DGPSI is the Digital Governance and Protection Standard of India. The concept of a “Framework” for compliance has been pursued by Naavi since IISF 309 was launched as the Indian Information security Framework in March 2009.
DGPSI is now the standard developed for DPDPA 2023 Compliance and can be used for implementation of a system that complies with DPDPA 2023 which is referred to as DGPMS or Digital Governance and Management System.
Presently DGPSI is a framework which can be used for third party audit and certification.
While DPOs may use DGPSI for implementation, Data Auditors may use it for Data Audit.
Since DGPSI also comes with DTS evaluation both for the enterprise as well as systems of software, DTS can be used for measurement of the maturity of an enterprise or a sub system for DPDPA Compliance.
DGPSI is being developed as the “Jurisprudence” of DPDPA so that many of the techno legal aspects of the law find an expression in the DGPSI detailed implementation document. Naavi who is the creator of DGPSI has released the book “Privacy Guardians.. Comprehensive handbook on DPDPA and DGPSI”. In the trainings on C.DPO.DA. Naavi has been discussing greater details of DGPSI. These are being codified into a separate book which may be published in a month or so.
In the meantime, some queries on DGPSI are answered in the form of an FAQ here. If there are more questions, readers can send their questions to Naavi and we will add the response here.
| Sl No | Question | Response |
| 1 | What is DGPSI | “DGPSI” stands for “Data Governance and Protection Standard of India”. It is a framework developed by FDPPI and the chief architect is Naavi. The framework is meant to guide “Implementation of a Compliance by Design Program” by an entity for compliance of Personal Data Protection regulations in India covering DPDPA 2023 and the related laws and regulations. |
| 2 | What is “DGPSI-Lite” | “DGPSI-Lite” is one of the two versions of DGPSI and is meant to provide a simple and direct compliance checklist for compliance of DPDPA 2023. It is recommended as the first step towards compliance and can be achieved quickly by appropriate policies and simple technology controls. In Smaller organizations, it should be possible to implement it manually. DGPSI-Lite has 36 model implementation specifications. |
| 3 | What is “DGPSI-Full” | “DGPSI-Full” is the second version of DGPSI which has 50 implementation specifications and covers compliance of DPDPA 2023 along with ITA 2000 requirements related to PII and also Bureau of Indian Standards requirements on Data Protection. The 50 implementation specifications try to address the nearly 200 different requirements that arise in terms of DPDPA 2023, ITA 2000, ISO 27701 and BIS requirements. There are simplifications and groupings to reduce the number of “Controls” but it essentially covers the essence of these frameworks. |
| 4 | Why do we need DGPSI | Organizations who process personal data for business need to manage the penalty risks arising out of DPDPA non compliance. DPDPA is a law and is subject to legal interpretation. Organizations need to be assisted with a guideline that provides a conversion of legal requirements under different sections of the Act into implementable Governance parameters in the organisation. This cannot be done by the Ministry since the interpretation of the ministry becomes part of the law and if proved wrong, could even vitiate the law itself. The industry’s own interpretation could be coloured with vested interests. Hence there is a role or an NGO kind of organization to provide the “Derived Controls” for implementation of DPDPA compliance by design which DGPSI represents. |
| 5 | Why do we need two versions of DGPSI? | DGPSI lite is a simpler version and easy to implement. It is limited to a direct compliance of the different sections of DPDPA 2023. DGPSI Full is an open ended framework where interpretations can be beyond the simple interpretation of the law. It is more flexible and can be expanded as the nature of the requirement expands. Good for large organizations and more particularly the potential and identified Significant Data Fiduciaries. |
| 6 | What are DGPSI Principles? | There are 12 major principles that drive the DGPSI frameworks. They may be considered similar to “Standards” where as the “Model Implementation Specifications” can be considered as implementation instructions. |
| 7 | What are “Model Implementation Specifications”? | The “Model Implementation Specifications” represent the implementation instructions for an organization. It incorporates some flexibility so that some specifications can be considered as “Required” and some “Addressable” as per terms used under HIPAA. At present all implementation specifications are considered “Addressable” in the sense that they can be achieved by alternative means as possible. |
