Let DGPSI be a symbol of Compliance

DGPSI, or the Data Governance and Protection Standard of India, is an approach that follows the principles of compliance indicated in DPDPA 2023.

Compliance with DGPSI means being in compliance not only with DPDPA 2023 but also with ITA 2000 and the BIS standard for Data Governance.

Just as Lord Rama is a symbol of Good Governance, DGPSI endeavours to be the symbol of a Good Compliance Framework that towers over other compliance frameworks.

Our next physical program is at Pune on 6th January 2024.

Watch out for DGPSI training sessions in your city or online. Contact FDPPI at fdppi4privacy[@gmail.com]

Naavi

Posted in Cyber Law

Welcome 2024 with the emergence of the Ayodhya Rama Mandira

We wish all the visitors of Naavi.org a very happy and prosperous new year. At the same time we welcome the emergence of the Ayodhya Rama Mandira in Bharat.

In the last few months of 2023 we saw a spate of new laws being passed, including DPDPA 2023, which is of direct interest to the Data Protection community. The new Criminal Code, IPC and Evidence Act are also very significant and are connected with DPDPA 2023 and ITA 2000. In 2024 we may see the rules under DPDPA 2023 being notified, a new ITA 2000 being introduced and many other laws, such as the Broadcast Bill, being passed. Let us watch the legal space as it develops.

Naavi

Posted in Cyber Law

Why Privacy cannot survive the death of an individual?

The discussion on “Nomination” gave rise to a debate on LinkedIn on why we should consider that the “Right to Privacy” is only for living persons. I would like to explore this further.

DPDPA 2023 is not specific about whether the Act applies only to living persons, as GDPR has stated. The reason is that DPDPA 2023 is not a “Privacy Protection Legislation”. It is only a “Digital Personal Data Protection” regulation. Hence there was no need to clarify this point.

DPDPA 2023 expects that data needs to be protected under the CIA concept. This responsibility starts from the collection as a “Fiduciary” and continues until the data is effectively given back to a legal heir of the deceased. DPDPA 2023 imposes additional obligations such as “Notice”, “Consent”, “Data Breach Notification” etc., which the Fiduciary also has to fulfil.

Notice and Consent are obligations towards the Data Principal, while data breach notification is an obligation towards the regulator and the data principal. Notice and Consent are relevant only if there is a living being to whom the notice can be given and from whom consent can be obtained. If the individual who can give his consent is not alive, no consent can be given. Hence this right has to be considered as extinguished on the death of the data principal.

What survives after the death is a need to dispose of the property of the deceased that the “Fiduciary” obtained on trust for a certain purpose. During the lifetime of the individual he had the right of withdrawal of the consent and death snatches away this right. Hence the permission granted while the right to withdraw consent was available becomes infructuous on the death of the data principal.

Now coming to the “Right of Nomination”, it is the desire of the data principal expressed during his lifetime but exercisable only after his death. It is therefore a complex thought with an inherent contradiction that has to be sorted out by a jurisprudential thought process.

To be consistent with ITA 2000, which does not recognize any electronic document of the nature of a testamentary document, and assuming that it is impractical to obtain a written paper nomination in the digital personal data scenario, we need to give an acceptable meaning to the word “Nomination”.

If we consider “Nomination” as a “Transfer of right in a property”, it contradicts ITA 2000 (in electronic form). On the other hand, it is a burden for the data fiduciary to obtain a paper instruction for nomination or to implement a claim settlement.

The legal status of “Nomination” is that it is a method to transfer the responsibility of disposal of property to the legal heirs through an intermediary who is trusted by the erstwhile property owner. Just as a Will gives the “Executor” of the Will, a person trusted by the deceased while he was alive, the power to collect, encash and distribute the property to the legal heirs, the Nominee is expected to discharge a similar responsibility. This responsibility has two steps. The first is taking custody of the property without doing anything else with it, such as encashing it. The second is encashing it.

In the digital personal data scenario, where the “Nomination form” is not a “Will” and the “Nominee” is not an “Executor” of a Will, we must recognize only a limited responsibility for the nominee: to take custody of the property without discharging any responsibility other than safe custody. He may have to send a suitable notification to the legal heirs to take over the property with rights of further disposal, including monetization.

In summary, the jurisprudence that develops out of this chain of thought is:

  1. Nomination indicates the choice, made by the data principal while he was alive, of the person to whom his property should be given for safe custody after his death. This indicates that the permission given to the data fiduciary for processing is terminated and the data has to be safely handed over to the nominee.
  2. The Nominee cannot further instruct the continuation of the processing or monetize the data in any other form.
  3. The nominee, as a “Trustee” similar to the “Executor” of a Will, has the responsibility to find out the legal heirs and transfer the digital property to them.
  4. Just as an executor is entitled to recover his expenses for discharging his duties, the nominee can recover costs, if any, from the legal heirs.

