Naavi.org

The concept of Data Protection as management of Personal Data of individuals involving certain Privacy Principles in addition to information security concepts emerged from the need to protect the Privacy Right of the individual.

In protecting the Privacy the concept of Information Security got enhanced with the principles of providing a right of choice to the personal data owner on what are his preferences regarding the use of personal data by a third party. Hence “Consent” became the main parameter on which the personal data needs to be governed by any organization.

At the same time to be fair to the community there was a need to incorporate some of the legitimate interests of the business and the Government. Hence the final outcome of the data protection law is an attempt to balance the interests of the individuals along with the interest of the business and the Government.

This principle of “Fair Governance” is reflected in the DGPSI framework which is the only framework available on date for compliance of DPDPA 2023.

Some of the key principles adopted by DGPSI (Data Governance and Protection Standard of India) which reflects “Fair Governance” is

a) Need for Data Valuation policy to enable the Management understand the financial risks involved in the Governance of Personal Data

b) Need for a Data Monetization policy to represent the interest of the business where “Privacy Compliant Data Monetization” is pursued.

c) Need for “Data Disclosure Policy” to support the requirements of law enforcement and Government to ensure that the personal data is not misused.

d) Need for Responsibility Distribution so that the entire organization and its work force takes up the responsibility for compliance.

Understanding and implementing the requirements of different sections of Personal Data Users is also the concept of Fair Governance of a Kingdom which came to be recognized as the “Rama Rajya” concept which we may remember on the day when India is entering an era of awakening with the opening of the Ayodhya Rama Temple.

Naavi

While we are awaiting the civilizational event at Ayodhya tomorrow DGPSI of FDPPI takes a leaf out of the concept of Ramarajya as a symbol of Fair Data Governance as part of the Compliance framework of DPDPA.

Naavi

After DPDPA 2023 has become a reality, there is a scramble to find a framework of compliance which can assist organizations in implementing a Data Governance and Protection Management System (DGPMS) which can provide “Compliance by Default and Design”.

The key compliance requirement of the Act is contained in Section 4(1) of the Act which says

A person may process the personal data of a Data Principal only in accordance with the provisions of this Act (a) for which the Data Principal has given her consent; or (b) for certain legitimate uses.

Consent or legitimate use is a necessary aspect of the obligation but not “Sufficient”. The obligations cover all the other provisions of the Act which need to be taken into account.

An organization that needs to be compliant with DPDPA 2023 cannot rely on the existing frameworks such as ISO 27001 which addresses only one aspect of compliance namely how to preserve the confidentiality, integrity and availability of personal information to those who have a need to know or ISO 27701 which extends the ISO 27001 to legal basis of processing and rights of data principals under GDPR.

While there is always a possibility of adapting ISO 27001 or ISO 27701 to compliance of DPDPA 2023, if the implementer is innovative enough, the need for India to develop its own framework to directly address DPDPA Compliance has arisen with the passing of DPDPA which is not GDPR.

If DPDPA is not GDPR, it seems not logical that we should use ISO 27701 for DPDPA Compliance.

The TINA principle (There is no alternative) is unfortunately not applicable in favour of ISO 27701 since FDPPI has been working on the alternative in anticipation of the law being passed in India. Accordingly, PDPSI or Personal Data Protection Standard of India was introduced after PDPB 2018 was released and progressively upgraded to PDPB 2019, DPA 2021 and DPDPB 2022 is now available as DGPSI or Digital Governance and Protection Standard of India.

DGPSI recognizes that compliance of DPDPA 2023 requires also compliance of ITA 2000 since there are some sections of ITA 2000 which are relevant even after DPDPA 2023 comes into existence.

For example, we can recall Section 72A of ITA 2000 which states

(72A of ITA 2000) Penalty for Disclosure of information in breach of lawful contract

Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person shall be liable to pay penalty which may extend to twenty-five lakh rupees

This section will continue to apply even after DPDPA 2023 comes into being.

Similarly there are several other sections of ITA 2000 applicable to Personal Data Breach that needs to be complied with by a Data Fiduciary as well as a Data Processor.

Hence DGPSI framework recognizes and incorporates ITA 2000 compliance requirements also to the implementation framework which ISO 27001/27701 may not consider.

As a bonus DGPSI also includes part of the Bureau of Indian Standard draft guidelines on “Adequacy of Data Governance and Data Management System” meant for data driven organization which recognizes Data as a valuable asset of a company which is recommended to be managed in a particular manner.

As a result, DGPSI has emerged as the Gold standard for a Compliance framework for DPDPA and perhaps the only standard for implementation.

The fact that it is also available for Certification makes it a TINA in the reverse. As of now there is no alternative to DGPSI as a framework for DPDPA 2023. The framework also accommodates Data Trust Score as a tool of assessment which can be expressed as a Score for good visibility to the management.

A Glimpse of what DGPSI represents can be captured in the 12 key principles that are the foundation of the framework depicted below.