| 8 | What is a “Deviation Justification Document”? | Deviation justification document is a document that is developed after a “Gap Assessment” is conducted based on the model implementation specification where “Addressable Model Implementation Specifications” can be segregated and a reduced set of “Adapted Implementation Specification” is developed by the organization after taking into consideration it’s “Risk Absorption Capacity”. Any elimination of model implementation specification needs to be supported logically in the deviation justification document and is subject to the scrutiny of the auditors who should consider it as reasonable taking note of any Insurance cover or provisions made for consequences of non compliance. |
| 9 | What is “Implementation Charter”? | The Model implementation specification list reduced to Adpated implementation specification leads to the “Implementation Charter”. Essentially Implementation charter is an authorization by the management to the operational team and is also used by the third party auditor for certification. Any unreasonable elimination of model implementation specifications, would be reflected in the shrinking of the “Data rust Score” or DTS which is based on the Model Implementation Specifications and not on Adapted implementation Specification. Adapted implementation specifications is used for audit certification along with the risk absorption policies of the organization supported by the Deviation justification document. |
| 10 | HIPAA has Required and Addressable Implementation Specifications. Is there a similar approach in DGPSI? | DGPSI approach has similarities to HIPAA where the “12 DGPSI principles” can be considered as “Standards”, 50 model Implementation specifications as the full set of addressable implementation specifications. The 36 model implementation specifications under DGPSI lite can be considered as “Required Implementation Specifications”. |
| 11 | HIPAA has a concept of a “Hybrid” organization. Is there a similar concept in DGPSI? | DGPSI is a “Process Based” compliance system and organizations are expected to consider themselves as an “Aggregation of Processes” and try to achieve compliance in each of the processes independently. Hence in some processes the organization would be a Data Processor, in some “Data Fiduciary” and in some it would be a “Significant Data Fiduciary”. Hence an organization is always “Hybrid” entity. The minimum processes could be the Website, E Mail and Employee data processing. |
| 12 | GDPR has requirements different from DPDPA. How does DGPSI accommodate such difference | DGPSI recommends a data classification and storage system where the personal data is sets are tagged with the relevant applicable legal jurisdiction such as DPDPA data or GDPR data or CCPA data. They are then stored in separate silos and appropriate laws are applied as controls to the specific sets. DPDPA controls are not applied to GDPR data or vice versa. |
| 13 | There is a “Privacy Framework” of DSCI. How does DGPSI differ? | DSCI Privacy framework is meant to enable a “Data Controller” follow certain principles of processing personal data which it owns. It focuses on Visibility over personal Information, Privacy Organization and Relations, Privacy Policy and Processes, Regulatory Compliance Intelligence, Privacy Contract Management, Information Usage and Access, Monitoring and Training, Privacy Monitoring and Incident Management, Information Usage and Access, Privacy awareness and Training, and Personal Information Security. The scope of DSCI framework is limited and is considered dove tailed to GDPR-Privacy by default requirement and not compliance of DPDPA. |
| 14 | IS DGPSI similar to HITRUST framework for HIPAA Compliance? | Like HIRUST, FDPPI is a private sector organization. But HITRUST is an organization created by the industry where as FDPPI is created by individual data protection professionals. HITRUST is more similar to DSCI which is NASSCOM promoted and the similarity with FDPPI ends as a non Government agency recommending compliance measures. |
| 15 | There is ISO 27701 as a framework for PIMS implementation by default. How does DGPSI differ? | ISO 27701 is built over ISO 27001 and addresses the requirement of Personal Information management as required under GDPR principles. It has not been designed for DPDPA 2023. DGPSI is the only framework which is designed for DPDPA compliance and has no substitute for the time being. |
