Transform Privacy Policy Disclosure to Offer Format

DPDPA 2023 makes “Consent” the principal legal basis for processing personal data (the other being the enumerated “legitimate uses”). Consent requires a contract between the data principal and the data fiduciary, and a contract is a combination of an “Offer” and an “Acceptance”.

What we normally find on websites today is a “Privacy Policy”, a declaration by the organization that “this is what we do to protect your privacy”. It takes the form of a “Disclosure”.

When the disclosure is presented as an “Offer” and is confirmed as “Accepted”, the “Consent” is actualized. The data principal then provides the necessary information, and the data fiduciary (or a data processor acting on its behalf) processes that data as per the consent.

Perhaps, to put DPDPA 2023 compliance on a proper footing, we need to change the “Disclosure” format of the Privacy Policy into an “Offer” format, i.e. a Notice that invites acceptance.

One of the implementation challenges is to make the consent contract non-repudiable with proper authentication. The ITA 2000 indicates that the authentication of an electronic document is valid only if it is supported by a digital/electronic signature. As a result, to enable a “Perfect Consent”, the Privacy Notice has to be accepted with an electronic signature. Since not all data principals hold a digital signature certificate, Aadhaar-based e-Sign is an option to explore. If, however, e-Sign has to be used for every consent, withdrawal of consent, modification of consent and so on, it will be an expensive proposition for the data fiduciary. Short of a signature, a fiduciary should at least record which version of the notice was shown (for example by its content hash), when it was shown and how it was accepted, so that the exact text the data principal accepted can be reproduced later.

How does DGPSI try to address this? Or how should MeitY facilitate it? That is a point of debate…

Let us discuss your views on this at IDPS 2024 in Bengaluru, on November 30 and December 1.

Register today at www.idps2024.in

Posted in Cyber Law

The two eyes of DPDPA Compliance

DPDPA envisages two key professional roles for driving compliance.

The DPO is responsible for DPDPA compliance within the organization, while the Data Auditor is an independent auditor who checks the implementation.

FDPPI has recognized these roles and created the C.DPO.DA. (Certified Data Protection Officer and Data Auditor) certification program.

At the upcoming IDPS 2024 on November 30 and December 1 at the KLE Law College Auditorium in Bangalore (also available virtually), you can discuss the impact of DPDPA on the professions of DPO and Data Auditor.

Be there, participate and contribute. Register today at www.idps2024.in

Naavi

Posted in Cyber Law

Credentials of DPOs… Be a Guardian of Privacy

As India moves ahead into the era of DPDPA, there is a rush of professionals to occupy the role of “DPO” in an organization. It is sometimes easy to grab a title but difficult to retain it and to feel deserving of it. Hence those who aspire to be DPOs need to have, and to develop, the credentials necessary for the role.

When FDPPI was formed in 2018, one of the first objectives it set for itself was to build an “Empowered” community of “Knowledgeable”, “Efficient” and “Ethical” Data Protection Professionals who contribute to the development of a “Secure Information Society” by lawful means.

The “Empowerment” comes from the “Ethical Attitude” which is all too often absent in our approach to modern life. The knowledge we have and the skills we possess are meaningful only when they are applied with a noble objective. It is not enough if, as DPOs, we guide our organizations to be law abiding and meticulously follow the “Rules” when published. We need also to be “Ethical” in our approach and fulfil our duties as a “Guardian of Privacy” of the “Data Principal”. A DPO is himself/herself a “Fiduciary” and needs to be guided by the needs of the “Data Principal” when designing compliance in an organization.

DGPSI, as a framework for DPDPA Compliance, recognizes this role of the DPO. As a guardian of the Privacy of the Data Principal, the DPO is responsible for identifying the Privacy Risks to the Data Principal and ensuring that the risk is mitigated to the extent feasible, disclosed to the data principal and consent recorded.

In fulfilling this role, the DPO will face a natural conflict with the business objectives of the organization, which he or she has to navigate. This requires leadership skills, persuasive communication skills and also empathy with the Data Principal. The DPO, being also the first respondent to the Data Principal, needs the skill to negotiate and resolve disputes. Interpersonal skills to work harmoniously with peers, superiors and regulators are also a desirable credential of a DPO.

Want to know more about the credentials of a DPO?

Attend IDPS 2024. Details at www.idps2024.in. Register today.

Posted in Cyber Law

NEGD starts DPDPA Awareness Campaign

It appears that, on behalf of MeitY, the National e-Governance Division (NEGD) has started an awareness campaign on DPDPA for industry professionals.

A few days back NEGD conducted a physical conference in Delhi, and today they hosted a one-hour webinar by Advocate Supratim Chakraborthy of Khaitan Associates.

It was a well-conducted webinar and useful to industry professionals.

Hope many more such discussions will be conducted by NEGD.

In the meantime, FDPPI will conduct about 20 hours of discussion on DPDPA and other global data protection laws, and on their interaction with recent developments in technology, in the two-day conference in Bangalore on November 30 and December 1, under the Indian Data Protection Summit 2024 (IDPS 2024).

Check www.idps2024.in for details and be there, physically or virtually.

Naavi

Posted in Cyber Law

IDPS 2024 will provide answers to the dilemma of DPDPA compliance

When FDPPI started its IDPS series with IDPS 2020, it was the first such program in India focusing entirely on Privacy and Data Protection. As we run into the 5th year of the series with IDPS 2024 on November 30 and December 1, India is reverberating with the sound of DPDPA, as much for the law that has been passed as for the Rules that have not yet been notified. Professionals all over India are keen to debate the impact of DPDPA on their organizations and their professions.

