PIMS (Personal Information Management System) is the next buzzword in the Information Security domain that will be discussed by the Data Protection professionals.
Presently, two international frameworks namely the BS 10012 and ISO27701 are available for us to follow. The undersigned has however developed a separate framework titled the Personal Data Protection Standard of India (PDPSI) which has been developed with the exclusive idea of assisting Indian Organizations and more particularly the SMEs and MSMEs.
It is our belief that Information Security Framework is developed by experts in order to guide the community for adopting it as a business practice that benefits the organization. When multiple organizations adopt a food framework of information security, the community would benefit.
Such a framework should be “Open Source” and not looked upon as a Cash Cow by charging exorbitant fees for the community members to know what is the best practice to follow.
Whether it is BS 10012 or ISO 27701, it costs around Rs 13000/- each to acquire and read. ISO 27701 makes normative reference to four other standards namely ISO 27000,ISO 27001,ISO 27002,ISO 29100. To understand ISO 27701 we therefore need to acquire and study all these collateral documents. Fortunately BS10012 does not have any normative references.
Those organizations which are considering the PIMS now and donot have earlier ISO implementations, need to therefore spend a significant money just to acquire a document that lists out the suggested practices. The interpretation and implementation through a consultant is the additional expenses.
Basically these frameworks list out the broad outlines of compliance requirements as follows:
ISO 27001 continues with specific guidance related to ISO27001 and ISO 27002 as also guidance directed to Controllers and Processors.
The PDPSI incorporates all these principles though the document is under development. In principle, PDPSI focuses on five foundation principles represented by the following diagram.
This model compresses the normal technical controls into one segment and all policy controls into a second segment. The need to manage the human elements is packed into the third segment. The Leadership, commitment etc is clubbed under Responsibilities. The classification of data is considered a separate foundation requirement which defines also the scope of the implementation.
PDPSI recommends a “Distributed Implementation Leadership with a Top level policy leadership along with a designated person for accountability”.
For those who are accustomed to a specific format of the ISO/BS, PDPSI appears as a raw document. Salient features of PDPSI is explained under www.pdpsi.in
The normative references (to keep to the familiar term) are made to IISF 309 (Indian Information Security Framework), Theory of Information Security Motivation, Naavi’s pyramid model of Prioritization of Information security objectives.
The Classification model is depicted in the following diagram.
The classification of the data incorporates the “Subject Laws” so that PI-GDPR is classified differently from PI-PDPA.
The measurability aspect will point to a “Data Trust Score” for which one of the recommended approaches is the Naavi’s 5X5 DTS system indicated below.
The distributed model of responsibility sharing is reflected in the Governance model indicated below. (Explained in greater detail on www.pdpsi.in)
Overall, PDPSI attempts to cover the principles inherent in both ISO27701 and BS10012 and provides a greater focus for an Indian organization with a few innovations thrown in between.
Once PDPSI is fully developed with the assistance of other professionals who are well versed in ISO/BS but are free mentally to pursue a more “Made in India” framework, it could be adopted widely.
In the meantime, some of the principles enunciated in PDPSI is expected to become part of the ISO/BS in their revised versions. Also the Data Protection Authority of India which is likely to come up in 2020 may adopt most of the principles under PDPSI as suggested framework under PDPA.
In the meantime, Naavi.org will continue to develop this concept which is already being applied by Naavi where ever it is relevant.