| 16 | How can DGPSI be used by an industry? | An industry can use DGPSI as a “Guidance for Implementation” of “Compliance by Design” and creating the “Digital Governance and Protection Management System” in the organization similar to the concepts of ISMS used in ISO 27001 and PIMS used in ISO 27701. DGPSI can be used by third party auditors to certify an organization for compliance on their self declared “Implementation Charter” associated with the “Risk Management Policies”. Organizations can also use it for assessing their compliance maturity through the “Data Trust Score” or “DTS” which can be “Self assessed” and validated through external consultants with or without audit and certification. FDPPI auditors are mandated to generate DTS and reporting it to the company leaving it to the discretion of the organization to publish it or not. |
| 17 | How can an individual specialize in DGPSI? | FDPPI as an organization conducts Certification programs such as “Certified Data Protection Officer and Data Auditor” (C.DPO.DA) to train professionals on the knowledge of data protection laws in India, global laws as well as the compliance of DPDPA through DGPSI framework. The training is followed by an online examination for validation of the Certification eligibility. The certification is subject to value depreciation that can be restored through periodical continuing education points. (CPE). FDPPI also offers “Cross Certification” for those who have completed certifications from other organizations or have developed experience based skills in managing a DPO or DA function where the candidates can appear for the examination after self study without necessarily going through the training programs of FDPPI. |
| 18 | Who is a Data Auditor under DPDPA and how is DGPSI relevant for him? | DPDPA 2023 envisages a role of “Independent Data Auditors” who will be auditing the compliance od DPDPA in organizations. This is mandatory for Significant Data Fiduciaries. DGPSI can be used as a framework for such assessment. |
| 19 | Who is a DPO under DPDPA and how is DGPSI relevant for him? | DPO is the person appointed by a Significant Data Fiduciary under DPDPA who is expected to be a person who will respond to all Data Principal Rights Management issues. Internally he may be required to guide the organisations on policy and setting up controls so that the compliance can be documented and made effective. Organizations which are not Significant data fiduciaries may have a similar responsibility assigned to a “Compliance Officer”. There may also be a “Grievance redressal officer” who may assist the DPO where required who may take care of resolving legal disputes arising our of complaints from the Data Principals before they are escalated to the DPB. |
| 20 | What is DTS and how is it enabled by DGPSI? | DTS means “Data Trust Score” and is a measure of the maturity of an organization regarding compliance of DPDPA 2023. In the earlier versions of DPDPA, DTS was mandatory to be reported to DPB but the current version does nor require it. However DGPSI system of DPDPA continues to recommend generation of DTS for an organization so that it can be used as an internal guide. It is a number which represents the quantification of the enterprise level compliance and takes into account the weighted average of the maturity of compliance on five parameters of compliance namely the Managerial Responsibilities, DPO responsibilities, The HR, Legal and Technology department responsibilities. The 50 model implementation specifications are distributed over these 5 responsibility centers, computed responsibility center wise and then aggregated with a weightage model as developed by FDPPI. At present DTS system is proprietary while DGPSI is open source. |
| 21 | What is Data Valuation? | Data has a cost of acquisition and also has a market value. But normally this is only a concept not brought into books of account. DGPSI recommends a development of a rupee value determination for data processed by a company. FDPPI has developed one reference model called DVSI or Data Valuation Standard of India which takes into account the intrinsic value of Data and further modifies it based on the depth, age, accuracy and usability of the data. |
| 22 | What is Distributed Responsibility? | DGPSI recommends that while DPO is the external face of compliance for an organization, internally, an organization needs to develop a network of “Sub DPOs” or “Privacy Compliance coordinators”. It is normally recommended that “Process owners” should have the responsibility for DPDPA compliance within the process they manage. This is also extended to every individual employee in respect of Unstructured personal data. |
