Naavi.org

DTS or Data Trust score is a derivative of DGPSI the unique framework developed by FDPPI. After an auditor audits the DPDPA compliance system of an organization, the auditor also simultaneously generates the Data Trust Score for the enterprise which reflects the maturity of implementation of DPDPA Compliance. This is a conversion of subjective assessment of the auditor into an objective score.

The organization is free to use this score either to improve itself or to disclose it to its customers to enhance their confidence.

In addition, DTS can be used as an “Insurability Index” at the time of seeking insurance against the liabilities of DPDPA and for negotiating the premium for the insurance policy. Similarly when there is a claim, DTS can be used to negotiate the Claim with the insurer.

Additionally, since DGPSI is a process based implementation in the enterprise, DTS can be calculated for each process separately. When a certain process represents a “Product”, “Service” or an “AI algorithm”, the DTS allocated to the process can be used as a marketing tag indicating the induced compliance impact when the product or service is used by a third party.

Learn more about this by attending the Focused Group Discussion for Data Auditors at the IDPS 2024 conference in Bengaluru on November 30 and December 1.

Register today at www.idps2024.in

Naavi

The DGPSI is a unique invention of FDPPI to facilitate an efficient “compliance by Design” system for DPDPA compliance.

The DGPSI Eco system consists of four components. At the foundation of DGPSI are the set of 12 principles which are like “Standards” for implementation.

DGPSI Lite is the first level of compliance where the focus is compliance of specific sections of DPDPA.

DGPSI is an extension of DGPSI Lite and expands compliance to ITA 2000 and Data Governance under BIS requirements.

DTS or Data Trust Score is the outcome of an audit converted into an objective score as an assessment of the maturity of implementation.

To understand all the nuances of DGPSI, professionals may attend the focussed group discussion at IDPS 2024 at Bangalore.

Professionals attend many conferences round the year on various topics. Currently it is the season of Data Protection in India and multiple conferences are being held at different locations.

For those who attend a paid conference where there is a “Delegate Fee” often wonder what do they take from the conference.

There are one class of attendees whose main purpose of attending a conference is networking with the peers and thereby enhancing their business prospects or employment opportunities. There is another class of participants who believe that attending a conference is for “Knowledge” and every hour spent is helpful in improving themselves. The concept of allotting CPE hours is based on this principle that some learning does take place.

FDPPI which has been advocating “Valuation of Data” in its compliance guidance, has been focussing on this “Knowledge” part of a conference in its events like the IDPS 2024 so that there is “Value for Money” for the participants.

Hence the two day program on November 30 and December 1 is meant to provide nearly 12+ hours of conference time (excluding lunch and tea breaks) involving listening to Key Note and Panel Discussions. Accordingly CPE hours are also allocated to the registered participants.

What is more important in the case of FDPPI conference is that in addition to the 12 hours of conference time, participants are provided with “Focus Group Sessions” of around 6 hours at the conference venue itself and an additional Virtual keynotes of another 4-6 hours. As a result, apart from the main conference time of around 12 hours, another 6 hours are being offered without any additional price.

The delegate fee of Rs 3000/- therefore covers nearly 18 hours of knowledge sharing time. If we consider that each knowledge hour in the conference is worth Rs 1000 and each focus group hour session is worth at least Rs 2000/- we are talking of a total value of Rs 12000+12000 equal to Rs 24000. This is a value multiple of 8 times on the delegate fee paid.

Between now and the conference time, we are trying to add another 12 hours of recorded videos so that the value multiple is raised further to around 12 times, valuing the virtual sessions at Rs 1000/- per hour.

FDPPI is proud that as a Section 8 company, it is its commitment to the Data Protection Community to provide such value addition.

For more information, visit www.idps2024.in

Register today and book your seat….here

One of the first Model Implementation specifications under DGPSI, the compliance framework for DPDPA Compliance by design is

“Organization shall designate/appoint, DPO/Compliance Manager with  necessary credentials and provide support in terms of people, budget and technology and external consultancy.”

This specification essentially focusses on “Necessary Credentials” for the compliance manager or the DPO. The discussion on what is the necessary and desirable credentials for a DPO has been a long debate ever since GDPR came into being in 2018. The laws cannot specifically define the credentials. At best it can only list the requirements to be fulfilled by the DPO.

GDPR has been a little more specific on the tasks of the DPO while DPDPA is very crisp and states DPO shall “represent” the Significant Data Fiduciary, be a “point of contact” for grievance redressal and “be responsible” to the Board of Directors.

If we put on the DGPSI’s Jurisprudential lens and start interpreting the words “Represent” and “Be responsible”, and “Point of contact”, we will be able to understand the credentials required for a DPO.

A “Point of Contact” can be just that and can be a postman who passes on grievances to some body who is designated as a Grievance Officer”. On the other hand, the DPO himself can be the Grievance redressal Officer. The ball is now in the court of MeitY that when it releases the much awaited “Rules” it can define the role of a DPO as either the “Postman” or the “Grievance Redressal Officer”. (GRO).

