The two eyes of DPDPA Compliance

DPDPA envisages two key professional roles for driving compliance.

The DPO is responsible for DPDPA compliance within the organization, while the Data Auditor is an independent auditor who checks the implementation.

FDPPI has recognized these roles and created the C.DPO.DA. (Certified Data Protection Officer and Data Auditor) certification program.

In the upcoming IDPS 2024 on November 30 and December 1 at KLE Law College Auditorium in Bangalore (also available virtually), you can discuss the impact of DPDPA on the professions of DPO and Data Auditor.

Be there, participate and contribute. Register today at www.idps2024.in

Naavi

Posted in Cyber Law | Leave a comment

Credentials of DPOs….. Be a Guardian of Privacy

As India moves ahead into the era of DPDPA, there is a rush of professionals to occupy the role of "DPO" in an organization. It is sometimes easy to grab a title but difficult to retain it and to feel deserving of it. Hence those who aspire to be DPOs need to have, and keep developing, the credentials necessary for the role.

When FDPPI was formed in 2018, one of the first objectives set for itself was to build an “Empowered” community of “Knowledgeable”, “Efficient” and “Ethical” Data Protection Professionals who contribute to the development of a “Secure Information Society” by lawful means.

The "Empowerment" comes from the "Ethical Attitude", which is often absent in our approach to modern life. The knowledge we have and the skills we possess are meaningful only when they are applied with a noble objective. It is not enough if, as a DPO, we guide our organizations to be law abiding and to follow the "Rules" meticulously when they are published. We also need to be "Ethical" in our approach and fulfil our duties as a "Guardian of Privacy" of the "Data Principal". A DPO is himself/herself a "Fiduciary" and needs to be guided by the needs of the "Data Principal" when designing compliance in an organization.

DGPSI, as a framework of DPDPA compliance, recognizes this role of the DPO. As a guardian of the Privacy of the Data Principal, the DPO is responsible for identifying the Privacy Risks to the Data Principal and ensuring that each risk is mitigated to the extent feasible, communicated to the Data Principal and the consent recorded.

In fulfilling this role, the DPO will face a natural conflict with the business objectives of the organization, which he or she has to navigate. This requires leadership skills, persuasive communication skills and also empathy with the Data Principal. The DPO, being the first point of contact for the Data Principal, also needs the skill to negotiate and resolve disputes. Interpersonal skills to work harmoniously with peers, superiors and regulators are also a desirable credential of the DPO.

Want to know more about the credentials of a DPO?….

Attend IDPS 2024…Details at www.idps2024.in …Register today.


NEGD starts DPDPA Awareness Campaign

It appears that, on behalf of MeitY, the National e-Governance Division (NeGD) has started an awareness campaign on DPDPA for industry professionals.

A few days back NeGD conducted a physical conference in Delhi, and today they hosted a one-hour webinar by Advocate Supratim Chakraborthy of Khaitan Associates.

It was a well conducted webinar and useful to industry professionals.

I hope many more such discussions will be conducted by NeGD.

In the meantime, FDPPI will conduct about 20 hours of discussion on DPDPA, other global data protection laws and their interaction with recent developments in technology during the two-day Indian Data Protection Summit 2024 (IDPS 2024) in Bangalore on November 30 and December 1.

Check for details on www.idps2024.in and be there physically or virtually.

Naavi


IDPS 2024 will provide answers to the dilemma of DPDPA compliance

When FDPPI started its IDPS series with IDPS 2020, it was the first such program in India focusing entirely on Privacy and Data Protection. As we run into the 5th year of the series with IDPS 2024 on November 30 and December 1, India is reverberating with the sound of DPDPA, as much for the law having been passed as for the Rules not yet having been notified. Professionals all over India are keen to debate the impact of DPDPA on their organizations and their professions.

In the last three days, I had the privilege of attending two large conferences on Cyber Law, Cyber Security and Data Protection in Delhi. One was the 11th annual international conference on Cyber Law, Cyber Crime and Cyber Security from Pavan Duggal Associates and the other was the first conference of the DPO Club, titled Bharath Privacy Conference.

It was heartening to see professionals and academicians from several organizations in India and abroad, and also officials from Government, participate enthusiastically in the deliberations. It appears that there is no dearth of "Awareness" in the industry about DPDPA and its importance. There may still be a need for awareness amongst the public, who are the focus of this legislation, but awareness at the organizational level seems to be fairly high.

However, whether the current awareness is adequate or needs to be refined is a matter of discussion.

Corporates in India are approaching DPDPA through the lens of GDPR, and there is a popular perception that GDPR is the gold standard and that India can only copy and paste its provisions. We at FDPPI have been crying hoarse that understanding DPDPA needs a certain unlearning of GDPR. It was heartening to note that the ecosystem is slowly accepting the concept that "DPDPA is different, and being GDPR compliant does not mean being DPDPA compliant". This is a big step in the creation of awareness in professional circles, and we are now firmly in this zone of awareness.

When it comes to "Compliance", there is still some confusion on how to address different provisions, and this confusion seems to be encouraging some companies to find an excuse for not starting compliance by pointing to MeitY not having notified the "Rules".

MeitY officials were tight-lipped on the status of the release of the Rules, but indicated that draft Rules would be released for public comments and that, when passed, they would provide substantial time for implementation. This may have brought some comfort to the industry and reduced the tension of the Rs 250 crore penalty hanging over their heads.

There was a small section of industry professionals who felt that a fixed Rs 250 crore penalty, instead of a turnover-based penalty, is meant more to appease large organizations like Meta while at the same time remaining threatening to MSMEs.

There was a popular debate on what the credentials of a DPO should be, but one encountered a number of "CISO-cum-DPO"s in the congregation. It was evident that many professionals are looking at "DPDPA Compliance" through the eyes of a CISO and find it difficult to see the rise of the DPO as a designation on par with, or slightly above, the CISO. This requires a more in-depth debate.

There was no discussion on "Nomination", "Right to Personal Remedy", "Children's Data Processing", "Disabled Persons' Data Processing", "Consent Manager", "Grievance Redressal" or "Data Auditor". Though "Nomination", "Handling of Unstructured Data" and "Children's Data" were mentioned during the Bharat Privacy Conference, no detailed discussion followed. Due to the multiple parallel tracks in the Cyber Law conference, I missed a session on "Authentication" where the CCA was present and another session on "Cyber Psychology", which is a subject of personal interest to me. I need to check if recordings are available.

It was interesting to note that all discussions revolved around AI as much as around DPDPA, as if the conference were orbiting a binary star.

One of the common discussions was around "How to define the role of an organization as a Data Fiduciary or a Data Processor?". Other discussions centred around "Data Access Rights", "Handling of legacy data", etc.

It was clear that just as "Unlearning of GDPR is required to understand DPDPA", "Unlearning of the ISMS principles is essential to understand the compliance framework for DPDPA". Many are still thinking that ISO 27001:2022 is by itself the applicable standard for DPDPA compliance.

However, following some of the discussions, it was clear that professionals are already expressing the need for many of the DGPSI principles, such as the "Process Based Approach" and the "Data Classification approach of DGPSI".

IDPS 2024 now has the responsibility of answering some of these unanswered questions. Let us see how many of the aspirations can be fulfilled.

Incidentally, IDPS is a hybrid conference, and I invite all the attendees of the two Delhi conferences to also attend IDPS 2024, either physically or virtually. Let us make this a continuation of the discussion from the other conferences.

Naavi


There is No Excuse for Missing IDPS 2024

To

All Professionals in Privacy and Data Protection anywhere in India

IDPS 2024, the flagship event of FDPPI, is no ordinary event. It is a "Knowledge Extravaganza". The event focuses on more than 12 hours of intense discussion on Data Protection in India, the EU and the US, with special reference to AI and Robotics.

The event is further enriched with multiple Focused Group Discussions on the impact of DPDPA 2023 on Advocates, MSMEs, DPOs and Data Auditors.

There are many goodies on offer, such as:

During the Conference:

  1. 20% discount on the delegate fee for Members of FDPPI
  2. 10% to 20% special discounts for Members of other professional organizations
  3. Free download of an e-book on Data Protection contributed by FDPPI members
  4. CPE credit certificate for 12 hours

During and after the Conference, up to 31st December 2024:

  1. 10% discount on certification programs
  2. 5% discount on direct entry to the C.DPO.DA. examination
  3. 20% discount on "Guardians of Privacy... Comprehensive handbook on DPDPA 2023 and DGPSI" by Naavi
  4. 20% discount on the forthcoming "DGPSI - The perfect prescription for DPDPA Compliance" by Naavi

With all this, the delegate fee is a pittance: Rs 1500/- for virtual attendance and Rs 3000/- for physical attendance, and the discounts above apply over and above this.

Many of you may think FDPPI is crazy to price this conference at this level and not at, say, Rs 10000/-, which could have been the optimal price. We have no regrets. FDPPI considers the difference of Rs 7000/- per delegate as its contribution to society.

In this context, there is no excuse for any professional claiming to be interested in Privacy and Data Protection in India not to register for this program, at least virtually. Many delegates are travelling from as far as Delhi at their own cost to be present physically. Hats off to their commitment. But others can surely attend virtually. Even if you cannot attend for the entire day, do register, since you will still get all the benefits, including limited-time access to the recorded proceedings.

KLE Law College has a huge facility, but we want it to be stretched. Will Privacy Professionals respond?

Naavi


AI in Surveillance

One of the much discussed aspects of Privacy is the use of AI technology in surveillance. For law makers, it is always a challenge to balance the need for surveillance for security purposes against the ethics of avoiding privacy infringement. CCTV cameras on the road or in large premises can often be a source of privacy infringement, since the footage can be fed to a facial recognition system and the individuals in it identified and tracked.

Privacy laws often provide exemptions for surveillance by law enforcement agencies. In India, any instrumentality of the State can be exempted by notification from the provisions of DPDPA in the interests of the sovereignty and integrity of India, security of the State, etc., including "maintenance of public order" and "preventing incitement to any cognizable offence relating to" these.

But these exemptions are not available to private sector organizations that may use similar surveillance to protect corporate assets. Note also that in most cases the software service providers working for law enforcement agencies may have easy access to the agencies' data, either with the agencies' knowledge or otherwise.

CCTVs are also used by the private sector in their offices and factory premises, and in these organizations the justification has to be built on the "Security" of the enterprise. Most gated communities use CCTV and Visitor Entry systems where the facial identity of individuals is captured by the security agencies as a routine. In such instances, the use of AI to identify people, both from facial recognition and from other behavioural factors such as gait recognition, is an interesting challenge for the DPO.

The pictures collected from visitors are in most cases good enough to be used, with AI, to pass a face-based KYC check in a banking system. Hence these close-range pictures are highly risky from the privacy perspective, and leaving them in the hands of security agencies is a matter of concern. DPOs have very little control over misuse in such cases.

Normally, the physical security managers who monitor CCTV or Visitor Management are not part of the Information Security system. They may report to facility managers and not to the CISO.

Recognizing the importance of "Electronic Vigilance" and its impact on Privacy, it is time for organizations to consider whether they are sufficiently involving facility managers in their Information Security management team, or involving their CISOs and DPOs in facility management.

Most information security standards do recognize that physical security aspects such as power systems, AC ducts, lift systems, etc., along with the network of CCTVs, are part of the overall Information Security system. But most of these stop at looking at past CCTV footage after a crime has been committed to identify the criminal actions.

With the advent of AI it is now possible to identify suspicious behaviour in real time and prevent a crime from occurring. Common sense says that there should be no disagreement over using technology to enhance security in corporate premises or a gated community. But Privacy professionals may object to behavioural monitoring without consent, and to automated decisions taken on that basis that could cause harm to data principals.

Currently, CCTV capture is done with just a notice pasted on the wall. Visitor Management systems may not have specific electronic consent built into the system; hopefully some of the developers of these systems are building such consent screens in. There are many security managers who even collect Aadhaar cards or PAN cards and hold them in custody until the visitor badge is returned. The DPOs of such organizations need to recognize the risk of security personnel misusing the temporary custody of the document. Similarly, all hotels collect copies of such documents and retain them for a long time, even after the guest checks out.

While it is perfectly justifiable to collect identity documents and to analyse the available data for security purposes, organizations need to have adequate security measures to prevent misuse: recording consent electronically, holding as little of the identity data as the purpose needs, and purging it once the purpose is served. Developing appropriate policies, creating awareness and training the manpower are therefore as big a challenge as preventing Phishing and Ransomware attacks.
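The controls a DPO might ask a visitor-management vendor for can be shown in code. The following is an added example written for this page, not code from the original post or from any vendor: a minimal visitor register that refuses to process a visitor without a recorded electronic consent, stores only a keyed hash of the ID-document number instead of a copy of the document, and purges the close-range photo and the hash once the badge has been returned and an assumed 30-day retention window has elapsed. The class and function names, the retention period, the stated purpose and the sample visitor (with a made-up ID number) are all assumptions.

```python
# Added example for this page (not the original post's or any vendor's code).
# Visitor register with: consent gate, keyed hash of the ID number (no document copy),
# and retention purge after badge return. Names and numbers below are assumptions.
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

PHOTO_RETENTION = timedelta(days=30)  # assumed retention window after badge return
CONSENT_PURPOSE = "premises security and visitor badge issue"  # assumed stated purpose


@dataclass
class VisitorRecord:
    visitor_id: str
    name: str
    id_fingerprint: Optional[str]   # HMAC of the ID number; never the number or a scan
    photo_ref: Optional[str]        # storage key of the close-range photo, or None
    consent_at: datetime            # when the visitor gave electronic consent
    consent_purpose: str
    entered_at: datetime
    badge_returned_at: Optional[datetime] = None


class VisitorRegister:
    def __init__(self, pepper: bytes) -> None:
        self._pepper = pepper       # secret key, kept outside the register's own database
        self._records: Dict[str, VisitorRecord] = {}
        self._seq = 0

    def _fingerprint(self, id_number: str) -> str:
        # Keyed hash: security can later ask "was this ID used here?" without holding the ID.
        canon = id_number.strip().upper().encode()
        return hmac.new(self._pepper, canon, hashlib.sha256).hexdigest()

    def check_in(self, name: str, id_number: str, photo_ref: Optional[str],
                 consent_given: bool, now: datetime) -> str:
        # No recorded consent, no processing: a notice on the wall is not a consent record.
        if not consent_given:
            raise ValueError("visitor did not consent; do not capture photo or ID")
        self._seq += 1
        vid = f"V{self._seq:06d}"
        self._records[vid] = VisitorRecord(
            visitor_id=vid, name=name, id_fingerprint=self._fingerprint(id_number),
            photo_ref=photo_ref, consent_at=now, consent_purpose=CONSENT_PURPOSE,
            entered_at=now)
        return vid

    def return_badge(self, vid: str, now: datetime) -> None:
        # Physical custody of the ID document ends here; only the fingerprint remains.
        self._records[vid].badge_returned_at = now

    def purge_expired(self, now: datetime) -> int:
        # Drop photo and fingerprint for visitors whose retention window has elapsed.
        purged = 0
        for rec in self._records.values():
            if rec.badge_returned_at is None:
                continue
            still_held = rec.photo_ref is not None or rec.id_fingerprint is not None
            if still_held and now - rec.badge_returned_at >= PHOTO_RETENTION:
                rec.photo_ref = None
                rec.id_fingerprint = None
                purged += 1
        return purged

    def was_present(self, id_number: str) -> List[str]:
        # Answers a security query from the hash alone; returns nothing once purged.
        fp = self._fingerprint(id_number)
        return [r.visitor_id for r in self._records.values()
                if r.id_fingerprint is not None and hmac.compare_digest(r.id_fingerprint, fp)]

    def get(self, vid: str) -> VisitorRecord:
        return self._records[vid]


def run_demo() -> dict:
    # Constructed walk-through: one consenting visitor, badge returned after two hours.
    reg = VisitorRegister(pepper=b"example-pepper-keep-in-a-vault")
    t0 = datetime(2024, 11, 30, 9, 0, tzinfo=timezone.utc)
    vid = reg.check_in("Constructed Visitor", "ABCDE1234F", "photos/v1.jpg", True, t0)
    reg.return_badge(vid, t0 + timedelta(hours=2))
    return {
        "vid": vid,
        "present_before": reg.was_present("abcde1234f"),      # case-insensitive match
        "purged_early": reg.purge_expired(t0 + timedelta(days=10)),   # inside window
        "purged_late": reg.purge_expired(t0 + timedelta(days=31)),    # window elapsed
        "present_after": reg.was_present("ABCDE1234F"),
        "photo_after": reg.get(vid).photo_ref,
    }


if __name__ == "__main__":
    print(run_demo())
```

The pepper is what makes the fingerprint safe to keep in the visitor log: without it, a hash of a short, structured ID number could be brute-forced back to the number, so it belongs in a secrets store rather than next to the records.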

DPOs need to focus on such Electronic Vigilance systems in the post-DPDPA scenario.

Naavi