| 23 | What is the “Process oriented approach of DGPSI”? | DGPSI considers an organization as an aggregation of different processes handling personal data. Output from one process may become input in a different process but the two may be different with different purposes, different data requirements, different controllers etc. The roles of the organization may also differ from one process to another. For example an organization may be a processor in one process but a data fiduciary in another. Instead of classifying an organization at the enterprise level and calling it a data fiduciary or a significant data fiduciary, DGPSI recommends such classification for each process. The data minimisation and retention requirements are also tagged with each process and could be different for different processes. Even the data access control differs from process to process. This is a unique character of DGPSI. |
| 24 | How does the PII discovery process expected to be implemented under DGPSI? | PII is considered as a “Generative process” in an organization where different elements of data come together and at some point they become identifiable with an individual and become PII. When PII is deidentified, pseudonymised or anonymised, the nature of data may change. DGPSI captures this by adopting the Process oriented approach to compliance. Accordingly input to Process A can be a non personal data but the output can be personal data and vice versa. This is another unique recommendation of DGPSI |
| 25 | How does PII classification process expected to be implemented under DGPSI? | PII classification under DGPSI is compliance oriented. Hence the tags are “Jurisdiction”, “Employee” or “non employee”, “Minor” or “Major” (as per Indian law) etc. It is not the usual classification on security frameworks such as “confidential”, “Public” etc. Though “Sensitivity” is not defined under DPDPA, it is still used in classification as a tag so that the “Determination of Significant data fiduciary” status can be facilitated. |
| 26 | How does Process Inventory assist in building Data Inventory for compliance of DPDPA? | Every process has a purpose, with its own data requirement and data retention requirements. Consent and legal basis can also be established with reference to each process. Process owners can be identified as “Internal Data Controllers” etc. The personal data inventory can be constructed from the Process inventory with access to different elements of data being provided on the basis of the process requirements. Hence Data Inventory flows out of process inventory |
| 27 | How does DGPSI address the dynamic nature of Indian data protection laws? | DGPSI requires a constant monitoring of relationship with DPB/Regulatory authority and changes required are expected to be monitored on a continual basis. |
| 28 | How does DGPSI address the requirements of ITA 2000 for Data Protection? | DGPSI recognizes that Personal Data is also Data under ITA 2000 and hence any personal data breach under DPDPA is also a data breach under ITA 2000 and invokes provisions of IAT 2000. Further Data Processors who are not directly liable under DPDPA may become liable under Section 72A of ITA 2000. Data Principals who donot have personal remedy under DPDPA for personal data breach may invoke ITA 2000 for remedies. Hence certain compliance requirements of ITA 2000 are relevant for DPDPA compliance. This is flagged through one of the model implementation specifications |
| 29 | How does DGPSI address Data Governance from the perspective of BIS requirements? | A draft guideline was developed by BIS for data governance in Data Driven organizations. This also included requirements for Personal Data Protection as part of the Governance measures. These are included as requirements of DGPSI also. |
| 30 | Is DGPSI supplementary to or complimentary to GDPR compliance? | DGPSI requires segregation of personal data based on “Applicability” into different silos where different laws may be applied. Hence DPDPA is not applied to GDPR data and vice versa. Hence GDPR compliance had no direct impact on DPDPA compliance requirements of an organization. Though GDPR implementation could have developed some awareness of “Privacy”, it is possible that the understanding of Privacy compliance under GDPR may actually be in conflict with DPDPA concept and hence has to be un learned before DPDPA compliance is implemented. Hence DGPSI should be treated as independent. It is however possible to implement GDPR compliance n GDPR data using DGPSI framework if suitable modifications are made in respect of recognizing the rights and obligations. |
| 31 | How does “Consent Manager” handled by DGPSI? | A Consent Manager under DPDPA is also a Data Fiduciary and hence all aspects of DGPSI is applicable to them. Additionally the requirements of security of an inter-operable platform and its certification needs to be achieved and it is covered under a model implementation specification |
| 32 | Is there a Government recognition for DGPSI? | At present no framework has been recognized by Government. Since DPDPA compliance is driven by legal considerations, the MeitY may not come up with its own recommendation on data protection framework under DPDPA and leave it to the industry to develop. If the Government supports any framework, it would become “Deemed Compliance” and interfere with the rights of the data principals enforceable under law. |
