Naavi.org

Since 17th September 2018 when FDPPI was born, FDPPI has traversed a long journey in a relatively short time.

In order to keep on record some of the developments for the information of new members who are joining the organization, I try to give below a brief narration of the developments.

Details about FDPPI constitution, membership etc is available at different sections of this website.

In essence, FDPPI is an organization of the Data Protection Professionals, for the Data Protection Community.  The “Supporting Members” are the delivery channels through which FDPPI renders its services to the community.

Individual members are provided with many services for knowledge enhancement, Certification and Career advancement as explained here. Additionally Companies are provided with “Corporates Services”  to help them in implementing Data Protection

Jnaana Vardhini

One of the first objectives of FDPPI was to spread awareness of Privacy and Data protection in India so that India does not lag behind the world in the field of Data Protection. Accordingly, FDPPI started with a series of weekly webinars under the “Jnaana vardhini Series”.

Upto end 2020, 54 webinar sessions had been conducted and in 2021, so far 4 sessions have been conducted. In these 58 sessions, FDPPI has tried to disseminate knowledge about Privacy and Data Protection. Most of these sessions are available as video recordings in YouTube.

Additionally a messaging group “FDPPI Knowledge Group” functions on Telegram and doubles up as a communication between members and other guests who have been admitted to the group and also to spread knowledge through discussions. Since most of the members are themselves experts in the field knowledge acquired by sharing is immeasurable.

In addition to the weekly webinars FDPPI members have been conducting free educative sessions on many other forums and created a treasure house of knowledge for persons who would like to understand the Data Protection and related concepts.

Indian Data Protection Summit 2020

As a further step towards spread of professional knowledge, FDPPI conducted the Indian Data Protection Summit 2020 as a virtual summit along with the Bangalore Tech Summit held by the Government of Karnataka in November 2020.

CDPP Programs

In a further bid to provide professional certification programs, FDPPI created a series of Certification programs namely

a) Certified Data Protection Professional-Module I (Covering Indian Data Protection Law)

b) Certified Data Protection Professional-Module G (Covering Global Data Protection Laws)

c) Certified Data Protection Professional-Module A (Covering Data Audit Skills)

These certifications were offered independently as a part of a 5 module larger program in which modules on Technology and Behavioural Skills are due to be introduced in future.

Each of these programs were conducted as online training followed by an online examination. After the programs were conducted online, recorded sessions were made available through an “On Demand, Video Streaming Facility” so that the certifications can be availed on tap by interested persons.

Those professionals who have completed all the three programs were further recognized as “Certified Global Privacy and Data Protection Consultant” or “Certified Global Privacy and Data Protection Auditor”

The Consultant or Auditor so certified have been considered eligible to provide services related to implementation of data protection compliance in organizations and certification of organizations along with an assessment of DTS (Data Trust Score).

It may be noted that most of the persons who are certified under these schemes have also been professionals who might have the experience of similar certification programs conducted by other international orgnaizations like IAPP which conducts certification programs on GDPR and other international laws and have found the FDPPI certifications extremely valuable.

The objective of FDPPI certifications is to ensure that there is an distinctive knowledge enhancement and evaluation of understanding through examination so that the certified persons can be expected to be useful to their respective organizations. It is not simply experience based nor on mere attendance of training programs. This has been appreciated by all the professionals.

In the event the Indian Data Protection Authority introduces any criteria for accrediting Data Protection Auditors or Data Protection Officers, FDPPI certified professionals are likely to start with an advantage in terms of the knowledge requirements.

FDPPI has guaranteed that all those who have currently undergone the training for Module I on Indian laws will be provided with a one time n additional bridging session when the Personal Data Protection Bill 2019 becomes a full fledged laws.

Subsequently programs for continuing education would be introduced so that Certifications can be kept current.

Since CDPP programs of FDPPI also cover global laws such as GDPR, CCPA, Singapore PDPA, DIFC-DPA, LGPD-Brazil, HIPAA etc., the programs are considered “Made in India for the World” category of service.

PDPSI

The second most important contribution of FDPPI to the Data Protection world has been the introduction of the “Personal Data Protection Standard of India” or PDPSI. A concept which was pioneered by Naavi has been developed and fine tuned into a system which today provides a framework for compliance both as a self implementation mechanism by organizations as well as a Certifiable standard.

The uniqueness of PDPSI is that it is a “Unified” framework that can be used for simultaneous compliance of multiple data protection laws such as Indian PDPA along with GDPR. The sub modules of PDPSI framework provide the adaptability to different data protection laws that can be applied in an organization which has exposure to multiple jurisdictions.

