IDPS 2024 gives Rs 36000/- worth Knowledge time for Rs 3000/-

Professionals attend many conferences round the year on various topics. Currently it is the season of Data Protection in India and multiple conferences are being held at different locations.

Those who attend a paid conference with a “Delegate Fee” often wonder what they actually take away from the conference.

There is one class of attendees whose main purpose in attending a conference is networking with peers and thereby enhancing their business prospects or employment opportunities. There is another class of participants who believe that attending a conference is for “Knowledge” and that every hour spent is helpful in improving themselves. The concept of allotting CPE hours is based on the principle that some learning does take place.

FDPPI which has been advocating “Valuation of Data” in its compliance guidance, has been focussing on this “Knowledge” part of a conference in its events like the IDPS 2024 so that there is “Value for Money” for the participants.

Hence the two day program on November 30 and December 1 is meant to provide nearly 12+ hours of conference time (excluding lunch and tea breaks) involving listening to Key Note and Panel Discussions. Accordingly CPE hours are also allocated to the registered participants.

What is more important in the case of the FDPPI conference is that, in addition to the 12 hours of conference time, participants are provided with “Focus Group Sessions” of around 6 hours at the conference venue itself and additional virtual keynotes of another 4-6 hours. As a result, apart from the main conference time of around 12 hours, another 6 hours are being offered without any additional price.

The delegate fee of Rs 3000/- therefore covers nearly 18 hours of knowledge sharing time. If we consider that each knowledge hour in the conference is worth Rs 1000 and each focus group hour session is worth at least Rs 2000/- we are talking of a total value of Rs 12000+12000 equal to Rs 24000. This is a value multiple of 8 times on the delegate fee paid.

Between now and the conference time, we are trying to add another 12 hours of recorded videos so that the value multiple is raised further to around 12 times, valuing the virtual sessions at Rs 1000/- per hour.

FDPPI is proud that as a Section 8 company, it is its commitment to the Data Protection Community to provide such value addition.

For more information, visit www.idps2024.in

Register today and book your seat….here

Posted in Cyber Law

Credentials of a DPO under DGPSI’s Jurisprudential lens

One of the first Model Implementation specifications under DGPSI, the compliance framework for DPDPA Compliance by design is

“Organization shall designate/appoint, DPO/Compliance Manager with necessary credentials and provide support in terms of people, budget and technology and external consultancy.”

This specification essentially focusses on the “Necessary Credentials” of the compliance manager or the DPO. The discussion on what the necessary and desirable credentials for a DPO are has been a long debate ever since GDPR came into being in 2018. The laws cannot specifically define the credentials. At best they can only list the requirements to be fulfilled by the DPO.

GDPR has been a little more specific on the tasks of the DPO while DPDPA is very crisp and states DPO shall “represent” the Significant Data Fiduciary, be a “point of contact” for grievance redressal and “be responsible” to the Board of Directors.

If we put on the DGPSI’s Jurisprudential lens and start interpreting the words “Represent” and “Be responsible”, and “Point of contact”, we will be able to understand the credentials required for a DPO.

A “Point of Contact” can be just that, a postman who passes on grievances to somebody who is designated as a “Grievance Officer”. On the other hand, the DPO himself can be the Grievance Redressal Officer (GRO). The ball is now in the court of MeitY: when it releases the much awaited “Rules” it can define the role of a DPO as either the “Postman” or the “Grievance Redressal Officer”.

We should note that ITA 2000 already requires an “ITA 2000 compliance officer and a Grievance Manager”, and hence it is natural to think that there will be a common GRO for both ITA 2000 and DPDPA.

However an organization also has the exposure to other laws such as Environmental laws, labour law or POSH Law, etc.

If labour disputes and POSH disputes are considered one class of disputes, the environmental laws as another class and added on to the ITA 2000 and DPDPA disputes, then a GRO would have to be a legal expert.

If however, ITA 2000 and DPDPA disputes are considered “Data Disputes”, the expertise required is in the two laws ITA 2000 and DPDPA, with additional knowledge of international laws and the technology aspects.

It is this expertise of ITA 2000 and DPDPA along with international data protection laws that the trainings like C.DPO.DA. try to develop. Most other DPO Certification programs may not even cover ITA 2000.

DGPSI understands and appreciates the need for a single GRO in a company who handles all types of disputes from employees and the public. However, considering the requirements of DPDPA and the likelihood of a large number of complaints under DPDPA, DGPSI recommends that the DPO himself/herself should be the GRO for data related disputes.

In view of this, the DPO should not be considered a mere postman whose contact information is available on the website just to receive, acknowledge and forward grievances to the GRO. Instead, the DPO should have “Dispute/Conflict Resolution Skills”, which involve “Negotiation” and “Mediation”. Accordingly, these skills are among the requirements of a good DPO.

The interpretation of the word “Represent” under DGPSI is that DPO shall be the face of the SDF (Significant Data Fiduciary) as far as the external world is concerned. Hence, on the one hand he faces the Data Principals and on the other hand he faces the Regulator and the Media. Hence DGPSI expects that the DPO possesses skills of negotiating with the DPB and later the Appellate Tribunal.

The DPO also needs to face the Media as a PR Manager to handle any Data Breach Crisis. Hence his required credentials include external communication skills.

DPO being a senior person reporting perhaps to the Board directly, questioning the R & D projects, Marketing Contracts etc for compliance deficiencies, often develops conflicts with other CxOs and even with the CEO. Hence, ability to manage the internal relations without sacrificing the commitment of his obligation under law is essential.

At this point of time we do not know if the DPO will be personally held liable for any compliance issues. However, DGPSI Jurisprudence suggests that since the organization is a “Fiduciary”, the primary responsibility of the DPO is to protect the interest of the data principals, and if he fails in this regard for any reason, including pressure from the organization itself, it is considered a “Breach of Trust”.

In the GDPR there is a provision that DPO shall not be dismissed or penalised for performance of his duties. ICO UK even has a DPO registration system.

At present, India does not have a DPO registration system nor DPO protection system at the level of the Government.

Only organizations like FDPPI are planning to provide such support.

Considering these internal conflicts, ability to effectively communicate internally and maintain internal relationships are considered as other requirements of an ideal DPO.

In view of the above the following six credentials are considered essential for a Good DPO.

  1. Legal Knowledge of DPDPA and other data protection laws along with ITA 2000
  2. Understanding of technology to the extent of converting the law into technology practices or identify legal infringements in technology
  3. Handling of Grievances with skills related to Conflict Resolution, Mediation etc.
  4. Ability to communicate effectively and negotiate with the Regulators
  5. Ability to communicate effectively and maintain good internal relationships with other CxOs
  6. Ability to communicate effectively with the external agencies like Media.

FDPPI through its training programs is trying to provide such skills and expertise and recommend others also to follow suit. Alternatively the management has to ensure that the DPO designate is provided training not only with organizations like FDPPI but additionally appropriate organizations for Conflict Management, Mediation and PR.

Naavi

Posted in Cyber Law

Focus Group Discussions on DPDPA for Advocates, CIOs/DPOs and Data Auditors

IDPS 2024 has planned its flagship event of FDPPI, in Bengaluru on November 30 and December 1 with several Key Note and Panel Discussions on Privacy and Data Protection with speakers from India and abroad.

Some of the topics listed for discussions are

  1. Emerging Technology Challenges to Privacy
  2. Privacy Enhancement Technologies
  3. Global AI developments, an Introduction
  4. Shaping the future of Data Protection and Influence of AI tech in EU and UK
  5. Recent Developments in US Data Protection Laws
  6. Guarding India’s Data Against Cyber Crime and AI threats
  7. Social Impact of AI and Robotics
  8. Is Industry ready for DPDPA?
  9. Responsible AI-AI and sense of Self
  10. Privacy Breach, Compensation through Adjudication
  11. EU AI Act
  12. DPDPA and the Emerging Rules

Apart from these discussions, IDPS has planned three focus group discussions on the impact of DPDPA, firstly on Advocates, secondly on CIOs and DPOs and thirdly on Data Auditors, held separately as parallel sessions.

In these sessions the impact of DPDPA would be discussed with reference to the specific groups in terms of their roles, professional opportunities etc. These sessions will be valuable for the professionals to get all their doubts cleared in terms of the Act and its impact on their professions.

The profession of “Data Auditors” is less known, but it is an activity important for current auditors in the Information Security area.

We hope these sessions will add lots of value to the program.

Naavi

Posted in Cyber Law

Happy Deepavali to all

Posted in Cyber Law

Feedback from C.DPO.DA. Participants

Recently FDPPI conducted a three day offline course for C.DPO.DA. in Bangalore.

The following are the short feedback from the participants.

  1. https://youtu.be/1DAeicKxdPI
  2. https://youtu.be/i4S9fKqFsQ8
  3. https://youtu.be/pOvmfx6qfEs
  4. https://youtu.be/EiBVLqgaKio
  5. https://youtu.be/5QOEuRCdp8A
  6. https://youtu.be/oV27wvy5Fn8
  7. https://youtu.be/I2RD6KsaZv4
  8. https://youtu.be/Tl9UMb5heu4
  9. https://youtu.be/YoC2Mm6GJKI

We thank all the participants who have recorded their views here.

Naavi

Posted in Cyber Law

Is this the Missing Link in Data Protection Jurisprudence?

In processing of personal data, it is common for data to be transferred from one entity to another either within the country or across borders. In such cases we identify the entities as either Data Fiduciary or Data Processor based on the definitions in the data protection laws.

For example if the entity determines the purpose and means of processing of personal data, it is called the “Data Fiduciary”. If the entity processes data on behalf of another entity and does not determine the purpose and means of processing, it is called the Data Processor.

DPDPA obligations are on the Data Fiduciary, and even the responsibilities of the data processor are borne by the data fiduciary through a data processing contract. Where the purpose and means of processing are shared between two entities, they become joint data fiduciaries.

In the event of a personal data breach and two data fiduciaries are involved, the liability may have to be determined based on the cause of the breach.

These requirements and role definitions are for processing of “Personal Data” and do not apply to processing of “Non Personal Data”.

We are aware that Section 72A of ITA 2000 applies when personal data is transferred from one entity to another under a contract and makes the processor liable for any contractual failures leading to compromise of data.

In this background we can discuss a very important jurisprudential issue in the data processing context involving two entities: whether the second entity, the processor, is processing “personal data” or “Non Personal data”.

DPDPA considers Personal data as the alienable property of the data principal and the data fiduciary as having certain limited rights of processing of the data. The data elements that are part of the consent are deemed to have been passed on by the data principal to the data fiduciary by transfer of custody.

This part of the data of the principal for the purpose agreed, becomes the licensed property of the data fiduciary. If the entity transfers this custody to another entity for processing, it is as if it is the property of the data fiduciary that gets transferred to the data processor.

It is like a person owning 1000 Sft of land leasing 100 Sft to another person, and that person sub-leasing it to a third person for temporary use and return. The terms of the sub-lease have to be within the permitted purposes of the main lease, but otherwise it may or may not be necessary for the second lessee to directly recognize the presence of the original owner of the 1000 Sft of land.

Similarly, the data principal and the data fiduciary have a direct contractual relationship which may, either directly or otherwise, permit the Data Fiduciary to use a Data Processor (if not prohibited, it may be a deemed agreement). But when the Data Fiduciary enters into a Data Processing contract with the Processor, it is a business to business transaction, and hence the data processor is well within his rights to consider the data as belonging to the data fiduciary.

In this instance, Section 72A of ITA is applicable to the contract. Otherwise the data processor may not even know if the data is real or pseudonymized.

In such data contracts, therefore, the following situations occur.

Data Fiduciary transfers identifiable personal data to the data processor and the data processor uses his proprietary means to process it. In this case, the data processor is in control of the “Means of process” and the data fiduciary can reasonably ask the data processor to be considered as a “Joint Data Fiduciary”. Otherwise he has to put lots of specific conditions such as that the data shall not be given to any other processor, shall be returned after the processing, shall be deleted after the processing etc. along with the power to audit. If he considers the data processor as a joint data fiduciary, there is no need to worry about the contractual terms since DPDPA applies in full to the data processor also.

On the other hand, if the data processor wants to safeguard himself from being held liable under DPDPA, he can insist that the data fiduciary pseudonymize the data and not share identifiable data with him so that he will not be liable as a “Joint Data Fiduciary”.

A parallel situation arises in HIPAA where PHI is transferred from one covered entity to another covered entity. This is considered as a permissible transfer. On the other hand transfer of data from a covered entity to a business associate is subject to contract.

Similarly transfer of personal data from a data fiduciary to another data fiduciary can be considered as a permissible transfer with a simple contract with the admission of the roles and we may call them as “Joint Data Fiduciaries”.

If the data transferred is not “Personally identifiable” because it is pseudonymized, then the transaction is completely out of DPDPA itself. If the pseudonymisation is done by the data fiduciary and the mapping data between real and pseudonymized data is held by him, then in the hands of the data processor the data is as good as “Anonymised”. As an abundant caution, the contract may state that “The data processor shall not attempt to re-identify the pseudonymized data, which will be considered a punishable offence under Section 43 and Section 72A of the ITA 2000”.
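The arrangement described above, where the data fiduciary pseudonymises before sharing and alone holds the mapping back to real identities, can be sketched in code. The following is an added illustration, not code from this post or from FDPPI: the `DataFiduciary` class, the field names and the sample records are all constructed for the example. Tokens are derived with a keyed HMAC so that rows belonging to the same principal stay linkable for the processor, while re-identification needs either the fiduciary's secret or its mapping table, neither of which is shared.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records as held by the Data Fiduciary (fictitious people).
FIDUCIARY_RECORDS: List[Dict] = [
    {"email": "asha@example.in", "mobile": "9800000001", "city": "Bengaluru", "purchases": 3},
    {"email": "ravi@example.in", "mobile": "9800000002", "city": "Mumbai", "purchases": 5},
    {"email": "asha@example.in", "mobile": "9800000001", "city": "Bengaluru", "purchases": 2},
]

# Direct identifiers that must never reach the Data Processor (assumed set).
IDENTIFYING_FIELDS = ("email", "mobile")


class DataFiduciary:
    """Holds the pseudonymisation secret and the token-to-identity mapping.

    Neither the secret nor the mapping leaves this object; the processor is
    handed only the output of pseudonymise().
    """

    def __init__(self, secret: Optional[bytes] = None) -> None:
        self._secret = secret or secrets.token_bytes(32)
        self._mapping: Dict[str, Dict[str, str]] = {}

    def _token(self, record: Dict) -> str:
        # Keyed HMAC over the canonicalised identifiers: deterministic for the
        # same principal, so the processor can still group that principal's
        # rows, but not recomputable without the fiduciary's secret.
        material = "|".join(f"{f}={record[f].strip().lower()}" for f in IDENTIFYING_FIELDS)
        return hmac.new(self._secret, material.encode(), hashlib.sha256).hexdigest()

    def pseudonymise(self, records: List[Dict]) -> List[Dict]:
        """Return the data set the processor receives; record the mapping locally."""
        shared = []
        for rec in records:
            token = self._token(rec)
            self._mapping[token] = {f: rec[f] for f in IDENTIFYING_FIELDS}
            shared.append({"principal_id": token,
                           **{k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}})
        return shared

    def reidentify(self, token: str) -> Optional[Dict[str, str]]:
        """Only the fiduciary can go from token back to identity."""
        return self._mapping.get(token)


def processor_aggregate(pseudonymised: List[Dict]) -> Dict[str, int]:
    """Work the Data Processor can do on tokens alone: total purchases per principal."""
    totals: Dict[str, int] = {}
    for row in pseudonymised:
        totals[row["principal_id"]] = totals.get(row["principal_id"], 0) + row["purchases"]
    return totals


def leaks_identifiers(pseudonymised: List[Dict], originals: List[Dict]) -> bool:
    """Check, before sharing, that no original identifying value survives in the data set."""
    direct = {rec[f] for rec in originals for f in IDENTIFYING_FIELDS}
    return any(v in direct for row in pseudonymised
               for v in row.values() if isinstance(v, str))


if __name__ == "__main__":
    fiduciary = DataFiduciary()
    shared = fiduciary.pseudonymise(FIDUCIARY_RECORDS)
    assert not leaks_identifiers(shared, FIDUCIARY_RECORDS)
    print(processor_aggregate(shared))
    print(fiduciary.reidentify(shared[1]["principal_id"]))
```

The `leaks_identifiers` check only covers direct identifiers. Attributes such as `city` are quasi-identifiers, and whether the processor's copy is really "as good as anonymised" depends on how many such attributes travel with the token and what other data the processor holds; that is a design decision the contract wording alone does not settle.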

This is not only applicable to DPDPA and perhaps applies to all other data protection acts including GDPR. Perhaps we professionals have not discussed this adequately, and this has been a missing link in data transfer contracts.

I would welcome the views of the experts….

Naavi

Posted in Cyber Law