One of the hallmarks of rapid development is the ability to learn from others. Hence it is natural that IS17428 could have borrowed some concepts from the pioneering framework of PDPSI.
Though IS 17428 has carefully avoided any reference to PDPB 2019, as if it were non-existent, it could not ignore the need to recognize one of the features of PDPSI, namely the concept of “Measurability” of a Personal Data Protection Management System (PDPMS).
Standard 12 of the PDPSI (refer to page 16 of the Handbook on PDPSI) states:
“Appropriate measures amenable for measurability of compliance shall be maintained”.
The explanation to the standard states:
PDPSI requires the Data Auditor to assess the compliance not only against the implementation charter adopted by the organization, but also the larger standards expected under the relevant law as per the evaluation of the data auditor.
This assessment is required to be converted into an indicative compliance score such as the Data Trust Score and shall be disclosed to the auditee organization as well as the Certification body where required.
Though computation and disclosure of the measure of compliance is not mandatory in some data protection laws, it is considered a good practice and has been made part of the PDPSI audit system.
The disclosure of the Data Trust Score as declared by the auditor to the public may depend on the legal requirements and the discretion of the organization.
The Certification system under PDPSI envisages that the auditor will compute the DTS, inform the auditee company and also inform FDPPI. FDPPI will, upon receiving consent (if provided) from the auditee company, publish the DTS.
As a part of the audit training, the auditors have been trained in a detailed system of DTS calculation which incorporates the auditor's assessment of the PDPMS of the auditee company.
In the first year of DTS evaluation, a single number represents the DTS. In subsequent years, the DTS is suffixed with a trend indicator such as + or –, indicating an improving or declining trend.
We may now see what the younger brother (Chota bhai), IS 17428, has indicated regarding the evaluation of the DPMS.
Para 5.15 of IS 17428 (Part 2) states:
Measurement and Continuous Improvement
Appropriate metrics should be developed to track various aspects of the DPMS. The metrics could be qualitative or quantitative and need to be chosen, among other factors, based on the current maturity of the organization.
Five examples of metrics are indicated, namely:
a) Lead time to mitigate privacy risks
b) Number of Critical Privacy Incidents
c) Service level agreement to address and close privacy incidents/breaches
d) Number of changes that were not subjected to PIA
e) Percentage of staff trained on data privacy
The guideline suggests that the triggers for improvement initiatives could come from unfavourable performance as reflected by the measurement program, and that improvement can be demonstrated broadly in two forms, namely:
- Consistent trend in improvement
- Exceeding set target based on industry standard
IS 17428, however, does not go further in defining how the “measurement program” can be developed.
It is left to the discretion of the organization to develop its own measurement program.
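Since IS 17428 leaves the measurement program to the organization, here is an added Python sketch of what such a program could look like; it is not code from the standard, from PDPSI or from the author. It computes the five example metrics (a) to (e) from constructed records and attaches a DTS-style + or – trend suffix; the records, the targets and the 0-100 composite scoring are assumptions and do not reproduce the PDPSI DTS parameters or weights.

```python
from statistics import mean

# Constructed sample records for one review period (not real audit data).
RISKS = [("R1", 0, 12), ("R2", 3, 20), ("R3", 10, 20)]       # (id, day identified, day mitigated)
INCIDENTS = [                                                 # (id, critical?, opened, closed, sla_days)
    ("I1", True, 1, 4, 5), ("I2", False, 6, 20, 10), ("I3", True, 15, 18, 5),
]
CHANGES = [("C1", True), ("C2", False), ("C3", True)]        # (id, PIA performed?)
STAFF = {"total": 40, "trained": 34}

# Hypothetical targets (metric, target, lower_is_better); not PDPSI's DTS parameters or weights.
TARGETS = [("lead_time_days", 14, True), ("critical_incidents", 1, True), ("sla_met_pct", 90, False),
           ("changes_without_pia", 0, True), ("staff_trained_pct", 95, False)]

def compute_metrics(risks, incidents, changes, staff):
    """The five IS 17428 example metrics (a) to (e), computed from the records."""
    closed = [i for i in incidents if i[3] is not None]
    within_sla = sum(1 for i in closed if i[3] - i[2] <= i[4])   # closed inside the agreed SLA window
    return {
        "lead_time_days": mean(m - o for _, o, m in risks),      # (a) mean days to mitigate a risk
        "critical_incidents": sum(1 for i in incidents if i[1]), # (b)
        "sla_met_pct": 100.0 * within_sla / len(closed) if closed else 100.0,  # (c)
        "changes_without_pia": sum(1 for _, pia in changes if not pia),        # (d)
        "staff_trained_pct": 100.0 * staff["trained"] / staff["total"],        # (e)
    }

def score(metrics):
    """Composite 0-100 score: a metric earns a full point at target, a proportional share below it."""
    points = 0.0
    for name, target, lower_better in TARGETS:
        value = metrics[name]
        if lower_better:
            points += 1.0 if value <= target else target / value
        else:
            points += 1.0 if value >= target else value / target
    return round(100 * points / len(TARGETS), 1)

def with_trend(history):
    """DTS-style display: a bare number in the first year, then a + or – suffix for the trend."""
    if len(history) == 1:
        return f"{history[-1]}"
    cur, prev = history[-1], history[-2]
    suffix = "+" if cur > prev else "–" if cur < prev else ""
    return f"{cur}{suffix}"

def improvement_demonstrated(history, target=80.0):
    """IS 17428's two forms of improvement: a consistent improving trend, or exceeding the set target."""
    consistent = len(history) >= 3 and all(a < b for a, b in zip(history, history[1:]))
    return consistent or history[-1] > target
```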
PDPSI has however covered the last mile requirement of how the DTS can be evaluated and how the qualitative observations of the auditor can be converted into a quantitative assessment as envisaged by the PDPB 2019.
The younger brother, born later, probably missed an opportunity either to follow the big brother or, more appropriately, to design an even better system given the advantage of the prior knowledge it had access to.
The DPA, when it is formed, is expected to come up with its own suggestions on how the DTS may be computed. However, the current system of PDPSI is so comprehensive that it can accommodate any variations that may be brought in by the DPA.
Whether the DPA adopts only a few parameters of measurement, such as those suggested by the Naavi 5X5 DTS system or IS 17428, or the more comprehensive 50-parameter evaluation used by PDPSI, the PDPSI framework is ready to compute the DTS both at its own expected level of maturity and at the level of maturity the DPA expects.
The PDPSI-DTS system is therefore “Ready for the Future”.