Further PDPSI automatically incorporates the evaluation of the Data Trust Score (DTS) which is a measure of the Data Protection compliance maturity of an organization and is mandatory under the Indian law.

FDPPI has now set up a mechanism for Certifying an Organization through accredited PDPSI auditors.

A Unique feature of the PDPSI audits is that the audits are registered with FDPPI along with DTS and the auditee organization is provided with support subsequent to the completion of the audit through a “Mentoring” program with a limited quarterly consultation to clear any doubts in implementation. Though these are not “Review Audits”, they provide an opportunity for the auditee organizations to tap the experts of FDPPI to get some quick clarifications critical to their implementation of PDPSI compliance suggestions.

PDPSI is another unique “Made in India for the World” contribution of FDPPI. It is an open standard and will relieve the complying organizations from the burden of proprietary international standards.

DPERT

One of the recent services that has been introduced is the setting up of DPERT or Data Protection Emergency Response Team on the lines of the CERT organizations that function in the domain of Cyber Security.

The DPERT would be a team of experts chosen by FDPPI and would provide some quick suggestions for any reference from organizations who report any suspected Personal data breaches.

DPERT will work in close association with the law enforcement authorities and regulators and assist the companies in taking right decisions in times of a crisis.

DPERT will remain a free service to the society and where an in depth consultancy is required, will guide the companies accordingly.

DDMAC

DDMAC or Data Disputes Mediation and Arbitration Center is another unique service that FDPPI is bringing to the society and is in the final stages of introduction.

DDMAC is  a platform which can be used both offline and online for dispute resolution in the Data Processing industry. DDMAC will develop  a set of neutrals who are experts in data related regulations  and also trained in the art of Mediation and Arbitration. It will be available to be used by Data Fiduciaries and Data Principals to redress their grievances through ADR processes including Mediation and Arbitration.

DPJI

In order to ensure that knowledge dissemination to professionals occurs in a formal manner, apart from the information made available through the website of FDPPI, a journal titled “Data Protection Journal of India” has been started by FDPPI in 2021. The journal will be available at www.dpji.in.

Future Developments in pipeline

The above narration captures some of the developments in FDPPI till date. We will update this further. FDPPI is negotiating several collaborations some of which will fructify shortly. FDPPI is also working on additional projects including an award for the “Data Protection Champion” etc.

FDPPI has more than 150 professional members today and each one of them is an expert in his own domain. FDPPI being an aggregation of these professionals it has all the strengths of these professionals within its umbrella. FDPPI’s strength is therefore not limited to its employee force and hence when the full potential of its members is harnessed, it will be one of the biggest Data Protection Consultancy organizations in India.

Let us look forward to glorious days ahead and welcome more members to join this movement.

Naavi

FDPPI, the pioneering institution focusing on empowering the Indian community to be Privacy and Data Protection Compliant, has set up a Data Protection Emergency Response Team (DPERT) as part of its commitment to the Data Protection industry to assist in the development of a nationwide data protection environment.

The DPERT will be constituted as part of FDPPI which is a Not for Profit organization registered under Section 8 of Indian Companies Act.

DPERT will consist of a group of voluntary data protection professionals who would provide immediate guidance to any organization confronted with an emergency response requirement in the event of a suspected personal data breach event.

The members of DPERT will remain anonymous and the first response is a free service.

DPERT can be contacted through e-mail here: DPERT 

In view of the need for immediate contact, any person trying to contact DPERT may also send a message to Naavi through WhatsApp or Telegram or e-mail. On receipt query would be circulated to the Team members and a response would be sent ASAP.

Naavi

The Audit is always a “Snapshot concept”. The auditor gathers his observation and as on the date of his certificate adds his disclaimers that to the best of his knowledge and in good faith and based on the evidences  provided, he certifies that the organization is compliant. The Certification sponsors do their best to properly accredit auditors with training and imbibe a culture of responsibility and ethics  to ensure that audits are meaningful.

However industry practitioners know that some accredited auditors take their work lightly and issue certificates without proper assessments.

The auditor escapes his responsibility because the moment the audit is over, it is entirely the responsibility of the organization to maintain the controls suggested and taken on note during the audit. While we can understand that the auditor cannot take more responsibility on an ongoing basis, from the point of view of the CEO, it is often felt that audit is a money making game and it has no real value to the organization.  Organizations still go through audit certifications because the customer feels more assured and it has become a ritual to ask for certifications.

We need to change this perception of auditors and the perception on the system of audit. Audit is not a money making tool. It should be an instrument of change in an organization.