In the case of a Will, Courts can grant a “Letter of Probate”. At present there is no equivalent document that can be called a “Letter of Administration of digital personal data” issued by any judicial authority.

A jurisprudential advice in this regard is that the Data Fiduciary shall issue a “Letter of Administration of Nomination” to the nominee, which entitles him to contact the legal heirs and dispose of the property. It should be at his discretion to approach a civil court, validate the “Letter of Administration of Nomination” and convert it into a “Letter of Probate”-like document.

This would be a suggestion in the DGPSI toolkit by Ujvala Consultants Pvt Ltd.

It would be good if MeitY incorporates such thoughts in the form of its own rules. Once the full set of rules is released by MeitY, Naavi will release a toolkit for compliance with DPDPA 2023 based on the DGPSI framework, in which such thoughts would be included.

In the meantime, comments are welcome.

Naavi

Posted in Cyber Law

Relationship between IPR and Privacy

The passage of DPDPA 2023, with a provision for “Nomination” of personal data as a right of the Data Principal, has given rise to a debate on the nature of “Personal Data” in law.

“Nomination” obviously means that personal data is a “Property” that can be transferred on the death of a person. The instrument of transfer is the “Nomination form”, which has to identify the property being nominated and the identity of the person to whom it is nominated for further disposal to legal heirs.

It is the principle of “Nomination” that the “Nominee” is an agent for disposal of the property and not necessarily the undisputed owner of the property. The ownership of the property on death should get transferred as per the laws of transfer of property.

“Nomination” is considered as an instruction to the custodian of a third party's property that, in the event of the death of the owner, the property should be entrusted to the nominee for disposal to the rightful owners of the property. The rightful owners of the property would be determined by the “Will” or, in the absence of a “Will”, by the provisions of the appropriate law.

A question arises whether the “Nomination” document itself can be considered as a Will. But this is not the accepted legal position. The purpose of “Nomination” is to help the custodian of the property to easily dispose of the property from his custody to another person chosen by the deceased during his lifetime. It is meant to discharge the custodian from any claims of wrongful disposal by persons other than the nominee who may have ownership rights on the property.

The nomination document should be more appropriately considered as a document that creates a “Trust” of the property of the deceased in the hands of the custodian for the rightful beneficiaries of the property. The trust gets created on the contingent event of death of the owner of the property.

In Indian law, immovable properties are transferred as per the Transfer of Property Act. Movable properties and actionable claims are transferred during the lifetime of the owner through contractual instruments. Any document that transfers the title on the contingent event of the death of the owner is called a “Will”. Under ITA 2000, a “Will” cannot be in electronic form, and hence a nomination document taken as a part of the “Consent” for personal data collection is not valid in law.

On the other hand, “Intellectual Property” is a separate category of property recognized as an intangible property associated with “Creativity”. The derivative of “Intellectual Property Right” can be physical or virtual. The law related to intellectual property is fairly well developed from the point of view of valuation and transferability as well as sharing of value during the life cycle of the development of intellectual property.

The principles of valuation used in intellectual property can be a good guide even for the valuation of “Personal Data”, as has been used in Naavi's Theory of Data in hypothesis 3, titled the “Additive Value Hypothesis”.

The uniqueness of “Personal Data” as property recognized by DPDPA 2023 is that it is a unique property which can be considered as neither physical nor virtual, neither movable nor immovable. Hence we cannot confidently apply either the immovable property related laws, the movable property related laws or the intellectual property laws to personal data.

Jurisprudence on what kind of property is “Personal Data” needs to be developed over time.

If we consider the definition of “Personal Data” as any information about an individual that includes the name, address, IDs such as biometrics, Government IDs like PAN or Aadhaar numbers, Employee numbers, Phone numbers, E-Mail addresses, Health information, Financial information, Educational information etc., we can say that it is created by a number of individuals other than the individual to whom it relates. Hence the ownership assignment is ambiguous.

For example, A sees B and creates a mental profile of B. Whether this is the property of B, to whom it relates, or of A, who creates it, is a question which is not easy to answer. A Health report may be paid for by the individual, so that the ownership can be considered as bought by the individual from the hospital that creates it. But an Employee ID, E-Mail etc., which is assigned by an employer to the employee, is neither created by the employee nor paid for by him. It is created and extinguished at the discretion of the employer. In such a situation, is it correct to conclude that the property belongs to the employer? If so, unless the employer declares through a contractual document that the property right is transferred to the employee, either as a limited period right until he/she is in employment or permanently, it remains the property of the employer.

