What is PDPSI-GDPR?

PDPSI was first developed for compliance with PDPA. Hence it incorporated the following six fundamental principles/requirements.

    1. Define implementation responsibility unambiguously with top management involvement
    2. Define the scope of implementation in terms of the laws that it needs to address
    3. Incorporate measurability in the form of a Data Trust Score or its equivalent
    4. Incorporate Privacy by Design throughout the life cycle of personal information that the organization may encounter
    5. Define the implementation charter signed off by the organization at the highest level
    6. Incorporate an appropriate certification process to meet the annual and sub-annual requirements of Data Audit as required under the Indian laws

The second fundamental requirement mentioned above is relevant for us to extend PDPSI to GDPR compliance, which we can identify as PDPSI-GDPR.

One of the suggested implementation parameters is “Classification” of personal data and tagging the personal data set with the “Applicable Data Protection Law”.

This principle means that we are not going to apply GDPR to protect the personal data of Indian citizens in India, nor vice versa.

Each data protection law has a “Jurisdiction” and an “Objective to protect the Privacy of the citizens of their jurisdiction”. Though there is “Extra Territorial Jurisdiction” in terms of covering Data Controllers/Fiduciaries/Processors irrespective of their location, the basic objective of the law remains the protection of the citizen within the jurisdiction of the law-making body.

As a result, each personal data set has to be identified with the applicable law and protected as required therein.

In cases where an organization is a multinational body, registered in one country but operating in another, and processing the personal data of citizens of countries other than the country where the company is registered, there is a possibility of an overlap of laws if the laws are not properly written by the law makers, or if the law makers arrogate to themselves the right to make a law for a foreign country.

Indian law makers have been alert to this possibility. Having been a country with the experience of colonial rulers who made laws such as “If an Indian King does not have an heir, the kingdom belongs to the foreign ruler”, India incorporated a specific clause to say that we are prepared to exempt the processing of the personal data of foreign citizens in India from the blind application of Indian law.

Some of the foreign data protection laws have not had similar provisions and therefore put the implementing companies in doubt as to whether they should follow two laws simultaneously.

In order to provide a standard method of dealing with such situations, PDPSI suggests that Personal Data shall be classified incorporating the “Applicable Law” as a parameter to be tagged.

The suggested implementation, which is a technical measure, is to tag the “Personal Data Set” with different tags as indicated below.

What this suggests is that in a formal database of personal data, a separate column is introduced to add the above attributes. Once properly tagged, the personal data can be recalled into a specific bucket representing the compliance requirements applicable to that personal data set. Hence, if a Privacy Policy has to be displayed, a Consent form has to be obtained, or a specific data subject’s right has to be identified, the “Applicable Law Tag” will determine which privacy policy, consent form or right is to be made available to the specific data subject.

While the above applies to structured data, unstructured data will be converted into structured data as soon as the personal data enters the custody of one of the employees of the organization. The role of such “Data Gatekeepers” is discussed in a subsequent article, but it is mentioned here that under PDPSI no personal data set is allowed to remain in unstructured form for long; it must be converted into a structured form with the relevant tags so that further compliance in the given context can be administered.

It is understood that the above method involves tweaking the technical architecture, but it is one of the suggested implementation specifications, which the organization can override with other methods if it deems fit. The efficacy of such technological controls for classification and identification of the applicable law will be a parameter that determines the DTS (Data Trust Score).
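The tagging scheme described above, as an added illustration that is not part of PDPSI or of this article: an “Applicable Law” column on each personal data set, a classification rule that fills it, recall into per-law compliance buckets, and a check for data sets that have stayed untagged too long. The tag vocabulary, the residence-based rule, the policy/consent file names, the rights lists and the seven-day limit are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Tag vocabulary, file names, rights sets and country list are assumptions
# made for this example, not PDPSI's own specification.
EU_EEA = {"AT", "BE", "DE", "ES", "FR", "IE", "IT", "NL", "NO", "IS"}  # partial list
BUCKETS = {
    "GDPR": {"policy": "privacy-gdpr.html", "consent": "consent-gdpr",
             "rights": {"access", "rectification", "erasure", "portability"}},
    "PDPA": {"policy": "privacy-pdpa.html", "consent": "consent-pdpa",
             "rights": {"confirmation", "correction", "portability", "forgotten"}},
    "CCPA": {"policy": "privacy-ccpa.html", "consent": "notice-ccpa",
             "rights": {"know", "delete", "opt-out"}},
}
@dataclass
class PersonalDataSet:
    record_id: str
    subject_residence: str                 # ISO 3166 code of the data subject
    received_at: datetime                  # when a Data Gatekeeper took custody
    applicable_law: "str | None" = None    # the added "Applicable Law" column

def classify(rec):
    """Fill the Applicable Law tag from the subject's residence (assumed rule set)."""
    r = rec.subject_residence.upper()
    if r in EU_EEA:
        rec.applicable_law = "GDPR"
    elif r == "IN":
        rec.applicable_law = "PDPA"
    elif r == "US-CA":
        rec.applicable_law = "CCPA"
    return rec.applicable_law              # None: no rule matched, still unclassified

def requirements_for(rec):
    """Policy, consent form and rights that this data set's tag selects."""
    if rec.applicable_law not in BUCKETS:
        raise ValueError(f"{rec.record_id}: untagged, cannot determine obligations")
    return BUCKETS[rec.applicable_law]

def bucketize(records):
    """Recall each record into the bucket named by its tag; untagged go to UNTAGGED."""
    buckets = {}
    for rec in records:
        buckets.setdefault(rec.applicable_law or "UNTAGGED", []).append(rec.record_id)
    return buckets

def overdue_untagged(records, now, max_age=timedelta(days=7)):
    """Records left untagged longer than max_age (7 days assumed): a DTS-relevant gap."""
    return [r.record_id for r in records
            if r.applicable_law is None and now - r.received_at > max_age]
# Constructed sample: three records a rule covers and one (BR) that none does.
NOW = datetime(2020, 7, 1)
SAMPLE = [PersonalDataSet(i, c, NOW - timedelta(days=d)) for i, c, d in
          [("r1", "DE", 1), ("r2", "IN", 2), ("r3", "US-CA", 3), ("r4", "BR", 10)]]
for rec in SAMPLE:
    classify(rec)
```

Record r4 shows the failure mode the article warns about: with no tag it cannot be served a policy, consent form or rights, and after the assumed limit it surfaces in the overdue list for a Data Gatekeeper to resolve.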

In the current context of PDPSI-GDPR, let us stop at the classification of an incoming personal data set as falling under GDPR for data protection, and not under PDPA, CCPA or any other law.

Beyond this classification step, PDPSI-GDPR will merge with the requirements of data protection as provided also under ISO 27701 or BS 10012.

A few other innovations that PDPSI framework will bring in the PDPSI-GDPR extension will be discussed in further articles.

Naavi



PDPSI-GDPR the replacement for ISO27701

PDPSI is the Personal Data Protection Standard of India developed by Cyber Law College as an open standard framework for Personal Data Protection particularly in compliance with the proposed Indian Personal Data Protection Act. Naavi has been explaining the different concepts of PDPSI through the articles in Naavi.org also collated at www.pdpsi.in.

Professionals working in the field of Information Security are used to the format of a framework followed by ISO and it is difficult to make them look at any new framework unless it is explained with reference to the known frameworks. Hence it would be necessary to explain the PDPSI framework with reference to ISO27701 or its predecessor BS 10012. However, Naavi urges professionals to look at PDPSI independently without being too much clouded by their experience with the ISO frameworks.

PDPSI is meant to be an open standard document, unlike the mesh of proprietary standards that are used in the ISO framework. It is our belief that a “Standard” should be for the benefit of society and such standards should ideally be open standards. Professionals can still make money out of the standard in the form of implementation consultancy, since any standard will require interpretation by an expert and adaptation to a given context. This gives enough room for our professional income generation rather than milking the standard itself for our revenue.

Today we shall highlight the special feature of this framework that extends beyond PDPA compliance into the domain of GDPR compliance.

The PDPSI framework is built on the following five key boundary implementations, namely Classification, Distributed Responsibilities and Development of the PIMS culture, supported by the policy documents and technical controls.


Most professionals who look at ISO 27001 try to map its controls to GDPR and the frequent question we receive from IS professionals is that “If I certify for ISO 27701, will I be considered certified for GDPR?”.

A similar question has been raised in India also regarding ITA 2008 compliance with reference to ISO 27001. It is history now that Naavi vehemently opposed MeitY, when it was working under Kapil Sibal, on the point that the Government of India should not give the impression that being ISO 27001 certified is deemed compliance with Section 43A. The department gave a somewhat vague answer, as follows:

This was in reference to the rules under Section 43A notified on 11th April 2011 (Refer details here)

Despite the clarification, MeitY has done nothing to dispel the general impression in the community that being ISO 27001 certified is deemed compliance under ITA 2008. The ISO organization (which is not a Government body) made full use of the misconception in marketing its certification in India.

Now there is a new attempt on the international scene to project certification for ISO 27701 as deemed compliance with GDPR. In future this argument may be extended to “Deemed Compliance under PDPA”, and hence it has to be flagged here and now.

It is important for professionals to realize that ISO standards are industry best-practice standards and, though they go a long way towards meeting the requirements of the law, compliance with a data protection law is independent of certification under an industry standard.

The same principle applies to PDPSI also, when it is used as a means of compliance with either PDPA or any other law. Irrespective of the framework used, the data protection authority has the right to ask for a separate “Data Audit”, “Data Breach Audit”, “Harm Audit” or “Data Protection Impact Assessment” and ignore the certifications.

Hence let us first make a categorical statement that being certified under ISO 27701 (or under PDPSI-GDPR, being discussed here) is not to be considered “Deemed Compliance” with GDPR.

We shall proceed to discuss what PDPSI-GDPR is in the next article.

Naavi


DPO under the new DIFC Data Protection Law of Dubai

Compliance with the DIFC Data Protection Law 2020 is administered by the “Commissioner” of Data Protection, who will be the regulatory authority for data protection regulation. The home of the regulator is found here.

Unlike the Indian DPA, which will be a 7-member body, the Dubai regulator will consist of one person, namely the “Commissioner”, who is appointed in consultation with the DIFCA Board of Directors and shall be a person who is appropriately experienced and qualified. The appointment is contractual for a period of 5 years, and the upper age limit for the Commissioner is 75 years as against 65 years in India.

DIFC DPA 2020 however permits the delegation of powers and establishment of an advisory committee with its own chairman and secretariat.

The Commissioner may establish codes of practice and certification schemes.

One of the major changes that the new version of the Dubai law has brought in is the provision for appointment of a Data Protection Officer. According to Article 16, a Controller or a Processor “May elect” to appoint a DPO.

However, DIFC bodies other than the Courts, and Controllers or Processors performing “High Risk Processing” on a systematic or regular basis, must mandatorily appoint a DPO. For others the appointment of a DPO is optional, but the Commissioner has the right to direct an entity to appoint a DPO if it finds this necessary. Where a DPO is not designated, the entity should still designate a person with responsibility for compliance.

As in the case of GDPR, the DPO may be an internal employee or an external contractual person.

The DPO must reside in Dubai unless he is a common DPO for the group entity.

The details of the DPO must be made public.

One of the responsibilities of the DPO is the submission of an annual report to the Commissioner, similar to the “Annual Data Audit” in the Indian PDPA. The DPO will also be responsible for overseeing the DPIA as and when it is undertaken.

As regards the role and tasks of the DPO, the law states that the DPO shall be provided with sufficient resources to carry out his duties and freedom to act independently and without conflict.

The DPO, besides being the contact person for the Data Subject, is expected to monitor the compliance activities in the organization, inform and advise the organization and its employees, cooperate with the Commissioner, be the point of contact for the Commissioner, etc.

It is noted that the Act specifies that the DPO shall be able to advise the entity not only on the Dubai Data Protection Law but also on other relevant laws to which the organization may be subject, “including where the organisation is subject to overseas provisions with extra-territorial effect”.

Overall, the passage of the new law adds to the responsibilities of all organisations that have a presence in Dubai. Some of them may be “Controllers” or “Joint Controllers” and they need to take suitable steps for compliance.

Naavi

Reference articles:

The New Dubai Data Protection law stresses on Compliance Accountability

The New Dubai Data Protection Law is Bigger, Better and Will bite harder
Dubai Data Protection Law


The New Dubai Data Protection law stresses on Compliance Accountability

The new Dubai Data Protection Law, in comparison to the 2007 version, has given a lot more emphasis to Compliance.

Legitimate Interest

Article 8 of the old Act and Article 9 of the current Act speak of the General Requirements. It may be observed that most of the requirements in the 2007 law have been carried over to the 2020 law, with the addition of “Transparency”.

Additionally, “Lawfulness” has been separately expanded in Article 10, and Accountability and Notification are separately explained under Article 14 (2020). Six bases have been identified under “Lawfulness”, and any one of them is considered acceptable. This follows the GDPR model and includes

a) Consent

b) Necessity for performance of a contract to which the Data Subject is a party

c) Necessity for compliance with an applicable law that a “controller is subject to”

d) Necessity for protecting the vital interests of a data subject or of any natural person

e) Necessity for the functioning of DIFC

f) Legitimate interest

The 2020 law also adds genetic and biometric data to the list of special categories defined in the earlier version, which require “Explicit Consent”.

Consent and Notice have been elaborately covered along with Accountability. The onus of proving that Consent has been obtained lies on the Data Controller.

Article 10(1)(f) states that one of the lawful bases on which personal data can be processed is where

“Processing is necessary for the purpose of legitimate interests pursued by a Controller or a Third Party to whom the Personal Data has been made available, subject to Article 13, except where such interests are overridden by the interests or rights of a Data Subject.”

Article 13 on the other hand states

(1) A public authority subject to DIFC law may not rely on the basis of legitimate interests under Article 10(1)(f) to Process Personal Data.

(2) A Controller that is part of a Group may have a legitimate interest in transferring Personal Data within its Group for internal administrative purposes.

(3) Processing of Personal Data shall be considered a legitimate interest of a Controller if it is necessary and proportionate to prevent fraud or ensure network and information security.

In terms of compliance, therefore, a Data Controller should always look for “Consent” and, when in doubt, bring the processing under the legitimate interest argument, preferably with appropriate internal documentation.

Accountability

One of the areas of emphasis in the new version of the law is the Accountability of the Data Controller. The Controller needs to establish data protection by design and by default, taking into account the risk assessment and establishing a compliance program. The law repeatedly emphasizes “Proportionality” of data collection to the purpose of collection.

Article 14(7) states

“A Controller or Processor shall register with the Commissioner by filing a notification of Processing operations, which shall be kept up to date through amended notifications.”

Article 14(8) also states that the above notification shall be kept in a publicly available register maintained by the Commissioner.

This provision is similar to the Indian provision of a “Privacy by design policy” being filed with the DPA, and is a significant change to be noted.

(To Be continued…)

Naavi

Earlier Articles

The New Dubai Data Protection Law is Bigger, Better and Will bite harder
Dubai Data Protection Law


The New Dubai Data Protection Law is Bigger, Better and Will bite harder

From July 1st 2020, life will not be the same for companies who opened offices in the Dubai International Financial Centre (DIFC) for various reasons. The new Data Protection Law of 2020 will become effective and will totally replace the earlier, milder law of 2007.

The law will basically apply to the processing of personal data by automated means and where the personal data is part of a filing system. It will apply to all companies incorporated in DIFC irrespective of the place where personal data is processed. At the same time, it applies to companies irrespective of incorporation if personal data is processed in DIFC as part of a stable arrangement for the processing of personal data in the context of activity in DIFC. It excludes the processing of personal data by individuals exclusively for domestic purposes.

While we can discuss the changes in the Grounds of Processing, Data Subjects’ rights and Compliance requirements separately, it may be immediately noticed that the new law enhances the remedies available to Data Subjects and also imposes administrative fines from $50,000 to $100,000 for various contraventions, besides directions for cessation of business or reprimands. Additionally, the Commissioner can award compensation to data subjects, or data subjects may make a claim for compensation through a grievance redressal process or with the intervention of the Court.

Where more than one Controller or Processor is involved, the liabilities will be applicable jointly and severally.

It is therefore time for companies in India who have Dubai offices to take a fresh look at their Data Protection obligations. Many Indian companies might have entered into business agreements with local companies, but they will continue to be liable as either a Joint Controller or a Data Processor and hence have to assess their liabilities under the new law.

(More discussions will follow)

Naavi


Prospectus for FDPPI Program on CDPP-Module G released

Early Bird Discount: Up to 30th June 2020

Membership : Rs 5000 only

Full waiver of Training fee of Rs 6000/-
