Naavi.org

The new year resolution that FDPPI is pursuing for 2025 is to further promote the urgency for DPDPA Compliance during the year.

Towards this direction, FDPPI continues to

a) Build Awareness

b) Build Expertise

c) Provide the framework for compliance

d) Collaborate with PET developers

Currently there are lots of activities by different individuals and organizations about creating awareness of DPDPA. We welcome all these initiatives though there could be some differences of views on some aspects of the law here and there. Essentially the differences may come because other professionals may still be under the influence of the GDPR while we try to have an independent Jurisprudential view on different aspects of law. 

Whether it is the definition of what is “Personal Data” , How to identify the “Significant Data Fiduciary”, How to work on the rights of Grievance redressal and Nomination, or Data Monetization,  FDPPI may have a slightly different  view than some of the other professionals.

However, FDPPI welcomes the efforts of all community leaders in making “Data Privacy” a buzz word in the industry.

FDPPI now focusses on the next generation of work which is the enabling of implementation through the suggested DGPSI framework which can be used for implementation as well as third party audit and certification.

When a new thought like DGPSI comes to the market, there will be many who will continue to stick by the old practices…. and say “You should have done what others have done for years”. 

It is time to leave such advisors to the past and move ahead with DGPSI. The Birla Opus paint advertisement provides a similar message which describes exactly the sentiments I echo on DGPSI vs other frameworks.

DGPSI is an implementation framework that focusses on compliance of DPDPA. It has some revolutionary thoughts related to data classification, process based compliance, distributed responsibility, data monetization etc. In the past few months we are already seeing that some of the practitioners of other frameworks shifting their stand and saying this is also our view and can be implemented in the current framework as well.  I welcome such softening of the stand on DGPSI and look forward to them adopting DGPSI as a whole or incorporate its principles within the other frameworks they would like to stand by.

We intend discussing this concept of DGPSI as a framework for DPDPA compliance in depth during the three  day workshop at Mumbai on January 24, 25 and 26. 

Contact today to register yourself. This could be a turning point in the career of all ISMS auditors who would like to become a DPDPA Auditor.

Say No to dogmas  and yes to the new generation framework of DGPSI.

Naavi

DPDPA is a law and compliance and by nature any legal provision is an area of uncertainty. There will be different interpretations to the law. The User’s perspective of the law is always in his favour and Consumer Courts often are biased in favour of interpreting law in favour of the data principals. Hence if a technology process is cleverly using the personal data to generate insights that deliver targeted advertising, the consumer may feel it is a “Dark Pattern Practice” while the technology perspective or business usage of the same usage could be more permissible.

If the same instance is referred to a High Court there may be an interpretation more in favour of the business. However, understanding technology could still be a challenge and depending on the seniority of the advocate and the ability to aggressively present his point of view, one counsel may score over the other in convincing the judge that his view only is correct.

In such circumstances, it is a challenge for the corporate management to take a view one way or the other. This is the interpretational challenge that every Data Fiduciary has to successfully negotiate.

Even if we look at the basic requirement of “Discovery” and “Classification” of data as “Personal Data to which DPDPA is appliable”. ( Protected Personal Information), Whether there needs to be a classificational difference between Personal Data is a business contact data or a transactional data whether it is coming under GDPR or DPDPA or both is always a difficult decision to make.

Each one of us as a Data Protection Professional may have our own view on this dilemma. It is not certain if the Judge in a Court will agree with our view.

Living with this DPDPA dilemma is therefore the toughest task for a professional. Often within the organization itself there will be a challenge in convincing the CEO that your view is the correct view.

This is the dilemma which DGPSI as a framework is trying to resolve. through an elaborate PPI Classification Matrix.

The DGPSI’s PPI Classification Matrix is oriented to DPDPA as an act and tries to tag the data with reference to a specific section to which it would relate to. At first glance this may look too elaborate but it simplifies the compliance at the next level.

Time will tell whether this type of DPDPA based classification could be incorporated into the automated data classification tools that are being built for DPDPA Compliance. Since the classification logic has to be different for DPDPA as compared to say GDPR, the data has to be first classified in accordance with the applicable law and then classified as PPI under DPDPA or not. Until the software tools can adopt this two level classification the tools need to be used with human supervision to avoid any mis classification.

FDPPI will be discussing this DPDPA Dilemma and how DGPSI tries to resolve this in the special three day training on C.DPO.DA. which FDPPI will be organizing at Mumbai on January 24/25/26.

Naavi

As we enter the dawn of 2025, we the data protection professionals in India shall adopt a New Year Resolution….to be DPDPA compliant within the environment in which we work.

As a starting point we request every Corporate professional who observes any breach of DPDPA principles within their organisations to send a request to their DPO to correct.

Such principles include

1. Define a purpose for every personal data collection.
2. Ensure only such information as is required for the purpose are collected.
3. Ensure that there are no uninformed extensions of subscription to services
4. Ensure that personal data is not retained beyond the purpose requirement.
5. Ensure that valid consent is in place for every personal data collection and processing.
6. Ensure that personal data disclosures are as per documented procedures.
7. Ensure that every grievance from a data principal is promptly attended to.
8. Ensure that Compliance to DPDPA is not neglected because the organisation is certified compliant already to GDPR or ISO 27001.
9. Ensure that when in doubt about any aspect of DPDPA, contact FDPPI on email naavi@ fdppi.in or call naavi

Our motto…No Excuses..Just Be Compliant ..

Naavi

The three day program for Certified Data protection professionals and Data Auditors will be conducted at Mumbai on January 24/25 and 26.

