DGPSI (Data Governance and Protection Standard of India) is a suggested standard and a framework of compliance for organizations who intend to implement “Compliance By Design”. In this respect it is more like ISO 27701 which tries to establish a framework for “Privacy by Design”.
“Privacy” is a right of an individual and all Privacy Activists are committed to the protection of the right to privacy. The world however consists of Privacy Activists and also Data Driven Business and E-Governance authorities. Hence it is essential that “Privacy by Design” has to accommodate “Data Dependent Business” and “Data Oriented Governance”. The legislation whether it is DPDPA 2023 or GDPR or CCPA/CPRA has to therefore accommodate all the stake holders.
Hence “Privacy” cannot be at the exclusion of the right of monetization by the business nor right of “Surveillance” by the Government. Even the “Right to Security” of individuals is as much a fundamental right as “Right to Privacy” and has to be recognized. The law therefore has to accommodate these diverse interests when it makes the law. While GDPR also has provisions which accommodate rights of security and governance to some extent, Indian law namely DPDPA 2023 is more conscious of this responsibility. Hence DPDPA 2023 has certain provisions which may make puritans a little uncomfortable.
FDPPI has recognized this need for harmony and had adopted this as one of its objectives in its memorandum by stating
“To bring harmony in the pursuance of Civil Rights of individuals such as Privacy and Freedom of Expression along with the Right to Information and Right to Cyber Security .”
The approach of DGPSI as an instrument of “Compliance By Design” of which “Privacy by Design” is a component along with Personal Data Governance and personal Data Security. Hence it accommodates compliance of not only DPDPA 2023 but also ITA 2000 and BIS standard of Data Governance.
Just as a Fair Data Protection law has to be fair to the business and Government, DGPSI also is a “Fair Compliance Framework” which tries to be fair to the CFO, CMO along with DPO and CISO. Through “Distributed Responsibility” criteria it even tries to be fair to the DPO and spreads the responsibility across the organization. Through “Implementation Charter” signed by the top management it brings the Board level commitment to support the DPO. By adding Data Valuation and Data Monetization as a policy DGPSI tries to support the CFO/CEO/CMO and adoption of innovative data analytics.
“To be fair to all stake holders within and outside the Company” is therefore the underlying principle of DGPSI. It is practical and recognizes the need of an organization to survive and grow while remaining in compliance with the law of the land. Need to survive is through compliance for mitigating the penalty risk under DPDPA 2023 and ITA 2000. Need to grow is nurtured by enabling policies for handling the dilemma of data monetization and innovative Data Governance. The DGPSI auditors who interpret the principles of DGPSI in a given context need to remember this “Compliance Dharma” to protect the interests of all stake holders.
Naavi
P.S: At the dawn of the Shrirama Shaka of Kaliyuga, let us remember the lessons of Ramayana and adopt it to the challenges faced by a DGPSI auditor. Just as Lord Rama had to balance between his personal interests, wife’s interest, interest to protect the honour of his father, interest to protect the desires and wishes of his citizens and yield to one at different times but for logical and justifiable reasons, DGPSI may at times yield to one of the stake holder’s interest against the other. Maintaining the balance is the work of a DGPSI auditor and as tough as what Lord Rama faced when he had to explain some of his actions.
