller or a Processor “May elect” to appoint a DPO.

However, DIFC bodies other than the Courts, and Controllers or Processors performing “High Risk Processing” on a systematic or regular basis, must mandatorily appoint a DPO. For others the appointment of a DPO is optional, but the Commissioner has the right to direct an entity to appoint a DPO if it finds this necessary. Where a DPO is not designated, the entity should still designate a person with responsibility for compliance.

As in the case of GDPR, the DPO may be an internal employee or an external contractual person.

The DPO must reside in Dubai unless he is a common DPO for the group entity.

The details of the DPO must be made public.

One of the responsibilities of the DPO is the submission of an annual report to the Commissioner, similar to the “Annual Data Audit” in the Indian PDPA. The DPO will also be responsible for overseeing the DPIA as and when it is undertaken.

As regards the role and tasks of the DPO, the law states that the DPO shall be provided with sufficient resources to carry out his duties, and with the freedom to act independently and without conflict.

The DPO, besides being the contact person for the Data Subject, is expected to monitor the compliance activities in the organization, inform and advise the organization and its employees, cooperate with the Commissioner, be the point of contact for the Commissioner, etc.

It is noted that the Act specifies that the DPO shall be able to advise the entity not only on the Dubai Data Protection law but also on other relevant laws to which the organization may be subject, “including where the organisation is subject to overseas provisions with extra-territorial effect”.

Overall, the passage of the new law adds to the responsibilities of all organisations that have a presence in Dubai. Some of them may be “Controllers” or “Joint Controllers”, and they need to take suitable steps for compliance.

Naavi

Reference articles:

The New Dubai Data Protection law stresses on Compliance Accountability

The New Dubai Data Protection Law is Bigger, Better and Will bite harder

Dubai Data Protection Law


The New Dubai Data Protection law stresses on Compliance Accountability

The new Dubai Data Protection law, in comparison to the 2007 version, places a lot more emphasis on Compliance.

Legitimate Interest

Article 8 of the old Act and Article 9 of the current Act speak of the General Requirements. It may be observed that most of the requirements in the 2007 law have been carried over to the 2020 law, with the addition of “Transparency”.

Additionally, “Lawfulness” has been separately expanded in Article 10, and Accountability and Notification are separately explained under Article 14 (2020). Six bases have been identified under “Lawfulness”, and any one of them is considered acceptable. This follows the GDPR model and includes:

a) Consent

b) Necessity for performance of a contract in which the Data Subject is a party

c) Necessity for compliance of an applicable law that a “controller is subject to”

d) Necessity for protecting the vital interests of a data subject or of any natural person

e) Necessity for the functioning of DIFC

f) Legitimate interest

The 2020 law also defines genetic and biometric data as additions to the list of special categories defined in the earlier version, which require “Explicit Consent”.

Consent and Notice have been elaborately covered, along with Accountability. The onus of proving that Consent has been obtained lies on the Data Controller.

Article 10(1)(f) states that one of the lawful bases on which personal data can be processed is where

“Processing is necessary for the purpose of legitimate interests pursued by a Controller or a Third Party to whom the Personal Data has been made available, subject to Article 13, except where such interests are overridden by the interests or rights of a Data Subject.”

Article 13, on the other hand, states:

(1) A public authority subject to DIFC law may not rely on the basis of legitimate interests under Article 10(1)(f) to Process Personal Data.

(2) A Controller that is part of a Group may have a legitimate interest in transferring Personal Data within its Group for internal administrative purposes.

(3) Processing of Personal Data shall be considered a legitimate interest of a Controller if it is necessary and proportionate to prevent fraud or ensure network and information security.

In terms of compliance, therefore, a Data Controller should always look for “Consent” and, when in doubt, bring the processing under the legitimate interest argument, preferably supported by appropriate internal documentation.

Accountability

One of the areas of emphasis in the new version of the law is the Accountability of the Data Controller. The Controller needs to establish data protection by design and by default, taking into account the risk assessment and establishing a compliance program. The law repeatedly emphasizes “Proportionality” of data collection relative to the purpose of collection.

Article 14(7) states:

“A Controller or Processor shall register with the Commissioner by filing a notification of Processing operations, which shall be kept up to date through amended notifications.”

Article 14(8) also states that the above notification shall be kept in a publicly available register maintained by the Commissioner.

This provision is similar to the Indian provision of a “Privacy by design policy” being filed with the DPA, and is a significant change to be noted.