The same dilemma confronts a mobile or an e-mail service provider, who may exercise a right over the mobile number or email ID and decide to re-allocate it to another person under certain circumstances. In such a situation, what happens to the PII nature of the information?

Similarly can a parent who has assigned the name to his child withdraw the name at some point of time in the life of an individual?

Can we consider some information like “Address” to be “Temporarily personal”?

What are the identifiers which can be considered wholly owned by the individual or assigned by the parents, assigned for temporary use by employers?

It appears that personal information that is wholly owned by an individual is close to being called an “Intellectual Property” of the individual or “Bought out property” from other creators.

…Open for debate

Naavi

Posted in Cyber Law

DPDPA Compliance Movement

During 2005, Naavi/Cyber Law College undertook a Cyber Law Compliance Movement across the country and more particularly in Karnataka. During that time several law colleges in Karnataka conducted awareness programs and introduced certification programs. As a result, today most law colleges have Cyber Law as part of their teaching and awareness has reached some level of significance. While more work can be done in this field, today nobody can say that people are not aware of ITA 2000.

In the year 2024, Naavi.org, in association with Cyber Law College and FDPPI, would dedicate itself to a movement for DPDPA 2023 compliance. This time the movement would not stop at creating awareness, though that would be one of the major activities. The focus would be on how the industry can be compliant.

There will be one section of society which will keep pointing out the deficiencies of the Act and its rules. We may appreciate that there will be a need for improvement and that constructive criticism is essential. However, to the extent possible we need to accept what is available and try to be compliant.

This is a huge task but we would attempt it.

Hence 2024 is declared as the “Year of DPDPA Compliance”. Watch out for various activities directed towards this objective.

I request all professionals to support this initiative and help us in the projects associated with planning and implementing this movement.

This would be the New Year Resolution of Naavi/Naavi.org/Cyber Law College/FDPPI for the year 2024.

Naavi

Posted in Cyber Law

DGPSI is the product of “Design Thinking”

“Design Thinking” is a relatively recent management concept that evolved from the experience of innovating ideas that affect humans. It is considered as a “Methodology” which provides a solution based approach to solving “Problems”. Among “Problems” we often encounter “Wicked Problems” that are difficult to solve because of their interconnected nature.

Solutions that emerge to difficult problems are often termed “Innovative” and hence “Design thinking” is considered as a practice that leads to the success of innovators.

In the technology world, innovations are often camouflaged as “Technology Innovations” and the community accepts them since “Innovation” is a fashionable word. Many of the innovations are simply crazy ideas that have no benefit to society or are even destructive to society. But they are accepted and adopted because it is not fashionable to reject them. When managements are confronted with such ideas they find it difficult either to accept them or to reject them. It is in those contexts that a structured “Design Thinking” methodology may help a manager to arrive at a proper decision.

“Design Thinking” as a systematic field of study emerged in the last few decades and tries to codify certain principles that answer the question of how to strategize for success.

DGPSI, or the “Digital Governance and Protection Standard of India”, is a product that appears to have come through such a “Design Thinking Process”. DGPSI has evolved over a period, driven by the need for a “Framework” for assessing compliance with the emerging data protection laws in India. Initially it emerged as PDPSI (Personal Data Protection Standard of India) and then became the DGPSI as it is being used now.

When DGPSI was conceptualized, the concept of “Design Thinking” was not consciously followed. However, looking back at the development of this idea, which is “Innovative” and “Revolutionary” in some sense, it appears that the “Design Thinking” concepts were involved in the process of its development. If this is validated, it is a validation that Design Thinking actually works in practice and is not a theoretical concept alone.

The proponents of “Design Thinking” identify 5 stages in design thinking, namely:

1. Empathize

2. Define

3. Ideate

4. Prototype

5. Test

The problem that DGPSI set out to solve was the development of a “Framework” that could assist corporates or auditors in simplifying the process of compliance with the data protection law in India. The industry had multiple frameworks like ISO 27001 and ISO 27701, which were frameworks introduced by internationally accepted standards organizations. The most natural course for the industry was to adopt them as near approximations to the required frameworks and to use ISO auditors also as Data Protection Auditors.

However, this was highly ineffective, since it was like fitting a square peg into a round hole. Just because we have a square peg in our hands and a hammer, we cannot force it down to close a round hole. Even if we are successful, it leaves the corners porous and the plugged hole would continue to leak.

India adopted the Data Protection Law in the form of DPDPA 2023 (which is an evolution of ITA 2000/8, PDPB 2018, PDPB 2019, DPA 2021 and DPA 2022) on August 11 and presented it as the framework for legal compliance with Data Protection obligations by an industry, failure of which could lead to huge penalties.