The program is open for registration now at https://fdppi.iletsolutions.com/c-dpo-da-training-2025/

Those who attend the program will be provided with participation certificate and will be eligible to take the online examination for full certification.

Naavi

The reported breach of 6 million data sets of Ascension Health Systems opens up certain discussion points.

The data breach followed a ransomware attack from Black Basta indicates caused by an accidental downloading of a malicious file. It is reported that the breach happened on February 29, 2024 but came to light some time in May 2024 when the systems were disturbed. The Organization seems to be now in the process of notifying the affected data principals/patients.

What is important to note is “What happened after the data breach?”. If we look at the website of Ascension, there is no prominent notice on the website. The notice is available on an inside page.

On the HHS website there is a mention that “HHS is aware of a cyber incident involving Ascension Health and is in communication with Ascension Leadership to understand their efforts to minimize any disruptions to patient care.”

According to this report in hipaajournal.com, the breach has caused significant set back to the Company.

Initially the Company claimed that there was no data exfiltration but has now admitted and reported the data breach with a possibility of data theft.

The breach has affected 142 hospitals, 40 senior living facilities and more than 2600 care sites in 10 different states besides the District of Columbia. An estimated 5, 599,699 patients have been affected as per the report filed by the Company to OCR. There are already a couple of law suits filed against the Company and the full impact of the breach is yet to unfold.

In the meantime, the Company has announced that affected individuals will get 24 months of credit and CyberScan monitoring, as well as $1,000,000 insurance reimbursement policy and fully managed ID theft recovery services. Normally such services may cost nearly $20 per month though this cover could be treated as a group cover under a much lower cost. However, given the quantum of data breach the company which had made a loss of $79 million last year could be in for a huge trouble in the year 2024-25. At present HHS has not imposed any fine of its own and if it finalizes its penalty there could be another $600 million or more as regulatory fine.

In the context of the incident, it would be interesting for Indian Cyber Insurance Companies to come up with appropriate policies that provide for such liability insurance under DPDPA. At present we often look only at the penalty of Rs 250 crores as the liability for data breach.

However the cost of compliance which includes such complimentary credit monitoring and Cyber crime cover, could be much lager. If 6 million people are to be sent a registered letter by post the cost could be about Rs 12 crores. The Credit monitoring and Cyber Crime coverage insurance if available may cost about Rs 3000/- per person or around Rs 1800 crores. (Assuming an average coverage of around Rs 5 lakhs).

Naavi

We opened up a discussion yesterday on the challenges before a digital marketing or a digital advertising company after the advent of Data Protection laws such as DPDPA.

Advertising is focussed on the five principles namely creating Awareness, Interest, Desire besides informing about the availability and enhancing the post purchase satisfaction.

The Advertising has the responsibility of converting the marketing strategy through appropriate communication to bring desirable changes in the buying behaviour. The advent of Artificial intelligence (AI) has enabled advertisers to analyse the buying behaviour of a prospective consumer and derive better communication strategies.

On the other hand the approach of Privacy and Data Protection is to provide the consumer a choice of decision making and any attempt to persuade the consumer to change his buying behaviour may be considered as ‘manipulation’ of the consumer’s mind and invoke the complaint of the use of “Dark Pattern” methods which are considered undesirable and a punishable offence under the Consumer Protection Act.

Consumer goods organizations who depend on Advertising need to balance their need for marketing with the risks of their campaigns turning out to be considered as “Manipulations” of the consumer mind.

At the same time, in structuring the appropriate advertising messages, an organization needs to have a good understanding of the current state of mind of a consumer and hence “Profiling” of a Consumer is the starting point for any marketing activity. Understanding the buying behaviour and tailoring the advertising messages to maximize the desire to purchase is the essence of marketing.

Attempting to understand and document the buying behaviour of a consumer is what is referred to as “Profiling”. The DPDPA and other data protection laws consider profiling of visitors on a website as an infringement of Privacy rights. GDPR Compliance therefore considers “Cookie Management” as an important activity of Compliance.

In DPDPA Compliance therefore, we need to strike a balance between the advertising needs and the avoidance of privacy infringement. Many times the Data Fiduciaries entrust their advertising responsibilities to specialized agencies and donot have a clear visibility of what an Advertiser is doing to gather information.

The DGPSI, the golden standard for DPDPA Compliance suggests many effective steps to mitigate the Privacy Risks in Profiling of prospective customers including visitors to a website or Visitors to a retail product store, conducting marketing surveys etc.

a) Manage the Advertisers as Joint Data Fiduciaries

b)Develop an exclusive “Data Monetization Policy” which includes the Profiling and Advertising policies

c) Develop a suitable Pseudonymization/anonymization policy for Personal Data Processing

When we look at the risks of advertising, it is clear that people mind “Friendly Alerts” but are concerned about “Spamming”. When does a “Friendly Alert” become “An Annoying Spam” and how do we recognize it is the art of Digital Advertising in the Privacy Era.

In the years around 2011, Naavi was pursuing a patent on “Adview Certification” and though Privacy was not a concern at that time, had incorporated an element of Consumer Consent and incentivisation. The thought seems to have a value even now with the added aspects of Anonymized processing of information and the use of AI.

Perhaps this new thought requires to be merged with the DGPSI framework into the “Data Monetization Strategy”.

This would however require technology back up where gathering of profiling information is done in a manner that it has the consumer consent and the delivery of advertisements is done in such a manner that it cannot be classified as “Spam”

Watch out for more action in this front as the “Privacy Compliant Digital Advertising” as a concept is unfolded. Probably there is scope for new Privacy Enhancement Technology Products in this area as well.

Naavi