Naavi.org

The audit community (eg ISO 27001 audit) generally conducts an audit as a snapshot at a point of time and issue a certificate that the subject entity is compliant. The the certificate would be normally valid for a 3 year period with a clause that the entity should maintain the compliance check through internal audits at periodical intervals. Most auditors also add that in case of any significant change in the operations, the audit should be repeated. As a result, the responsibility for the maintenance of controls after the audit vests with the organization.

The internal audit team of an organization normally maintains a schedule of audit such as quarterly audit or half yearly audit depending on its own risk perceptions. This “Intermittent Audit” is like the Financial Reporting on quarterly basis through Balance Sheets drawn once in a quarter.

In some industries the system of “Continuous Audit” is in vogue where the maintenance checks are conducted at more frequent intervals and observations are made on critical parameters on transaction to transaction basis. In such a system each transaction is filtered through an audit check before being recorded. For example in the case of a Financial Audit, each voucher may be checked for appropriate permissions and authority and on clearance taken on record. In simple decision making environment this can be automated to the extent the audit becomes almost a “Continuous Audit”.

However in the Techno Legal Audits such as GDPR or ITA 2000 or DPDPB audits, the filters involve some legal interpretations which need human intervention more often than in the case of simple financial decisions. In the case of Personal data protection, a “Transaction” may mean collection of a personal data set, or accumulation of identifiers. Some times new processes and disclosure also may be transactions where personal data is processed as a transaction.

Despite the emergence of AI tools, it is difficult to fully automate the Personal Data related transaction verification on a continuous transaction by transaction basis. The effort would therefore be to reduce the intermittent audit period from around 3 months to a lesser duration of say one month or more ideally one day. Such auditing may require some affirmative action by a human and cannot be entirely relied upon on an automated system.

How this “compression” of audit period can be achieved is a complex decision and may also depend on the risk perceptions in the entity. Further in the enterprise level legal compliance, compliance can be measured only in totality of the operations and not on individual transactions. Hence it would be necessary to have an index of compliance as a barometer to be watched. Hence Concurrent Audit in the Techno Legal scenario cannot be done without first developing the measurement index of compliance and tracking its changes.

The DTS system developed by Ujvala Consultants is used by the Ujvala Concurrent Audit system with the use of an online mechanism already developed. Some finer details of how to tag the monitoring of changes to certain parameters of change is being finalized and will shortly be announced as an automated online system for Certification.

The Concurrent DTS evaluation of Ujvala will follow the steps of “Self Assessment”, “Mentor Assisted Self Assessment”, “Summary Assessment based on documentary evidence” . Subsequently the Certification can be passed onto a qualified auditor who is accredited by a suitable organization such as FDPPI.

Watch out for the launching of the “Personal Data Certification” system based on Concurrent audit shortly.

Naavi

In our earlier article we had raised a term “Concurrent Compliance” as one of the goals of PDPSI. This was a new term coined after the more often used term namely “Concurrent Auditing”. In PDPB 2019, apart from the mandatory annual data audit by an external data auditor, Significant Data Fiduciaries were required to conduct “Concurrent Audits”.

Essentially, “Concurrent Audit” means that the organization maintains an ongoing supervision on its activities (in this instance compliance to data protection law) and not an intermittent audit conducted from time to time.

This means that if there are 50 principles of Digital Personal Data Protection Audit, which an external auditor would check once a year, the management has to keep checking these 50 parameters every day and every moment.

If DPIA is conducted as and when a new process is being contemplated, Concurrent audit should monitor DPIA on a daily basis identifying the changes that might occur in its data processing such as a new employee coming in, an existing employee exiting. or when new technology devices are purchased or sold.

Hence Concurrent Audit envisages an integrated system where relevant parameters are monitored on an ongoing basis and a dashboard is available for the management to follow. It is accepted that this is a complex challenge when the business parameters are continuously change. But organizations can work on setting up such systems initially at a higher level and later fine tune it as needed.

Under PDPSI, we are trying to use the online DTS system which we developed some time back as a tool for this Concurrent Auditing. The DTS system is a system which tries to assess the compliance of an organization to a given data protection law over 50 different Model Implementation Specifications (MIS). This was developed to assist the Data Auditor who makes an annual assessment. The same system can be also used by the management by creating a dashboard where DTS is being continuously monitored and fine-tuned.

Presently, we had introduced the online DTS system for PDPB 2019/DPA 2021 and GDPR and presented it on Ujvala.com website. This will now be suitably automated to generate the DTS on a continuing basis. As and when an external auditor makes an assessment, the self-assessed DTS would be modified to reflect the audited DTS. This will enable the synchronization of the internal approach managed by the DPO with the external auditor’s approach and both would learn by mutual exchange of views during the audit.

Await more information to be released on this service….

A few months back, Naavi.org had started a discussion on “Shape of Things to Come” where several aspects of Data Protection Law was discussed through a series of articles. A total of 23 articles were published ending with “Cut paste approach or Zero based approach?..Shape of Things to Come-23″.

We also carried a list of 8 articles on Telecom Act ending with The New Telecom Act-8: Right of Way which is still in draft status.

