Effective Communication Skills for a DPO

Communication is an essential skill for all professionals and more so if one is in a senior position and has to discharge conflicting responsibilities.

The Data Protection Officer is one such professional who requires a high level of communication skill, since he/she has to discharge multiple types of responsibilities such as

  1. Dealing with employees below his/her cadre: advising on the legal aspects of data protection, querying operational aspects that may interfere with the legal requirements, making investigations, etc.
  2. Dealing with employees who are peers or even superiors: discussing business strategies that may interfere with the legal requirements, or suggesting implementation of policies and procedures that may cause disruption in other official relations.
  3. Dealing with the public (data subjects/principals) who have complaints to be resolved.
  4. Dealing with the regulatory agencies, who may have the authority to impose penalties on the organization and who seek the cooperation and assistance of the DPO in conducting inspections where the depositions often lead to penalties against the company.

If the DPO does not handle communication effectively with the data principals, it could result in a data principal getting angry and escalating the complaint to the regulatory authorities. If the DPO does not handle communication effectively with the regulatory agencies, it may result in penalties on the organization, and the company may find fault with the DPO for his inefficient handling. If the DPO does not handle communication properly with subordinate employees, they may turn rogue and send out anonymous complaints to the regulatory authorities. If he does not handle communication with peers and superiors properly, his job may be at stake.

Thus the DPO faces multiple challenges in communication where the strategy to be used may have to be different based on the context and the target of the communication. What is good for peers is not necessarily good for subordinates or outsiders or regulators.

At one place it may need “Tact” which can be construed as “Fraud” in another instance. At one place what is considered as “Confidence” may be treated elsewhere as “Arrogance”.

Thus “Effective communication” requires first the assessment of the situation, assessment of the parties involved, consequences of mis-communication and strategies to correct and track back when required.

Flexibility Vs Firmness

“Flexibility” in putting across one’s views is therefore one of the requirements of effective communication. However, “Flexibility” has to be balanced with “Firmness” where ever it is required and balancing the two would be one of the challenges. “An effective leader” knows when to be firm and when to be lenient and compassionate.

One of the requirements of leadership is to ensure that there is a spirit of “Cooperation” with colleagues, which can come from the development of a “Superordinate goal” where each person accepts the common goal and understands his own role therein. In driving a train, the engine driver as well as the guard in the rear cabin both have a role to play, and neither is superior or inferior if the superordinate goal is to successfully run the train to its destination. An aircraft would never fly safely unless the maintenance staff and the ground staff work with the pilot.

Verbal Vs Written 

When communicating “Verbally” as against “Written”, there is an element of “Voice Modulation” or “Body language” which is by itself an art, and not everybody is an expert in it. Hence the base level of communication that can be controlled is written communication, where the sender can take care, through repeated checks and probably consultation with somebody else, that the communication is achieving what it is expected to achieve.

In Oral or direct communication, the communicator is on his own and has to instantly react to the feedback from the target. If the target is an experienced communicator himself, he can easily manipulate the other through his skills which may be dysfunctional to the requirement of the situation.

Further, oral and written communication can be used in combination to achieve the desired result.

The choice of the mode of communication is therefore one of the decisions that needs to be taken by the DPO in vital communications.

Effective Listening

In most of the data principal’s communication, oral communication through a call back and listening to the complaint with empathy can be an effective way of defusing the anger of the complainant.

But the same strategy will not work with peers or superiors, because they may not listen to you or be patient enough to explain what their concern is. Persistent queries may be construed by them as the DPO overstepping his limits, and there may be a natural tendency to shut out exposure of any of their own inadequacies. Keeping silent may also be construed as not being able to take a decision. Hence in many situations, it is damned if you speak and damned if you do not speak.

If verbal communication is not the strength of the communicator, he should play to his strength and choose written communication. Well-articulated and well-considered written communication is often better suited for handling peers, superiors and even the regulators.

