Why is C.DPO.DA. a “Crown Jewel” of Privacy Certifications?

After the previous post, and during my visit to Delhi over the last two days, a few people have asked me why I have called C.DPO.DA. the “Crown Jewel” of Privacy Certifications in India when there are other national and international certifications which claim the backing of some reputed and some new organizations. Some have even asked why the certification should be as expensive as it is.

It is my duty to answer these queries without mentioning any specific program. I am aware of other international organizations which are conducting Privacy Certifications. Many HR persons know only these certifications and often specify them as a requirement for recruiting DPOs or related positions in India. I do not blame the HR personnel for this mismatch, but it is like a T20 cricket team selector asking “Only those persons who have scored 3 or more centuries in Tests are eligible to apply. Double centurions and Triple Centurions are preferred”.

These international certifications were developed for GDPR, and DPDPA is not GDPR. A DPDPA-DPO is a different entity from a GDPR-DPO, though both relate to privacy and data protection. After all, both Tests and T20 are cricket, and a century at Test level is still a century in a cricket game. It is quite likely that a person who is well versed in GDPR is unable to unlearn the EU principles and adapt to the Indian requirements.

I therefore consider that until these organizations come up with an Indian version, they are not comparable.

The second set of certifications which we need to look at are the programs conducted by consultants in India, some of whom are trying to provide certification at throw-away prices. I respect every professional for his knowledge, and such programs are always welcome so that price is not a barrier to learning. However, if we know the value of ISO 27001 or ISO 9001 audits which are available off the shelf at a throw-away price, we can guess what the value could be of programs where certifications are easy to obtain without an evaluation of the learning.

At FDPPI we not only provide the training, for which a Participation Certificate is issued; the complete certification is provided only after an online exam. The real test of proficiency is in getting through this online examination.

FDPPI has offered other certified persons the opportunity to take up this exam at a heavily discounted rate (one set of people was given an opportunity to attempt it free). We will continue to do so in the future, as FDPPI intends to develop itself only into a Certification Body and leave the training to other training partners, who may either charge for the training or provide it free.

At present, since the trainings are yet to mature, particularly because FDPPI programs do not end with the coverage of the law but extend to the implementation of compliance with the DGPSI framework, FDPPI continues to conduct its own training programs. Other organizations do not have a framework like DGPSI to recommend and hence have to base their implementation suggestions on other frameworks, including ISMS frameworks or GDPR-related frameworks.

While in due course some of these training organizations may adopt DGPSI as one of the frameworks to discuss, or develop a framework of their own, at this point of time there are no such frameworks and no certifications based on such frameworks in place.

It is in this context that I have called C.DPO.DA. (Certified Data Protection Officer and Data Auditor) the crown jewel of Privacy certifications. Presently the program addresses both the DPO requirements and the Data Auditor requirements. In the coming days, when it is found necessary, it may be subdivided into two channels, one exclusively for DPOs with an internal implementation focus and the other exclusively for Data Auditors with a focus on Data Audit.

I hope all professionals understand this approach of FDPPI and, if they are interested, register themselves as “Master Trainers” for DPDPA certifications so that their trainees can automatically take the FDPPI examination and qualify for FDPPI-accredited certification. It is the commitment of Naavi to keep the cost of the exam for such persons as low as feasible.

Together, let us all work towards creating a culture of DPDPA Compliance in India, the starting point of which is the Certification of professionals. If there are more Certifiers, it is better for the market. The unification of their understanding can be achieved by the common examination which FDPPI would like to offer.

Any request for further clarification in this regard is welcome.

Naavi

Posted in Cyber Law

An Opportunity for CERT-In Empanelled Auditors to grab the “Crown Jewel of Privacy Certification”

CERT-In was commissioned in 2004 as part of the Ministry of IT with the objective of securing Indian cyberspace. It is designated under Section 70B of ITA 2000 as the national nodal agency for cyber security incident response. As a part of its activity it has empanelled nearly 200 organizations which conduct Information Security audits in critical sectors.

Now a time has come when all IS auditors need to upgrade and expand their services to include DPDPA audits. CERT-In has recognized this and sent a circular to all its empanelled auditors to take note of certification programs such as the one FDPPI is conducting in Mumbai on January 24, 25 and 26, leading to C.DPO.DA. certification.

Till the end of today an early bird discount is available for all participants, since the program is meant even for those professionals who are not empanelled with CERT-In. The early bird discount ends today, but registrations will continue.

As per our arrangement with CERT-In, the empanelled auditors will continue to get a discount and a special price.

We hope all interested professionals will take advantage of this opportunity and register themselves without delay, since the number of seats will be limited.

Organizations which want more than one member to participate may contact our Mumbai Chapter President Mr Bondiah Adepu for a bulk discount.

All participants will get a participation certificate, one year of free membership, books worth Rs 5000/- and also entry to the C.DPO.DA. exam. If they complete the online exam successfully, they will be able to get the full certificate.

We hope all professionals in Mumbai and around take advantage of this Certification Program, which is a “Crown Jewel of Privacy Certifications in India”.

The program will cover the DPDPA Act and Rules, ITA 2000 (to the extent necessary) and the DGPSI implementation and audit framework. The program will be inaugurated by Mr Abhishek of CERT-In and the sessions will be conducted by Naavi as the lead faculty.

Some feedback from the previous program conducted in Bengaluru is available below.

Naavi

Posted in Cyber Law

Difference between “Personal Data” and “Protected Personal Data” under DPDPA

Under HIPAA we use the term “Protected Health Information” (PHI) to denote the health information that is within the provisions of the Act. It also means that there is other health information which does not come under HIPAA. Only individually identifiable information relating to the past, present or future health of an individual that is created or received by a covered entity (or its business associate) in the USA is considered PHI.

This concept, that certain data is health information but is not covered under HIPAA, needs to be extended to DPDPA, where we have “Digital Personal Data processed in India” or “Digital Personal Data processed outside India for the purpose of an activity related to offering goods and services to data principals within India”, which we may term “Protected Personal Data”.

Personal Data which is not in digital form, and Digital Personal Data which is neither processed in India nor related to an activity of offering goods and services to data principals in India, are outside the provisions of the Act. Even Digital Personal Data which is processed in India, or processed for an activity related to offering goods and services to data principals in India, is outside the Act if it is data processed by an individual for a personal or domestic purpose, or data made publicly available by the individual, or by any other person who is under an obligation of law to make it public.

Further digital personal data processed for the purpose of an activity related to provision of goods and services in India to any person other than the “Data Principals” (for eg: a B2B service) is also outside the provision of the Act.

There is also a category of personal data which is embedded in transactional data, where two parties are involved in the generation of the data and the data cannot be considered as exclusively belonging to one person. For example, if an invoice of an e-commerce entity contains personal data of a data principal, such invoice data cannot be considered as personal data belonging to the data principal alone.

Thus, amongst the several types of Digital Personal Data processed in India or elsewhere, not all are “Protected Personal Data”. Not all data that can be identified with an individual can therefore be considered “Personal Data to which the Act is applicable”.

For the same reason, when DPDPA mandates that the “Business Contact Data” of the DPO shall be published on the website, or included in the data breach notice, the law is implying that such data is the data of the Data Fiduciary, which is required to publish it without needing to obtain the specific consent of the employee designated as DPO.

Hence Business Contact Data is considered another class of data which is not “Protected Personal Data” under DPDPA, or is “Non-Protected Personal Data”. This is also because such data is created by, and can be destroyed by, the organization and not the individual, and is therefore the property of the organization. It cannot be claimed as a “Right”.

Experts… please debate why we should or should not consider Business Contact Data as “Non-Protected Personal Data” under DPDPA.

If you are an expert, you must have a view, so do not remain silent. We are creating jurisprudence in this regard.

Naavi

P.S: A question was put to Claude thus: Under Singapore PDPA, Business Contact Data is defined separately from Personal Data. Hence is it not correct to interpret that Business Contact Data is not personal data?

The answer received is as follows:

You make a fair point. Under the Singapore Personal Data Protection Act (PDPA), business contact data is treated differently from personal data.

The PDPA defines personal data as “data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access.”

However, the PDPA has a separate definition for “business contact information”, which is defined as:

“an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his personal purposes.”

Under the PDPA, business contact information is excluded from the definition of personal data. This means that the PDPA’s obligations around collection, use and disclosure of personal data may not apply to business contact information in the same way.

So you are correct that under the Singapore PDPA framework, business contact data is treated separately from personal data, and may not be subject to the same data protection requirements. The interpretation that business contact data is not personal data under the PDPA would be accurate.

Ed: Though DPDPA does not provide a separate definition for Business Contact Data, by using the term “business contact information” in Section 8(9) it lends legitimacy to the term as something different from “Personal Data”.

Regret that we as humans have come to a stage where we seek validation from AI!

Posted in Cyber Law

HIPAA Security Rule to be updated

On December 27, 2024, the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify the HIPAA Security Rule. Public comments can be submitted up to March 7, 2025.

According to HHS, the objective of the NPRM is to strengthen the Security Rule’s standards and implementation specifications with new proposals and clarifications, including:

  • Remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required with specific, limited exceptions.
  • Require written documentation of all Security Rule policies, procedures, plans, and analyses.
  • Update definitions and revise implementation specifications to reflect changes in technology and terminology.
  • Add specific compliance time periods for many existing requirements.
  • Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
  • Require greater specificity for conducting a risk analysis. New express requirements would include a written assessment that contains, among other things:
    • A review of the technology asset inventory and network map.
    • Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI.
    • Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems.
    • An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
  • Require notification of certain regulated entities within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated.
  • Strengthen requirements for planning for contingencies and responding to security incidents. Specifically, regulated entities would be required to, for example:
    • Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.
    • Perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration.
    • Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents.
    • Implement written procedures for testing and revising written security incident response plans.
  • Require regulated entities to conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements.
  • Require that business associates verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate.
  • Require encryption of ePHI at rest and in transit, with limited exceptions.
  • Require regulated entities to establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner. New express requirements would include:
    • Deploying anti-malware protection.
    • Removing extraneous software from relevant electronic information systems.
    • Disabling network ports in accordance with the regulated entity’s risk analysis.
  • Require the use of multi-factor authentication, with limited exceptions.
  • Require vulnerability scanning at least every six months and penetration testing at least once every 12 months.
  • Require network segmentation.
  • Require separate technical controls for backup and recovery of ePHI and relevant electronic information systems.
  • Require regulated entities to review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures.
  • Require business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.
  • Require group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

The NPRM is open for public comment for 60 days from its publication. As a result, HIPAA compliance in 2025 is set for a major overhaul. This also means that every HIPAA compliance certification undertaken so far by organizations will need to be revisited in 2025. Once the new rule is adopted and the timelines for compliance are set, we will know the exact requirements.

Indian companies which are now looking at DPDPA compliance and are also exposed to HIPAA compliance requirements, by way of their earlier contractual commitments with covered entities in the USA, will now have to work simultaneously on both DPDPA and HIPAA-2025.

Naavi is looking for interns in Bangalore and elsewhere who are interested in working in this field. They may contact Naavi at the earliest.

Naavi

Also Refer:

HIPAA Security Rule NPRM

Final Rule on Administrative Simplifications effective from 11th February 2025

Posted in Cyber Law

DPDPA- Corporate Action before March 31 2025

The DPDPA as an Act has been in place for over 16 months now. The excuse “Rules are not notified” has begun to fade with the notification of the Draft Rules. Habitual procrastinators may still find the excuse that the draft rules are only for public consultation and there is time for their finalization, and thereafter time for setting up the Board, and thereafter for implementation, up to perhaps 2 years.

Good luck to all such “Optimistic Chronic Procrastinators”.

But for those corporate managers who are cautious and risk-averse, it is time to start their journey towards DPDPA compliance immediately.

In this context, the following corporate actions are recommended immediately.

1. In the next Board meeting, pass a resolution stating that the Company has taken note of the release of the draft DPDPA Rules and the impending implementation in the coming year, and needs to initiate immediate steps for compliance.

2. The first step for compliance is to formally designate a “DPDPA Compliance Officer” (who may be the current CRO, CISO, CIO, CCO, CDO or the DPO if that designation exists), with the issue of a letter of designation from the Board, with the immediate task of submitting a report on the DPDPA risk of the Company and the further actions to be taken. (The Compliance Officer may be promoted to DPO in future if required and if suitable.)

3. Ensure that the Compliance Officer is deputed to an appropriate training drill such as the C.DPO.DA. of FDPPI so that he is prepared to take up the challenge of doing a proper DPDPA Risk Assessment and recommending further actions.

4. The above tasks are recommended to be completed before 31st March 2025 and the developments recorded in the next Annual Report.

In the immediate future, a detailed audit needs to be undertaken under a framework like DGPSI, and a Risk Mitigation plan instituted along with appropriate Cyber Insurance coverage where required.

Before committing to the purchase of any software for compliance, be sure to check whether it is suitable for DPDPA compliance.

In order to assist companies which want to take off, FDPPI will be providing the following services.

1. Conduct the C.DPO.DA. program for 3 days at Mumbai on January 24, 25 and 26 (registration now open, with an Early Bird Discount available).

2. Conduct a similar physical program in Delhi, if possible before March 2025. (To be scheduled)

3. Conduct at least one virtual program before March 2025. (To be scheduled)

4. Institute a quick Business Impact Assessment through a short virtual interaction with corporate managements, on request. (At a cost of Rs 10,000-25,000)

(P.S: Considering the current assignments of FDPPI/Naavi already booked, there could be scope for not more than five to six assessments before March 2025.)

Interested company officials need to contact FDPPI immediately by visiting the website www.fdppi.in or contacting Naavi through www.naavi.org.

The detailed coverage of the Mumbai program for C.DPO.DA. is as follows:

Naavi

All participants of the program would be eligible for participation certificates with CPE credits for 18 hours, and may also take the online examination to get the complete certificate as “Certified Data Protection Officer and Data Auditor”.

Necessary reading materials in the form of two books, worth Rs 3000/-, would be provided to the participants. The registrants would also be eligible for one year of free membership of FDPPI.

Posted in Cyber Law

Comments on DPDPA Rules-5: Business Contact Address

We have already discussed the status of Business Contact Address under DPDPA 2023 earlier and categorically held the view that

a) We cannot determine the nature of an email as personal or business with reference to the domain name attached to the email address. Accordingly, Vijay@ujvala.com can be a personal email while Vijay@gmail.com can be a business email, depending on the choice of “Vijay”.

b) We need to collect the choice of the data principal himself, while collecting the email, as to whether it is a personal or business email.

c) By default, and in the absence of information to the contrary, name@companyname.com can be considered a business contact address, name@gmail.com can be considered a personal address, and Designation@companyname.com can be considered non-personal data.

The recognition of “Business Contact Data” as being different from personal data is seen from DPDPA 2023 requiring the publication of the business contact address of the Compliance Official/DPO under Section 8 of DPDPA 2023 and Rule 9 of the draft DPDPA Rules.
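The three rules above amount to a default-classification procedure with an override: the data principal’s own declaration (rule b) always wins, and the domain and local-part defaults (rule c) apply only when no declaration was collected. The following is an added example of how a consent-collection form could encode this; it is not code from the original post or from FDPPI. The webmail domain list, the role-account local parts and the helper names (classify_contact, consent_needed_to_publish) are assumptions made for illustration. The consent_needed_to_publish helper encodes the post’s position that business and role addresses are the organization’s data, which is a reading of Section 8(9) and not settled law.

```python
"""Default classification of a collected e-mail address under rules (a)-(c).

Added example, not code from the original post or from FDPPI.  The webmail
domain list and the role-account local parts below are assumptions made for
illustration only; a real deployment would maintain its own lists.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: consumer webmail providers whose addresses default to "personal".
FREE_MAIL_DOMAINS = frozenset({
    "gmail.com", "yahoo.com", "yahoo.co.in", "outlook.com", "hotmail.com",
    "rediffmail.com",
})

# Assumption: local parts naming a function rather than a person
# (the Designation@companyname.com case), which default to "non-personal".
ROLE_LOCAL_PARTS = frozenset({
    "dpo", "grievance", "privacy", "compliance", "info", "support", "sales", "admin",
})

PERSONAL, BUSINESS, NON_PERSONAL = "personal", "business", "non-personal"


@dataclass(frozen=True)
class ContactClassification:
    email: str
    category: str   # one of PERSONAL, BUSINESS, NON_PERSONAL
    basis: str      # "declared" if the data principal chose, else "default"


def split_address(email: str) -> Tuple[str, str]:
    """Return (local_part, domain), both lower-cased; reject malformed input."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or "." not in domain or domain.startswith("."):
        raise ValueError(f"not an e-mail address: {email!r}")
    return local.lower(), domain.lower()


def classify_contact(email: str, declared: Optional[str] = None) -> ContactClassification:
    """Apply rules (a)-(c).

    (a) The domain alone never settles personal vs business, so
    (b) a declaration made by the data principal at collection time wins, and
    (c) only in its absence do the domain / local-part defaults apply.
    """
    local, domain = split_address(email)
    if declared is not None:
        # Rule (b): the principal chooses only between personal and business.
        if declared not in (PERSONAL, BUSINESS):
            raise ValueError(f"declared category must be {PERSONAL!r} or {BUSINESS!r}")
        return ContactClassification(email, declared, "declared")
    # Rule (c) defaults: role mailbox on an organization domain -> non-personal.
    if local in ROLE_LOCAL_PARTS and domain not in FREE_MAIL_DOMAINS:
        return ContactClassification(email, NON_PERSONAL, "default")
    if domain in FREE_MAIL_DOMAINS:
        return ContactClassification(email, PERSONAL, "default")
    return ContactClassification(email, BUSINESS, "default")


def consent_needed_to_publish(c: ContactClassification) -> bool:
    """Encodes the post's position (not settled law): business contact data and
    role addresses belong to the organization and may be published, e.g. as the
    DPO contact under Section 8(9); a personal address needs the individual's consent."""
    return c.category == PERSONAL


if __name__ == "__main__":
    # Constructed sample inputs taken from the examples in the post.
    samples = [("Vijay@ujvala.com", None), ("Vijay@gmail.com", None),
               ("dpo@ujvala.com", None), ("Vijay@ujvala.com", PERSONAL)]
    for addr, choice in samples:
        c = classify_contact(addr, choice)
        print(f"{addr:20} {c.category:13} ({c.basis})  "
              f"consent needed to publish: {consent_needed_to_publish(c)}")
```

Note that the declared choice is stored alongside the default (the `basis` field), so an auditor can later tell whether a mailbox was treated as business because the principal said so or merely because of its domain.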

Naavi

Reference articles:

Business Contact address and DPDPA 2023

Is Business Contact Data, Personal Data under GDPR?

Posted in Cyber Law