IS 17428 has been released as an “Indian Standard” and is the second such standard to be released in India, after PDPSI (Personal Data Protection Standard of India). However, on a deeper perusal IS 17428 appears to be more influenced by the need of Indian organizations to be compliant with GDPR than by the current or forthcoming data protection law in India.
PDPSI also has the flexibility built into it so that an Indian Organization processing personal data from across the world can implement this as a Unified Framework for compliance of multiple data protection laws.
IS 17428 (Part I) in para 3.3 defines “Data Controller” with the following note:
“Depending on the jurisdiction and the particular data protection and privacy legislation, the synonym ‘PII controller’ or ‘data exporter’ or ‘data fiduciary’ can also be used in some countries instead of the term ‘Data controller’.”
India, which uses the terminology of “Data Fiduciary”, has become “some country”.
In the same way, the term “Data Subject” is used and not “Data Principal”. Under para 3.10, which refers to the laws of other countries, there is no mention of ITA 2000 or PDPB 2019.
It is only when referring to Sensitive Personal Information that the definition included in ITA 2000 has been referred to.
These observations indicate that whoever drafted the document was not able to look at the Indian regulation independently.
The PDPSI thought has been triggered by the proposed Indian Data Protection law. But considering the need of an Indian organization to also be compliant with other laws, it has built into the Standard and Implementation Specifications a requirement to record the “Applicable Law” as part of the process of classification of data. Since personal data related to India gets segregated from personal data related to EU-GDPR or other laws, the next step of the implementation specifications automatically gets fine-tuned to the relevant law.
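The following is an added illustration of the classification step just described, written for this page; it is not code from PDPSI, IS 17428 or any project. Each record in a personal data inventory is tagged with the laws that govern it, the inventory is segregated into per-law buckets, and the control set for a record is the union of a common baseline and the overlay for every applicable law, which is how one framework can serve both the Indian law and GDPR at once (the point made earlier about PDPSI as a unified framework). The residency-to-law table, the control names and the fail-closed treatment of unclassified records are all assumptions made for the example, not requirements taken from either standard.

```python
"""Added example (not part of the original post or of PDPSI / IS 17428):
tag personal data records with their applicable law, segregate them by law,
and derive a per-record control set. Law names, control names and the
classification rules below are illustrative assumptions only."""

from dataclasses import dataclass

# Assumed rule set: residency / place of collection -> applicable law.
# A real deployment would derive this from the standard's own criteria.
RESIDENCY_TO_LAW = {
    "IN": "PDPB_2019",   # Indian law (the post's "Data Principal" regime)
    "EU": "GDPR",
}

# Assumed control overlays. The baseline applies to every record regardless
# of jurisdiction; each law adds its own requirements on top.
BASELINE_CONTROLS = {"inventory", "access_logging", "breach_procedure"}
LAW_CONTROLS = {
    "PDPB_2019": {"data_fiduciary_notice", "consent_record", "india_localization"},
    "GDPR": {"article_13_notice", "lawful_basis_record", "dpia_if_high_risk"},
}


@dataclass
class PersonalDataRecord:
    record_id: str
    subject_residency: str   # constructed two-letter code for the example
    collected_in: str        # where the processing entity collected it
    sensitive: bool = False


def applicable_laws(rec):
    """Return the set of laws governing one record.

    Both the subject's residency and the place of collection are consulted,
    so a single record can fall under more than one law. Unknown codes yield
    no law; select_controls decides how such a record is treated.
    """
    laws = set()
    for code in (rec.subject_residency, rec.collected_in):
        law = RESIDENCY_TO_LAW.get(code)
        if law:
            laws.add(law)
    return laws


def select_controls(rec):
    """Union of baseline and per-law controls for one record.

    Fail closed: a record matching no known law receives every overlay, so a
    gap in the classification table cannot silently weaken the control set.
    Sensitive records (cf. the SPI definition in ITA 2000) add one more control.
    """
    laws = applicable_laws(rec)
    overlays = laws if laws else set(LAW_CONTROLS)
    controls = set(BASELINE_CONTROLS)
    for law in overlays:
        controls |= LAW_CONTROLS[law]
    if rec.sensitive:
        controls.add("sensitive_data_handling")
    return controls


def segregate(records):
    """Bucket record ids by governing law.

    A multi-law record appears in each of its buckets; records with no known
    law go to an explicit 'UNCLASSIFIED' bucket so they surface for review.
    """
    buckets = {}
    for rec in records:
        for law in applicable_laws(rec) or {"UNCLASSIFIED"}:
            buckets.setdefault(law, []).append(rec.record_id)
    return buckets


# Constructed sample inventory.
SAMPLE = [
    PersonalDataRecord("r1", "IN", "IN"),
    PersonalDataRecord("r2", "EU", "IN", sensitive=True),   # subject to both laws
    PersonalDataRecord("r3", "US", "US"),                   # no rule -> unclassified
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.record_id, sorted(applicable_laws(rec)), sorted(select_controls(rec)))
    print(segregate(SAMPLE))
```

The design point is that the law tag is attached at classification time and everything downstream keys off it: an EU resident whose data is collected in India (r2) picks up both overlays without any special-casing, and a record the table does not recognise (r3) is both isolated for review and given the strictest control set rather than the weakest.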
PDPSI is therefore “Made in India, first for India, for the World”. By incorporating principles such as DTS, PDPSI takes the Indian law as the lead implementation guideline and in due course can become a guiding force for personal data audits even outside India.
Since PDPSI is inclusive of all requirements under ISO 27701, it can easily absorb the requirements of other countries without forgetting its origin in India.