Naavi therefore suggests what could be a revolutionary concept in IS audits through the PDPSI (Personal Data Protection Standard of India framework that is being developed through FDPPI. (Foundation of Data Protection Professionals in India).

FDPPI has envisaged the engagement of PDPSI in two modes namely “Consultancy” mode ” Audit” mode. In the consultancy mode, a PDPSI consultant works with an organization to conduct a Risk assessment, develop a Gap analysis report. The PDPSI comes with a table of  “Model Implementation Specification” (MIS) and it could be basis on which the gap report emerges. But the organization may decide that they have a certain level of  “Risk Appetite”  and hence all controls in the MIS is not relevant for them and they would like to implement only a truncated version of MIS.

This truncated version is what is referred to as “Adopted Implementation Specification” (AIS) and is like the “Statement of Applicability” or SOA.  The AIS is supported by a “Variance Justification Document” (VJD)  where there is a documentation of why the organization thinks that a suggested MIS control is not relevant or needs modification. This concept is similar to the HIPAA concept of “Addressable implementation specifications” in its security rule.

The PDPSI consultant will work with the organization until this AIS with VJD is signed off by the top management. This AIS will then be the “Implementation Charter” for the DPO. If the implementation charter is faulty, then the responsibility is with the management. The DPO’s role is to understand and implement the AIS in good faith.

The PDPSI auditor when he enters the scene will ask for the AIS. If it is not available, the auditor will conduct his own risk assessment, develop a gap report and submit it as the first deliverable. He will then wait for the management to either give a go ahead for the gap report as presented which means that the MIS becomes identical with AIS. If not the management may come up with its own VJD and fine tune the MIS into its approved AIS which becomes the implementation boundaries set by the company for itself.

The Company may take a stand that they are only interested in the AIS as adopted and the auditor can check if they have done it properly.

The PDPSI auditor therefore looks at the AIS item by item, calls for evidences and decide whether the AIS items have been implemented “Satisfactorily” or “Not”. This is a binary decision and for an organization there has to be 100% satisfactory report. Where there is a “Not satisfactory” remark, the organization can justify its non compliance based on a new VJD. The auditor will go with the decision of the company and close his audit.

However, every PDPSI audit also involves a DTS (Data Trust Score) assessment and in this document, the auditor will express his own view on how good is the implementation with reference to the MIS. If an organization is callous and truncated the MIS to an unjustifiable AIS, then it will suffer from a low DTS. The auditor need not fight with the organization and forced to issue a “Satisfactory” report when he is really not satisfied. In effect in this system the auditor’s report only says “I am satisfied that the Company is in satisfactory compliance with whatever AIS has been adopted”. The DTS expresses the real assessment of the auditor which is provided to the auditee and it is open to them to hide it and not disclose it.

The DTS however is reported by the auditor to the FDPPI and hence it gets recorded and cannot be manipulated subsequently.

The PDPSI system envisages that at the closure of the audit, the auditee will send one “Audit Closure Feedback” to the FDPPI. In this if the auditee has serious reservations on the DTS, it can be sent so that an opportunity would have been given to the organization to object to any DTS element.

After this FDPPI would allocate a mentor for the PDPSI completed audit as an optional service so that the DPO of the organization can on a quarterly basis check with the mentor if there is some action to be taken. For this purpose the DPO may discuss any significant “Incident” in confidence and get a feedback whether he needs to make further investigations etc.

This “mentoring” service ensures that FDPPI continues to be in an engagement with the client and does not drop him like a hot brick once the audit is closed and payments are settled.

The role of a “Mentor” is however limited and lower than the role of the “PDPSI Consultant”. Also the Mentor will not be the same person as the auditor. He can however be a consultant if required. Mentor will fulfill the role of providing a quick feedback in crisis situations will be like an “Emergency Consultancy” service so that DPO will have a friend to consult in times of need. He will be a “Friend of DPO”.

The auditor and the mentor would be offering their services under FDPPI disclaimers. Consultant is engaged by the company on a contractual basis.

PDPSI is a pioneering system and the SOPs are under development. But the end objective is clear. The PDPSI is meant to support the Data Protection Eco system on a continuing basis and is not meant to be only a money scooping activity.

FDPPI will develop a “Data Protection Emergency Team” (DPERT) which will have a pool of mentors from whom the service would be provided. Only FDPPI certified consultants/auditors would be constituting this DPERT.

We are aware that in the sceptic world, the intentions of FDPPI will have to go through a process of testing and trust building. The team of FDPPI is working towards establishing the trust of the organizations and we welcome the views and suggestions of experts.