In this context, trying to fit ISO 27001/27701 as a framework of compliance just because it was available would have been a compromise. Though there are more than 140 countries around the world, we do not have an example of any country trying to adopt a framework of its own to meet its data protection obligations. The practitioners in those countries were happy to follow ISO 27701, which was indirectly considered as a compliance standard that meets GDPR compliance. They ignored that ISO 27701:2019 was aligned with ISO 27001:2013, while ISO 27001:2013 had itself given way to ISO 27001:2022, and hence it was inherently not in sync with even the corresponding ISO 27001 standard.

India as a law maker did not fully follow GDPR, and hence DPDPA compliance could not be equated with GDPR compliance. Hence using ISO 27701 as a framework for compliance is unfit for DPDPA 2023 compliance.

The need to create an exclusive framework was therefore imperative.

Having decided to create a framework, the problem to be solved was “Do we need to have one more framework and complicate the life of implementers and auditors?”

When we looked around, there were 93 control recommendations from ISO 27001 which ought to be implemented, with 49 controls for PII Controllers and Processors under ISO 27701. But the US would still go for SOC 2 or sectoral regulatory compliance, for say HIPAA. In between, the Bureau of Indian Standards (BIS) came up with its own draft “Adequacy Standard” for Data Governance and Data Management with 71 desired outcomes, of which 25 were related to data protection. Further, ITA 2000/8 itself required a framework of compliance to meet its own requirements.

Hence it was observed that a corporate CEO had to support compliance with multiple laws and industry standards and go through compliance audits and certifications from multiple agencies. An ISO auditor would give only a certification for ISO 27001 or ISO 27701 and not for the BIS standard, DPDPA 2023, ITA 2008 or SOC 2. Each would be a different certification requiring the deployment of cost and effort to be certified.

A more complex problem for the CEO was that ISO 27001 was owned in the organization by the CISO while ISO 27701 was owned by the DPO. DPDPA 2023 was to be assigned either to the DPO already appointed for GDPR compliance or to somebody else. The BIS standard would obviously be the property of the Chief Data Officer, a new designation that would emerge after the standard is introduced. Inevitably a turf war and a fight for limited resources would emerge within the company, which the CEO had to resolve.

It was here that DGPSI tried to empathize with the requirements of the CEO/Top management and identified the need for a “Unified” framework that would be owned not only by the CISO but also by the DPO or CDO or even the CMO, CCO, CRO or CFO. Secondly, the DPO-GDPR could itself be a different designation from the DPO-DPDPA 2023 or the ITA 2000 compliance officer, and hence the “Unification” of responsibility had to cut across multiple senior executives.

DGPSI addresses this “Unification of Responsibilities” by being a framework that addresses DPDPA 2023 as well as the BIS standard, ITA 2000 requirements and ISO 27001 requirements for Personal Data Management, with distinct controls based on the applicable jurisdiction such as India, GDPR, CPRA etc.

This is the single most important reason why DGPSI can be considered as evolving out of the “Design Thinking” concept.

Having developed the framework, it has already gone through the stages of Definition, Ideation, an operating Prototype and Testing.

DGPSI is now being offered in two forms. DGPSI-Full is a complete framework that unifies the requirements of the different organizational leaders like the CISO, DPO etc., besides unifying the requirements of the DPO-GDPR and the DPO-India.

Further, by integrating the DTS (Data Trust Score) system, DGPSI is not only an implementation and certifiable framework but also an assessment framework.

I would not be surprised if it takes a few years for the industry to understand and appreciate DGPSI, as a concept, but there is no doubt that it would stand out as a worthy companion of the Made in India for the Globe concept that is today the essence of most of the policies of the Government.

No more surrendering our wisdom to colonial frameworks such as ISO 27701, designed for GDPR compliance, and adapting it to DPDPA 2023.

We shall stand on the strength of our own fundamental compliance framework made for DPDPA 2023 and extendable to GDPR.

I hope the professional community would support this indigenous framework by first understanding it, then adopting it and also contributing to its improvement.

FDPPI would be conducting a series of programs in 2024 to transform ISO auditors and CMA auditors into DGPSI auditors. Maybe we may even convert the financial auditors of ISACA to DGPSI auditors…

Let 2024 be a year of transformation for auditors, so that the Data Auditors envisaged under DPDPA 2023 would be available in the required numbers and quality before the Companies become desperate.

Reference articles:

The history of “Design Thinking”

“What is Design Thinking”

Naavi

27th December 2023

Posted in Cyber Law