AI Enabled Data Analytics and DPDPA Risk.. DGPSI..3

One of the hallmarks of DGPSI (Digital Governance and Protection Standard of India) is that it recommends a “Process Based Approach” to compliance and an aggregation to arrive at the “Enterprise Level Compliance”.

In other words, the DGPMS (Digital Governance and Protection Management System) is an aggregation of Process 1, Process 2, etc., where Process n refers to a technology process in which applicable personal data is an input, is generated as a product, or is being stored, modified or disclosed.

One example of this approach is website compliance. In this approach, a “Corporate Website” is a process, and compliance as per DPDPA applies to the personal data collected during the visit of a data principal to the website serving corporate information. The purpose of the website is the serving of corporate information, and the collection of personal data should be limited to that purpose, retained only as long as the purpose requires, secured for the duration of the purpose, etc. DGPSI discourages the use of “Omnibus Privacy Notices” and recommends a process-specific privacy notice and consent.

Similarly, under this principle, AI enabled Data Analytics can be considered a “PII Process” which is required to be compliant with DPDPA and which can be assessed separately and certified for compliance.

DPDPA Compliance (DP.COM.) for AI Enabled Data Analytics can be a combination of “DP.COM for the AI algorithm” used and “DP.COM for the Data Analytics algorithm” used. AI itself can be defective due to BIAS and HALLUCINATION, and when combined with Data Analytics, which may ignore notice and consent requirements, there could be a doubling (squaring) of the DPDPA risks.

During last week’s ETCIO conference in Bengaluru, the presentations of many companies indicated an aggressive use of AI Enabled Data Analytics to draw different “Insights” into the behaviour of customers and to generate automated decisions that could persuade the customers of a service towards a desired objective of purchase on the e-commerce website.

While, as an ex-Marketing professional, I do agree that Business should have the ability to profile their customers and direct their marketing efforts to bring maximum customer satisfaction even on the “Post Purchase Experience”, as a Privacy and Data Protection professional, I am constrained to point out that a “Consent” is required from the customer before his personal data is collected deceptively and manipulated to conclude a sale.

It is not correct to object to “Data Subject Manipulation” only when Cambridge Analytica uses personal data for creating ads for an Election Campaign and to ignore an e-Commerce entity making you buy things which you do not want.

When I pointed out that AI+Data Analytics has the negative intelligence probability, I was indicating that “Dark Patterns” and “Deceptive Marketing” are legally not allowed. This could become a non-compliance issue and lead to DPDPA fines.

In this connection, I want to draw the attention of the audience to the Consumer Protection Act 2019 and the notification on Dark Patterns issued on 30th November 2023, which states:

“dark patterns” shall mean any practices or deceptive design pattern using user interface or user experience interactions on any platform that is designed to mislead or trick users to do something they originally did not intend or want to do, by subverting or impairing the consumer autonomy, decision making or choice, amounting to misleading advertisement or unfair trade practice or violation of consumer rights;

For details of the Consumer Protection Act and penalties refer here:

The rules also provide a list of practices that may be considered as “Dark Pattern Practices” which include “False Urgency”, “Basket sneaking”, “Confirm shaming”, “Forced action”, “Subscription trap”, “Interface interference”, “Bait and Switch”, “Drip Pricing”, “Disguised Advertisement”, “Nagging”, “Trick question”, “SaaS billing”, “Rogue Malware”, etc.

Under DPDPA 2023, the “Fiduciary”, who is a trustee of the Data Principal, is obligated to process the personal data only for a “lawful purpose”. The intention of the Consumer Protection Act and the above rule is to indicate that it is not lawful to use “Dark Patterns”, and it could lead to a penalty of up to Rs 250 crores under DPDPA.

I request all the Tech Experts to review the AI Enabled Data Analytics patterns used by them and check that they are not “impairing the consumer autonomy, decision making or choice” and tricking users “to do something they originally did not intend” doing.

DGPSI therefore recommends that the use of AI enabled Data Analytics be audited to ensure that it is in compliance with DPDPA requirements. DGPSI also recommends a specific policy for “Monetization” as well as for “Discovery consent”.

