When FDPPI started its IDPS series with IDPS 2020, it was the first such program in India focussing entirely on Privacy and Data Protection. As we run into the 5th year of the series with IDPS 2024 on November 30 and December 1, India is reverberating with the sound of DPDPA as much for the law passed as also for the Rules not having been notified. Professionals all over India are keen to debate the impact of DPDPA on their organizations and their professions.
In the last three days, I had the privilege of attending two large conferences on Cyber Law, Cyber Security and Data Protection in Delhi. One was the 11th international conference on Cyber Law, Cyber Crime and Cyber Security from Pavan Duggal Associates and the other was the first conference of DPO Club, titled Bharat Privacy Conference.
It was heartening to see professionals and academicians from several organizations in India and abroad, and also officials from Government, participate enthusiastically in the deliberations. It appears that there is no dearth of “Awareness” in the industry about DPDPA and its importance. There may still be a need for awareness amongst the public, who are the focus of this legislation, but awareness at the organizational level seems to be fairly high.
However, whether the current awareness is adequate or needs to be refined is a matter of discussion.
The corporates in India are approaching DPDPA with the lens of GDPR, and there may be a popular perception that GDPR is the gold standard and India can only copy and paste the provisions of GDPR. We at FDPPI have been crying hoarse that understanding DPDPA needs a certain unlearning of GDPR. It was heartening to note that the ecosystem is slowly accepting the concept that “DPDPA is different, and if we are GDPR compliant, it does not mean that we are DPDPA compliant”. This is a big step in the creation of awareness in professional circles, and we are firmly in this zone of awareness.
When it comes to “Compliance”, there is still some confusion on how to address different provisions, and this confusion seems to be encouraging some companies to use MeitY not having notified the “Rules” as an excuse for not starting compliance.
MeitY officials were tight-lipped on the status of the release of the Rules but indicated that draft Rules will be released for public comments and, when passed, will provide substantial time for implementation. This could to some extent have brought comfort to the industry and reduced the tension of the Rs 250 crore penalty hanging over their heads.
There was a small section of industry professionals who felt that a Rs 250 crore penalty, instead of a turnover-based penalty, is meant more to appease large organizations like Meta while at the same time being threatening to the MSMEs.
There was a popular debate on what the credentials of a DPO should be, but one encountered a number of “CISO cum DPO”s in the congregation. It was evident that many professionals are looking at “DPDPA Compliance” through the eyes of a CISO and find it difficult to see the rise of the DPO as a designation that may be on par with the CISO or slightly higher than the CISO. This requires a more in-depth debate.
There was no discussion on “Nomination”, “Right to Personal Remedy”, “Children Data Processing”, “Disabled Data Processing”, “Consent Manager”, “Grievance Redressal” and “Data Auditor”. Though “Nomination”, “Handling of unstructured Data” and “Children Data” were mentioned during the Bharat Privacy Conference, no discussion followed. Due to multiple channels in the Cyber Law conference, I missed a session on “Authentication” where the CCA was present, and another session on “Cyber Psychology”, which is a subject of personal interest to me. I need to check if recordings are available.
It was interesting to note that all discussions revolved around AI as much as around DPDPA, as if it were a movement around a binary star.
One of the common discussions was around “How to define the role of an organization as a Data Fiduciary or a Data Processor?”. Other discussions centred around “Data Access Rights”, “Handling of legacy data”, etc.
It was clear that just as “Unlearning of GDPR is required to understand DPDPA”, “Unlearning of the ISMS principles is essential to understand the compliance framework for DPDPA”. Many are still thinking that the ISO 27001:2022 version is an applicable standard for DPDPA compliance.
However, following some of the discussions, it was clear that professionals are already expressing the need for many of the DGPSI principles such as the “Process Based Approach”, the “Data Classification approach of DGPSI”, etc.
IDPS 2024 now has the responsibility of answering some of these unanswered questions. Let us see how many of the aspirations can be fulfilled.
Incidentally, IDPS is a hybrid conference, and I invite all the attendees of the two Delhi conferences to also attend IDPS 2024, either physically or virtually. Let us make this a continuation of the discussion from the other conferences.
Naavi