Neuro Rights Bill approved in Californian Senate

The Californian Senate has reportedly approved Bill SB 1223, which is meant to protect an individual’s neural data from misuse. The Bill was authored in the name of Josh Becker and co-sponsored by Professor Rafael Yuste, who incidentally had virtually addressed the IDPS 2022.

The copy of the Bill is available here.

The bill places neural data in the category of sensitive personal data within the provisions of CCPA.

“Neural Data” is defined as information that is generated by measuring the activity of a consumer’s central or peripheral nervous system, and that is not inferred from nonneural information.

Naavi had similarly suggested that India should bring neural data under protection within the DPDPA 2023.

At present, DPDPA 2023 does not define “Sensitive Personal Data”. It has also avoided defining “Harm” to include “Psychological manipulation”, which was present in the previous versions of the PDPB. Now the Consumer Protection Act, by defining the “Dark Pattern” as a prohibited consumer practice, has stepped in to fill the void left by DPDPA 2023.

However, the nature of “Privacy” is such that the definition of “Sensitivity” and “Harm” cannot be completely avoided. In 2005, when people proposed amendment of ITA 2000 to avoid liabilities of the industry, as in the “Bazee.com” case, it boomeranged on the industry: the title of the section was changed but the essence remained.

The intermediaries continue to be liable under the Guidelines of 6th April 2023, and the concept of “Due Diligence” is haunting the industry to the extent that the issue has been taken to the Supreme Court, contending that the Intermediary Guidelines notification is unconstitutional.

A similar situation seems to have arisen in DPDPA. The industry wanted to dilute the law and ensured that PDPB 2018/2019 was simplified to DPDPA 2023.

But by removing the definition of “Sensitive Personal Data”, MeitY has made all the general obligations apply to all Data Fiduciaries. At first glance it appeared that the SDPI guidelines would go and industries could breathe freely. But the situation now is different.

Now it appears that all obligations under Sections 8 and 9 of the Act are applicable to the processing of non-sensitive personal data also.

The “Significant Data Fiduciaries”, to whom the requirements of a DPO, a Data Auditor and a DPIA apply, bring the concept of sensitivity of information back into contention for determining whether an organization is a Significant Data Fiduciary or not.

In the first version of the “Draft of the Draft Rules” made available for discussion, there was no definition of “Significant Data Fiduciary” (SDF), and it is possible that even in the final version, MeitY may refrain from defining a “Significant Data Fiduciary”.

It would therefore be left to a Data Fiduciary (DF) to decide whether it is an SDF or not. When things go wrong, the DF which should have been an SDF but classified itself as a DF may be liable for penalties related to the special obligations of an SDF. It is natural to consider that a DF processing Neural Data poses a significant risk and should be considered an SDF.

Since Section 10(1) states that the Central Government may “notify” any DF as an SDF based on the “Risk to the rights of Data Principals”, the absence of such a notification could also be interpreted to mean that there will be no SDFs at all. But such an argument would be fallacious and difficult for Courts to accept. At best, the Government may take some time to notify the criteria for determining an SDF, but it would be difficult to avoid it altogether.

Under Section 16, the Government has decided to give a “Negative List” of countries to which transfer of personal data from India could be restricted. If the Government wants to avoid defining what constitutes an “SDF”, it can choose to declare which types of industries are exempted from being considered Significant Data Fiduciaries.

Unless MeitY declares that “Processors of Neural Data” are not Significant Data Fiduciaries, it would be unwise for DFs processing Neural Data not to consider themselves SDFs.

Let us wait and see whether the Government takes this route of avoiding a decision.

In the meantime, DGPSI will consider processors of Neural Data as Significant Data Fiduciaries only.

Naavi

Posted in Cyber Law | Leave a comment

Convergence of Technology and Law through DPDPA

When ITA 2000 was enacted and notified on 17th October 2000, technology made its entry into commerce with the recognition of electronic documents and digital signatures. Digital Signatures were also a tool of information security and non-repudiable authentication. The concept of due diligence and Section 85 had also introduced the concept of corporate responsibility for security for the prevention of cyber crimes.

With the 2008 amendments, the role of law in information security was further tightened and CERT-In was notified as the apex cyber security organization in the country. Sections such as 43A, 69A and 69B highlighted the need for corporate compliance action.

However, this legal intrusion into information security practice was brushed off by the industry, and ITA 2008 compliance and IISF 309 (Indian Information Security Framework) remained only wishful thinking on the part of Naavi.

