It is the Bradman vs Sobers debate between CISOs and DPOs

Cricket followers have long debated who was the greater player, Sir Don Bradman or Sir Garfield (Gary) Sobers. As a batsman, Bradman was incomparable in the value he brought to his team. Sobers, on the other hand, was a genuine all-rounder: a batsman and a bowler who could bowl both pace and spin, which made him a player of high utility to any side. Cricket is a team game that can accommodate both a Bradman and a Sobers in one eleven, and the team is richer for the contribution of both.

The corporate scenario now unfolding with the entry of the DPO (Data Protection Officer) into the CxO team, which already consists of the CISO, CTO, CCO and CRO besides the CEO, will see a similar debate. Some companies may create the position as a CPO instead of a DPO, or perhaps as a CDPO with DPOs for different divisions, which will ease the problem of bringing harmony between the two key players.

With the DPO seen as the guardian against the penalty of 4% of global turnover that most data protection laws now carry, management will want the DPO involved in more top-level decisions than it has so far expected of the CISO.

While the CISO presently takes responsibility for securing both personal and non-personal data, the DPO is taking over the responsibility for the protection of personal data. Though the personal data in an organization is always a subset of the total data the CISO has hitherto been managing, the role of the DPO is the more complex and challenging one.

A DPO has to manage not only the legal issues but also stay on top of the technology. He has to be a true all-rounder, able to manage the internal responsibilities as well as the external relationships with the regulator and the data principals.

In view of the complexity of a DPO's work, a versatile player like Sobers will have to be treated with equal respect even though he is a new entrant into a team that already has a Don Bradman in it. For the CEO, having both in the team is great as long as he is able to keep both motivated.

For those who are today neither a Bradman nor a Sobers, but are still recognized as leading players, the choice of role model is clear: to be a Bradman, open the innings and come back to contribute only in the next innings, or to be a Sobers, come down the order and continue to contribute as a bowler even when the opposition is batting. A Sobers is relevant in all four innings of a Test match, while a Bradman is relevant in only two.

I suppose the answer to who you would like to be is clear: the DPO is the preferred destination for every information security professional or legal professional.

An opportunity to move in this direction presents itself now in the upcoming DPO training offered by FDPPI: a 36-hour online training leading to accreditation as a “Certified PDP-CMS Auditor”, covering Indian laws, foreign laws and audit skills. Time to join without delay. (Registration closes on June 10, 2021.)

Naavi

(P.S.: The analogy is used to pay tribute to the two legends of the game of cricket, which has given endless hours of enjoyment to our lives. Naavi)


Posted in Cyber Law | 1 Comment

To All Chairpersons of Banks in India: Beware..Bitcoin lobby wants you to violate AML regulations

To

All Chairpersons
Banks in India

Dear Sirs

It has been reported in the media as if RBI has granted a new relief to the Bitcoin community by stating that “Banks should not quote the 2018 circular” for disallowing banking transactions with Bitcoin exchanges.

The Bitcoin community is spreading the fake news that the Government is diluting its policy on Bitcoin.

To an independent observer, RBI appears only to have warned the banks that, if they want to take any action in this regard, they should not quote the said circular, since the Supreme Court in its wisdom held that the circular was not properly worded and had to be treated as withdrawn.

What this means is that the banks are left to take their own decision, and to own it as their decision. They can neither ban nor allow crypto transactions by taking shelter under RBI regulations. They will have to stand on their own legs and face the consequences.

We are aware that the Bitcoin community has corrupted the thinking of many, and only well-informed bankers can understand that allowing a private cryptocurrency to function is killing the currency system in India and causing chaos in the Indian economy.

RBI is under pressure from the lobby to give as long a rope as possible so that exchanges can do some business before the doors are shut. The Supreme Court, through some strange logic, struck down the circular, though it did not otherwise declare Bitcoin legal. The Finance Ministry also wants to give the Bitcoin exchanges as much time as possible to push through as many transactions as possible.

All this will not alter the situation that Bitcoin, along with all the private cryptocurrencies, represents digital black wealth and the main currency of cyber criminals, cyber terrorists and enemies of the sovereign Government of India who want to undermine our currency system.

In the event any bank falls for the propaganda of the Bitcoin lobby and considers the RBI clarification a licence to allow digital black money transactions through the bank, it will be providing assistance for money laundering. A substantial part of the Bitcoins and other cryptos traded have at some point passed through an illegal drug trade, an arms trade or some other crime, and as an asset that is not a negotiable instrument, they carry that tainted past with every further transfer. (There is no holder in due course for such assets.)

Hence banks that allow transactions in cryptos will be committing an offence under AML regulations.

As an ex-banker, I request all the Bank Chairpersons to instruct their branch managers to keep their distance from Bitcoin and other cryptos.

Regards

Naavi


Posted in Cyber Law

Non Scalability of Consent… How to overcome?

The Indian PDPB 2019 makes consent a mandatory requirement for processing personal data unless an exemption applies. GDPR, on the other hand, treats consent as only one of the legal bases under which personal data may be processed. The six lawful bases recognized under Article 6(1) of GDPR are:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

At first glance it appears as if the Indian PDPB has tied itself up with non-scalable consent as the mandatory basis, by stating under Section 11(1):

“The personal data shall not be processed, except on the consent given by the data principal at the commencement of its processing.”

However, the Indian PDPB provides a broad set of cases (Sections 12 to 14) in which consent is not required. For example, exemptions are available for:

a) performance of the functions of the State

b) for enforcing judicial orders

c) medical emergency and medical treatment (comparable to “vital interests” in GDPR)

d) disaster management

e) employment-related processing such as recruitment, termination and assessment (only for non-sensitive personal data)

f) reasonable purposes (for non-sensitive personal data) such as legitimate interest, public interest, detection of unlawful activity, information security, whistle-blowing, mergers and acquisitions, recovery of debt, credit scoring, search engine operations, etc.

