Naavi.org

Naavi has through FDPPI indicated its intention of undertaking a large scale “Data Protection Awareness Program in India” through education programs built around the core concept of “Data Protection”.

One of the first programs taking this concept ahead was conducted in the form of the Virtual Seminar with GK Law College yesterday and will continue today.

This program was organized in  collaboration with the GK Law College Hubballi, which is part of the educational conglommerate namely the KLE Society.

KLE Group of educational institutions has in the past collaborated with Naavi in spreading the knowledge of Cyber Laws in India and the first program titled “Certificate in Cyber Law by Cyber Law College in association with ……” started in collaboration with KLE Law College, Bangalore (Now called Bengaluru).  It then spread to GK Law College in Hubli (now called Hubballi), SDM Law College, Mangalore and JSS Law College, Mangalore.

Now KLE has again become instrumental in the current generation of knowledge dissemination, this time on Personal Data Protection.

FDPPI is proud to be associated with this prominent educational institution in Karnanataka which has over 100 years of service to the society behind it and over 265 different institutions in its educational fold.

The Virtual Seminar was organized by GK Law College, Hubballi on “Cyber Security and Data Protection” in association with FDPPI as the knowledge partner. The program was inaugurated by the Commissioner of Hubballi and Dharwar, Sri R.Dileep, IPS  and Naavi delivered the Key Note Address.

The program was well attended by not only people from Hubbali but from the rest of India and even abroad. It was also live broadcast on Youtube.

We feel that this would be a trend setter in the Jnaana Jyothi program  concept undertaken by FDPPI.

A Link to the key note address delivered by Naavi on the occassion is available here:

Naavi

Sessions would also be live on Youtube at https://www.youtube.com/channel/UCUFNYkGDFAM1woPx8sdqVhQ

Foundation of Data protection Professionals in India is pleased to announce that it has become one of the first organizations in India to have appointed a Data Protection Officer to take care of the compliance requirements of FDPPI.

Dr Rakesh Goyal who is a well known information security professional has been appointed for the position.

Presently FDPPI does not collect personal data except in the context of membership and certification programs.

However in the coming days, with additional activities planned, the possibility of FDPPI collecting personal data if not the sensitive personal data is high. Hence acting in advance FDPPI has appointed a DPO.

The DPO will initially work on compliance on the basis of Section 43A of the Information Technology Act 2000/8 and also the compliance requirements as applicable under the Personal Data Protection Bill 2019, which is expected to be a law soon.

Naavi

Jai Shriram

DPO or Data Protection Officer, is the coveted corporate position that many professionals are after at this point of time. Every country wants to introduce a law to protect the Privacy of their citizens through a data protection regime. Along with the data protection law comes the need for compliance and under a threat of heavy fines.

This has generated a new senior corporate position of the DPO who is responsible for the compliance of the law in the organization that may be called a Data Controller, Data Processor or Data Fiduciary or by any other name.

DPOs are executives who have to monitor the data processing activities of the organization carried out by the technology team, sold by the business team and secured presently by the Information Security team and provide advise on how it should not be done. With the threat of large penalties for non compliance hanging like a Damocles sword, no CEO or the Board can ignore the need to identify and designate a competent person to hold the position which comes with a legal empowerment to supervise the activities of the CTO, CISO, CMO etc

With the Indian Personal Data Protection Act around the corner, GDPR, CCPA, Singapore PDPA, DIFC-DPA etc already in place, there is a scramble for appropriately skilled manpower to hold the important position of DPO in many organizations.

While Naavi has been urging the community to understand the Personal Data Protection and be ready before the bill becomes the law, complacency in some parts of the industry continued and many preferred to wait for the law to be enacted before getting prepared.

Now as some organizations are looking out for recruiting the right candidates, there is a likely hood of these laggards losing opportunities to other swift movers who have already taken steps to acquire relevant skills.

The manpower agencies are finding it difficult to put together a proper job specification because there is lack of understanding of the requirements even amongst them. As a result, reputed organizations are trying to recruit DPOs in India without even recognizing that the knowledge of Indian regulation for data protection (as it exists today in the form of ITA 2000 and as is emerging in the form of PDPA) is of paramount importance for such candidates.

Many prospective candidates are rushing to read the Personal Data Protection Bill 2019 now  after seeing an advertisement for DPO recruitment so that they can at least try to attend the interview and take their chance.

While Naavi along with Cyber Law College and Foundation of Data Protection Professionals (FDPPI) is conducting in depth training programs leading to “Certified Data Protection Professionals”, from last December, there are many who have started running now to catch the bus of opportunity which has already started moving.

To ensure that such of those people who are making their last minute efforts to prepare for their DPO interviews, Cyber Law College has created a ” Certified DPO Foundation”  Program.

The program will cover a gist of  Indian and Global data protection laws, Relevant Technology aspects, Data Audit aspects and Behavioural Skills all of which are relevant for an effective DPO.

This program for Aspiring DPOs will be conducted by Naavi  through web interactions. The program will be specifically tuned for the requirement of different aspirants and may run for 3-5 hours.

This would be a unique program for those professionals who are trying to catch up with an opportunity before it is too late. It will involve Counselling as well as transfer of key knowledge elements with problem solving skills to mentally prepare the aspirants for the responsibilities of a DPO.

Interested persons can contact Naavi for more details.

Naavi

In the PDPA version 2018, India had provided that a copy of all personal data has to be kept in India before it can be transferred out of the country. At the same time the transfer of sensitive and critical data was not allowed. Standard Contractual Clauses and Binding Corporate Rules were to be used along with consent for transfer of data outside India.

However succumbing to the pressure from vested business interests, the 2019 version of the Act has now allowed transfer of Non sensitive data without keeping a copy in India and sensitive data after keeping a copy in India.

The recent developments in the Court of Justice of EU invalidating the US Privacy shield and also expressed serious reservations on Standard Contract clauses and Binding Corporate Rules as alternatives to “Adequacy” decision of the EU Commission, it would be impossible for EU to transfer any personal data to US on the basis of the existing mechanisms such as the Privacy Shield, the Standard Contractual Clauses or Binding Corporate Rules.

The “Explicit Consent” of the data subject is the only possible method of transfer of personal data outside EU. We can therefore say that EU has now slipped into a very strict data localization norm much harsher than what PDPA 2018 comtemplated.

It is therefore time for the Joint Parliamentary Committee to also introduce similar data localization measures that

a) Without keeping a local copy, personal data cannot be transferred out of India

b) Explicit Consent would be mandatory even when a local copy is maintained.

c) Critical personal data will not be transferable even with explicit consent except for derogation such as medical emergency, fraud investigations, national security or an approval of the process by the DPA.

I hope the JPC takes note of this.

JPC should also note that in the emerging EU-US tussle, US companies will impose impossible and unreasonable conditions in their contracts on the Indian data processors and a mechanism should be built into our PDPA to protect the local data processors from such unconscionable contractual clauses.

Naavi

Refer Earlier Articles

EU Privacy -EDPB Clarifications