Naavi

PDPSI is a unique framework for Personal Data Protection as per prevailing data protection laws.

Its 50 implementation specifications cover the data compliance requirements under multiple data protection laws and is more than what other best practice standards such as ISO 27701 tries to accomplish.

Some of the PDPSI model implementation specifications try to put certain best practices hither to not being part of such frameworks into the radar of the organization. Details of these are already available in the PDPSI handbook.

There are three other innovations that PDPSI has introduced and FDPPI has adopted in order to further improve the assurance of the PDPSI audits in the industry environment.

First is to register the audit with FDPPI along with the DTS computation worksheet so that FDPPI is aware of the PDPSI certifications that are in the market.

Second is getting a feedback on the auditee  including a permission if agreeable for disclosure of DTS.

Additionally, it is observed that after completion of an audit and its certification, the auditee often neglects to maintain the required data security discipline resulting in data breaches. At that time a question will be asked on whether the organization was audited, and if so whether the audit was deficient etc.

In order to make PDPSI audits more reliable, FDPPI will therefore introduce a system whereby the auditee will be required to send a quarterly report to FDPPI in which it will share any major incidents during the period and major changes in the business profile.

It is quite possible that the organizations may not send such reports in which case the responsibility of FDPPI would be reduced. If the organization considers it useful they may use this opportunity. In a way this will be like AMC service on the audit already completed.

FDPPI may charge a fee for such Audit AMC as it may deem fit.

Hopefully this would at least keep the need to be vigilant even after the audit certification will be ingrained in the auditee organization and this by itself be good for the auditee organization.

The details of the kind of reporting to be done etc are being finalized.

Naavi

Naavi.org has been highlighting that pending the passage of PDPB 2019 for whatever reason is a reason for the ongoing data loot that is happening in the country. The MobiKwik incident where 10 crore customer’s data has been stolen and posted on the darkweb is a manifestation of the negligence of Data Fiduciaries in implementing appropriate data security.

The large companies with millions of data are the targets of international data looters as we have seen in the case of Breach Candy hospital, Juspay,  DrLal Pathlabs and now MobiKwik and this will continue.

While RBI has issued a notice now to MobiKwik, it is not known what RBI did in the case of Juspay or what CERT-In did in all these cases so far. It is fair to presume that they remained quiet and decided not to disturb the industry.

This is hypocrisy of these institutions.

To this list of “Facilitating Data Loot” through apathy, we should add four other instances of deliberate procrastination or inaction by the RBI, the Ministry of Finance and Ministry of IT  as well as the honourable Supreme Court of India and the NASSCOM which have surfaced earlier.

They are

a) The Data loot  by TransUnion through a secret and probably a fraudulent takeover of CIBIL in which RBI, the Ministry of Finance and a number of Indian Banks are involved.

b) The continued delay in passing the Banning of Crypto currencies bill which is the currency of  the dark web and cyber criminals in which the Ministry of Finance and the Supreme Court are parties

c) The continued delay in passing of the PDPB 2019 in which the Ministry of IT is involved.

d) Move of Nasscom/DSCI to lobby for exclusion of financial data from the category of “Sensitive Personal Information” in the PDPB

The details of how CIBIL which was once owned by Indian Banks and in that context it was given a permission to exchange data of Bank customers for the purpose of “Prevention of bad debts” became part of a US commercial company has been documented in these columns earlier ( See here) 

TransUnion-CIBIL is now a commercial “Credit Rating” company holding half a billion or more personal and financial data of Indian Citizens held and operated under the control of the US company in violation of the sovereignty principle applicable to data as an asset of the nation and the Data localization principle.

Inaccurate CIBIL data has put many customers in a “Credit Freeze” situation and is used for harassment by credit card companies as a threat to debt recovery.

Unfortunately the PDPB 2019 does not help us here since there is an “Exemption” for “Credit Rating” under the PDPB 2019 which can be misused by TransUnion-CIBIL or even MobiKwik to avoid penalties either for cross border transfer or for data breach.

But the PDPB 2019 2019 has a provision to define a “Significant Data Fiduciary” which can include a company like TransUnion CIBIL. But we have to wait and see if the JPC or the Parliament recognizes the need to put a regulatory framework on such companies.

Unfortunately, NASSCOM and DSCI which are expected to protect the interest of Indians and Indian data principals have taken the side of the business and are even putting pressure on MeitY to exclude “Financial Data” from the list of “Sensitive Personal Information” so that “Explicit Consent” and “Maintenance of a copy in India” does not apply to such processors of financial data.