I suggest that the interesting equation that ETCIO coined for their conference needs to be modified as

where i is the complex number representing the DPDPA impact.

(P.S: Sorry to use Complex Number theory in explaining the concept. Ignore if you want)

If you disagree, please let me know why. If you agree, please let me know how you are going to meet the compliance gap when DPDPA becomes effective, whenever the Government notifies the date of effect for penalties.

Naavi


Overlapping Signatures in Government Documents

Today I came across an interesting observation related to Government Gazette Notifications issued in electronic form.

The notifications are signed by different officials of a department authorized to issue a direction. The PDF files issued as Gazette Notifications are however signed by an official such as “SURENDER MAHADASAM”.

The digital certificate is issued by (n)code Solutions CA 2014, was valid at the time of signing, and records that Mr Surender Mahadasam holds the email address surender.mahadasam@gov.in at the Directorate of Printing, Government of India Press.

This practice of having the Gazette Notification digitally signed by the publication department, and not by the original signatory of the electronic record, raises an important legal issue as to how the content of the electronic record may be considered authenticated.

It is my suggestion that the Publication department must add a certificate of assurance that

“I certify that this is a faithful reproduction of a signed paper document with the authenticated signature of the relevant authorized person authorised to issue this notification, and that it has been produced using the SOP…….. of the Department of Publications and may be considered a True Copy.”

Though this certification may not exactly meet Section 63 of BSA 2023, the SOP referred to, which needs to be developed, can contain a narration that meets the requirements of Section 65B of IEA up to 30th June 2024 and Section 63 of BSA 2023 thereafter.

This procedure is directly related to the Naavi63 certification suggested by the undersigned for validation of Consents under DPDPA 2023. (Refer Rule 2(1)(f) of the draft.)

P.S: Naavi63 is a system where the online privacy notice confirmed by a data principal is authenticated by a repository owner (eg: CEAC Dropbox), though this is a private offering and not a Government function.

Comments invited from Cyber Law Specialists.

Naavi


Towards DPDPA Compliance…What is DGPSI?..2

DGPSI stands for Digital Governance and Protection Standard of India. It is designed as a compliance framework for setting up a DGPMS, or Digital Governance and Protection Management System.

Just as we refer to an ISMS in the context of ISO 27001 and a PIMS in the context of ISO 27701, DGPMS is the system that is built with DGPSI for the purpose of DPDPA Compliance by design.

DPDPA Compliance by design includes

a) Privacy by Design as required in India by DPDPA

b) Security by Design as required by ISO 27001 in respect of Personal Information to which DPDPA is applicable.

DGPSI is therefore a combination of PIMS for DPDPA and ISO 27001 for PII under DPDPA.

DGPSI is built around 12 basic principles which form the foundation of the framework, and it comes in two flavours, namely DGPSI-Lite, with 36 Model Implementation Specifications (MIS) for compliance with DPDPA 2023, and DGPSI-Full, with 50 Model Implementation Specifications (MIS) covering DPDPA 2023, ITA 2000 for PII and the Draft BIS standard for Personal Data Governance.

MIS refers to the requirements that are suggested for implementation. DGPSI-Lite is directly related to DPDPA provisions and hence is required to be implemented by all organizations that process Digital Personal Data to which DPDPA 2023 is applicable. We may refer to such data as Applicable Personal Data, or APD. Not all data is APD, and not all personal data is APD either.

Flexibility in the implementation of the MIS in respect of DGPSI-Full is provided by the “Deviation Justification Document”, which is like a “Statement of Acceptable Exclusions” and corresponds to the Statement of Applicability and Scoping in the ISO 27001 framework. The Deviation Justification Document approved by the Management is considered the “Implementation Charter” for the DPO for implementation of DPDPA Compliance. The deviations are considered “Accepted and Absorbed Risks” and are also to be managed through appropriate Cyber Insurance covering first party and third party liabilities.

The Implementation Specifications that are part of the Implementation Charter are referred to as Adapted Implementation Specifications (AIS).

