Convergence of Technology and Law through DPDPA

When the Information Technology Act, 2000 (ITA 2000) was enacted and notified on 17th October 2000, technology made its entry into commercial law with the recognition of electronic documents and digital signatures. Digital signatures were also a tool of information security, providing non-repudiable authentication. The concept of due diligence, together with section 85, introduced corporate responsibility for security as a means of preventing cyber crimes.

With the 2008 amendments, the role of law in information security was tightened further, and CERT-In was notified as the apex cyber security agency in the country (section 70B). Sections such as 43A, 69A and 69B highlighted the need for corporate compliance action.

However, this legal intrusion into information security practice was brushed off by the industry, and ITA 2008 compliance and IISF 309 (Indian Information Security Framework) remained only wishful thinking on Naavi's part.

After 24 years, with the advent of DPDPA 2023, it appears that the industry is now able to recognize this new field of information security combined with law. Just as AI-enabled data analytics has become the cornerstone of innovation in data-driven organizations, ITA 2000-driven DPDPA 2023 has become the essence of corporate information security practice in the emerging times.

At the Empowering CxOs conference in Bengaluru on 5th September 2024, this aspect came up for discussion in a panel, “The Future of Data Privacy by Driving a Privacy-First Culture – Balancing Innovation and Privacy: A Strategic Approach”, which I had the privilege to moderate.

The entire event is available at https://www.youtube.com/watch?v=B5ZjUS77xms (the panel discussion begins at 7:10:46).

During the discussion it was clear that the future of information security technology will be embedded with DPDPA 2023, something the industry has now fully realized and is trying to find ways to implement.

In this direction, DGPSI emerges as a compliance framework worth considering, and training programs such as C.DPO.DA., scheduled by FDPPI for information security professionals, stand out as a timely introduction to the ecosystem.

We hope that this integration of Technology and Law in terms of “Information Security and Privacy Protection” will grow from strength to strength in the coming days.

Naavi

Posted in Cyber Law | Leave a comment

Future of Data Privacy

At a time when AI is threatening the credibility of the Internet as a medium of communication, and perhaps even the human race, we at “CXO Cywayz” are discussing the future of Data Privacy and how to strategize a balance between Innovation and Privacy.

Like the everlasting battle between Security and Privacy, Technology Innovation is a continuing challenge to Privacy, or vice versa.

Innovators often forget that they live in a society, and that all their innovations have value only if the society survives and functions in an orderly manner. Privacy regulation is one such aspect, and it should be treated as a necessity to be incorporated into every innovative outcome of technology.

We in India are today at the dawn of DPDPA, and data-related business and professions will never be the same again. What we did for the last decade needs to be renewed. What we learnt may have to be unlearned, because DPDPA is likely to disperse all our current strategic outcomes.

The output from the prism of DPDPA may look colourful, but it comes in shades of red as well, with huge penalties lurking in the background that threaten the existence of any company that ignores DPDPA.

Setting up a “Data Governance and Protection Management System” (DGPMS) to respect the law and ensure a balance between Innovation and Privacy is the way to go. The strategy for this approach lies in DGPSI, the unique framework: the Data Governance and Protection Standard of India. The ISMS and PIMS associated with other frameworks need to give way to a DGPMS powered by DGPSI.

The way to bring harmony between innovators in technology and the legal community fighting for “Namma Privacy” lies in the unique concept in DGPSI of “Compliance by Design”, a modified approach to “Privacy by Design”. Why this compliance-first approach differs from a privacy-first approach requires a longer debate.

For the time being we can conclude that the future of balancing Privacy and Innovation through a strategic approach belongs to DGPSI and its adoption by the industry.

Naavi


Towards Becoming a Data Auditor in India

At present there is a large number of professionals in India with the expertise to conduct information security audits, and some of them are also engaged as “Auditors of CERT In Empanelled organizations”. These auditors were expected to be a hybrid type of auditor, capable of assessing information system controls from the perspective of compliance with the provisions of ITA 2000, the law of the land. This required a “techno-legal understanding” that not all IS auditors could manage successfully.

With the need now to understand DPDPA 2023 as well, the role of techno-legal auditors in India has changed further, and there is an urgent need for technically qualified information security auditors to upgrade their expertise so that they can conduct audits from the legal perspective.

This transformation from technical information security audit to techno-legal DPDPA audit is the need of the day and is being addressed by FDPPI through its C.DPO.DA. (Certified Data Protection Officer and Data Auditor) course.

In order to expand the reach of this course, FDPPI is conducting a three-day offline program designed exclusively for information security experts, including “Auditors of CERT In Empanelled organizations”. The first such program will be held in Bengaluru on 27th, 28th and 29th September 2024.

Venue:

Viveka Auditorium Yuvapatha,

#4, 31st Cross Rd, 4th T Block East, 4th Block, Jayanagar,

Bengaluru, Karnataka 560011

Contact: fdppi4privacy@gmail.com

Payment for Registration can be made here:

Fees: Rs 40,000/- plus GST of 18%

Discount for CERT-In empanelled auditors: 20%

Early bird discount (for others): 15% (up to 15th September)

Kindly note that all participants will be eligible for a participation certificate with 18 hours of CPE. Participants are also eligible to take the online examination by October 15 and obtain the full C.DPO.DA. certificate.

The program will be led by Naavi and will include several case study discussions and practical issues in the implementation of the DPDPA and the upcoming rules.

The program will also discuss the details of India-based frameworks such as the Cyber Security Framework (CSF) of CERT-In and the draft BIS standard for Data Governance and Data Protection. It may be noted that at present there is no other similar program in India focused on Indian data protection requirements, particularly at the depth to which this program goes.

Appropriate reading material will be provided to the participants during the program.

This program will further strengthen FDPPI's effort to develop an indigenous approach to DPDPA compliance, using DGPSI along with the CSF of CERT-In for the information security of the personal information concerned.

Price with GST

(For the Bengaluru Program only)

Type                                    Price (ex. GST)   GST (18%)    Total
CERT-In Auditors (20% discount)         Rs 32,000/-       Rs 5,760/-   Rs 37,760/-
Early Bird (till 15th September 2024)   Rs 34,000/-       Rs 6,120/-   Rs 40,120/-
Full price                              Rs 40,000/-       Rs 7,200/-   Rs 47,200/-

A discount on the examination fee and membership fee, worth Rs 20,000/-, is available in addition to the above.

The program is designed for “Auditors of CERT In Empanelled organizations” and the capacity is limited to 25 participants. A few auditors who are not “Auditors of CERT In Empanelled organizations” are being accommodated on specific request.


Key to Transformation…. DGPSI 5

We all know that the world around us is changing. Even to remain where we are, we need to keep running. Otherwise the world around us moves ahead and leaves us behind, through no fault of our own.

Transformation is therefore the key to professional success or even professional survival.

Naavi himself was once a banker with relatively high expertise in accounting, tallying of books, customer service, etc. Today I have moved through marketing and advertising, information security and cyber law roles and landed in the privacy and data protection role. The journey has been exciting, but change has been its essence.

With DPDPA 2023 in place, it is time for other professionals to also look at the need for transformation in their careers. Whether they are experts in ISO 27001 or GDPR, whether they hold certifications such as CISSP or CIPP, it is time to look at new horizons such as DGPSI and C.DPO.DA.

It is the duty of professionals who have taken a few steps forward to try and take others along this path of development, irrespective of the competition it could generate for themselves. Remember that a cricket team requires batsmen, bowlers and specialist fielders in different positions, and even the batsmen and bowlers differ among themselves. Likewise, the privacy and data protection community requires many kinds of members to constitute a team. Unlike a cricket team, which is limited to 11 players on the field at a time, the data protection profession can accommodate many more.

It is therefore necessary for organizations like FDPPI to assist professionals who are today in information security, law or corporate governance to move into the area of privacy and data protection. Some may aspire to be DPOs in companies and some may aspire to be “Data Auditors”.

One such community FDPPI is now addressing is the community of CERT-In accredited auditors. These audit firms are today engaged in various audit programs related to ITA 2000, and are also called in whenever data breaches occur. With DPDPA coming into effect, the role of CERT-In auditors has changed. Data breaches now need to be evaluated under both ITA 2000 and DPDPA 2023, and IS audits have to address compliance with both. With penalties of Rs 250 crore and more at stake, companies are keen that their DPDPA compliance is in place. The buzzwords in the industry are therefore “Compliance by Design” and “DPDPA Audit”. There will also be special “Conformity Assessment Certifications” required under DPDPA 2023.

FDPPI has therefore taken the first step to bring CERT-In auditors into the domain of data audit, and has specially structured a three-day offline program in Bangalore on September 27, 28 and 29, in association with CERT-In.

This will be a first-of-its-kind program that engages information security audit experts and equips them to take up techno-legal audits of DPDPA conformity.

Registration requests are now being received by email at fdppi4privacy@gmail.com

More information is available in the following brochure.

The program will cover DPDPA 2023 in particular and the data audit measures it requires. It is meant both for those who want to be DPOs and for those who want to be Data Auditors in the coming days. It will also cover the essence of GDPR and ITA 2000 as they relate to personal data protection, and even CPA 2019 where required. In the audit section it will take off from ISO 27001 but focus on the CSF of CERT-In. The DGPSI framework already covers these aspects, including the draft BIS standard on Data Governance and Data Protection, which is also part of the coverage.

In summary, the course will truly be the first of its kind, and professionals who want to stay ahead of others should take up this opportunity without fail.

The three-day course is priced at Rs 40,000/-, but CERT-In accredited auditors get a 20% discount and others get early bird discounts, along with other benefits such as complimentary membership of FDPPI.

Act today if you want to be ahead of others. Drop an email to fdppi4privacy@gmail.com

Naavi


The “Consent Conundrum” in DPDPA Rules..DGPSI 4

As the industry expects the “Draft Rules for DPDPA” to be released within the next fortnight, the draft of the draft rules released some time back by MeitY, selectively, to organizations like Meta and Google for their views gives us a glimpse of what the rules could look like when they are finally released.

Leaving MeitY the option to disown the publication, the draft of the draft rules relating to DPDPA is available for discussion at www.dpdpa.in/dpdpa_rules.

Of the 20 rules and 7 schedules published there, rule 2 (definitions), rules 3, 4, 5 and 10 and Schedule I relate specifically to notice, consent and consent managers, including verifiable consent for minors. A model consent artifact is also provided in Schedule I.

In this connection, data fiduciaries need to focus on the challenges highlighted below.

Firstly, the rules suggest that every consent shall carry the electronic signatures of the data principal, the data fiduciary and the consent manager. Since data principals may not hold a digital signature certificate that enables such a signature, and the onus of proving consent lies with the data fiduciary, data fiduciaries need to arrange for an electronic signature mechanism such as e-Sign.

While authentication of the consent is essential, provision should be made for innovative but legally consistent methods of authenticating an electronic document without an electronic signature, so as to reduce the cost burden.

A positive aspect of the model consent artifact is an undertaking by the data fiduciary that the consent will be used only for the specified purpose. When this undertaking is also digitally signed, it constitutes a legal commitment.

Data fiduciaries need to ensure that they live up to this commitment, introducing controls so that the consent is automatically treated as withdrawn as soon as the purpose expires, and fresh consent is obtained when the purpose is subsequently renewed. Otherwise they may face a charge of criminal breach of trust under BNS 2023 (refer to Section 316).

It is important to note that the “consent” is a document which has to be stored separately and may have to be retained for a period beyond the retention of the personal data. In the case of a consent manager it may have to be retained for 7 years as per the draft of the draft rules. Retaining a consent for data which is itself no longer retained is a vague concept and will lead to disputes about what the consent was for. Hence the data fiduciary has to be meticulous in recording which data elements were part of each consent.

It is interesting to observe that the recognition that the “consent” document is different from the data itself indicates that ownership of the data lies with the data principal, while ownership of the consent lies with the data fiduciary and is not subject to a “deletion” request from the data principal.

This supports our jurisprudential contention that ownership of metadata lies with the platform, and that of transaction data jointly with the platform and the data principal.

It is doubtful how we can handle situations such as a data principal saying “The consent is accepted, but the data is erroneous, and I did not give consent to this erroneous data”. This is another recipe for dark-pattern usage.

The rules provide that the consent artifact be consistent with the DEPA framework of MeitY, and that every notice for consent be referred to the data principal and specific consent obtained. In such a scenario the data principal provides his own signed consent, and the role of the consent manager is limited to forwarding the message to the data principal. This makes the role of the consent manager completely redundant.

Unless the consent manager is recognized as something like a “trustee” of the data principal, with full rights to represent him in giving, modifying and withdrawing consent, to assess a request for information against the stated purpose, to challenge the data fiduciary on the data principal's behalf, to monitor the use of the data and to demand deletion, the purpose of introducing the concept of a consent manager is defeated.

It is not at present clear whether use of a consent manager service is at the option of the data fiduciary or of the data principal. This has to be clarified; it also requires consent managers to be set up first, so a timeline for adoption has to be indicated.

If the consent manager system is delinked from the current DEPA concept, the issues of digital signing, language and dark patterns in obtaining consent can be handled effectively. But this requires a complete rethinking of the concept of the consent manager by MeitY.

Further, the draft suggests that notice and consent be structured so that “purpose-wise collection of personal data elements” is enabled under a single consent. It would be more practical for data fiduciaries to design different consent artifacts for different purposes, rather than create one consent artifact for multiple purposes under one consent ID and divide it into multiple permissions. The possibility of permissions being misapplied is very high in such a system.

The model consent artifact is misleading and does not address the requirements properly. Hence it is preferable to delete Schedule I.

It is for this reason that DGPSI recommends that notice and consent be linked to individual processes and managed process-wise. In this system there would be multiple consents from a single data principal to a data fiduciary.
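As an added illustration (not code from the original post, nor from FDPPI, DGPSI or MeitY), the Python sketch below shows how three of the points made above can be built into a data fiduciary's consent store: one sealed consent record per purpose, so that a data principal holds several consents with the same fiduciary; automatic withdrawal the moment the purpose's validity expires; and retention of the consent record, with a digest of the data elements it covered, after the personal data itself has been erased. The identifiers (`dp-42`, `fid-001`, the purposes, the dates and `LEDGER_KEY`) are constructed for the example, and the HMAC tag is only a placeholder for the electronic signatures the draft rules speak of; it is not an e-Sign.

```python
"""Purpose-scoped consent ledger. Added illustration; not code from FDPPI, DGPSI or MeitY."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed demo key. The HMAC proves integrity to the fiduciary only; it stands in for the
# parties' e-Sign and is not a legally recognised electronic signature.
LEDGER_KEY = b"constructed-demo-key"


@dataclass
class Consent:
    """One record per (data principal, purpose), kept apart from the personal data itself."""
    consent_id: str
    principal_id: str
    fiduciary_id: str
    purpose: str
    data_elements: List[str]
    granted_at: datetime
    expires_at: datetime
    withdrawn_at: Optional[datetime] = None
    data_digest: str = ""  # SHA-256 over the covered values: shows what was consented to after erasure
    tag: str = ""          # integrity tag over every other field


def _canonical(c: Consent) -> bytes:
    body = {k: (v.isoformat() if isinstance(v, datetime) else v) for k, v in asdict(c).items() if k != "tag"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal(c: Consent) -> Consent:
    c.tag = hmac.new(LEDGER_KEY, _canonical(c), hashlib.sha256).hexdigest()
    return c


def verify(c: Consent) -> bool:
    return hmac.compare_digest(hmac.new(LEDGER_KEY, _canonical(c), hashlib.sha256).hexdigest(), c.tag)


class ConsentLedger:
    def __init__(self, fiduciary_id: str):
        self.fiduciary_id = fiduciary_id
        self.consents: Dict[str, Consent] = {}              # consent evidence store
        self.personal_data: Dict[str, Dict[str, str]] = {}  # separate personal data store

    def record_consent(self, principal_id: str, purpose: str, data: Dict[str, str],
                       granted_at: datetime, validity: timedelta) -> Consent:
        digest = hashlib.sha256(json.dumps(data, sort_keys=True).encode()).hexdigest()
        c = Consent(f"c{len(self.consents) + 1:04d}", principal_id, self.fiduciary_id, purpose,
                    sorted(data), granted_at, granted_at + validity, data_digest=digest)
        self.consents[c.consent_id] = seal(c)
        self.personal_data.setdefault(principal_id, {}).update(data)
        return c

    def withdraw(self, consent_id: str, at: datetime) -> None:
        c = self.consents[consent_id]
        c.withdrawn_at = at
        seal(c)  # the withdrawal becomes part of the sealed record

    def may_process(self, principal_id: str, purpose: str, element: str, now: datetime) -> bool:
        """True only if an intact, unexpired, unwithdrawn consent for this purpose covers the element."""
        for c in self.consents.values():
            if (c.principal_id, c.purpose) != (principal_id, purpose) or not verify(c):
                continue
            if c.withdrawn_at is not None or now >= c.expires_at:  # expiry = automatic withdrawal
                continue
            if element in c.data_elements:
                return True
        return False

    def erase_personal_data(self, principal_id: str) -> None:
        """Honour an erasure request: the data goes, the consent evidence stays."""
        self.personal_data.pop(principal_id, None)


def demo() -> dict:
    """Constructed scenario; returns the outcomes so they can be checked."""
    t0, day = datetime(2024, 9, 1, tzinfo=timezone.utc), timedelta(days=1)
    ledger = ConsentLedger("fid-001")
    delivery = ledger.record_consent("dp-42", "order-delivery",
                                     {"name": "A. Principal", "address": "12 MG Road"}, t0, 30 * day)
    marketing = ledger.record_consent("dp-42", "marketing", {"email": "a@example.test"}, t0, 365 * day)
    out = {
        "address_for_delivery": ledger.may_process("dp-42", "order-delivery", "address", t0 + day),
        "address_for_marketing": ledger.may_process("dp-42", "marketing", "address", t0 + day),
        "address_after_expiry": ledger.may_process("dp-42", "order-delivery", "address", t0 + 31 * day),
    }
    ledger.withdraw(marketing.consent_id, t0 + 2 * day)
    out["email_after_withdrawal"] = ledger.may_process("dp-42", "marketing", "email", t0 + 3 * day)
    ledger.erase_personal_data("dp-42")
    out["data_gone"] = "dp-42" not in ledger.personal_data
    out["consent_kept_intact"] = verify(delivery)
    out["consent_names_elements"] = list(delivery.data_elements)
    delivery.data_elements.append("phone")  # simulate tampering with the stored record
    out["tampering_detected"] = not ledger.may_process("dp-42", "order-delivery", "phone", t0 + day)
    return out
```

Running `demo()` shows the behaviour the text asks for: an address consented to for delivery cannot be used for marketing, it stops being usable on day 31 without anyone acting, a withdrawn marketing consent is refused on the next request, and after erasure the fiduciary can still prove which elements the delivery consent covered, while a record whose element list has been tampered with is rejected outright.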

The next important challenge is obtaining renewed consent for legacy consents. Since the rule in this regard applies to all previously collected data for which “consent has already been obtained”, it does not cover cases where the data fiduciary cannot prove the existence of past consent. Hence all such data needs to be discarded.

It is therefore essential for data fiduciaries to rely on a “legitimate use” basis and their current legal obligations to continue holding such data in their archive while removing it from processing activity.

Provision should be made for issuing notice through public notices and for continued secure archival for a reasonable time before deletion. Since deletion could result in unintentional violation of other laws, it is recommended that the Government notify a “National Archival of Personal Data”, so that after a limitation period during which the personal data is securely archived at the data fiduciary, it may be transferred to the newly created national archive.

The next problem arises from the rule requiring “verifiable consent” for minors. Most data fiduciaries assume that this applies only if their services are directed at minors. However, Section 9 of DPDPA applies to minors and to disabled persons, and the first verification required is whether the data principal is a minor or a disabled person at all. This means that every consent has to carry a “due diligence verification” that the person is neither a minor nor a mentally disabled person. Then there has to be a further verification of who the guardian is. A third verification is required when the person attains majority, when the now-adult has to be identified and the consent switched back to him.

In the case of minors, it may be possible to use the “Age Pass” created by checking with UIDAI, but identifying disabled persons requires a new judicial process to be introduced.

Yet another challenge is understanding the concept of “legitimate use” for processing personal data.

It must be remembered that a data fiduciary is by nature a “trustee” and not a “manager” of data appointed by the data principal. Hence, irrespective of the consent, a data fiduciary should independently evaluate the legal basis and take a view in the interest of the data principal.

Legitimate use can be invoked by non-Government agencies when the data principal has provided the data “voluntarily”, when it is required for employment purposes, under an obligation of law, or for a medical emergency.

There is no specific manner in which a “voluntary” action of the data principal can be effectively recognized. Every collection of personal data is for a purpose, and the purpose is to deliver a “consideration”. Hence the question of providing any data “voluntarily” does not arise. If this is not clarified, this provision will be grossly abused. The illustrations provided are irrelevant, and the provision essentially boils down to an automatic “opt-in” without any indication of positive intent.

In the illustration provided in the Act (the pharmacy), the primary service of the pharmacy is receiving the money without an acknowledgement, and the augmented service is receipt of the money with an acknowledgement. Hence the data principal is actually opting for the augmented service, for which the additional data is being provided, and not acting “voluntarily”. Similarly, in the second illustration, of the real estate broker, the broker provides a service in return for the additional data that the data principal has to share.

These are purpose-oriented collections and do not have a “voluntary” nature. Even the “publicly made available personal data” provision is liable to be misused, and the rules fail to provide the required clarifications.

Use of personal data under a legal obligation is a genuine requirement, but the data fiduciary needs policy support and case-by-case authorization from its legal department before setting aside the consent mechanism as the legal basis. DGPSI provides for this.

Legitimate use in employment circumstances relates to safeguarding the data fiduciary and is a genuine need. However, the data fiduciary needs to understand that the employment relationship begins before the person is onboarded and continues after he is terminated. These phases have to be built into the controls, besides establishing case by case how the processing safeguards the data fiduciary. DGPSI provides for this.

In summary, “consent” is a challenge, and unless an organization understands the full implications of how to take a valid consent, retain it for reference and retrieve it when required, how to use a consent manager service, and whether the use of a consent manager is optional, etc.

Naavi