From the above, it is clear that the Indian PDPB 2019 has gone further in spelling out the essential exemptions that GDPR leaves data controllers to construct under the “legitimate interests” argument.

Apart from these exemptions, which weaken the argument that dependency on consent makes the law unscalable, the Indian PDPB 2019 provides for a “Consent Manager” and a regulatory “Sandbox”, which can be used on appropriate occasions, and makes the data controller a “Fiduciary”, so that he has a duty of care and cannot simply rely on a consent that might have been obtained by clever misrepresentation.

Thus, though India depends on consent and rigidity in consent could cause some issues for processors, PDPB 2019 has addressed the issue through alternative means. This is a welcome feature of the Indian law and makes it better than GDPR.

Naavi


Posted in Cyber Law

DPO, the new destination for CISOs: Naavi at CISO Virtual Summit


CISO Platform has organized its 13th Virtual Summit on June 2 and 3. The event is online and free to attend. Interested persons may use this opportunity to attend and enhance their knowledge.

Naavi will be speaking on the topic “DPO, a new destination for CISOs”. In this session, scheduled from 19.30 to 22.30 IST on June 2, Naavi will discuss why the CISO has to look up to the DPO as the next destination and what the requirements of a good DPO are, along with an overview of the Indian PDPB 2019.

Those interested in attending the event may visit here for registration.

Naavi


Posted in Cyber Law

Get Ready to be a Certified DPO even as Government prepares to push PDPB 2019

The much-awaited comprehensive certification program for DPOs in India from FDPPI is set to commence on June 19, 2021 as per the following tentative schedule.

The program consists of 36 hours of online training covering the data protection laws of India in full detail, GDPR in reasonable detail and the laws of several other countries.

The sessions will be conducted primarily by Naavi, a veteran who started virtual education back in 2000 through Cyber Law College, and who is the founder of www.naavi.org as well as Chairman of FDPPI.

The discussion of Indian law will be on the basis of PDPB 2019 and ITA 2000/8. As and when the Bill is passed, a free bridging session will be offered to all participants to discuss the changes, so that participants are fully aware of the Indian law as enacted.

The focus of the program is to equip a Data Protection Officer with the knowledge required to take on the responsibility. Participants will receive a certificate as “Certified PDP-CMS Auditor” or “Certified PDP-CMS Consultant” depending on their performance in the examination.

The online examination will consist of three papers, held on July 31 (Paper 1 and Paper 2) and August 1, 2021 (Paper 3).

A PDP-CMS audit is an audit of the “Personal Data Protection Compliance Management System”, which every organization in India handling personal data will have to implement. Organizations classified as Significant Data Fiduciaries will additionally be required to have an audit conducted annually by an external auditor.

The PDP-CMS audit will include evaluation of the “Data Trust Score” (DTS), a proposition unique to the Indian law. The DTS evaluation will be based on a system established by FDPPI under the Personal Data Protection Standard of India (PDPSI).

In view of the collaboration between FDPPI and DNV, the globally recognized organization known for management system audits, the certificates will be issued under the joint names of FDPPI-DNV.

The examination will consist of three separate online multiple-choice papers of 90 minutes each. There will be two cut-off marks for certification: participants who clear the higher cut-off will receive the certificate as PDP-CMS Auditor, and those who clear the lower cut-off will receive the certificate as PDP-CMS Consultant.

Certified PDP-CMS Auditors will be accredited by FDPPI under its PDPSI audit program and will be eligible to conduct audits in association with Certification Bodies accredited with FDPPI. PDP-CMS Consultants will be able to provide consultancy to organizations preparing for audit, and can upgrade to the auditor grade on the basis of experience.

The total fee for the program is Rs 40,000/- (approximately US$ 575).

The application can be completed here

The Fees may be paid here.

Registrations are set to close on June 10, 2021.


P.S.: It may be noted that the Minister of Law and IT, Hon'ble Mr Ravi Shankar Prasad, in an interview with Times Now on 28 May 2021, indicated that the Government will push for passage of PDPB 2019 in the next Parliamentary session. Excerpts from this interview are available here.

It is likely that the Government would provide some time for implementation and will require around 3 months to set up the Data Protection Authority. However, jurisprudence has already developed in India that treats the personal data protection principles discussed in PDPB 2019 as part of “due diligence” under ITA 2000/8 (refer to the court judgments cited in this article).

Professionals are also aware that implementing a comprehensive privacy program for an organization is not as simple as drafting a privacy policy for the website. It involves establishing a privacy culture in the organization, which takes time. Prudent professionals and organizations therefore need to start early to retain a competitive advantage.

FDPPI hopes that professionals would take advantage of this opportunity.

For more information contact fdppi@fdppi.in.

Naavi

Posted in Cyber Law | 1 Comment

Net4India domains are being transferred

The Net4India domain names, which were stuck because of the mishandling of the insolvency petition by NCLT, are now being released in stages.

ICANN has transferred the domains to Bigrock.in, and the company has been sending intimations to the erstwhile Net4India customers.

Transfers of .com, .net and similar domains are reported to be in progress and are expected to be completed in a day or two.

Those interested may call the call centre at 0824 2868080 for more information.

Most of the registrants had left some balance in their accounts with Net4India. NCLT and its RPs (Resolution Professionals) might not have accounted for these dues. We have to wait and see how this will be disposed of.

It is the duty of the NCLT and the RP to account for this money.

Naavi

Posted in Cyber Law | 1 Comment