Towards DPDPA Compliance…What is DGPSI?..2

DGPSI stands for Digital Governance and Protection Standard of India. It is designed as a compliance framework for setting up a DGPMS, or Digital Governance and Protection Management System.

Just as we refer to ISMS in the context of ISO 27001, PIMS in the context of ISO 27701, DGPMS is the system that is built with DGPSI for the purpose of DPDPA Compliance by design.

DPDPA Compliance by design includes

a) Privacy by Design as required in India by DPDPA

b) Security by Design as required by ISO 27001 in respect of Personal Information to which DPDPA is applicable.

DGPSI is therefore a combination of PIMS for DPDPA and ISO27001 for PII under DPDPA.

DGPSI is built around 12 basic principles which form the foundation of the framework. It comes in two flavours, namely DGPSI-Lite with 36 Model Implementation Specifications (MIS) for compliance with DPDPA 2023, and DGPSI-Full with 50 Model Implementation Specifications (MIS) which covers DPDPA 2023, ITA 2000 for PII and the Draft BIS standard for Personal Data Governance.

MIS refers to the requirements that are suggested for implementation. DGPSI Lite is directly related to DPDPA provisions and hence is required to be implemented by all organizations that process Digital Personal Data for which DPDPA 2023 is applicable. We may refer to it as Applicable Personal Data or APD. All Data is not APD and all Personal Data is also not APD.

Flexibility in implementation of the MIS in respect of DGPSI Full is provided by the document “Deviation Justification Document” that is like the “Statement of acceptable Exclusions” and relates to the Statement of Applicability and Scoping in ISO 27001 framework. The Deviation Justification Document that is approved by the Management is considered as the “Implementation Charter” for the DPO for implementation of the DPDPA Compliance. The deviations are considered as “Accepted and Absorbed Risks” and to be also managed through appropriate Cyber Insurance covering first party and third party liabilities.

The Implementation Specifications that are part of the Implementation Charter are referred to as Adapted Implementation Specifications (AIS).

At the time of third party audit, the auditor will evaluate the Deviation Justification Document and audit the implementation for a binary response of each of the implementation specifications.

For a maturity assessment of the implementation, implementation would be assessed over each of the 50 MIS assigning different acceptable scores which are weighted and aggregated for a consolidated score. For this purpose, the lowest acceptable score is assigned for the implementation specifications that are considered part of the approved deviation justification.

For the purpose of assigning the “Score” for each implementation specification, a scale will be adopted with different limits for “Policies and Procedures having been established”, “Technology Controls having been established” and “Organizational Culture and Sustainability having been established”.

The consolidated score of an organization’s implementation is termed the “Data Trust Score” or DTS. The DTS will be assigned for every audit and reported to the management and the FDPPI as the audit certification agency. The Company is free to publish the DTS score at its discretion.

DGPSI therefore provides the three functionalities namely

  1. Implementation Assistance
  2. Third party certifiable audit
  3. Assessment of maturity of implementation
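The maturity scoring described above (a score per MIS on three dimensions, deviated MIS pinned to the lowest acceptable score, weighted aggregation into a Data Trust Score) is straightforward to make concrete. The following is an added illustration, not FDPPI's or DGPSI's own tooling: the scale limits, the floor score, the per-MIS weights and the MIS identifiers are all assumed for the example, since the framework text does not publish them.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed scale limits per dimension (hypothetical; the framework sets its own).
SCALE_LIMITS: Dict[str, int] = {
    "policies_procedures": 3,
    "technology_controls": 4,
    "culture_sustainability": 3,
}
# Assumed floor assigned to an MIS covered by an approved deviation justification.
LOWEST_ACCEPTABLE = 1


@dataclass
class MISAssessment:
    mis_id: str                       # constructed id, e.g. "MIS-07"
    weight: float                     # relative weight in the aggregate (assumed)
    scores: Dict[str, int]            # dimension -> score recorded by the auditor
    approved_deviation: bool = False  # listed in the approved Deviation Justification Document


def mis_score(a: MISAssessment) -> float:
    """Normalized 0..1 score for one MIS.

    An MIS under an approved deviation is not scored on its merits: it receives
    the lowest acceptable score, as the framework description states. Any other
    MIS must carry a score inside the scale limits for every dimension.
    """
    max_total = sum(SCALE_LIMITS.values())
    if a.approved_deviation:
        return LOWEST_ACCEPTABLE / max_total
    total = 0
    for dim, limit in SCALE_LIMITS.items():
        s = a.scores.get(dim)
        if s is None or not 0 <= s <= limit:
            raise ValueError(f"{a.mis_id}: {dim} score {s!r} outside 0..{limit}")
        total += s
    return total / max_total


def data_trust_score(assessments: List[MISAssessment]) -> float:
    """Weighted aggregate of all MIS scores, reported on a 0..100 scale."""
    total_weight = sum(a.weight for a in assessments)
    if total_weight <= 0:
        raise ValueError("weights must sum to a positive value")
    weighted = sum(a.weight * mis_score(a) for a in assessments)
    return round(100 * weighted / total_weight, 1)


def sample_assessments() -> List[MISAssessment]:
    """Constructed sample: one fully implemented MIS, one partial, one deviated."""
    return [
        MISAssessment("MIS-01", 2.0, {"policies_procedures": 3, "technology_controls": 4, "culture_sustainability": 3}),
        MISAssessment("MIS-02", 1.0, {"policies_procedures": 2, "technology_controls": 2, "culture_sustainability": 1}),
        MISAssessment("MIS-03", 1.0, {}, approved_deviation=True),
    ]


if __name__ == "__main__":
    for a in sample_assessments():
        print(f"{a.mis_id}: {mis_score(a):.2f}" + ("  (approved deviation)" if a.approved_deviation else ""))
    print("Data Trust Score:", data_trust_score(sample_assessments()))
```

With the sample data the fully implemented MIS scores 1.0, the partial one 0.5 and the deviated one 0.1, giving a DTS of 65.0. The value of pinning deviated MIS to the floor rather than dropping them is that an organization cannot raise its DTS simply by moving more specifications into the Deviation Justification Document; the accepted and absorbed risks still depress the score.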

The objective of this series of articles is to increase the awareness of DGPSI in the community and FDPPI would like to create a set of professionals who would be DGPSI Ambassadors who appreciate the nuances of DGPSI with reference to any other framework.

FDPPI is willing to fine tune the framework as required. The detailed implementation guidelines will be part of the responsibility of the auditors and the framework will only define the broad level of requirement for meeting the implementation. This preserves the scope for auditors to add their own value to the final implementation and certification and the customization required. For example a Privacy Notice under DPDPA developed for a Bank will be different from a Privacy Notice developed under DPDPA for a Hospital. This sort of customization cannot be built into the standards document and is left to the discretion of the auditor or implementation consultant.

At present Implementation Consultancy, as well as audit is considered as part of the common skills and until necessary, C.DPO.DA. will continue to be the Certification both for Implementation Expertise and Audit expertise. This may change in future and the two may be segregated into separate certifications like “Lead Implementor” and “Lead Assessor”.

Questions if any are welcome as we now go into the clarificatory mode for a few days.

Once this introduction is absorbed by the community, we shall go into specifics of the DGPSI Principles and MIS in subsequent articles.

Naavi


DGPSI is the beacon of light for DPDPA Compliance..1

We recognize that India is on the cusp of a new era of DPDPA. Whether we like it or dislike it, whether we think the Government is serious or not, the reality is that soon we will have a notification of the rules of DPDPA.

The CFO of an organization should be the first to raise his voice that a new Financial risk has appeared before the Company that needs to be “Mitigated” and “Covered”. He may not know how and request his CISO or CCO to suggest. The CEO has to therefore start a new discussion in the business war rooms on how DPDPA is likely to impact business and what actions are required to be initiated.

There will always be one voice in the Corporate War room which says, “The rules are yet to be notified… We shall wait…”.

This will be music to the ears of some who revel in “Procrastination” and are happy to work on short term goals for the next quarter. But for those who have the long term vision, DPDPA 2023 is already the “Due Diligence” requirement under ITA 2000 and hence the compliance-by date has already arrived.

The Government may eventually release the rules first as a draft for public comments. It may first notify the requirements for setting up the DPB (Data Protection Board) so that it can be constituted before further operational rules that affect the industry directly in terms of compliance are rolled out. Even after the operational rules are rolled out, there could be different timelines under which different rules become effective.

The wiser companies have already had the first discussions at their Board level to start working on “DPDPA Gap Assessment” so that they will understand where they stand and how should they strategize their next moves.

The second stage is for companies to look out for guidance on how to proceed with the compliance of DPDPA and adopting an appropriate framework for compliance.

In this context DGPSI emerges as the beacon of light as the only framework exclusively stitched together for compliance of DPDPA 2023.

As the realization of what DGPSI is and how it helps a company to find the shore of compliance, dawns, strategy war rooms in companies will reverberate with the words “DGPSI” and DGPSI would become the “Corporate Mantra” for the emerging DPDPA Era.

P.S: We will explore DGPSI point by point through this series of articles.

Naavi


Where do Industries stand today on DPDPA?

Yesterday, I attended an ETCIO conference on Data Analytics and AI in Bengaluru. One of the takeaways from the conference is that while many exciting developments seem to be happening on the use of Data Analytics with the use of AI in consumer facing industries, there seems to be little appreciation of the impact of DPDPA on the current practices of Personal Data usage in the industry.

Most of the companies which included the likes of Myntra, PayU and many others discussed how they are leveraging Data Analytics and AI for better user experience as well as productivity.

In the discussions it was clear that most of the companies do not seem to have factored in the advent of the DPDPA 2023 in their implementation strategies.

It seems that it is a long long journey before the concept of Privacy by design is considered by these companies since the commercial benefits of current practices of “Free for all PII processing” are overwhelming. Most of them are sitting on a pile of legacy data without consent which is being processed and converted into business intelligence. Though many may claim that the usage is anonymous, it is difficult to believe.

The DPOs in these companies will have an uphill task in bringing discipline into the PII processing of these companies. The difficulty of building a Privacy Compliance culture in the euphoria of Data Analytics with AI is evident.

The Conference noted that the combination of Data Analytics and AI leads to Intelligence². But Naavi did remind the assembly that the square root of Intelligence² could be a positive or negative value of (Intelligence), as per the principles of Complex numbers, hinting at the DPDPA risk that needs to be confronted.

Not sure if the message has been assimilated by the assembly. But it is clear that if the Government wants, they can fill up some of the budgetary deficit by strictly implementing DPDPA in the first few years when almost all companies will be found short of compliance. I wish the industry wakes up before it is too late.

The DPB also has the uphill task of making companies realize their responsibilities in ensuring Compliance by Design through some strict action as soon as they become operative.

At the same time it appears that the time for DGPSI has come and it is time for us to declare that DGPSI is the corporate mantra for the AI era.

Naavi


Transformation in Data War Rooms

Organizations are increasingly harnessing Data for Business Growth. The new found enthusiasm in making better use of Data and increasing its productivity has made “Data Analysts” key contributors to innovation in an organization. Business discussions in organizations are therefore becoming a ground for understanding new “Data Transformation Strategies” so that available data can be grouped and re-grouped for better business performance.

While Business is interested in monetizing every bit of data in the control of an organization, the laws of data protection create their own hurdles to be navigated. Everybody is going through congested traffic. The skill of a driver is not only to reach the destination fast and ahead of others but also to ensure that he avoids accidents and traffic challans.

The discussions in the Data War Rooms are therefore no longer limited to what fanciful things can be achieved by AI and Data but identifying the problem areas.

There is a need to recognize that “Personal Data” has high potential for monetization but is like a “Hazardous Inventory” which can blow up if not properly handled. Since this is a new development in India, it is likely to cause the greatest friction in the Data War Rooms.

While the Data Analyst proposes a beautiful concept of how he can develop insights to consumer behaviour using Generative AI applied to the company’s vast data lake created over decades, the marketing manager gets excited at the opportunities and the CEO is happy with the prospects of a new revenue stream, it is the duty of the Compliance officer and the DPO to stand up and point out where the plan could clash with the new DPDPA 2023.

The DPO may point out that all the Personal Data which we have now was acquired for a purpose that did not include the purpose which we are now discussing, and therefore unless we obtain a new consent, the project needs to be deferred. Alternatively the DPO may give a new challenge to the team to develop a scheme of using “Anonymised Data” or “Publicly Made Available Personal Data” to achieve the objectives. The residual risks, if any, arising out of the legitimate use or process related information security risks may need to be covered with a new Cyber Insurance Plan, which could require a re-working of the economics of the suggestion.

These will be the new discussions which arise in the exchange of ideas in the Data War Rooms with the entry of the new elephant in the room, namely the DPDPA 2023.

P.S: (Data Analytics + AI) = Intelligence², but the square root of (Intelligence²) could be a complex number. The imaginary number ‘i’ is the consequence of DPDPA 2023.

(Agenda)

Naavi


Open Letter to Minister Ashwini Vaishnav

To Honourable Minister of IT, Government of India, New Delhi

Dear Sir

I refer to the Business Standard news today stating that the DPDPA rules are expected in another month; my first reaction was that this could be fake news. Refer here:

We have heard this “One Month” phrase so many times, and this time it comes with the extension of the public consultation period from 30-45 days to 45-60 days. Any AI news robot can generate such news articles periodically and we feel this could be one such AI created news.

If MeitY is expecting that Meta and Amazon or Google will give their approval before MeitY releases the draft, I am afraid it will never happen. Probably their head offices will not approve the draft till their Presidential elections are over. We have waited for our elections to be over and now we have to wait for elections in the US to be over.

I am also not aware why MeitY tries to consult the same companies who file cases against MeitY for any rule or law published. It is a shame that we see the lawyers of FaceBook and WhatsApp challenge the Intermediary Guideline in the Court in the morning and MeitY invites them in the afternoon for discussions on the next set of laws on DPDPA which we know they may challenge in the Court.

It is a tragedy that there is a feeling that MeitY lacks self confidence about its capability of functioning without consulting the vested interests.

Kindly change this perception.

We as professionals are embarrassed at the procrastination, which was the hallmark of the MMS Government, and we do not want it to be inherited by Modi 3.0. You were once a professional and I hope you would understand our predicament when we interact with peers from other jurisdictions. I suppose you are as embarrassed, if not more, to say again and again that the rules will come next month.

We have lost all our excuses for why the Modi Government has been unable to give effect to this law since 2018. Kindly give some reasons for the delay rather than giving new timelines.

Naavi


Do we Need a “Sandbox Law”?

It is a common adage to say that “Law is always behind the Technology” ..and also to add, “like the traditional Hindu wife”. But all of us know that the “Tradition” has changed. The modern wife drives the bike while the husband sits on the pillion. DPDPA refers to “she” and “her” instead of the traditional “he” and “him” when referring to an individual by pronoun. This is an indication that times have changed and we need to change with the times.

In the field of law, we used to recognize that “Ethics” comes first and is converted into “law” in due course. Today we have the concept of “Due Diligence” built into many laws which is nothing but “Ethics” as “Self adopted law”.

Practitioners of Technology however defy “Ethics” and support the concept of “Innovation” at any cost. Technologists want to be exempted from legal bindings so that they can “Innovate” without hindrance. This attitude breeds trouble which we have called “Technology Intoxication” in the past.

One compromise solution that the industry has developed at present to prevent the adverse effect of a bad software release is to enable a “Sandbox” where new software can be tested in a controlled environment before it is released to the open.

Despite the availability of this “Sand Box” concept and the “Beta Releases” which were the norm earlier, it is common to see that software normally carries “Zero Day Vulnerabilities”.

Some organizations try to provide “Bug Bounty” programs so that vulnerabilities observed after release can be reported, rewarded and corrected. However there are many companies who do not show even this courtesy.

Also the rewards of Bug Bounty are not good enough to meet the competition from the hacking community, where the vulnerability information is sold on the dark web for much larger value than the Bug Bounty rewards.

In this context a time has come to discuss if there should be a mandatory sandbox routine before any software is released to the market for direct consumption by consumers. “Beta Testing” cannot be optional; if it is, it will always be abused or neglected.

Hence we need to debate a suggestion to create a new “Sand Box Law” to mandate that every software has to go through a “Sand Box” cooling period. It will be necessary for this purpose to create the required infrastructure both by the Government and the industry.

In the case of software which is used by the industry as a B2B product, the responsibility for vulnerabilities should be borne by the user (buyer or licensee), who can get himself indemnified by the developers.

The Consumer protection laws need to be strengthened for this purpose if required.

Advent of AI

Now with the advent of AI, we are aware that all Cyber Crimes have started using AI to make the crime more sophisticated. The information on the Internet today has become completely unreliable since fake news is becoming extremely common. Whether it is political news or war news, nothing seems to be true unless otherwise proved. This is a very sad state of affairs.

India is now considering regulation of AI. Hence this is the right time to consider whether the concept of “Mandatory Sandboxing” should be extended to the AI law.

The Government of India has already given an advisory that AI developers and users need to register with the MeitY. But probably this has been ignored by the industry.

The consequences of not complying with the advisory would become a “Lack of due diligence” and loss of “Section 79-ITA 2000” protection or “Non Compliance of the obligations of a data fiduciary” under DPDPA 2023.

To make the law more effective, the deterrence available under the laws needs to be highlighted in such a context. ITA 2000 has criminal provisions and, depending on the adverse consequence, an AI user organization and the AI developer organization may be liable for up to life imprisonment, which can be extended to the executives of the organization. Simultaneously the civil penalties under both ITA 2000 and DPDPA 2023 may also become effective.

We suggest that instead of Naavi.org releasing the note of warning, CERT-In should release a notification in this regard. We can then expect that the industry takes note of this provision. People say that unless there are at least a few cases of imposition of penalties, industry will not respect the law, and therefore CERT-In should order prosecution in some cases so that people become aware of their responsibilities.

Call for a Debate

I therefore call for a debate on how “Innovation can be bound within a mandatory Sandbox law” with severe penalties, both civil and criminal, for the consequences arising out of software.

I also call for a debate on penalizing and punishing those security researchers who identify a vulnerability and sell it on the dark web instead of handing it over to the company while simultaneously reporting to the authorities.

In such cases, the Government itself should impose penalties which should be shared with the security researchers as “Incentives” which should reduce the incentive for selling the same in the dark web.

I am certain that this thought will be considered revolutionary and perhaps even revolting. But the need for ending the irresponsible behaviour of software developers, who have today converted the internet into a large Fake Information factory which is percolating into AI software because of machine learning, is urgent.

If this is not controlled, AI will kill whatever little trust remains in the Internet. Just as people deride the “WhatsApp University”, the time is not far off when people will start deriding “Google University”.

The software industry should, for its own existential reasons, become more responsible and stop claiming that “Innovation is our job, Protecting the Society is somebody else’s job”.

Innovation that hurts society has no place and has to be thrown out, if not voluntarily, then by a new set of laws.

Let’s Debate.

Naavi