Verbal communication in front of others has its own complications, since a person may not mind an opposite view when expressed in private, but when it is expressed in the presence of others, it could be rejected and misunderstood. In such cases also, a personal written note would be a better way to communicate, since the recipient can ponder over the suggestions without the uncomfortable feeling that others are watching who gave the suggestion and whether it was a criticism of his own viewpoint or not.

Motivation is the Key

The principles of motivation … what motivates the other person … whether it is the basic requirements of security or the requirements of self-actualization … could be used to design the communication. Getting things done by subordinates can be achieved through a veiled threat or an incentive. But one cannot motivate the regulator to toe your line by anything other than nurturing a feeling of empathy and compassion in the regulator towards the company or its executives.

Attitude

Similarly, the principles of understanding the “Attitude” of persons, and the analysis of behavioural aspects such as what triggers adult-to-adult behaviour versus parent-to-child or child-to-parent behaviour, are extremely important. The choice of lingo and some key words may trigger different types of behaviour in different persons, and the ability to wade through this maze is an essential skill of a good communicator.

Thus “Effective Communication” skills for a DPO require discussion of multiple aspects and development of the relevant skills. It is not always possible for a person to be perfect in communication, since the recipient of a communication is always at liberty to misunderstand you. Hence “Perfect Communication” can be a goal but is not always achievable. If we fail occasionally, it is time to learn and move on rather than brooding over past mistakes.

No Communication

Finally, sometimes “Not Communicating” is also “Communication”, and as long as it does not amount to “Procrastination” or “Avoidance of decision”, delaying on-the-spot responses when it is not critical is also an effective way of handling a crisis. But deciding when to speak and when to remain silent, or when to write down instead of picking up the phone or walking into the cabin for a discussion, is an art of communication.

I welcome a debate on these aspects.

Naavi

Posted in Cyber Law

Metamorphosis of PDPSI to DPSI 2021

When India adopted the Information Technology Act 2000 as the law that first recognized electronic documents and also introduced the concept of “Vicarious liabilities/Due Diligence” for organizations, Naavi came up with the concept of “Cyber Law Compliance”.

Then, when the amendments of 2008 came into effect, Naavi upgraded the concept of Cyber Law Compliance with a specific framework, IISF 309 or the Indian Information Security Framework, so that organizations could have a specific framework to work on compliance.

When PDPB 2018/2019 were introduced as a bill in the Parliament and sought to replace Section 43A of ITA 2000/8 with a complete act, Naavi and FDPPI worked on the concept of PDPSI, or the Personal Data Protection Standard of India, as a framework for being compliant with PDPB 2019 as an extended due diligence under ITA 2000/8, to be rolled over to compliance with PDPB 2019 when it became an act.

The JPC, however, made a surprise modification in PDPB 2019 by renaming it DPA 2021 and calling it a common law for “Data Protection including Non personal Data protection”. Though ITA 2000/8 will lose only one section, namely Section 43A, on the passage of DPA 2021, and the rest of the data protection aspects continue to be covered by ITA 2000/8 under the supervision of CERT-In and the Adjudicators, the change of the name of the Act to Data Protection Act and the introduction of Section 2(d), stating that the Act is applicable also to non personal data, brought in a significant difference to the compliance requirements under the Act.

At present, though the title has been changed and Section 2(d) has come into reckoning, the only operative change is in the reporting of data breaches under Section 25, where a breach of non personal data also has to be reported to the DPAI, along with the breach of personal data, if any.

Where, in a single data breach incident, both personal and non personal data are breached, the data fiduciaries and non personal data processors need to report the breach to the DPAI. The DPAI reserves the right to give any directions to the reporting company/organization on the action to be taken.