(To Be continued…)

Naavi

Earlier Articles

The New Dubai Data Protection Law is Bigger, Better and Will bite harder

Dubai Data Protection Law


The New Dubai Data Protection Law is Bigger, Better and Will bite harder

From July 1st 2020, life will not be the same for companies that have opened offices in the Dubai International Financial Centre (DIFC) for various reasons. The new Data Protection Law of 2020 will become effective and will totally replace the earlier, milder law of 2007.

The law will basically apply to the processing of personal data by automated means, and where the personal data is part of a filing system, and will apply to all companies incorporated in DIFC irrespective of the place where the personal data is processed. At the same time, it applies to companies irrespective of their place of incorporation if personal data is processed in DIFC as part of a stable arrangement for the processing of personal data in the context of activity in DIFC. It excludes the processing of personal data by individuals exclusively for domestic purposes.

While we can discuss the changes in the Grounds of Processing, Data Subjects’ rights and Compliance requirements separately, it may be immediately noticed that the new law enhances the remedies available to Data Subjects and also imposes administrative fines from $50,000 to $100,000 for various contraventions, besides directions for cessation of business or reprimands. Additionally, the Commissioner can award compensation to the data subjects, or the data subjects may make a claim for compensation through a grievance redressal process or with the intervention of the Court.

Where more than one Controller or Processor is involved, liability will apply jointly and severally.

It is therefore time for companies in India that have Dubai offices to take a fresh look at their Data Protection obligations. Many Indian companies might have entered into business agreements with local companies, but they will continue to be liable as either a Joint Controller or a Data Processor, and hence have to make an assessment of their liabilities under the new law.

(More discussions will follow)

Naavi


Prospectus for FDPPI Program on CDPP-Module G released

Early Bird Discount: Up to 30th June 2020

Membership: Rs 5000 only

Full waiver of Training fee of Rs 6000/-


China Cyber War Risk is now manifesting

On September 23, 2014, Naavi.org had written:

Quote

China has always been an unreliable nation and cannot be trusted for business relations. China is the leader in Cyber Warfare and using their technologies for our bullet trains and smart cities is an open invitation to disaster if and when there is a cyber war between India and China.

It is good for Mr Modi to keep China at arms length in the field of technology and ensure that India tries to develop its capabilities in the technology era with the assistance of Japan and USA.

Indian companies doing business with China should also be careful not to transfer any critical technology to China, in the long term interest of our country.

Unquote

This was not the first time Naavi.org had highlighted the China risk. The fact that China was working on Quantum Supremacy and developing its own encryption system, the risk of buying Chinese mobiles, POS machines and computers which may have Manchurian Chips or malware installed, the risk of hiring Chinese employees, the risk of transferring IT knowledge to China, and the possible use of Bitcoins by China to destabilize the Indian economy have all been highlighted at different points of time.

At the same time, Naavi had also brought to the notice of CERT-In, some time in May 2017, a suspicion that an incident report sent to the email address incident@cert-in.org.in appeared to have been opened in China; the same was investigated and cleared by CERT-In.

It is therefore no surprise that, when the border tensions with China are mounting, there could be a Cyber Attack on India. CERT-In has issued an advisory indicating that there could be a large scale phishing attack, and that even an e-mail address such as “ncov@gov.in” could be used in the phishing. This indicates that CERT-In had actually identified that an e-mail account by this name could have been created in the Government domain, and that the same could be linked to China.

It is therefore reasonable to presume that there is prima facie evidence of an “Attempt to initiate a Cyber Attack”, which can be considered “Cyber Terrorism” under Section 66F of ITA 2000.

If so, the response of CERT-In in issuing an advisory of the type it has issued is only the minimum requirement and is grossly insufficient.

CERT-In can perhaps warn China that India reserves its right to come out with its evidence and launch a case against China for Cyber Terrorism in an international court.

At the same time, the Government should start putting some checks on Chinese mobile and laptop sales in India, so that the risk of implanted backdoors is curtailed. It was reported that the sale of OnePlus 8 mobiles was quickly over-booked, showing the demand for Chinese products.

Each of these devices could carry planted spyware into India, and we need to check them before allowing their import. Just as China insisted that Microsoft deposit its Windows code before selling Windows computers in China, we have to insist that the OS code in Chinese mobiles be deposited with the Government before allowing the import of any mobiles from China.

Only such strong moves will have any security impact on China; the advisory on Phishing is a grossly insufficient response.

Naavi

Also Refer: Is there an Indo-Russia Cyber Attack Collaboration in the offing?
