The inauguration of the Bala Rama Temple in Ayodhya has started a new era in India which should revitalize the old civilization of India. We are therefore entering a new era which we can call the Shrirama shaka.
Naavi.org has been advocating “Cyber Law” and was born with the slogan Let’s Build a Responsible Cyber Society where law would be fair and people would comply voluntarily.
In practice it is not always possible for the law to be drafted in a balanced manner and even if it is so, for the Judicial system to apply it fairly. But the endeavour has to continue. The concept of “Jurisprudence” has to guide both the law makers and law enforcers to be fair and balanced.
Naavi.org is neither a law maker nor a law enforcer but has been trying to fight either a bad law or bad enforcement while at the same time trying to persuade the public to be compliant. In the past we have supported the litigation requirements of the public through CEAC as well as through direct participation in the S Umashankar case.
This effort to support the fair establishment of law as a part of the “Rama Raajya” concept will continue even in the emerging Shrirama Shaka. However, due to the contextual circumstances, Naavi may restrict its activities to education only and not take up litigation support work.
To mark a new beginning, Naavi will re-dedicate himself to a new range of educational activities both in the Cyber Law as well as in the Data Protection Area.
Watch out for the announcements through this website.
The concept of Data Protection as management of Personal Data of individuals involving certain Privacy Principles in addition to information security concepts emerged from the need to protect the Privacy Right of the individual.
In protecting Privacy, the concept of Information Security was enhanced with the principle of giving the personal data owner a right of choice over how a third party may use his personal data. Hence “Consent” became the main parameter on which personal data needs to be governed by any organization.
At the same time, to be fair to the community, there was a need to incorporate some of the legitimate interests of business and the Government. Hence the final outcome of the data protection law is an attempt to balance the interests of individuals with the interests of business and the Government.
This principle of “Fair Governance” is reflected in the DGPSI framework, which is the only framework available to date for compliance with DPDPA 2023.
Some of the key principles adopted by DGPSI (Data Governance and Protection Standard of India) which reflect “Fair Governance” are:
a) Need for a Data Valuation policy to enable the Management to understand the financial risks involved in the Governance of Personal Data
b) Need for a Data Monetization policy to represent the interest of the business where “Privacy Compliant Data Monetization” is pursued.
c) Need for a “Data Disclosure Policy” to support the requirements of law enforcement and the Government while ensuring that personal data is not misused.
d) Need for Responsibility Distribution so that the entire organization and its work force take up the responsibility for compliance.
Understanding and implementing the requirements of different sections of Personal Data Users is also the concept of Fair Governance of a Kingdom, which came to be recognized as the “Rama Rajya” concept. We may remember it on the day when India enters an era of awakening with the opening of the Ayodhya Rama Temple.
While we await the civilizational event at Ayodhya tomorrow, DGPSI of FDPPI takes a leaf out of the concept of Ramarajya as a symbol of Fair Data Governance as part of the Compliance framework of DPDPA.
After DPDPA 2023 has become a reality, there is a scramble to find a framework of compliance which can assist organizations in implementing a Data Governance and Protection Management System (DGPMS) which can provide “Compliance by Default and Design”.
The key compliance requirement of the Act is contained in Section 4(1) of the Act, which says:
A person may process the personal data of a Data Principal only in accordance with the provisions of this Act (a) for which the Data Principal has given her consent; or (b) for certain legitimate uses.
Consent or legitimate use is a necessary aspect of the obligation but not a “Sufficient” one. The obligations cover all the other provisions of the Act, which also need to be taken into account.
An organization that needs to be compliant with DPDPA 2023 cannot rely on existing frameworks such as ISO 27001, which addresses only one aspect of compliance, namely how to preserve the confidentiality, integrity and availability of personal information for those who have a need to know, or ISO 27701, which extends ISO 27001 to the legal basis of processing and the rights of data principals under GDPR.
While there is always a possibility of adapting ISO 27001 or ISO 27701 to compliance with DPDPA 2023 if the implementer is innovative enough, the need for India to develop its own framework that directly addresses DPDPA Compliance has arisen with the passing of DPDPA, which is not GDPR.
If DPDPA is not GDPR, it is not logical that we should use ISO 27701 for DPDPA Compliance.
The TINA principle (There Is No Alternative) unfortunately does not apply in favour of ISO 27701, since FDPPI has been working on the alternative in anticipation of the law being passed in India. Accordingly, PDPSI or Personal Data Protection Standard of India was introduced after PDPB 2018 was released, was progressively upgraded through PDPB 2019, DPA 2021 and DPDPB 2022, and is now available as DGPSI or Digital Governance and Protection Standard of India.
DGPSI recognizes that compliance with DPDPA 2023 also requires compliance with ITA 2000, since some sections of ITA 2000 remain relevant even after DPDPA 2023 comes into existence.
For example, we can recall Section 72A of ITA 2000, which states:
(72A of ITA 2000) Penalty for Disclosure of information in breach of lawful contract
Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person shall be liable to pay penalty which may extend to twenty-five lakh rupees
This section will continue to apply even after DPDPA 2023 comes into being.
Similarly, there are several other sections of ITA 2000 applicable to Personal Data Breach that need to be complied with by a Data Fiduciary as well as a Data Processor.
Hence the DGPSI framework also recognizes and incorporates ITA 2000 compliance requirements into the implementation framework, which ISO 27001/27701 may not consider.
As a bonus, DGPSI also includes part of the Bureau of Indian Standards draft guidelines on “Adequacy of Data Governance and Data Management System”, meant for data driven organizations, which recognizes Data as a valuable asset of a company that is recommended to be managed in a particular manner.
As a result, DGPSI has emerged as the Gold standard for a Compliance framework for DPDPA and perhaps the only standard for implementation.
The fact that it is also available for Certification makes it a TINA in reverse. As of now there is no alternative to DGPSI as a framework for DPDPA 2023. The framework also accommodates the Data Trust Score as a tool of assessment, which can be expressed as a Score for good visibility to the management.
A Glimpse of what DGPSI represents can be captured in the 12 key principles that are the foundation of the framework depicted below.
At the end of this short discussion, organizations need only ask themselves:
Why run around searching for a compliance framework? Why not DGPSI?