A Mass DPDPA training Campaign to start

As the D-Day for publication of rules for DPDPA 2023 is approaching, Naavi/Cyber Law College and FDPPI have decided to run a special awareness-building program on DPDPA 2023, Global Data Protection Laws and Certified DPO and Data Auditor.

The objective of this campaign is to ensure that we reach out to a large number of professionals aspiring to learn about DPDPA 2023 as a law and prepare themselves to be the next generation professionals such as DPOs in India and Data Auditors.

Over the next few months, there will be several in-house physical training programs, customised to the requirements of different organizations and separately priced. This new campaign is meant for the “Virtual Online Sessions” based on recorded videos and pre-arranged real-time mentor sessions online.

Watch out for details.

Naavi

Posted in Cyber Law

EU AI Act adopted by the EU Council

On May 21, 2024, the EU AI Act was given the final approval of the Council of the EU and is set to be published in the Official Journal. It will enter into force on the 20th day after publication and will be generally effective after 24 months.

We had started discussing the different provisions of the EU AI Act in these columns, and this will be continued.

Some of the articles already published are:

1. March 17, 2024: The EU Act on Artificial Intelligence

2. April 3, 2024: Impact of EU AI act on India

3. 4th April 2024: Defining of AI: DGPSI approach

4. 5th April 2024: Applicability and Non Applicability of EU-AI Act

5. 6th April 2024: Classification of AI under EU AI act

6. 6th April 2024: “Conformity Assessment” under EU-AI act

7. 7th April 2024: Classification of AI under EU AI act

8. 8th April 2024: Intersection point for EU AI Act and DGPSI: AI-DTS

9. 10th April 2024: Generative AI and EU AI Act

The discussions will continue.

Naavi


Fraud by 9900880457: “Your phone will be deactivated”

For some time now, a fraud is being attempted through automated calls made from different numbers stating… “Calling from Telecom department… All your phones will be deactivated within 2 hours. Press 9 for more information”, etc.

It is obvious that this is a fraud. However, such frauds occur because telecom companies do not take preventive action and police do not come in except after somebody who has lost money complains.

Just now I received such a call from the number 9900880457. Earlier such calls have come from other numbers also.

I want people to be careful about such calls. If possible, the above mobile number (which may be fake) should be traced.

Naavi


“B2B-DTS” for DPDPA compliance tailored to Manufacturing industries

Yesterday we had an interaction with a large group of CIOs in Coimbatore and discussed the DGPSI framework as a solution to DPDPA compliance.

As a part of the discussion, a need has emerged for considering the manufacturing industries with only B2B services as a separate category/sector for which DPDPA compliance has to be specifically designed.

The DGPSI framework already has a simpler version called DGPSI Lite with 36 implementation specifications, and DGPSI Full with 50 implementation specifications.

Both frameworks are applicable across different sectors, including the manufacturing sector. The DGPSI Full version also addresses some Data Governance issues, while DGPSI Lite is limited to DPDPA compliance.

While implementing these frameworks for manufacturing industries, the fact that their exposure to personal data processing is limited to employees is already factored in. In case the manufacturing industry has retail stores or e-commerce websites, their exposure to DPDPA 2023 increases.

However, there are many industries that do not have e-commerce and do not have retail sales, and hence their encounters with personal data are limited to employees: current, prospective and past.

Considering this restricted exposure of B2B companies, the DPDPA gap assessment as well as implementation has been simplified, leading to an assessment which is named “B2B-DTS”.

Hopefully this will enable a large number of eligible industries in this category to meet the compliance certification quickly, without the rigorous requirements of a company which has personal data collections on a large scale from consumers.

Companies interested in such assessments may contact Naavi/Ujvala Consultants Pvt Ltd for more information.

Naavi


International Information Security conference at Bangalore

On June 28, 2024, Bsides Bangalore is conducting its “Security Bsides Bangalore 2024”, a premier cyber security conference in India, at Marriott, Whitefield, Bangalore.

 



Use of AI-led Compliance Software for DPDPA

As a natural development of technology there is a scramble by product manufacturers to create products and services to offer “Compliance Products”. Most of these vendors are focussing on developing a “Consent Management Solution”.

The essential feature of such software would be to record the consent for a given set of personal data, give it an identity tag and attach it to the personal data set so that it can be referred to whenever required. The consent has to meet the expectations of “Purpose Orientation”, “Data Minimisation” and “Data Retention Minimization”.

One of the dilemmas companies have is whether they can take one perennial consent for collecting personal data for multiple purposes, which is logically the most suited for business.

However, the law does not support such an omnibus, omnipotent, omnipresent, ever-alive consent.

Hence the consent collection, use and retention mechanism has to be a carefully considered plan that meets the legal requirements without seriously hindering business operations.

Probably the appropriate use of AI should help. However, when an AI is developed on faulty training data, the AI output will also be faulty. One option that the ML program has is to parse all similar websites and their privacy policies and gather intelligence which can be incorporated in its own policy. Obviously the user will provide his own inputs on the purpose, data requirements, retention objectives etc., so that the AI algorithm will develop a suitable privacy policy that can be used.

In such automation, it is important to recognize that “Legal Compliance” is difficult to automate successfully and strict human supervision is essential.

As more and more such products surface, FDPPI will apply its “Product-DTS” tool to evaluate the compatibility of the product with the Indian DPDPA system and provide a “DTS Score”.

Data Fiduciaries need to be careful when selecting solutions, since any purchase of such a product is likely to be a long-term purchase and difficult to change subsequently.

When FDPPI auditors evaluate a Data Fiduciary, they look at such service providers as “Joint Data Fiduciaries”. But the product vendors themselves have an option to get their products evaluated as a pre-sales qualification criterion. Such evaluation takes into account the principles of the EU AI Act, the ISO 13485 etc. Obviously this is a complex process, perhaps more complex than a routine DPDPA audit for a Data Fiduciary.

FDPPI therefore operates such assignments through a “Consortium” of its experts so that the technology intricacies are considered along with the Legal, Governance and Business issues. Exciting days are ahead in incorporating the EU AI Act with DPDPA compliance, and we look forward to the same.

Naavi
