[In continuation of the earlier articles on PDPSI, we proceed to unravel the further details of the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available an open source guideline to Indian companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012 and GDPR as well as Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]
PDPSI is a standard for “Techno Legal Compliance”. Hence the controls under PDPSI go beyond the usual technical controls such as firewalls, IDS systems, access control, encryption etc.
Additionally, it is important for us to recognize that most organizations outsource many of their activities and are also themselves sub-contractors for certain data processing activities.
The regulatory framework envisages that the entire ecosystem of personal data processing needs to be accountable for meeting the regulatory compliance requirements. As a result, every organization has a liability to its upstream data provider and imposes liabilities on the downstream data processors. These transfers of responsibility occur through business contracts.
Most of the time the business contracts stop at defining the service requirements and the financial commitments. But in the current regime of data protection, the “Information Security” obligations also need to be defined as a part of such contracts. Thus a Data Collector (First Data Controller) collects personal information under a consent contract and hands over the information to a secondary data controller, who in turn hands it over to the data processor, and so on, all through business contracts.
Hence every organization processing data will have several business contracts, each of which may prescribe its data processing liabilities. It is therefore necessary for the DPO to understand such obligations and factor them into his activities.
Most of the time these business contracts are executed by business executives without adequate consideration of the information security requirements. Hence the DPO needs to ensure that his requirements are well understood by the business executives so that every contract is “Compliance Ready”.
Assuming that the business executives do execute such contracts, it is the responsibility of the DPO to keep track of the inventory of “Data Protection Liabilities” arising out of these contracts and monitor changes that may occur from time to time.
Sometimes there would be difficulties in implementing these requirements, and notices of compromise may have to be exchanged. All such requirements need to be documented for the purpose of compliance.
PDPSI therefore expects that the subject company has a robust policy under which every contract signed in the name of the company is brought on record, serially numbered, and the obligations undertaken are duly noted for compliance throughout the life cycle of the contract.
(To Be continued)
Other Reference Articles
- A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
- Data Protection Standard of India- (DPSI)
- Data Classification is the first and most important element of PDPSI
- Why 16 types of Data are indicated in PDPSI?
- Implementation Responsibility under Personal Data Protection Standard of India
- India to be the hub of International Personal Data Processing…. objective of PDPSI
- Principles of PDPSI
- Pentagon Model of TISM…An implementation approach to PDPSI implementation
- Personal Data Gate Keepers and Internal Data Controllers in Organizations
- Legitimate Interest Policy
- Implement “My Bhi Chowkidar” policy for Personal Data Protection.
- Criticality of the Grievance Redressal Mechanism in PDPSI
- Data Breach Notification-What PDPSI expects
- Naavi’s Data Trust Score model unleashed in the new year
- Naavi’s 5X5 Data Trust Score System…. Some clarifications
- Naavi’s Data Trust Score Audit System…allocation of weightages