The Government had at that time announced the intention of revising the ITA 2000 and introducing a new Act titled Digital India Act. (DIA). We had published 4 articles in this series ending with https://www.naavi.org/wp/digital-india-act-4-online-gaming/

Many sugestions have been made earlier also when T K Vishwanathan committee was working on the amendments. One such article was Suggestions on Modification of ITA 2008

Now, on 9th March 2023, the honourable Minister of State for IT, Sri Rajeev Chandrashekar (RC) has unveiled the contours of the new Digital India Act proposed to replace the current ITA 2000. Mr RC made a power point presentation outlining the “Proposed Digital India Act 2023” calling for suggestions to be sent to the Ministry.

We can therefore continue our discussions on the DIA series on the basis of this new draft. A copy of the presentation made by Mr RC is already available here:

One of the first observations that can be made is that DIA is set to be “Principle Based” and not “Prescriptive”. This indicates that the Act would focus more on the regulation of the industry and restrict its penal provisions to only Civil Wrongs. It is likely that the entire Chapter XI of ITA 2000 may be moved as an amendments of IPC. This incidentally explains the logic in the new DPDPB2022 dropping the criminal offence of “Re-identification of Anonymized Information” as well as the amendments sought to be made to ITA 2000 through the JanVishwas Bill. (yet to be passed).

It is perhaps a good idea to place all Cyber Crimes as part of IPC. At present, any crime under IPC where an Electronic Document is an instrument of crime or a target of crime was being defined as a “Cyber Crime” along with specific crimes defined in the ITA 2000.

But Police were often confused on invoking proper sections of ITA 2000 since the names of Cyber Crimes given by the Tech Industry need decyphering with the “Intention based violations” that was the basis for invoking IPC. The legal education system was also not geared to teach ITA 2000 in as much detail as it was necessary for lawyers. These things may change for the better now since Cyber Crimes may become part of IPC.

(P.S: The movement of Chatper XI of ITA 2000 to IPC is an expectation and we need to watch out for the next draft of DIA for confirmation).

…Discussions continue

While the Government of India is in the process of finalizing the Digital Personal Data Protection Bill (DPDPB), Naavi is busy in finalizing the new version of PDPSI incorporating the changes that have been brought in by the DPDPB2022. Once the final Bill is ready and presented in the Parliament, the new version will be released and a training program for auditors would be started in April 2023 as a Certification program.

The essence of this new version of PDPSI (version 2023) would be the concept of “Concurrent Compliance” where the management of a data fiduciary would be monitoring the compliance parameters on an ongoing basis.

The Concurrent Compliance Tool which would be available for companies online would enable even Data Auditors to conduct audits.

If the audits are to be certified by FDPPI, there will be certain requirements. Otherwise the tool can be used as a Self assessment tool.

We are looking forward to the Government to come up with the new version of the Bill.

FDPPI will also be commencing parallelly a program on Module I on Indian Data Protection law in April as soon as the Bill is ready.

Watch out for necessary information here shortly.

Honourable Minister of State for IT, Sri Rajeev Chandrashekar (RC) launched the first public consultation on the proposed Digital India Act 2023 (DIA2023) at Hotel Conrad, Bangalore on 9th March 2023.

During the interaction, RC presented the thoughts of the Government on the proposed law which will replace the Information Technology Act 2000 and also answered queries from the audience both those who were present physically as well as many in the virtual conference.

Mr RC was extremely cordial and provided honest answers to all the queries raised. It was a very pleasant interaction. Mr Rakesh Maheshwari the Group Coordinator, Cyber Law Division and Dr Sandeep Chatterjee who is succeeding him in this role were also present during the interaction.

Mr RC highlighted that currently ITA 2000 along with the Intermediary Guidelines and Digital Media Ethics Code, Certifying Authority Rules, SPDI rules, Section 79 rules, Indian CERT and Cyber Appellate Tribunal as the framework of regulations.

He indicated that this framework will be replaced with the Digital India Act 2023 along with the DPDPB2023, DIA rules, National Data Protection Policy, and ongoing amendments that will happen to IPC.

The main goals set up for DIA include the Open Internet, Online Safety and Trust, Accountability and Quality of Service, Adjudicatory Mechanism, New Technologies etc.

The broad contour of the Act was laid out as follows:

1.Preamble

2.Principles

3.Digital Government

4.Open Internet

5.Online Safety and Trust including Harm

6.Intermediaries,

7.Accountability,

8. Regulatory Framework,

9. Emerging technologies and guiding rules

10. Miscellaneous.

It may not be surprising if DIA 2023 is also as simple as DPDPB2022 and most of the Chapter XI moving to IPC. Already the Jan Vishwas Bill has “de-criminalized” many sections of ITA 2000 and the trend appears to be to keep all crimes under IPC and relieve DIT 2023 from the burden of CrPC/IPC.

It was suggested that public may send their views and recommendations which will be duly considered. During the question and answer session that followed, Mr RC indicated that the intention of the Government was to bring the law in 2023 and the consultation process may take 3-6 months before a draft law would be published.

The suggestions may be sent by email to to gc@meity.gov.in

P.S: During the interaction, one could gather that the DPDPB2022 is done and dusted and the attention of the Government is on the DIA 2023. We can therefore expect that the DPDPB2022 will be presented in the Parliament as expected in the next half of the current Parliamentary session starting on March 13.

Naavi

Copy of Presentation made by Mr Chandrashekar at Bangalore

On 7th March 2023, the Finance ministry has issued a Gazette notification as follows.

Read along with PMLA, this means that any person who is directly or indirectly associated with entities like the above will be exposed to penalties under section 3 of PMLA.

Naavi