[In continuation of the earlier article(s) on PDPSI, we proceed to unravel the further details of the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available an open-source guideline to Indian companies to comply with privacy and data protection requirements that meet the standards of BS10012 and GDPR as well as the Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]
What we have so far discussed on PDPSI include
Now we shall start discussing the different “Implementation Specifications”, which are the “Operational Controls” suggested under the PDPSI. These include the policy documents that are essential for the operating personnel to implement the standard.
Distributed Responsibility for Data Security
Though at the higher policy-making level PDPSI recommends a Personal Data Protection Governance Structure (PDP-GS), which includes the Data Protection Committee (DPC) and the Personal Data Protection Officer (PDPO), at the implementation level PDPSI considers every “Data Processing Employee” as a participant in the Personal Data Protection ecosystem.
Out of all the Data Processing Employees, the person who first receives a set of what constitutes “Personal Data” is considered the “Personal Data Recipient Employee” (PDRE). Since data comes into the ecosystem first without any tag, the recipient of incoming data is first recognized as the “Data Recipient Employee” (DRE). It is the responsibility of every DRE to first identify and tag the data. If it is recognized as “identifiable personal data”, then the recipient employee becomes the PDRE and becomes a stakeholder in PDPSI. Otherwise, he remains a stakeholder in the larger system of Data Protection but outside the PDPSI ecosystem.
The DRE is considered the person responsible for tagging the incoming data with the right tags, which lead to it being properly handled during the subsequent process. He is therefore the “Internal Data/Personal Data Controller” and “Subordinate Data/Personal Data Protection Officer” for a given data set. He acts as a “Nodal Point” for the incoming data, which is tagged and redistributed within the organization.
In organizations which follow a strict “Pseudonymity principle”, all the personal data received has to be passed through a “Data Gate” where it is pseudonymized.
While the majority of the data that an organization collects can be routed through the designated “Data Gate Keeper”, in most organizations data, including personal data, tends to land in the hands of the business executives first and is only later turned over to the departments for necessary action.
For example, the call center employee is typically the one who receives the first information about any incident along with the data associated with it, though the call center employee may be one of the junior-most employees in the organizational structure. In other cases it may be the marketing team that first receives data/personal data, and only thereafter can it be handed over to other data protection executives.
The recipient of the data, who may be called the DRE, should first tag the data into one of the 16 data types and send it to the Data Gate Keeper. The Data Gate Keeper may act as the supervisory authority that confirms the data classification and simultaneously de-identifies, pseudonymizes or even anonymizes the data, as may be dictated by the “Data Pseudonymization Policy” of the organization.
Afterwards the data goes into processing either as identifiable data only, as pseudonymized data or as anonymized data.
The Data Gate Keeper will therefore be the employee in the organization who has access to the “Re-identification Table” and should be considered the “Principal Internal Data Controller” (PIDC).
The DRE who first receives the data and then hands it over to the PIDC remains in knowledge of the data and therefore continues to hold the data protection responsibilities for the identifiable personal data that he receives. He therefore remains the Subordinate Internal Data Controller (SIDC).
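To make the DRE → Data Gate → PIDC flow concrete, here is an added Python sketch of that pipeline. It is an illustration written for this page, not code from the PDPSI standard or from Naavi, and it makes several assumptions: which field names count as identifying, two coarse tags standing in for the 16 PDPSI data types, a random-token pseudonym scheme, and the role string "PIDC" as the only role allowed to open the re-identification table. The point it shows is the separation of duties: the DRE tags and stays on record as SIDC, the gate confirms (and if necessary corrects) the tag, strips identifiers before the record goes to processing, and only the gate keeper can re-identify.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumption (constructed for this example): these fields make a record
# "identifiable personal data". PDPSI's 16 data types are not modelled here;
# two coarse tags are used instead.
IDENTIFYING_FIELDS = {"name", "email", "phone"}
TAG_PERSONAL = "identifiable_personal"
TAG_NON_PERSONAL = "non_personal"


@dataclass
class TaggedRecord:
    payload: dict
    data_type: str                        # tag applied by the receiving employee (DRE)
    tagged_by: str                        # the DRE, who stays accountable as SIDC
    confirmed_by: Optional[str] = None    # the gate keeper (PIDC) after review


def dre_tag(payload: dict, employee: str) -> TaggedRecord:
    """Step 1: the Data Recipient Employee tags incoming data before forwarding it."""
    tag = TAG_PERSONAL if IDENTIFYING_FIELDS & set(payload) else TAG_NON_PERSONAL
    return TaggedRecord(payload=dict(payload), data_type=tag, tagged_by=employee)


class DataGate:
    """Step 2: the Data Gate, operated by the PIDC. It confirms the DRE's tag,
    pseudonymizes identifying fields, and is the only holder of the
    re-identification table."""

    def __init__(self, gate_keeper: str):
        self.gate_keeper = gate_keeper
        self._reid_table: dict[str, dict] = {}   # pseudonym -> identifying fields

    def admit(self, rec: TaggedRecord) -> TaggedRecord:
        # Confirm the classification independently of what the DRE wrote; a
        # mis-tagged record is corrected here rather than passed through.
        has_ids = bool(IDENTIFYING_FIELDS & set(rec.payload))
        rec.data_type = TAG_PERSONAL if has_ids else TAG_NON_PERSONAL
        rec.confirmed_by = self.gate_keeper
        if not has_ids:
            return rec                        # nothing to pseudonymize
        # Move identifying fields out of the record and into the table,
        # leaving only a random pseudonym behind for downstream processing.
        identifying = {k: rec.payload.pop(k) for k in list(rec.payload)
                       if k in IDENTIFYING_FIELDS}
        pseudonym = secrets.token_hex(8)      # assumption: random, non-derivable token
        self._reid_table[pseudonym] = identifying
        rec.payload["pseudonym"] = pseudonym
        return rec

    def reidentify(self, pseudonym: str, requester_role: str) -> dict:
        """Only the PIDC role may look up the re-identification table."""
        if requester_role != "PIDC":
            raise PermissionError("re-identification table is restricted to the PIDC")
        return dict(self._reid_table[pseudonym])

    def table_size(self) -> int:
        return len(self._reid_table)


def run_demo():
    """Walks a constructed call-centre complaint through DRE -> gate -> processing."""
    gate = DataGate(gate_keeper="gatekeeper@example")
    # Constructed sample input: what a call-centre employee might receive first.
    incoming = {"name": "A. Customer", "phone": "+91-00000-00000", "issue": "billing"}
    rec = dre_tag(incoming, employee="callcentre01")   # DRE tags first (becomes SIDC)
    rec = gate.admit(rec)                              # PIDC confirms tag and pseudonymizes
    return gate, rec


if __name__ == "__main__":
    gate, rec = run_demo()
    print("to processing:", rec)
    print("re-identified by PIDC:", gate.reidentify(rec.payload["pseudonym"], "PIDC"))
```

Downstream processing receives only `issue` and `pseudonym`; the `tagged_by` and `confirmed_by` fields give the audit trail for the SIDC and PIDC responsibilities the article assigns, and the `PermissionError` on a non-PIDC lookup is the enforcement of "only the gate keeper has access to the Re-identification Table".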
The SIDC and the PIDC have to work with the DPO and the DPC in ensuring that the overall Information Security policies of the organization, of which the Personal Data Protection Policy is a part, are successfully implemented.
In this system there is a distributed responsibility for data protection in an organization, and every PDRE has responsibility for data protection because he is the SIDC. The PIDC has the larger responsibility because he is also responsible for confirmation of the data classification and the pseudonymization.
It is possible for the PIDC to also be the DPO of the organization.
With these concepts, the Data Protection roles in an organization appear as follows:
This distributed model of data protection in an organization brings all the employees to bear the responsibility for data protection. The DPO still remains the statutorily responsible person for regulations like the GDPR or PDPA, but internally the entire organization would stand in his support.
It is the responsibility of the PDPSI auditor to examine whether an organization has the necessary commitment to data protection and has strengthened the hands of the DPO by adopting the above structure, or whether it considers him a scapegoat to be hanged if anything untoward happens.
(To be continued)
Other Reference Articles
- A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
- Data Protection Standard of India- (DPSI)
- Data Classification is the first and most important element of PDPSI
- Why 16 types of Data are indicated in PDPSI?
- Implementation Responsibility under Personal Data Protection Standard of India
- India to be the hub of International Personal Data Processing…. objective of PDPSI
- Principles of PDPSI
- Pentagon Model of TISM…An implementation approach to PDPSI implementation
- Naavi’s Data Trust Score model unleashed in the new year
- Naavi’s 5X5 Data Trust Score System…. Some clarifications
- Naavi’s Data Trust Score Audit System…allocation of weightages