Continuing our introduction of the PDPSI methodology for compliance, and of PDPSI-GDPR as a substitute for ISO 27701 and BS 10012, it is necessary to highlight one of the implementation specifications that PDPSI considers worth trying.
This is the implementation of the “Pseudonymization Gateway” along with the Internal Data Controller who controls the Pseudonymization gateway.
In many processing activities the Data Processor receives a set of personal data, processes it into a value-added data set and returns it to the sender. In such circumstances the sender of the information is the Data Controller. Within the Data Processor's office, however, several employees get access to the personal data, so compliance responsibilities have to be managed across the enterprise, with a corresponding risk of data leakage. In most processing the risk can be substantially reduced by using a Pseudonymization Gateway which de-identifies the data to be processed and runs all the processes in de-identified mode. The final product of processing can be re-identified in the gateway before it is released to a customer who wants it back with identification. If the customer only wants the processed data without identity, the processed data can be sent without re-identification.
In this process the identity behind the data is known only to the team managing the gateway, and the mapping table can be secured by strong encryption and proper access control. The rest of the organization is spared the rigors of compliance. This holds only as long as the de-identified records cannot be re-identified from the attributes that remain, so the fields that are tokenized at the gateway have to be chosen with that in mind.
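The flow described above, as an added example that is not part of this article or of the PDPSI specification: a gateway that replaces the identifying fields with random tokens, hands only tokenized records to the processing team, re-identifies the result on request, and keeps the mapping table sealed under a key that only the gateway team holds. The sample batch, the field names, the "value-add" computation (a spend tier) and the sealing construction (HMAC-SHA256 keystream with encrypt-then-MAC, a standard-library stand-in for AES-GCM) are all assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import os
import secrets

# Constructed sample batch, standing in for what a Data Controller sends to
# the processor. Names and addresses are made up.
SAMPLE_BATCH = [
    {"name": "Asha Rao", "email": "asha@example.org", "spend": 1200},
    {"name": "Vikram Iyer", "email": "vikram@example.org", "spend": 300},
    {"name": "Asha Rao", "email": "asha@example.org", "spend": 800},
]
IDENTITY_FIELDS = ("name", "email")  # assumed: the fields that identify a person


def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode: a stdlib stand-in for an AEAD keystream."""
    blocks = []
    while len(blocks) * 32 < n:
        ctr = len(blocks).to_bytes(4, "big")
        blocks.append(hmac.new(key, nonce + ctr, hashlib.sha256).digest())
    return b"".join(blocks)[:n]


def _derive(key, purpose):
    """Separate encryption and MAC keys derived from the one table key."""
    return hmac.new(key, purpose, hashlib.sha256).digest()


def seal(key, plaintext):
    """Encrypt-then-MAC of the mapping table; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_derive(key, b"table-enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_derive(key, b"table-mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verifies the tag before decrypting; a wrong key or tampering raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_derive(key, b"table-mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("mapping table tampered with or wrong key")
    ks = _keystream(_derive(key, b"table-enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class PseudonymizationGateway:
    """Holds the identity<->token mapping; only the gateway team runs this."""

    def __init__(self, table_key):
        self._key = table_key
        self._token_of = {}  # (field, real value) -> token
        self._value_of = {}  # token -> real value

    def pseudonymize(self, record):
        out = dict(record)
        for field in IDENTITY_FIELDS:
            pair = (field, record[field])
            if pair not in self._token_of:  # same identity -> same token in a batch
                token = f"{field}:{secrets.token_hex(8)}"
                self._token_of[pair] = token
                self._value_of[token] = record[field]
            out[field] = self._token_of[pair]
        return out

    def reidentify(self, record):
        out = dict(record)
        for field in IDENTITY_FIELDS:
            if field in record:
                out[field] = self._value_of[record[field]]
        return out

    def export_table(self):
        """Mapping table at rest: sealed under the gateway's key."""
        return seal(self._key, json.dumps(self._value_of).encode())

    @classmethod
    def from_table(cls, table_key, blob):
        gw = cls(table_key)
        gw._value_of = json.loads(unseal(table_key, blob))
        gw._token_of = {(t.split(":", 1)[0], v): t for t, v in gw._value_of.items()}
        return gw


def value_add(deidentified_batch):
    """The processing team's work: sees tokens, never names or e-mail addresses."""
    totals = {}
    for r in deidentified_batch:
        totals[r["email"]] = totals.get(r["email"], 0) + r["spend"]
    return [{"email": e, "total_spend": s, "tier": "gold" if s >= 1500 else "standard"}
            for e, s in totals.items()]


def run_processing(batch, table_key, return_identity):
    """Whole flow: de-identify at the gateway, process, re-identify only if asked."""
    gw = PseudonymizationGateway(table_key)
    results = value_add([gw.pseudonymize(r) for r in batch])
    return [gw.reidentify(r) for r in results] if return_identity else results
```

Two design points are worth noting. The same identity gets the same token within a batch, which is what lets the processing team aggregate per person without seeing who the person is; the price is that the tokens are linkable across records, so the "de-identified" data set is still personal data under GDPR and the gateway's mapping table is the only thing standing between it and re-identification. Secondly, `return_identity=False` is the case where the customer wants the processed data without identity; nothing in the processing path ever touches `_value_of`, so an audit can verify that only the gateway team's code path can re-identify.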
PDPSI is expected to recognize such technology processes for data protection, along with the methods used for storage, encryption, transmission etc., and accord a DTS score.
While the DTS score is a concept introduced in the Indian system, it can also be applied to PDPSI-GDPR, as it provides a measure of the compliance practices. It also gives the certification system the flexibility to distinguish one certified entity from another, instead of painting all certified entities with one brush and branding them "Certified".
The DTS system has been explained earlier (Refer here); auditors can either adopt the suggested system or use it as guidance to develop their own.
Measuring compliance with a score at the time of audit, together with the trend as recommended, would improve the system of certification as it exists now under ISO 27701 or BS 10012.
Other than the major points indicated in the preceding few articles, the auditor will examine the various controls implementing the different aspects of compliance envisaged in the regulations.
There is a tendency now for some professionals to take ISO 27701 as the base and map its controls to the different provisions of a law. Instead, it would be better to take the law as the basis and map the controls to it. In that case the number of headings to be monitored would be fewer.
The major heads under which a data protection law has to be verified for compliance are:
- Identification of the personal data held and the organization's roles vis-à-vis the data supplier.
- Collection as per law, with appropriate consent, notice, lawful basis, legitimate basis etc.
- Storage, transmission, retention and deletion as per law
- Supporting the rights of the Data Principal/Data Subject and grievance redressal
- Governance Structure
- DPO appointment
- Cross border transfer
- Vendor/Processor management
- Security safeguards, along with the incident management system and risk assessment
- Interaction with the regulator
- Interaction with the data principal
I would urge audit professionals to work on this new approach and develop an indigenous Personal Data Management and Audit system.
Governance and Implementation Structure under PDPSI-GDPR