At the end of this short discussion organizations need to only ask themselves ….

Why run around searching for compliance framework. Why Not DGPSI?

Naavi

(Continuation of the previous article)

One of the key aspects of DPDPA 2023 is the recognition of some Data Fiduciaries as “Significant Data Fiduciaries” (SDF). The SDF would have responsibilities to appoint a DPO, a Data Auditor and conduct DPIA periodically in addition to other obligations.

Since the Act has not defined “Sensitive Personal Information” but incorporated “Sensitivity” as a criteria for defining the SDF, it is expected that the Government is thinking of a combination of “Sensitivity” and “Volume” to define an SDF.

When we define the role of an organization as a “Data Fiduciary” or “Data Processor”, we take note that an organization is an aggregation of multiple processes involving personal data processing and in all those processes, they may be determining the purpose and means.

In most cases they may be using the services of data processors to process the data for the purpose for which it has been collected by the data fiduciary but in a manner which is at the discretion of the processor and protected by their Intellectual Property right. In other words, the “Means of Processing” will be under the control of the processor. In such cases the “Processor” is to be recognized as a “Joint Data Fiduciary”.

Similarly there are processes in which an organization may be a Data Processor of some other Data Fiduciary.

If we place the tag of “Data Fiduciary” and “Data Processor” on the entity as a whole, it will not reflect the role of the entity in the specific context.

This raises the question Why Not we recognize the role of an entity with reference to the specific process? so that the entity can be a data fiduciary in one process and a data processor in another?

This concept can be implemented by considering an organization as an aggregation of processes and the focus of compliance being placed on a process. Every process has an input of personal data, certain modifications that occur within the process and thereafter creation of an output which is stored or disclosed or fed into another process as an input. With this concept of a “Compliance Entity being an aggregation of processes”, we can make the role definition “Process Centric”. This requires an inventory of processes to be developed with identification of input, purpose of processing and output. If the role of the entity in that process is as a “Processor”, then the compliance requirement would be based on the processing contract issued by the data fiduciary who has entrusted the processing to the entity. If the role of the entity in the process is that of a Data Fiduciary, then the compliance framework has to be the DPDPA2023.

In this approach, the entity will be considered as a “Hybrid Entity” of process centric role as a data fiduciary or a data processor. Different compliance controls will be applicable to the different processes.

I hope the discussion upto this point is non controversial and implementable. People will recognize that even GDPR wants a creation of ROPA (Record of Processing Activities) and this suggestion adopts the ROPA principle. However, I am not sure if a thought has been given to the fact that an organization can be both a Data Fiduciary (or Data Controller) and a Data Processor at the same time.

This multiple identity recognition is essential since if we recognize the role of a Data Fiduciary and Data Processor at the entity level, then every organization would be a data fiduciary and here is no pure data processor. In such a case all entities under GDPR would be liable for obligations of a Controller and all entities under DPDPA 2023 would be liable as Data Fiduciaries since we can find at least one personal data processing in every organization where it would determine the purpose and means of processing by itself.

I hope we can now ask the question Why Not an entity can be a data fiduciary and a data processor at the same time for different processes and manage its compliance with reference to DPDPA 2023 in certain processes and with reference to the vendor contract in other processes?

Having crossed this stage of debate, we now come to the more difficult part of segregating processes themselves on the basis of “Sensitivity” and “Volume”. In other words, Can some processes be more sensitive than others? Obviously yes. If so, Why Not distinguish processes on the basis of “Significant” and “Not Significant”?.

If so, we can consider an entity as a SDF in one process, ordinary data fiduciary in another process and a data processor in yet another.

Some will say ..Oh! we are suggesting a system of Compliance with a concept which even the GDPR has not mandated.

But I would like to ask the question Why Not?

The solution that emerges is that the operations of an organization shall be considered as an aggregation of multiple processes and in each process, identify the purpose and its sensitivity and classify the “Process” as a “Significant Process”. The entity will be a “SDF” only in the context of this process and not otherwise.

This means that the DPO need to be a leader of all Significant Personal Data Processes and mandatory conduct of DPIAs applies only to that process.

Since the classification of processes into Significant or otherwise is part of the “Risk profiling” of the Company, the Data Auditor would audit the system of how some processes were classified as significant and others were not. But there after his focus also could be only on the Significant Data Processes.

This thought process of SDP (Significant Data Process) instead of SDF (Significant Data Fiduciary) will simplify the compliance and appears logical.

This suggestion takes a fresh view of the “Data Flow Diagram”. The Personal Data Flow diagram need to indicate the flow from process to process and hence instead of recording from which device data flows into which other device, it has to record from which process it moves to which other process. Each process however represents an application executed in some device and will have a Process owner (who may also be a device owner) and associated with the details of the process similar to what is indicated in the Article 30 of GDPR. The Controls need to be established in such a manner that they are associated with the relevant processes based on the Compliance requirements related to the process.

Comments are welcome.

Naavi