After 24 years, with the advent of DPDPA 2023, it appears that the industry is now able to recognize this new field of information security combined with law. Just as AI-enabled Data Analytics has become the cornerstone of innovation in data-driven organizations, ITA 2000-driven DPDPA 2023 has become the essence of corporate information security practices in the emerging times.

At the Empowering CxOs conference in Bengaluru on 5th September 2024, this aspect came up for discussion in a panel, “The Future of Data Privacy by Driving a Privacy-First Culture – Balancing Innovation and Privacy: A Strategic Approach”, which I had the privilege to moderate.

The entire event is available at https://www.youtube.com/watch?v=B5ZjUS77xms (the panel discussion starts at 7:10:46).

During the discussions it was clear that the future of technology related to information security would be embedded with DPDPA 2023, something which the industry has now fully realized and is trying to find ways to implement.

In this direction, DGPSI comes out as a solution in the form of a compliance framework to be considered, and training programs like C.DPO.DA., scheduled by FDPPI for information security professionals, stand out as a timely introduction to the ecosystem.

We hope that this integration of Technology and Law in terms of “Information Security and Privacy Protection” will grow from strength to strength in the coming days.

Naavi


Future of Data Privacy

At a time when AI is threatening the credibility of the Internet as a medium of communication, and perhaps even the human race, we at the “CXO Cywayz” are discussing the future of Data Privacy and how to strategize to bring a balance between Innovation and Privacy.

Like the everlasting battle between Security and Privacy, Technology Innovation is also a continuing challenge to Privacy, or vice versa.

Innovators often forget that they live in a society and that all their innovations have value only if the society survives and functions in an orderly manner. Privacy regulation is one such aspect which should be considered a necessity to be incorporated into all innovative outcomes of technology.

We in India are today at the dawn of DPDPA, and data-related business and profession will never be the same again. What we did for the last decade needs to be renewed. What we learnt may have to be unlearned, because DPDPA is likely to disperse all our current strategy outcomes.

The output from the prism of DPDPA may look colourful but it comes in shades of red as well with a huge penalty lurking in the background threatening the existence of the company that ignores DPDPA.

Setting up a “Data Governance and Management System” (DGPMS) to respect the law and ensure a balance between Innovation and Privacy is the way to go. The strategy for this approach lies in DGPSI, the unique framework (Data Governance and Protection Standard of India). ISMS and PIMS associated with other frameworks need to yield the way to DGPMS powered by DGPSI.

Bringing harmony between innovators in technology and the legal community fighting for “Namma Privacy” lies in the unique concept of DGPSI, which speaks of “Compliance By Design” as a modified approach to “Privacy by Design”. Why this Compliance-first approach is different from the Privacy-first approach requires a longer debate.

For the time being we can conclude that the future of balancing Privacy and Innovation through a strategic approach belongs to DGPSI and its adoption in the industry.

Naavi


Towards Becoming a Data Auditor in India

At present there is a large section of professionals in India with expertise to conduct audits for Information Security, and some of them are also engaged as “Auditors of CERT-In Empanelled organizations”. The “Auditors of CERT-In Empanelled organizations” were expected to be a hybrid type of auditor, capable of assessing Information System Controls from the perspective of compliance with the ITA 2000 provisions, which was the law of the land. This required a “Techno Legal Understanding” that not all IS auditors could manage successfully.

With the need now to understand DPDPA 2023, the role of Techno Legal Auditors in India has undergone a further change, and there is an urgent need to upgrade the expertise of technically qualified Information Security Auditors so that they can conduct audits from the legal perspective.

This transformation from Technical Information Security Audit to Techno Legal DPDPA Audit is the need of the day and is being addressed by FDPPI through its C.DPO.DA. (Certified Data Protection Officer and Data Auditor) Course.

In order to expand the reach of this course, FDPPI is conducting a three-day offline program exclusively designed for Information Security experts, including “Auditors of CERT-In Empanelled organizations”. The first such program will be held in Bengaluru on 27th, 28th & 29th September 2024.

Venue:

Viveka Auditorium Yuvapatha,

#4, 31st Cross Rd, 4th T Block East, 4th Block, Jayanagar,

Bengaluru, Karnataka 560011

Contact: fdppi4privacy@gmail.com

Payment for Registration can be made here:

Fees: Rs 40000/- plus GST of 18%

Discount for CERT-In empanelled auditors: 20%

Early bird discount (for others): 15% (up to 15th September)

Kindly note that all participants would be eligible for a Participation Certificate with 18 hours of CPE. The participants are also eligible to attend the online examination by October 15 and obtain the full C.DPO.DA. certificate.