Though Naavi has brought this to the notice of the JPC, we cannot be confident that the industry lobby may not prevail over the political masters.

We in Karnataka have repeatedly seen how the CM Mr Yeddyurappa often succumbs to the pressure tactics of the film industry so that people like Puneet Rajkumar can persuade the Government to take Covid Risks on the population because the “Yuva Ratna” has to make money. Mr Ravi Shankar Prasad may not be too different from Mr Yeddyurappa and would easily retract on hard decisions if sufficient pressure is applied. We need leaders with conviction and courage to take India out of the vicious circle that holds back the Government from taking hard decisions.

PDPB 2019 is still the hope that many in India hold for bringing some responsibility to the data fiduciaries. After the CIBIL experience and more so when the hackers first announce the hacking and even publish some data to later on retract and say that the data has been deleted etc., we can suspect that some of the Indian Companies who announce the data breach before they come under the PDPA radar, may actually be using the cover of a hacker to transfer their data to a foreign location.

This possibility could even be at the instance of the investors who have the managerial control of some of these Fintech start ups since the Government may not have a proper regulation for the investors to be insulated from data transfer related decisions. The PDPB 2019 does not have a mechanism to prevent say a Chinese investor asking for an audit by a Chinese firm as a part of its due diligence and in the process install a back door to facilitate further data loot.

But the delay in the passage of PDPB 2019 is an indication that until the business is ready and has successfully ported the personal data of all Indians as of date, PDPB 2019 would not be passed. Then like we say “Locking the stable after the horses have bolted”, Government may come up with PDPB 2019 as an Act.

In the meantime the continued procrastination by the Ministry of Finance in not passing the Banning of Crypto Currency is another indication that the Government of Mr Narendra Modi has weak points one of which is the Ministry of Finance. Even during the time of Mr Arun Jaitely, we had pointed out that the ministry is not taking the right decisions. This continues even now. Mr Subramanya Swamy has repeatedly pointed out the possibility of moles in the department who work for Mr Chidambaram more than Mr Modi  and the decision not to kill the Bitcoin and Crypto currencies and also not initiate any action on CIBIL-Trans Union deal may be attributed to such a possibility.

I suspect that the PMO has been successfully kept in the dark about some of the above apprehensions and hence we are not getting any response from the Government to our frequent complaint dumps in the “Write to PMO” section of the PM s website or through the twitter handles.

Government perhaps only responds to political opponents and only if Rahul Gandhi or others make a comment, the issue is taken note of.

I would be happy to be proved wrong  and Let’s hope that after the Bengal election at least, Mr Modi, Amit Shah and Mr Nadda get time to look into some of these issues which are eroding the confidence of the public in BJP and take remedial actions.

Naavi

As expected, Delhi High Court has been dragged to adjudicate on the issue of the February 25th guideline on Digital Media ethical code and Intermediary guidelines.

See here for more information

In India Courts keep piling up cases and complain of shortage of judges but if Courts have to keep adjudicating on every administrative notice issued by the Government, then it is obvious that Courts cannot do what they are expected to do… to render justice to ordinary citizens.

No doubt there are lofty ideals quoted behind the petition. For example the petition states that ITA 2000 is not the Act under which these regulation should have been issued and there should have been a different legislation for the purpose. Well this is only a technical ploy to proliferate laws in the country. If a lawful objective can be served  by an existing law then there is no reason why it should not be accommodated within the provisions of the current law instead of drafting one more law.

It is therefore an over reach by those who donot want the Government to do anything positive to try and scuttle this notification. It is true that the ITA 2000 was meant to be an E Commerce promotion Act. But the amendments of 2008 extended its scope to security of the Cyber society. The time to challenge was in 2008 and the amendments of 2008 has converted ITA 2000 into a Cyber Security act. Now it is a matter of common knowledge that Digital Media does not follow any self regulation or ethics and is a tool of spreading disharmony in the society. Hence the need to regulate the digital media is part of the Cyber Security objective and is well within the scope of the revised version of ITA 2000 as per ITA amendment act of 2008.

The Delhi High Court has presently issued a notice to the Government in admission of the petition and if a proper response is given by the Government, the petition can be dismissed in the initial stage itself.

In most of the civil litigations courts try to suggest mediation for the parties and in the present case also the aggrieved party may be advised to have a dialogue with the Government and try to find out the objectives of Governance which require such measures before the Court can spend its time.

Let’s wait and see how the Court responds at the next stage.

Naavi