DPDPA 2023 Discussion held at MMA Chennai on August 24, 2023

Dear Friends

Last year, we held an event in Chennai on August 24, 2023 in which we discussed DPDPA 2023 just after it was passed on August 11, 2023.

The discussions held on that day are relevant even today and hence we are re-publishing the same here for reference.

In the meantime, even after one year the rules are yet to be notified. We expect the rules to be officially notified any time during this week.

However, a few weeks back, the MeitY had discussed a version of rules with select industry players which indicates roughly the thoughts of the Ministry. The organizations which had the privileged access to this document were the likes of Facebook (Meta), Amazon, Google etc., who are all globally renowned for their business. The passage of the law will definitely impact these organizations adversely and hence there is a vested interest for them to delay the implementation of the law and dilute it to the extent possible. These MNCs are also those who will go to the Court immediately to challenge the law and the notification. But the MeitY trusts them by sharing the draft rules with them with the hope that there will be a consensus.

Unfortunately, there is unlikely to be any consensus and the “Non Privileged” part of the industry who are the organizations who will really comply with the law are waiting for the law endlessly with the fear of “Rs 250 crores” penalty hanging over their heads.

In this context, this copy of “Business Mandate”, the magazine of MMA, to which I had the privilege of contributing a column a long time back, and a video of the panel discussion that captures the DPDPA 2023 as an Act are available here.

On July 27, 2024, FDPPI conducted an event in Bangalore where the draft rules referred to above were discussed with industry leaders and feedback from the industry was gathered and submitted to MeitY with the hope that some of these suggestions can be incorporated in the rules when notified next for public comments. The program was a paid event and the entire proceedings are available in video form in FDPPI’s Jnaana Bhandar which is available on subscription basis.

I invite professionals to subscribe to this Jnaana Bhandar and also join the community of FDPPI as a “Member” so that they can contribute to the developments in Data Protection in India. FDPPI is a participative movement in which every data protection professional should participate. Whether you are a designated DPO or not, whether you are just a Lawyer interested in Privacy, a Manager worried about Data Governance or a Technology person who is in Information Security area, FDPPI is open to participation.

You can download the Membership brochure here. You can also visit www.fdppi.in for more information.

Now Naavi is recording a separate video of his views on the draft rules and it will be shortly available here. The objective is to keep the professionals ready to pass proper comments when the Government wants their views.

Naavi

Posted in Cyber Law | Leave a comment

Invite Influencer Titans to be also Guardians of Privacy

Recently Mr Gaurav Batra, Founder & CEO of CyberFrat got together 100 professionals as “Influencer Titans” under the banner of CF 100.

This unique group consists of Lawyers, Police Officers, Information Security Professionals, etc.

It is the desire of FDPPI to invite this entire team to be also the “Guardians of Privacy” so that they can exercise their influence in the emerging field of Data Protection.

Towards this end, FDPPI would like to organize a Grand Round Table of all these professionals and discuss certain key differentiators for being “Guardians of Privacy”.

Watch out for more information on this.

Naavi


DGPSI is the Indian Standard for Privacy and Data Protection by Design and Default

One of the notable mentions made by Prime Minister Mr Modi during the Independence Day Speech yesterday was a call for development of Indigenous standards.

This was heartening since FDPPI has been working on the indigenous standard DGPSI (Data Governance and Protection Standard of India) which is meant as a framework for organizations to be compliant with DPDPA 2023.

Currently many organizations and professionals work around available but incompatible frameworks such as ISO 27001 and 27701 and claim that they are able to achieve compliance of DPDPA 2023.

This view arises from the fact that the companies know these frameworks, have worked with them and are familiar with them. The fear of the unknown and “Resistance to Change” prevents them from even considering an alternative solution. Often they find excuse in the fact that their customers ask them if they are ISO 27001 compliant or GDPR Compliant and therefore they have no choice.

Choices can be considered only if there is a conviction that frameworks like ISO 27001 or 27701 were created for different contexts and though they may be best suited for those contexts, they need not be so for the Indian context.

For example, we have repeatedly drawn comparison to Cricket and pointed out that Gavaskar is a legend but today for the T-20 matches he is not the right choice ahead of say Suryakumar Yadav. Mr Neeraj Chopra may be the best Javelin Thrower in India but you cannot ask him to compete in discus throw or shotput.

Once companies shed their resistance to look at the new frameworks, they need to understand what the framework suggests and arrive at their own conclusions about whether a customized ISO 27701 is a solution for DPDPA 2023 compliance or DGPSI is a better solution.