The program would be led by Naavi and would include several case study discussions and practical issues in the implementation of the DPDPA Act and upcoming rules.

The program would also discuss the details of India-based frameworks such as the Cyber Security Framework of CERT-In and the BIS standard (draft) for Data Governance and Data Protection. It may be noted that at present there is no other similar program in India with a focus on Indian requirements of data protection, particularly to the depth to which this program goes.

Appropriate reading material would be provided during the program for the participants.

This program will further strengthen the approach of FDPPI to develop an indigenous approach to DPDPA compliance using DGPSI, along with the CSF of CERT-In for the information security of applicable personal information.

Price with GST

(For the Bengaluru Program only)

Type | Discounted Price | GST | Total
Cert-In Auditors | 32000/- | 5760/- | 37760/-
Early Bird (till 15th September 2024) | 34000/- | 6120/- | 40120/-
Full price | 40000/- | 7200/- | 47200/-
Examination fee and Membership fee discount worth Rs 20000/- available in addition to the above.

The program is designed for “Auditors of CERT-In Empanelled organizations” and the capacity is limited to a maximum of 25 participants. A few auditors who are not “Auditors of CERT-In Empanelled organizations” are being accommodated on specific request.


Key to Transformation…. DGPSI 5

We all know that the world around us is changing. Even to remain where we are, we need to keep running. Otherwise the world around us moves ahead and leaves us behind, for no fault of our own.

Transformation is therefore the key to professional success or even professional survival.

Naavi himself was once a Banker with relatively high expertise in accounting, tallying of books, customer service etc. Today I have moved through a marketing and advertising role, an information security role and a Cyber Law role, and landed up in the Privacy and Data Protection role. The journey has been exciting, but change was the essence of that journey.

With DPDPA 2023 in place, it is time for other professionals to also look at the need for transformation in their career. Whether they are experts in ISO 27001 or GDPR, whether they have certifications such as CISSP or CIPP, it is time to look at new horizons such as DGPSI and C.DPO.DA.

It is the duty of professionals who have made a few steps forward to try and take the others along this path of development, irrespective of the competition that it could generate for themselves. Remember that a Cricket team requires batsmen, bowlers and specialist fielders in different positions. Even the batsmen and bowlers differ among themselves. Likewise, the Privacy and Data Protection Community requires multiple members to constitute a team. Unlike a cricket team, with the limitation that only 11 players can play at a time, the Data Protection Profession can accommodate many more.

It is therefore necessary for organizations like FDPPI to assist professionals who are today in the information security area, the legal area or Corporate Governance to move into the area of Privacy and Data Protection. Some may aspire to be DPOs in companies and some may aspire to be “Data Auditors”.

One such community FDPPI is now addressing is the community of CERT-In accredited auditors. These audit firms are now engaged in different audit programs related to ITA 2000, and also whenever data breaches occur. With DPDPA coming into effect, the role of CERT-In auditors has undergone a change. Now data breaches need to be evaluated under both ITA 2000 and DPDPA 2023. IS audits have to be compliant with both ITA 2000 and DPDPA 2023. With a penalty of Rs 250 crores plus, companies are keen that their DPDPA compliance is in place. The buzzwords in the industry are therefore “Compliance By Design” and “DPDPA Audit”. There will also be special “Conformity Assessment Certifications” that are required under DPDPA 2023.

FDPPI has therefore taken the first step to bring the CERT-In auditors into the domain of Data Audit and has specially structured a three-day offline program in Bangalore on September 27, 28 and 29, in association with CERT-In.

This will be a first-of-its-kind program that engages experts in Information Security audit and enables them to take up a Techno Legal audit of DPDPA conformity.

The registration requests are being received now through email at fdppi4privacy@gmail.com

More information is available in the following brochure.

The program will cover DPDPA 2023 in particular and the data audit measures required. It is meant both for those who will be DPOs and for those who will be Data Auditors in the coming days. It will also cover the essence of GDPR and ITA 2000 as related to Personal Data Protection, and even CPA 2019 as required. In the audit section it will take off from ISO 27001 but focus on the CSF of CERT-In. The DGPSI framework already covers these aspects, including the draft BIS standard on Data Governance and Data Protection, which is also part of the coverage.

In summary, the course will truly be the first of its kind, and professionals who want to be ahead of others should take up this opportunity without fail.

The 3-day course is priced at Rs 40000/-, but CERT-In accredited Auditors get a 20% discount, and others get early bird discounts along with complimentary membership of FDPPI and other benefits.

Act today if you want to be ahead of others…. Drop an email to fdppi4privacy@gmail.com

Naavi