At the time of the third party audit, the auditor will evaluate the Deviation Justification Document and audit the implementation for a binary response on each of the implementation specifications.

For a maturity assessment, the implementation is assessed against each of the 50 MIS, with a score assigned to each; the scores are weighted and aggregated into a consolidated score. For this purpose, the lowest acceptable score is assigned to the implementation specifications that form part of the approved deviation justification.

For the purpose of assigning the “Score” for each implementation specification, a scale will be adopted with different limits for “Policies and Procedures having been established”, “Technology Controls having been established” and “Organizational Culture and Sustainability having been established”.

The consolidated score of an organization’s implementation is termed the “Data Trust Score” or DTS. The DTS will be assigned at every audit and reported to the management and to FDPPI as the audit certification agency. The Company is free to publish its DTS at its discretion.

DGPSI therefore provides three functionalities, namely:

  1. Implementation Assistance
  2. Third party certifiable audit
  3. Assessment of maturity of implementation

The objective of this series of articles is to increase awareness of DGPSI in the community, and FDPPI would like to create a set of professionals who would act as DGPSI Ambassadors and who appreciate the nuances of DGPSI in comparison with any other framework.

FDPPI is willing to fine tune the framework as required. The detailed implementation guidelines will be part of the responsibility of the auditors, and the framework will only define the broad level of requirement for meeting the implementation. This preserves the scope for auditors to add their own value to the final implementation and certification, and the customization required. For example, a Privacy Notice under DPDPA developed for a Bank will be different from a Privacy Notice developed under DPDPA for a Hospital. This sort of customization cannot be built into the standards document and is left to the discretion of the auditor or implementation consultant.

At present, Implementation Consultancy as well as Audit are considered part of a common skill set, and until it becomes necessary to separate them, C.DPO.DA. will continue to be the Certification for both Implementation Expertise and Audit Expertise. This may change in future, and the two may be segregated into separate certifications like “Lead Implementor” and “Lead Assessor”.

Questions if any are welcome as we now go into the clarificatory mode for a few days.

Once this introduction is absorbed by the community, we shall go into specifics of the DGPSI Principles and MIS in subsequent articles.

Naavi


DGPSI is the beacon of light for DPDPA Compliance..1

We recognize that India is on the cusp of a new era of DPDPA. Whether we like it or dislike it, whether we think the Government is serious or not, the reality is that soon we will have a notification of the rules of DPDPA.

The CFO of an organization should be the first to raise his voice that a new Financial risk has appeared before the Company that needs to be “Mitigated” and “Covered”. He may not know how, and may ask his CISO or CCO to suggest a way. The CEO therefore has to start a new discussion in the business war rooms on how DPDPA is likely to impact business and what actions are required to be initiated.

There will always be one voice in the Corporate War room which says, “The rules are yet to be notified… We shall wait…”.

This will be music to the ears of some who revel in “Procrastination” and are happy to work on short term goals for the next quarter. But for those who have the long term vision, DPDPA 2023 is already the “Due Diligence” requirement under ITA 2000, and hence the compliance-by date has already arrived.

The Government may eventually release the rules first as a draft for public comments. It may first notify the requirements for setting up the DPB (Data Protection Board) so that it can be constituted before the further operational rules that directly affect the industry in terms of compliance are rolled out. Even after the operational rules are rolled out, there could be different timelines under which different rules become effective.

The wiser companies have already had their first discussions at Board level to start working on a “DPDPA Gap Assessment”, so that they will understand where they stand and how they should strategize their next moves.

The second stage is for companies to look out for guidance on how to proceed with compliance with DPDPA and on adopting an appropriate framework for compliance.

In this context DGPSI emerges as the beacon of light, as the only framework exclusively stitched together for compliance with DPDPA 2023.

As the realization of what DGPSI is, and how it helps a company find the shore of compliance, dawns, strategy war rooms in companies will reverberate with the word “DGPSI”, and DGPSI would become the “Corporate Mantra” for the emerging DPDPA Era.

P.S: We will explore DGPSI point by point through this series of articles.