We must also accept that “Frameworks” are only guidelines and just because we follow a framework it does not mean that we are perfect in compliance. We all know how many companies in India are ISO 27001 compliant and whether they have the necessary security infrastructure. Implementation is therefore extremely important and this comes only with the understanding of the law of DPDPA 2023.

FDPPI in its One day workshops on “Implementation Challenges in DPDPA 2023” of the type being conducted in Navi Mumbai on August 31 and in Mumbai on September 1 addresses these requirements.

We invite all professionals in Mumbai and Pune to take advantage of this program and attend the same.

P.S: Ujvala Consultants Pvt Ltd and Cyber Law College are sponsoring 5 deserving participants in each of the two locations in Mumbai who may be finding the participation fee a hurdle. Contact Naavi immediately if you desire to avail this offer since this will be on a First Come First Served basis. These 10 persons will be designated DGPSI ambassadors in Mumbai.

Details of the program are available at: https://fdppi.in/wp/mumbai-on-31-8-and-1-9/

Naavi


Saying ‘No’ to Sunny and ‘Yes’ to SKY

Investment Managers often find a situation when they have to choose a stock for investment not for themselves but for others. As an investor they follow a logic of personal challenge and are able to take higher risks. But in an investment firm, when it comes to investing for others as a manager of a portfolio or a mutual fund organization, they tend to take the “Follow the Crowd” attitude. The reason is that “Safety First” attitude overcomes their rational thinking.

The logic is when you invest in TISCO and the price goes down, people will judge that the market has failed you. But when you invest in Adani and it goes down, people will judge your decision and perhaps even the intentions. Hence Investment managers building large portfolios always take the path of the crowd. This principle is well known and understood.

When I interact with Data Protection Professionals in India, I find a similar “Follow the Crowd Syndrome”. When we suggest you can use DGPSI framework for compliance to DPDPA, they still have a hesitation to switch from other more popular frameworks. When we suggest C.DPO.DA. as a certification, they still have a resistance to switch from other more popular framework. They forget that the “Popularity” of other frameworks and programs was developed in a different context and for a different purpose which is not relevant for their current requirements.

Self aware professionals should remember that Sunil Gavaskar or Kapil Dev were India’s best Cricketers of all times but when it comes to selecting the current Indian team for T-20, we prefer to choose a Surya Kumar Yadav or even Shivam Dube.

Let us reflect on why we are prepared to discard respected legends and switch over in such cases and draw lessons on choosing DGPSI or C.DPO.DA.

I agree that this largely depends on the self confidence and awareness of the professional. If I do not know or am uncertain on what is required for DPDPA Compliance, I will go with the crowd even if I know that the crowd may be wrong. The logic is “Being wrong with the crowd” is better than “Going alone and facing the responsibility of justifying your action”.

For those who are sure of their ground, it becomes easy to choose the right path. This requires effort in understanding what is required to be a good Data Protection Officer or Data Auditor in India and what it means to construct and maintain a Data Governance and Protection Management System (DGPMS) in India rather than an ISMS. For those who know, it is immaterial if his ignorant customer may think it is better that vendor systems pass the test of ISMS instead of DGPMS.

FDPPI during its month end programs in Mumbai on August 31 and September 1, will discuss 27 implementation challenges and Solutions that are confronting us in the light of DPDPA 2023.

The objective of this program (one in Navi Mumbai and another in Mumbai) is to ensure that our professionals acquire the level of self awareness of DPDPA and Self Confidence so that they can break out of the crowd.

I request all ISMS auditors to check and find out if they are good enough for being called DPDPA auditors in the days to come and if not how they develop themselves towards this coveted opportunity.

When you say No to Sunny and Yes to Sky, people understand the context. Similarly when you choose C.DPO.DA. or DGPSI, people will understand.

Naavi


Digital Privacy Day of India

Last year, on August 11, DPDPA 2023 was signed by the President into a law. This year we are still expecting that the rules will be notified any time during this fortnight.

However it is time for us to remember the importance of August 11, 2023. Last year we declared it to be recognized as Data Protection Day of India. Whether it is called Data Protection Day or Digital Privacy Day does not matter. But there is a need to recognize the relevance of the day. Let us therefore continue our effort to mark the day.

The only way we can celebrate the day is to ensure that we offer something to the society.

Naavi has today made a representation to the CJI regarding introducing a “Register of Legal Guardians Approved by Courts in India” to enable implementation of Section 9 obligations. Naavi has also decided to launch the process of developing the application for “Verifiable Consent for Minors”.

Additionally Naavi with FDPPI has extended a massive 50% discount on membership of FDPPI, Course subscriptions and Subscriptions for the upcoming workshop at Mumbai only for registrations made today.

I hope other organizations will follow with similar or better activities and offers.

Naavi