So far there is no indication whether the obligations of a data processor under ITA 2000 have been modified in respect of the data breach report to be sent to CERT-In. It can therefore be presumed that in the case of a data breach involving both personal and non personal data, a report has to be sent to both CERT-In and the DPAI. Both may come back with their own directions on what the organization needs to do. Probably CERT-In will leave it to the DPAI to provide directions regarding how the data principals need to be informed, etc. In the case of a non personal data breach, the DPAI may leave it to CERT-In to provide whatever directions it wants to provide. Any other approach will not be in conformity with Section 56 of DPA 2021, according to which CERT-In would be deemed a “Sectoral Regulator” having concurrent jurisdiction under a law of the Parliament.

While the regulatory agencies would be able to coordinate between themselves, PDPSI and IISF 309 also need to be reconciled as frameworks that could guide organizations in compliance with ITA 2000 and DPA 2021.

PDPSI itself was built on the principle of a “Unified Framework”: a single framework for PDPB 2019 and GDPR or other data protection laws to which an organization is simultaneously exposed. Hence it is natural to ensure that between ITA 2000 and DPA 2021 also there is a “Unification” of compliance requirements.

Some of the other systems of frameworks create multiple frameworks for different instances of an organization’s requirements so that there is greater focus. It also helps in certification, so that multiple certification requirements can be created for the security compliance industry. However, from the perspective of a compliant organization, trying to get certified for multiple standards all leading to “Information Security”, whether it is “Personal Information Security” or “Non Personal Information Security”, and whether the system being audited is “ISMS”, “PIMS” or “DPMS”, is an overlap of efforts leading to additional cost and effort with marginal benefit.

FDPPI would therefore like to stick to its principle of one framework for “Compliance of the Data Protection Law”. Earlier, PDPSI was meant to certify the PDP-CMS (Personal Data Protection Compliance Management System); now it has to transform itself into a means of being certified for compliance with the new “Data Protection Compliance Management System”.

Accordingly, the necessary minor modifications are being made to the erstwhile PDPSI standards and implementation specifications to accommodate

a) Consent for anonymization

b) Reporting of Data breach of non personal data

and any other measures that the DPAI may include in its future notifications.

Compliance with ITA 2000 will be an extension, like the current extensions for GDPR, CCPA, etc., and will be handled with the classification of data into

a) Personal Data under DPA 2021

b) Non Personal Data under DPA 2021

c) Personal Data under GDPR

d) Personal data under CCPA… etc

Having classified the data to which DPA 2021 is applicable into two categories, personal and non personal data, the first level of compliance will be as per DPA 2021, which as of now will only cover the data breach notification requirement. Where compliance with ITA 2000/8 needs to be assessed, the controls will be interpreted from the requirements of ITA 2000.

ITA 2000 compliance requirements will basically revolve around Confidentiality, Integrity and Availability of non personal information, along with Section 7A (data integrity audit), Section 3/3A (Authentication), Sections 69, 69A, 69B, Sections 65-75, etc.

The Certified PDP-CMS auditors have presently been trained in PDPB 2019 compliance and will adapt to DPA 2021 requirements. They have been exposed to ITA 2000 compliance only to a marginal extent. Hence it would be necessary for the PDP-CMS auditors to undergo additional training on ITA 2000/8 compliance requirements.

Measures are being initiated to work out this transition of PDPSI auditors to DPSI auditors.

Naavi

Posted in Cyber Law

FDPPI celebrates International Data Privacy Day 2022

Posted in Cyber Law

Good Bye PDPB 2019, Welcome DPA 2021/2022

The 5th issue (first of 2022) of the Data Protection Journal of India has been released.

Last year FDPPI started the Data Protection Journal of India as a quarterly journal. The journal has now completed one year of its existence.

The latest issue, released today, discusses the changes between PDPB 2019 and the JPC-corrected version, DPA 2021, which, if passed in the budget session, would perhaps be called DPA 2022.

I hope readers would enjoy the information contained in the journal.

Naavi

Posted in Cyber Law

International Data Privacy Day is today

As the world rallies around International Privacy Day with activities to create awareness about Privacy, India awaits the beginning of the budget session in the next couple of days, with the hope that the long-awaited Data Protection Act is passed by the Parliament.

