Registrations for FDPPI Certificate Course on Module G will close this week

FDPPI has embarked on the Certification Training for Module G and the sessions will start from 11th July 2020. 12 sessions of 90 minutes each will be conducted on week ends from July 11th to August 16th, 2020, at 4.00 pm every Saturday and Sunday.

Registrations for the training are now open to non-members as well, under the following terms.

  1. Interested persons may enroll for the training at a payment of Rs 6000/-
  2. The trainees may opt for Certification by payment of Rs 12000/-, of which Rs 6000/- would be considered as membership fee if the person intends to become a “Foundation Member” of FDPPI. Those who do not opt to become a member would be considered as “Patrons”.
  3. The total registrations for the current batch will be limited to 50, including the registrations of members already completed. Hence interested persons may register at the earliest.

Payment can be made through the following link.

The complete information about the program is available in the enclosed Prospectus.


Posted in Cyber Law | Leave a comment

FDPPI Goes Global

FDPPI, Foundation of Data Protection Professionals in India, was started in September 2018 to be an organization of the Data Protection Professionals, by the Data Protection Professionals and for the Data Protection Professionals. Since India was intending to come out with a specific data protection law at that time, there was a felt need to create an adequate appreciation of Privacy Rights and of the role of a data protection professional in the Data Protection Ecosystem in India.

FDPPI stepped in to fill the void and lead the Data Protection Ecosystem in India with a clear focus on the Indian requirements. Though there were some other agencies who had a similar thinking, it was felt that there was a need to build a new entity by the professional community themselves.

Encouraged by a few like-minded individuals, a core group of professionals set up FDPPI as a Section 8 Company (Not for profit) with a “Limited By Guarantee” structure, to align it with an acceptable structure of one member, one vote, as in a society.

Over the last two years, FDPPI has grown into an organization which has made substantial progress in educating the community on Indian Data Protection regulation as it exists today and as it is emerging in the future. In association with Naavi’s 20 year old Cyber Law College, FDPPI rolled out its certification programs in December 2019 with the first Certification titled “Certified Data Protection Professional-Module I” (CDPP-M I) covering the Indian laws. But the goals were set higher: to create an empowered community of “Certified Expert Data Protection Professionals” (CEDPP) with a legal knowledge base covering Indian and global data protection laws, data protection technology and data audit skills, along with an enhancement of the behavioural skills required for Data Security Governance.

This enhanced vision of FDPPI to expand beyond the shores of India in terms of knowledge has gained significant momentum today with the opening of its doors to membership from outside India and also the launch of the next Certification module on Global data protection laws, covering GDPR, CCPA, Singapore PDPA, HIPAA and Dubai DPL 2020. The certification training is set to commence from July 11th, 2020 and will lead to the title of “Certified Data Protection Professional-Module G”.

This is the second significant step for a professional to become a Certified Expert Data Protection Professional with a reasonable skill set of legal knowledge, supported by the necessary technical, audit and behavioural skills, to be a good Data Protection professional of whom the community would be proud.

FDPPI has placed emphasis on creating an ethical set of professionals empowered with knowledge and skills, and believes in Certification as a pointer to knowledge enhancement. Hence every module of FDPPI certification is associated with a mandatory training program to open the eyes of the professionals to a new area of their skill requirement.

India is yet to complete the formality of enacting the new Personal Data Protection Act (PDPA), but by an innovative legislative framework the currently available Information Technology Act 2000 (ITA 2000) is functioning as the shadow of the proposed PDPA, through the interpretation of “Due Diligence” and “Reasonable Security Practice” already enshrined in ITA 2000, of which the forthcoming PDPA is the extension.

In a way, PDPA India has become effective even before its passage as an Act, born out of the womb of ITA 2000 in the form of “Due Diligence”. This has been unique to India.

Several senior Corporate Professionals in the Privacy, Legal, Technology, Information Security and General Management domains have already become part of the FDPPI movement.

The journey has begun, but there are many more milestones to cover in this local to global journey.

I invite all like-minded professionals to join hands and expand this organization into a truly Indian originated global venture of Data Protection Professionals.

Naavi


NextGEN Data Protection Professionals in India created by FDPPI

FDPPI, Foundation of Data Protection Professionals in India (www.fdppi.in), a Section 8 company of the Data Protection Professionals, by the Data Protection Professionals and for the Data Protection Professionals, is all set to continue its efforts in creating the NextGen Data Protection Professionals in India, empowered with the knowledge of Indian Data Protection Law along with the key global laws.

Naavi and the 20 year old Cyber Law College, which is a pioneer in Cyber Law education in India, dedicate their support to the cause of the FDPPI movement.

FDPPI has successfully concluded its third certification program on Indian Data Protection laws. Any enquiries for further training and certification on this module may be sent to us to enable further planning.

FDPPI is now gearing up for the next Certification, Module G, which will commence from July 11th. We expect that the knowledge of some of the international data protection laws such as GDPR, CCPA, Singapore PDPA, DIFC DPL 2020 and HIPAA, which will be covered in this module, will help enhance the knowledge level of the Data Protection Professionals who will be certified by FDPPI.

FDPPI believes that every certification should be backed by an incremental knowledge accretion, and hence training is made part of the certification program. At the same time, by keeping the fees for training and certification affordable, FDPPI wants to take the knowledge to a larger number of professionals, many of whom may be entering the Privacy and Data Protection profession for the first time.

One such person commented on the earlier certification program:

“Great content and the questions are of international standards. Thoroughly based on understanding and not on rote system. Spending time on the materials is the key.”

We may recall that one of the objectives of FDPPI is to bring together Legal Professionals, IT Professionals, and others who work in different capacities in the Data Protection domain on this platform, so that there is a better understanding and harmony between these different types of professionals. To some extent this is getting reflected in the profile of the people who are taking the Certification program.

In the same spirit, the next Module on Global laws will create a reasonable knowledge of how different countries have approached data protection regulation, their relative strengths and weaknesses, and the commonalities and differences.

We hope that this knowledge, along with Module I, will make a powerful combination that empowers the next generation of data protection professionals in India.

Cyber Law College, which had earlier conducted certification programs on Cyber Laws for Sri Lanka, Malaysia and Mauritius in a sporadic manner based on requests, will continue to open new avenues of training on global data protection laws and ensure.

Naavi


Summarizing PDPSI-GDPR

Referring to all the articles on PDPSI-GDPR, the framework, if it can be called so, is suggested as a methodology for data auditors to adopt for conducting data audits. Most data audits are management decisions, undertaken for an assurance that appropriate measures are in place for compliance.

Standards and Certifications should not give any false impression to the regulatory authorities that the organization is in compliance. While the CISO can satisfy the Board that the Certifications indicate everything is fine, the owners of any business are always wary of the risks that persist despite the certifications. Hence any methodology which is robust and provides a better assurance should be preferred, rather than one chosen merely because it is certified by a particular standard.

PDPSI is a framework for Personal Data Protection and, as a Standard that emanates from India, it is applicable to compliance with PDPA as per its initial design. However, the same framework with an extension such as PDPSI-GDPR can satisfy BS10012 and its clone ISO27701. Similarly, PDPSI-CCPA can satisfy the CCPA, PDPSI-SGPDPA can satisfy the Singapore PDPA, PDPSI-DIFCDPL2020 can satisfy the Dubai data protection law of 2020, etc.

The “Pseudonymization Gateway”, the “Classification tagging of Personal Data”, the “Distributed Responsibility Structure for data protection” and the “Measurability of compliance maturity” are innovations which can add value to the audit process and give the management more assurance than the other standards can provide.

Cyber Law College/Naavi are willing to share more insights with auditors who wish to adopt this framework.

Naavi

Reference Articles:

What is Pseudonymization Gateway

Governance and Implementation Structure under PDPSI-GDPR

What is PDPSI-GDPR

PDPSI-GDPR the replacement for ISO27701

Also refer www.pdpsi.in


What is the Pseudonymization Gateway?

Continuing our introduction of the PDPSI methodology for compliance, and of PDPSI-GDPR as a substitute for ISO27701 and BS10012, it is necessary to highlight one of the implementation specifications that PDPSI considers worth trying.

This is the implementation of the “Pseudonymization Gateway”, along with the Internal Data Controller who controls the Pseudonymization Gateway.

In many processing activities, the Data Processor receives a set of personal data which is processed, converted into a value-added data set and returned to the sender. In such circumstances the sender of the information is the Data Controller who sends the data to the Data Processor. But within the Data Processor’s office, several employees get access to the personal data, and compliance responsibilities have to be managed across the enterprise with a corresponding risk of data leakage. In most processing the risk can be substantially reduced by using a Pseudonymization Gateway which de-identifies the data to be processed and runs all the processes in the de-identified mode. The final product of processing can be re-identified in the gateway before it is released to the customer who wants it back with identification. If the customer only wants the processed data without identity, the processed data can be sent without re-identification.

In this process the identity behind the data is known only to the team managing the gateway, and the mapping table can be secured by strong encryption and proper access control. The rest of the organization is spared the rigors of compliance.
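As an added illustration of the gateway pattern described above (this is not FDPPI's, PDPSI's or the author's code), the sketch below keeps the pseudonym-to-identity mapping table only inside the gateway, lets the processing step work on pseudonyms alone, and re-identifies the output only when the customer asked for identified results. The keyed-HMAC pseudonym, the field names and the sample batch are all assumptions constructed for the example; the mapping table is held in memory here where a real gateway would keep it encrypted at rest.

```python
import hashlib
import hmac
import secrets

IDENTIFIERS = ("name", "email")  # direct identifiers the gateway strips before processing


class PseudonymizationGateway:
    """Holds the only copy of the pseudonym -> identity mapping table (constructed example)."""

    def __init__(self, key: bytes):
        self._key = key      # gateway secret; kept with the gateway team, never in the processing tier
        self._mapping = {}   # pseudonym -> {name, email}; a real gateway encrypts this table at rest

    def _pseudonym(self, record: dict) -> str:
        # Keyed HMAC: the same person gets the same pseudonym in every batch, while
        # nobody without the gateway key can recompute or reverse the pseudonym.
        basis = "|".join(str(record[f]).strip().lower() for f in IDENTIFIERS)
        return hmac.new(self._key, basis.encode(), hashlib.sha256).hexdigest()[:16]

    def de_identify(self, records: list) -> list:
        out = []
        for rec in records:
            pid = self._pseudonym(rec)
            self._mapping[pid] = {f: rec[f] for f in IDENTIFIERS}
            out.append({"pid": pid, **{k: v for k, v in rec.items() if k not in IDENTIFIERS}})
        return out

    def re_identify(self, processed: list) -> list:
        # Only the gateway can do this; the processing tier never holds the mapping table.
        return [{**self._mapping[row["pid"]], **{k: v for k, v in row.items() if k != "pid"}}
                for row in processed]


def score_accounts(rows: list) -> list:
    """Stand-in for the processor's value-adding step; it only ever sees pseudonyms."""
    return [{**r, "risk_band": "high" if r["overdue_days"] > 60 else "low"} for r in rows]


# Constructed sample batch standing in for the Data Controller's input.
SAMPLE_BATCH = [
    {"name": "Asha Rao", "email": "asha@example.com", "overdue_days": 75},
    {"name": "Vikram Sen", "email": "vikram@example.com", "overdue_days": 10},
]


def process_batch(records: list, want_identity: bool, key: bytes = None) -> list:
    """Round trip: the gateway strips identity, the processor works blind, and the
    gateway re-identifies only if the customer asked for identified output."""
    gw = PseudonymizationGateway(key or secrets.token_bytes(32))
    processed = score_accounts(gw.de_identify(records))
    return gw.re_identify(processed) if want_identity else processed
```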

PDPSI is expected to recognize such technology processes for data protection, along with the methods used for storage, encryption, transmission etc., and accord a DTS (Data Trust Score).

While the DTS score is a concept introduced in the Indian system, it can also be applied to PDPSI-GDPR, as it provides some measurability to the compliance practices. This will also give flexibility to the Certification system: instead of painting all certified entities with one brush and branding them “Certified”, it can distinguish one certified entity from another.

The DTS system has been explained earlier (Refer here), and auditors can either adopt the suggested system or develop their own systems using it as guidance.

The measurability of compliance, with a score for the time of audit and the trend as recommended, would improve the system of certification as it exists now under ISO 27701 or BS 10012.

Other than the major points indicated in the preceding few articles, the auditor will examine the various controls for implementation of the different aspects of compliance envisaged in the regulations.

There is a tendency now for some professionals to take ISO 27701 as the base and map its controls to the different provisions of a law. Instead, it would be better to take the law as the basis and map the different controls to it. In that case, the number of headings to be monitored would be smaller.

The major heads under which a data protection law has to be verified for compliance are:

  1. Identification of stakeholding data and the roles of the organization vis-à-vis the data supplier.
  2. Collection as per law with appropriate consent, notice, lawful basis, legitimate basis etc.
  3. Storage, transmission, retention and deletion as per law
  4. Supporting the Rights of the Data Principal/subject and grievance redressal
  5. Governance Structure
  6. DPO appointment
  7. Cross-border transfer
  8. Vendor/Processor management
  9. Security safeguards along with an incident management system and risk assessment
  10. Interaction with the regulator
  11. Interaction with the data principal
  12. Documentation

I would urge audit professionals to work on this new approach and develop an indigenous Personal Data Management and Audit system.

Naavi

Reference Articles:

Governance and Implementation Structure under PDPSI-GDPR

What is PDPSI-GDPR

PDPSI-GDPR the replacement for ISO27701


Governance and Implementation structure under PDPSI-GDPR

In continuation of our earlier articles explaining PDPSI-GDPR, which encompasses ISO 27701 and BS10012, we shall now look at the first of the six fundamental requirements listed earlier for PDPSI, namely the implementation responsibility.

A) Define Implementation Responsibility unambiguously with top management involvement

B) Define the scope of implementation in terms of the laws that it needs to address

C) Incorporate measurability in the form of a Data Trust Score or its equivalent

D) Incorporate Privacy by Design throughout the life cycle of personal information that the organization may encounter

E) Define the implementation charter signed off by the organization at the highest level

F) Incorporate an appropriate certification process to meet the annual and sub-annual requirements of Data Audit as required under the Indian laws

PDPSI suggests, as in other frameworks, that there should be a Data Protection Committee (DPC) appointed by the Board, which will have at least one of the Board Members as part of the committee, preferably the independent Director.

There will be a designated DPO or Data Protection Officer (or a compliance officer, if a DPO is not mandatory) who will be part of the DPC.

Beyond these two Governance roles, PDPSI differs from all other frameworks in identifying a “Distributed Model of Data Protection”.

What this model suggests, as an optional implementation specification, is that the organization should identify the “Data Gates” in the organization through which personal data comes in, either as one full set or as individual personal data elements.

In the simplest sense, there could be a web page with a form for submission of personal data after accepting the “Privacy Policy”. In such a case the entire set of personal data comes in one bunch, and there will be one internal executive who receives it first in the company before transferring it to different process owners. That person will be recognized as an “Internal Data Gate Keeper” and will be responsible for receiving the data and tagging it appropriately before releasing it to the rest of the processes. He has to identify which law is applicable, whether it is the data of an employee or not, whether it is sensitive or not, whether it belongs to a minor, etc., add the appropriate tag before committing it to the internal database, and simultaneously erase it from his cache space.

Where the personal data comes in an unstructured form, the receiver will have the responsibility of transferring it immediately to the appropriate person within the organization where the information tagging can be made, and at the same time deleting the personal data at his end. To the extent that he has control of the personal data as a receiver, and until he removes it as per the policy of the organization, he would be responsible for data protection, and hence he would be an “Internal Data Controller” just like the “Data Gate Keeper” who receives the web forms.

The receivers of personal data by virtue of their activities, as either the web master or the HR executive etc., may be referred to as Subordinate Internal Data Controllers, as distinguished from the “Principal Internal Data Controller” who maintains a “Pseudonymization Gateway”, which we shall discuss separately.

Thus the Governance model recommended under PDPSI incorporates the involvement of the top management along with a distribution of responsibilities. The principle here is that though externally the DPO holds the responsibility for data protection, internally every employee who has access to personal data will be a subordinate internal data controller. Only those who handle de-identified or anonymized personal data escape the responsibility for personal data protection.

In this model, therefore, a Work From Home employee is the “Data Protection Manager” for whatever personal data he manages, and he has to apply all precautions to secure the data as required.

To the extent possible, it is the responsibility of the technical team to create an architecture where personal data is centralized, so that portability and the right to forget can be effectively handled, as well as to implement the Pseudonymization aspects that are discussed in the following article.

PDPSI-GDPR will also adopt the above Governance structure, which is a step above what ISO 27701 or BS 10012 may expect.

Naavi