| 33 | Is there DGPSI for Data Processors? | A Data Processor is liable under a contract from the Data Fiduciary. In some cases organizations may portray themselves as Data Processors where as they are actually Joint Data Fiduciaries. The contracts of Data Processing need to make reference to all requirements of DPDPA and hence indirectly DPDPA compliance is imposed on the data processor. DGPSI therefore becomes relevant even for the Data Processor. The Data Processing contract read with Section 72A of ITA 2000 becomes the regulatory guideline for Data Processors. In some cases they need to also adhere to Section 79 requirements of ITA 2000. |
| 34 | Does DGPSI framework include templates for consent management or other aspects of compliance | At present DGPSI is a framework and the individual templates of compliance are required to be developed by implementation consultants. |
| 35 | Does DGPSI assist in assessing insurance readiness of an organization for DPDPA cover if any? | DGPSI has a Gap Assessment module that is tuned to evaluating the “DPDPA Readiness”. It uses the DGPSI Full implementation specifications and comes out with the evaluation at three levels namely “Excellent”, “ Good” and “Requires additional measures” so that a Cyber Insurance organization may take it into consideration for underwriting a DPPDA policy |
| 36 | How does DGPSI address specific requirements of DPDPA Compliance? | DGPSI has specific model implementation specifications to address different aspects of DPDPA including “Determining the applicability”, “Determining the Role of the organization”, “Managing the obligations”, “ Managing the Rights of Data Principals”, “Managing DPB relations”, “Vendor or Processor Contracts” etc |
| 37 | How does DGPSI address people resources for DPDPA 2023 compliance | Specific model implementation specifications address the requirements of awareness training, whistle blowing, distributed responsibility etc. A separate privacy management policy for Employees is also envisaged |
| 38 | How does DGPSI address Data Monetization requirements? | Data Monetization Policy is suggested to guide the operating personnel on obtaining an appropriate consent enabling profiling and data monetization. |
| 39 | How does DGPSI handle awareness of stakeholders including Data Principals? | Since DPDPA imposes certain duties on the Data Principals, DGPSI envisages appropriate awareness creation when the notice is drafted for consent request. |
| 40 | How does DGPSI address the “Unstructured Data” problem? | Unstructured data management is handled through the Distributed Responsibility requirement where each employee is expected to watch and handover personal data received by him to a data custodian. |
| 41 | How does DGPSI address the AI processing? | AI is considered as a separate process and compliance within the process is handled separately. |
| 42 | How does DGPSI address Data Analytics requirements? | Data Analytics may require special consent and DGPSI Consent Management system suggests use of witnessed consent in some cases and discovery consent where required |
| 43 | How does DGPSI relate to IS 17428? | IS 17428 was introduced by BIS as a framework similar to ISO 27701 for the Indian scenario. It is not taking into account DPDPA and is linked to ISO 27001 and hence not relevant for DPDPA compliance. The best practices of ISO 17428 are available in DGPSI. |
| 44 | How Does DGPSI reduce the burden of compliance to multiple frameworks? | The total model implementation specification is limited to 50 which and includes certification possibility and assessment capabilities. Hence the need for additional certifications under multiple frameworks is avoided. |
| 45 | How does DGPSI address changes in Indian Data Protection regulations in future? | FDPPI monitors the changes in law and makes immediate changes in the specifications as may be required. |
| 46 | Does DGPSI assist in assessing the claim under a DPDPA insurance if any? | When a data breach incident is reported and there is a possibility of an inquiry, DGPSI provides for an assessment of the pre-breach compliance and provides a guidance note to the insurance company as well as to the insured which may be used for negotiations with DPB |
| 47 | What is FDPPI | Section 8 company (Not for Profit) promoted by Data Protection Professionals. Not aligned with any industry groups. |
| 48 | Who is Naavi | Promoter of FDPPI and architect of DGPSI. A thought leader in the filed of Cyber Law and Data Protection with a 25 year plus professional work in the area of ITA 2000 and DPDPA. |