The Personal Data Protection Bill has been in the Parliament in different versions since 2006. The new versions following the Supreme Court decision of 2017 and the Justice Srikrishna Committee report, in the form of PDPB 2018 and PDPB 2019, are now back in an updated version as the Data Protection Act (DPA 2021).

Data Privacy legislation is complex legislation that has a huge impact on the industry as well as on the functioning of the Government. Privacy activists always like to have a law that allows little freedom to the Government or to business to make any use of personal data, either for national security or for business considerations.

The recent decisions of the EDPB directing Europol to delete substantial parts of the surveillance data held by it, and further passing an adverse order on the EU Parliament itself for allowing data transfer from the EU to the US, indicate a tendency of the regulators to get carried away with their own thought process of “Privacy Above All”.

But it is necessary for all Privacy enthusiasts, including the regulators, to keep their feet on the ground and remember that no legislation can ignore that the law has to maintain harmony between different rights, such as the Right to freedom of information and the Right to security. Individuals whose privacy needs to be protected have to accommodate the existence of other citizens who are concerned about the security of the state, and also the right of business to exist and grow.

Several of the observers in India were critical of the constitution of the selection committee of the DPA in the earlier version of the Bill. They felt that there is a need for a completely independent authority that can take on the Government if required. However, the developments with the EDPB appear to indicate that “Unlimited power with the DPA” is a danger by itself, and if the powers are not balanced, there is a danger of the DPA becoming an anti-India institution.

Fortunately, DPA 2021 tries to understand this need of society and tries to balance the needs of the different stakeholders.

Let us therefore enjoy a balanced view of Privacy as is projected by the DPA 2021.

Naavi

Posted in Cyber Law

Data Privacy Day of India is today

We Indians often forget our own history but remember the colonial history. This is as true of the story of Indian independence as of the story of India’s journey to the era of Privacy Protection and Data Protection.

Today, most of us recognize as “Republic Day”, when the Constitution was adopted in 1950, and we remember January 28 as the International Privacy Day.

We must recognize that the “Right to Privacy”, which was upheld as a fundamental right by the Supreme Court of India on 24th August 2021, is extracted out of the Right to Life and Liberty under Article 21 of the Constitution. The Supreme Court did not pass a new law recognizing the right to privacy. It just reiterated that the right was already there and we did not know it. (Remember the advertisement of Amazon Pay!)

Hence January 26 should rightfully be recognized as the Indian Privacy Day, though the International Privacy Day is celebrated on January 28. This will at least establish that India did not wake up to Privacy only after GDPR, but had recognized the concept at the beginning of our democratic life itself.

If, however, we want to celebrate the concept of “Data Protection” or “Information Privacy”, perhaps October 17, 2000 (the date when ITA 2000 was notified) is the right day. On this day electronic documents got legal recognition, and the recognition that Privacy protection extends to the protection of personal information came with the passage of the Information Technology Act 2000.

On this day, we started recognising that personal information in electronic form needs to be secured to protect the privacy of an individual. The law stated that failure could result in penalties under Section 43, imposed by the Adjudicating Officer, who is the regulatory authority.

Again, since the focus of ITA 2000 was more on Cyber Crimes, we did not recognize it as a Data Protection Law.

Even when the amendments were passed in 2008 and made effective on 27th October 2009, with the introduction of Sections 43A and 72A, we failed to recognize that a Data Protection Act had become operative in India.

Nor even on 11th April 2011, when the more detailed “Reasonable Security Practice” rules under Section 43A were released, containing a summary of what we recognize today as DPA 2021, did we realize that India’s Data Protection Day had arrived.

But it is never too late to realize the truth. Just as it took us 75 years to realize that Netaji Subhash Chandra Bose has a legitimate claim to be called the first Prime Minister of India, January 26 has the claim to be called the Indian Privacy Day, and 17th October has the claim to be called the first Data Protection Day of India.

Hopefully this truth will start sinking in with the professionals now.

Naavi

Posted in Cyber Law