In the last three days, I had the privilege of attending two large conferences on Cyber Law, Cyber Security and Data Protection in Delhi. One was the 11th international conference on Cyber Law, Cyber Crime and Cyber Security from Pavan Duggal Associates, and the other was the first conference of the DPO Club, titled Bharat Privacy Conference.

It was heartening to see professionals and academicians from several organizations in India and abroad, and also officials from Government, participate enthusiastically in the deliberations. It appears that there is no dearth of “Awareness” in the industry about DPDPA and its importance. There may still be a need for awareness among the public, who are the focus of this legislation, but awareness at the organizational level seems to be fairly high.

However, whether the current awareness is adequate or needs to be refined is a matter of discussion.

Corporates in India are approaching DPDPA through the lens of GDPR, and there may be a popular perception that GDPR is the gold standard and that India can only copy and paste the provisions of GDPR. We at FDPPI have been crying hoarse that understanding DPDPA needs a certain unlearning of GDPR. It was heartening to note that the ecosystem is slowly accepting the concept that “DPDPA is different, and being GDPR compliant does not mean being DPDPA compliant”. This is a big step in the creation of awareness in professional circles, and we are firmly in this zone of awareness.

When it comes to “Compliance”, there is still some confusion on how to address the different provisions, and the challenge seems to be that some companies find an excuse to delay starting compliance by pointing to MeitY not having notified the “Rules”.

MeitY officials were tight-lipped on the status of the release of the Rules, but indicated that draft rules would be released for public comments and, when passed, would provide substantial time for implementation. This should, to some extent, have brought comfort to the industry and reduced the tension of the Rs 250 crore penalty hanging over their heads.

There was a small section of industry professionals who felt that a Rs 250 crore penalty cap, instead of a turnover-based penalty, serves more to appease large organizations like Meta while at the same time threatening MSMEs.

There was a lively debate on what the credentials of a DPO should be, but one encountered a number of “CISO cum DPO”s in the congregation. It was evident that many professionals are looking at “DPDPA Compliance” through the eyes of a CISO and find it difficult to see the rise of the DPO as a designation on par with, or slightly higher than, the CISO. This requires a more in-depth debate.

There was no discussion on “Nomination”, “Right to Personal Remedy”, “Children's Data Processing”, “Disabled Data Processing”, “Consent Manager”, “Grievance Redressal” or “Data Auditor”. Though “Nomination”, “Handling of unstructured Data” and “Children's Data” were mentioned during the Bharat Privacy Conference, no discussion followed. Due to the multiple parallel tracks at the Cyber Law conference, I missed a session on “Authentication” at which the CCA (Controller of Certifying Authorities) was present, and another on “Cyber Psychology”, a subject of personal interest to me. I need to check whether recordings are available.

It was interesting to note that all discussions revolved around AI as much as around DPDPA, as if orbiting a binary star.

One of the common discussions was around “How to define the role of an organization as a Data Fiduciary or a Data Processor?”. Other discussions centred around “Data Access Rights”, “Handling of legacy data”, etc.

It was clear that, just as “Unlearning of GDPR is required to understand DPDPA”, “Unlearning of ISMS principles is essential to understand the compliance framework for DPDPA”. Many still think that the ISO 27001:2022 standard is applicable to DPDPA compliance.

However, following some of the discussions, it was clear that professionals are already expressing the need for many of the DGPSI principles, such as the “Process Based Approach” and the “Data Classification approach of DGPSI”.

Now IDPS 2024 has the responsibility of answering some of these unanswered questions. Let us see how many of the aspirations can be fulfilled.

Incidentally, IDPS is a hybrid conference, and I invite all the attendees of the two Delhi conferences to also attend IDPS 2024, either physically or virtually. Let us make this a continuation of the discussion from the other conferences.

Naavi

Posted in Cyber Law

There is No Excuse for Missing IDPS 2024

To

All Professionals in Privacy and Data Protection anywhere in India

IDPS 2024, the flagship event of FDPPI, is no ordinary event. This is a “Knowledge Extravaganza”. The event focuses on more than 12 hours of intense discussion on Data Protection in India, the EU and the US, with special reference to AI and Robotics.

The event is further enriched with multiple Focused Group Discussions on the impact of DPDPA 2023 on Advocates, MSMEs, DPOs and Data Auditors.

There will be many goodies on offer, like:

During the Conference:

  1. 20% discount on the delegate fee for Members of FDPPI
  2. 10% to 20% special discounts for Members of other professional organizations
  3. Free download of an E-Book on Data Protection contributed by FDPPI members
  4. CPE credit certificate for 12 hours

During and after the Conference, up to 31st December 2024:

  1. 10% discount on certification programs
  2. 5% discount on direct entry to the C.DPO.DA. examination
  3. 20% discount on “Guardians of Privacy… Comprehensive Handbook on DPDPA 2023 and DGPSI” by Naavi
  4. 20% discount on the forthcoming “DGPSI: The Perfect Prescription for DPDPA Compliance” by Naavi

With all this, the delegate fee is a pittance: Rs 1500/- for virtual attendance and Rs 3000/- for physical attendance. Over and above this, you may avail of the discounts.

Probably many of you think FDPPI is crazy to price this conference at this level and not at, say, Rs 10000/-, which could have been the optimal pricing. We have no regrets. FDPPI considers the difference of Rs 7000/- per delegate as its contribution to society.

In this context, there is no excuse for any professional claiming to be interested in Privacy and Data Protection in India not to register for this program, at least virtually. Many delegates are travelling from as far as Delhi at their own cost to be present physically. Hats off to their commitment. But others can surely attend virtually. Even if you cannot attend for the entire day, do register, since you will get all the benefits, including limited-time access to the recorded proceedings.

KLE Law College has a huge facility, but we want it to be stretched… Will Privacy Professionals respond?

Naavi

Posted in Cyber Law