We should note that ITA 2000 already has a need for a “ITA 2000 compliance officer and a Grievance Manager” and hence it is natural to think that there will be a common GRO for both ITA 2000 and DPDPA.

However an organization also has the exposure to other laws such as Environmental laws, labour law or POSH Law, etc.

If labour disputes and POSH disputes are considered one class of disputes, the environmental laws as another class and added on to the ITA 2000 and DPDPA disputes, then a GRO would have to be a legal expert.

If however, ITA 2000 and DPDPA disputes are considered “Data Disputes”, the expertise required are the two laws ITA 2000 and DPDPA with additional knowledge of international laws and the technology aspects.

It is this expertise of ITA 2000 and DPDPA along with international data protection laws that the trainings like C.DPO.DA. try to develop. Most other DPO Certification programs may not even cover ITA 2000.

DGPSI understands and appreciates the need for a single GRO in a company who handles all types of disputes from employees and the public. However considering the requirements of DPDPA and the likely hood of large number of complaints under DPDPA, DGPSI recommends that the DPO himself/herself should be the GRO for data related disputes.

In view of this, DPO should not be considered as a mere postman whose contact information is available on the website just to receive, acknowledge and forward it to the GRO. Instead, the DPO should have the capability of “Dispute/Conflict Resolution Skills” which involve “Negotiation” and “Mediation”. Accordingly this skills is one of the requirements of a good DPO.

The interpretation of the word “Represent” under DGPSI is that DPO shall be the face of the SDF (Significant Data Fiduciary) as far as the external world is concerned. Hence, on the one hand he faces the Data Principals and on the other hand he faces the Regulator and the Media. Hence DGPSI expects that the DPO possesses skills of negotiating with the DPB and later the Appellate Tribunal.

The DPO also needs to face the Media as a PR Manager to handle any Data Breach Crisis. hence his required credentials include the external communication skills.

DPO being a senior person reporting perhaps to the Board directly, questioning the R & D projects, Marketing Contracts etc for compliance deficiencies, often develops conflicts with other CxOs and even with the CEO. Hence, ability to manage the internal relations without sacrificing the commitment of his obligation under law is essential.

At this point of time we donot know if the DPO will be personally held liable for any compliance issues. However DGPSI Jurisprudence suggests that since the organization is a “Fiduciary” the primary responsibility of the DPO is to protect the interest of the data principals and if he fails in this regard because of any reason including the pressure from the organization itself, it is considered as “Breach of Trust”.

In the GDPR there is a provision that DPO shall not be dismissed or penalised for performance of his duties. ICO UK even has a DPO registration system.

At present, India does not have a DPO registration system nor DPO protection system at the level of the Government.

Only organizations like FDPPI are planning to provide such support.

Considering these internal conflicts, ability to effectively communicate internally and maintain internal relationships are considered as other requirements of an ideal DPO.

In view of the above the following six credentials are considered essential for a Good DPO.

1. Legal Knowledge of DPDPA and other data protection laws along with ITA 2000
2. Understanding of technology to the extent of converting the law into technology practices or identify legal infringements in technology
3. Handling of Grievances with skills related to Conflict Resolution, Mediation etc.
4. Ability to communicate effectively and negotiate with the Regulators
5. Ability to communicate effectively and maintain good internal relationships with other CxOs
6. Ability to communicate effectively with the external agencies like Media.

FDPPI through its training programs is trying to provide such skills and expertise and recommend others also to follow suit. Alternatively the management has to ensure that the DPO designate is provided training not only with organizations like FDPPI but additionally appropriate organizations for Conflict Management, Mediation and PR.

Naavi

IDPS 2024 has planned its flagship event of FDPPI, in Bengaluru on November 30 and December 1 with several Key Note and Panel Discussions on Privacy and Data Protection with speakers from India and abroad.

Some of the topics listed for discussions are

1. Emerging Technology Challenges to Privacy
2. Privacy Enhancement Technologies
3. Global AI developments, an Introduction
4. Shaping the future of Data Protection and Influence of AI tech in EU and UK
5. Recent Developments in US Data Protection Laws
6. Guarding India’s Data Against Cyner Crime and AI threats
7. Social Impact of AI and Robotics
8. Is Industry ready for DPDPA?
9. Responsible AI-AI and sense of Self
10. Privacy Breach, Compensation through Adjudication
11. EU AI Act
12. DPDPA and the Emerging Rules

Apart from these discussions, IDPS has planned three focus group discussions on Impact of DPDPA firstly on Advocates, secondly on CIOs and DPOs the thirdly for Data Auditors separately as parallel sessions.

In these sessions the impact of DPDPA would be discussed with reference to the specific groups in terms of their roles, professional opportunities etc. These sessions will be valuable for the professionals to get all their doubts cleared in terms of the Act and its impact on their professions.

The profession of “Data Auditors” is a less known but is an activity important for current auditors in the Information Security area.

We hope these sessions will add lots of value to the program.

Naavi