Naavi


Where do Industries stand today on DPDPA?

Yesterday, I attended an ETCIO conference on Data Analytics and AI in Bengaluru. One of the takeaways from the conference is that while many exciting developments seem to be happening in the use of Data Analytics with AI in consumer facing industries, there seems to be little appreciation of the impact of DPDPA on the current practices of Personal Data usage in the industry.

Most of the companies which included the likes of Myntra, PayU and many others discussed how they are leveraging Data Analytics and AI for better user experience as well as productivity.

In the discussions it was clear that most of the companies do not seem to have factored the advent of DPDPA 2023 into their implementation strategies.

It seems that it is a long, long journey before the concept of Privacy by Design is considered by these companies, since the commercial benefits of the current practices of “Free for all PII processing” are overwhelming. Most of them are sitting on a pile of legacy data without consent which is being processed and converted into business intelligence. Though many may claim that the usage is anonymous, it is difficult to believe.

The DPOs in these companies will have an uphill task in bringing discipline into the PII processing of these companies. The difficulty of building a Privacy Compliance culture amid the euphoria of Data Analytics with AI is evident.

The Conference noted that the combination of Data Analytics and AI leads to Intelligence². But Naavi did remind the assembly that the square root of Intelligence² could be a positive or negative value of (Intelligence), as per the principles of Complex numbers, hinting at the DPDPA risk that needs to be confronted.

Not sure if the message has been assimilated by the assembly. But it is clear that if the Government wants, it can fill up some of the budgetary deficit by strictly implementing DPDPA in the first few years, when almost all companies will be found short of compliance. I wish the industry wakes up before it is too late.

The DPB also has the uphill task of making companies realize their responsibilities in ensuring Compliance by Design through some strict action as soon as it becomes operative.

At the same time it appears that the time for DGPSI has come and it is time for us to declare that DGPSI is the corporate mantra for the AI era.

Naavi


Transformation in Data War Rooms

Organizations are increasingly harnessing Data for Business Growth. The new found enthusiasm for making better use of Data and increasing its productivity has made “Data Analysts” key contributors to innovation in an organization. Business discussions in organizations are therefore becoming a ground for understanding new “Data Transformation Strategies”, so that available data can be grouped and re-grouped for better business performance.

While Business is interested in monetizing every bit of data in the control of an organization, the laws of data protection create their own hurdles to be navigated. Everybody is driving through congested traffic. The skill of a driver lies not only in reaching the destination fast and ahead of others but also in ensuring that he avoids accidents and traffic challans.

The discussions in the Data War Rooms are therefore no longer limited to what fanciful things can be achieved with AI and Data, but extend to identifying the problem areas.

There is a need to recognize that “Personal Data” has a high potential for monetization but is like a “Hazardous Inventory” which can blow up if not properly handled. Since this is a new development in India, it is likely to cause the greatest friction in the Data War Rooms.

While the Data Analyst proposes a beautiful concept of how he can develop insights into consumer behaviour using Generative AI applied to the company’s vast data lake created over decades, the marketing manager gets excited at the opportunities and the CEO is happy with the prospect of a new revenue stream, it is the duty of the Compliance Officer and the DPO to stand up and point out where the plan could clash with the new DPDPA 2023.

The DPO may point out that all the Personal Data which we have now was acquired for a purpose that did not include the purpose which we are now discussing, and therefore, unless we obtain a new consent, the project needs to be deferred. Alternatively, the DPO may give the team a new challenge to develop a scheme using “Anonymised Data” or “Publicly Made Available Personal Data” to achieve the objectives. The residual risks, if any, arising out of the legitimate use or from process related information security risks may need to be covered with a new Cyber Insurance Plan, which could require a re-working of the economics of the proposal.

These will be the new discussions that arise in the exchange of ideas in the Data War Rooms with the entry of the new elephant in the room, namely DPDPA 2023.

P.S: (Data Analytics + AI) = Intelligence², but the square root of (Intelligence²) could be a complex number. The imaginary number ‘i’ is the consequence of DPDPA 2023.

(Agenda)

Naavi
