The PDPSI works on three different levels. The core of PDPSI is the standards. The operating part is the implementation specifications and the visible part is the DTS.
The PDPSI Certifying body will evaluate on the basis of adherence to the standards. The implementing organization will use implementation specifications to meet the standards. The evaluating auditor will convert his evaluation into a DTS which will be disclosed.
All the three aspects namely the Standards, the implementation specifications and the DTS are inter related.
The 11 standards of PDPSI are as follows:
By the very nature of “Standards” these are mandatory for the purpose of certification. However the exact manner in which the standards are implemented my differ from organization to organization.
The Implementation specifications associated with PDPSI provide one suggested set of guidelines. It is open to the organization to accept them as they are or modify them.
However the modification has to be logically supported by a documentation which will create the “Implementation Charter” which becomes the operating instructions of the top management to the operational team.
The responsibility for the Charter lies with the top management which alone can decide on the risk appetite of the organization and decide what implementation specifications may be skipped and why.
A measurable mechanism is included in the standard and the DTS is a mechanism for the purpose.
The implementation is always at the enterprise level and PDPSI. It is open to the organization to create an “Enterprise within an Enterprise” to have focussed implementation in a smaller part of the organization provided it can be suitably segregated into a n independent operating zone with its own people, technology and infrastructure.
The Classification concepts are explained in the earlier articles .
The “Distributed Responsibility” concept envisages that the responsibility for implementation within the organization would not stop at the DPO but extend to every member of the workforce.
The technical controls and policy controls refer to the IT controls and policy formulations adopted by the organization. The “Culture” aspect takes care of the need to ensure that compliance is accepted by all the members of the organization and not restricted to the IS or Data Protection department alone.
The PDPSI certification program will be administered in such a manner that there is a proper documentation of the audit. The standard implementation organizations like the FDPPI may use a system of accreditation of the auditors, reporting of the audit findings, verification of audits etc to ensure that the system is reliable.