[In continuation of the earlier article/s on PDPSI, we proceed to unravel the further details of the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available an open source guideline to Indian companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012 and GDPR as well as Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]
So far, we have discussed the Data Classification requirements and the implementation responsibilities in the PDPSI. We have also indicated the statutory scope and the need for building measurability as part of the implementation of the standard.
Now we shall extend our discussion to three more aspects of the PDPSI which define its architecture.
- Privacy By Design
- Requirement of a Charter of Implementation
- Certification Process
Privacy By Design
Privacy By Design is an accepted concept in the implementation of Privacy Protection measures in a technical environment. It refers to the proactive measures initiated by an organization so that information privacy is protected.
Privacy By Design is not restricted to the concept that, by default, a control like “Consent” should be set to “No Consent” and the user is required to initiate some affirmative action to provide his “Consent”.
The essential aspect of the design is to capture the life cycle of personal data and embed Information Privacy protection at every step of collection, generation, processing, storage or transmission of personal data.
Towards this end-to-end privacy protection, it is necessary to recognize that “Design” is not limited to the technical architecture of a software product or service. It has to extend to Managerial, Organizational and Business Aspects of the organization. It has to take into account the three dimensions of Technology, Legal and Behavioural aspects that affect the implementation of Information Privacy protection.
The Privacy By Design concept therefore recognizes that while constituting the DPC (Data Protection Committee), there is a role for the HR, Legal and Marketing departments to be represented besides the CISOs and DPOs.
The standard can only make a statement about the need for “Privacy By Design”, but the proof of its implementation has to be checked by the auditor in the different aspects of the business processes followed by the organization. The procedures for how a new business is acquired, how the data processing is planned, what kind of sanction policies are adopted for HR purposes, etc., are all factors that reveal whether “Privacy By Design” is actually being practiced by an organization and does not remain only a slogan.
Normally the exercise of compliance starts with a “Gap Analysis” which tries to understand the current status of Information Privacy protection vis-à-vis the requirements. It is drawn up by an auditor (external or internal) and may be called a Data Protection Impact Assessment (DPIA). When a new law such as GDPR or PDPA 2018 is adopted, it will be necessary to conduct a DPIA for the entire organization. Thereafter, whenever a new project is taken up, it may be necessary to check whether a separate DPIA is required or the project falls completely within the current system.
Once the “Gap Analysis Report” is ready, it is to be considered as a suggestion of an auditor and it needs to be consciously adopted by the top management. Once so adopted, it becomes the “Requirement Charter”. The Requirement Charter has to be further passed on to the implementation team.
The signing off of the Requirement Charter is essential to demonstrate the commitment of the top management as well as to bring in the accountability of the top management. It will also ensure that the organization’s different departments cooperate with each other and support the DPO in his/her day-to-day duties, in which several operational executives may find their freedom of operation trampled upon.
This will also give an opportunity for the management to make a Risk Analysis, evaluate the total risk, define the Risk Appetite of the organization, buy adequate Risk Insurance and thereafter issue the Charter to mitigate risk, so that the residual absorbed risk remains as low as feasible.
The Certification system under PDPSI shall evaluate the managerial efficiency in defining the Implementation Charter and the implementation efficiency in implementing the charter.
This twin Certification process will ensure that the responsibilities of the top management and the DPO are defined clearly, and one will not end up blaming the other for any failure.
The Certification may initially be done by an external auditor, but once accepted by the organization, it may be considered as a “Self Certification”. While accepting, the management may qualify its acceptance, in which case the qualifications could lead to the issue of a “Revised Supplementary Charter” to be implemented as a continuing exercise.
We shall continue with other aspects of implementation in the subsequent articles.
(Comments are welcome)
- A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
- Data Protection Standard of India- (DPSI)
- Data Classification is the first and most important element of PDPSI
- Why 16 types of Data are indicated in PDPSI?
- Implementation Responsibility under Personal Data Protection Standard of India
- India to be the hub of International Personal Data Processing…. objective of PDPSI
- Naavi’s Data Trust Score model unleashed in the new year
- Naavi’s 5X5 Data Trust Score System…. Some clarifications
- Naavi’s Data Trust Score Audit System…allocation of weightages