(This article is written in the light of my participation in a panel discussion titled “Guardians of Data-Navigating the future with India’s Data Privacy Bill” in the upcoming Cloud Security Alliance conference in Bengaluru on December 13, 2023 and the publication of my book Guardians of Privacy- A comprehensive handbook on DPDPA 2023 and DGPSI)
The professional community that guards data includes those who primarily occupy the position of CISOs in organizations. Quality Managers, CTOs do assist the CISOs in discharging their duties as “Guardians of Data”. The goal of a “Guardian of Data” is the preservation of the confidentiality, integrity and availability of data. In pursuance of this objective, the data guardians are required to treat all data equally.
However with the advent of DPDPA 2023, the Guardians of Data need to sharpen their focus to identify what kind of data they are guarding and whether it includes “Personal Data”. If so, the guardians of data have to also consider an additional responsibility to be “Guardians of Privacy” of such data principals whose personal data is being guarded.
The requirements of “Privacy” are dependent on the relevant laws applicable which requires a “Classification of Personal Data” on the basis of the jurisdiction of law to which it is exposed. The security safeguards to be applied to personal data could differ from what is applicable to non-personal data. Since the IS professionals may not have adequate exposure to data protection law and may have a conflict with the protection of “Privacy” of an external person, laws often demand that personal data protection has to be entrusted to a person with a specific designation of DPO and further that a CISO may not hold the joint designation as DPO. This means that “Guardians of Data” and “Guardians of Privacy” need to be different in an organization. The Guardians of data probably hold designations such as DPO or CPO.
Law also specifies that DPO should be probably reporting to the Board while no such legal mandate exists for the operating level of a CISO. As a result the DPO stands a shade ahead of CISO in the Corporate hierarchy and the “Guardians of Data” look at “Guardians of Privacy” as as an aspirational destination.
The segregation of responsibilities between the CISO and DPO start with “Classification” of data, first as personal and non personal. The Non Personal Data needs to be guarded under the CIA principle while the Personal Data has to be guarded under CIA+Privacy principles. The responsibilities of DPO are therefore wider though the stock of data to be managed may be lesser.
One of the tough challenges before the management is to ensure that the CISO and the DPO maintain a harmonious relationship without a turf war between them.
DGPSI (Data Governance and Protection Standard of India) assists this development of harmonious relationship between the CISO and DPO besides taking into consideration of a futuristic conflict that may arise with the Chief Data Officer (CDO) who may have his own claims to decision making related to Data.
The frameworks such as ISO 27001 which guide the Guardians of Data are insufficient for the requirement of the Guardians of Privacy. At present there is only one guideline that can be used by these Guardians of Privacy in India which is DGPSI. Even the ISO 27701 falls short of the requirements of Indian DPOs since their principal target is DPDPA 2023 compliance.
Professionals need to first accept that being in compliance with GDPR is not compliance with DPDPA 2023 and hence a certification for ISO 27701 (2019 or any modified) is not Certification for compliance of DPDP 2023.
On the other hand Compliance Certification under DGPSI can be an assurance for compliance of DPDPA 2023, ITA 2023 and the BIS Draft standard for Data Privacy.
Naavi
Explore how a Guardian of Data can transform himself as Guardian of Privacy. To add this additional repertoire to your portfolio and enhance career prospects, Guardians of data may read the accompanying book and/or undergo the DGPSI lead auditor course.
For those who are attending the CSA conference, a special discount of 20% would be available. If interested, obtain the discount code by contacting naavi.
Naavi