“Privacy Pitamaha” title conferred on Justice (Rtd) K S Puttaswamy

Justice (Retd) Sri K.S. Puttaswamy, the person who initiated the Supreme Court petition on Privacy which finally ended up with the judgement on August 27, 2017 that Privacy is a Fundamental Right in India, is today 98 years old and lives a quiet life in Bengaluru. At a time when the industry is celebrating the advent of the new law, we considered it necessary to recognize the man behind this watershed moment in India.

Accordingly, the Board of FDPPI passed a resolution that we should confer the title “Privacy Pitamaha” on him, and today we called on him at his residence to convey it to him through a simple meeting. Dr Avinash, Dean of Manipal Law School, joined FDPPI on this occasion to support the initiative.

We feel a sense of satisfaction that the contribution of this senior citizen who created history in India was recognized by FDPPI. We feel honoured by honouring him.


Is Indian Express guilty of Privacy infringement under DPDPA and ITA 2000?…DPDPA is here…4

It has become a practice for organizations to send marketing e-mails with a “Do Not Reply” address. Today I came across the following email from Newsletter@indianexpressonline.org, but with the Reply-To set to a non-existent email address, emailers@indianexpressonline.org. Obviously the reply message bounced.

The email was delivered through the AWS service Amazon Simple Email Service.

Consequent to the DPDPA being a law in India, we need to debate the ethical and legal aspect of such emails.

Does this email of Indian Express constitute a communication without an appropriate notice and consent? Maybe Indian Express may today say that the date of effectiveness of the provision of Section 5 of DPDPA is not yet announced.

But could this also be considered “Impersonation” and an attempted Section 66C (ITA 2000) offence, which is a cognizable offence with 3 years’ imprisonment?

To me it appears to be so.

Next, what is the role of Amazon SES, which is the instrument of this crime? Is it to be considered a “Data Processor” and an “Agent”, so that the liability for impersonation and attempted impersonation lies only with Indian Express and not Amazon? Or is Amazon a joint Data Fiduciary that has a liability under DPDPA while escaping liability under ITA 2000, where it is an undisclosed agent?

My view is that both Indian Express and Amazon are guilty of the Section 66C offence of ITA 2000, which is effective today, and also liable under Section 5 of DPDPA, for which a penalty of up to Rs 250 crores could be imposed …if the DPB had been in existence?

Let’s Debate.

Comments are welcome

Naavi


Now FDPPI’s Framework becomes more valuable

FDPPI had introduced an implementation and certifiable audit framework for Data Privacy in the name of PDPCSI (Personal Data Protection Compliance Standard of India). This framework, created by Naavi, was meant to assist organizations towards compliance with the data protection laws in India.

Initially PDPCSI was made compatible with PDPB 2019, then with DPDPB 2022 and now with DPDPA 2023. Since Naavi has always held that ITA 2000/8 is the operative data protection law of India even before DPDPA 2023 became the law, principles of ITA 2000/8 compliance have been integrated with PDPCSI, and the framework was also referred to as DPCSI (Data Protection Compliance Standard of India). Under DPCSI, data was classified as Personal and Non Personal, and DPDPA was applied to Personal Data and ITA 2000/8 to non personal data.

Now, even after the removal of Section 43A from ITA 2000/8, ITA 2000 continues to be part of the Personal Data Protection regime for various other reasons. Hence the present PDPCSI takes ITA 2000/8 into account to the extent it applies to Personal Data. In this aspect, sections like Section 72A, 43, 65, 66, 66C, 66D, 67C, 69, 69A, 69B, 70B etc. are considered applicable to Personal Data Protection also. Hence PDPCSI-2023 already amalgamated compliance of ITA 2000 with DPDPA 2023. Non Personal Data, after classification, was being treated separately as an ITA 2000/8 compliance issue.

Naavi had introduced a framework titled IISF 309 (Indian Information Security Standard) to meet the requirements of compliance with ITA 2000/8, though many organizations preferred to use ISO 27001 for the same purpose.

Now, with the release of a draft Standard by BIS for Adequacy of Organizational Data Governance & Management Practices, which includes this under the Risk Management domain, the framework scenario needs to be reviewed.

This suggested standard requires that the organization must have a defined privacy policy that defines all data that is to be considered personal data. It must describe how each type of personal data will be collected, processed and stored. In particular, the framework for obtaining consent for collecting, processing and storing personal data and the acceptable methods for protecting such data throughout its lifecycle should be clearly described.

The outcomes expected are:

a) Availability of a documented privacy policy and consent management framework
b) Standardized process to assess whether information is PII and categorize PII based on associated privacy risks.
c) Limits the collection of PII to the minimum elements identified for the purposes described in the notice
d) Retention of PII for which the individual has provided consent
e) Compliance with privacy requirements
f) Management of privacy risks as part of managing the enterprise risk management function

In view of this, we can say that this standard includes all requirements of Privacy Protection.

The standard also speaks of Data Regulatory compliance and hence includes DPDPA compliance as well as ITA 2000/8 compliance as part of this standard.

But this is not an ISO 27701 replacement; it considers more of the Managerial responsibilities of Data Governance.

Hence this framework is in close alignment with FDPPI’s PDPCSI, which has 30 of its 50 model implementation specifications dedicated to the Management, the DPO, the Legal and HR responsibility centers.

The current PDPCSI is therefore the existing framework which is completely in compliance with the new proposed BIS standard.

In FDPPI trainings on the Audit Module, more details of how PDPCSI can integrate with this new standard will be discussed. Further, FDPPI is considering merging PDPCSI and DPCSI into a larger canvas, the “Data Governance and Protection Standard of India” (DGPSI), which covers both Governance of Data and Protection of Data.

Henceforth, companies in India can consider only FDPPI’s DGPSI as the Corporate Data Management standard. The IT system they develop on the basis of DGPSI may be called DGPMS (Data Governance and Protection Management System), and it will be audited by the certified auditors of FDPPI.

This is the future of Data Protection Audit in India. This is the reason why we stated yesterday that Data Protection Professionals are seeing another new and exciting development.

Now forget all other frameworks and focus on FDPPI’s DGPSI.

Naavi


Another New and Exciting Development for Data professionals

In September and October 2019, Naavi posted a series of articles on “Data Governance”. At that time a committee had been formed to develop a Data Governance Framework. This was also the time when Naavi embarked on his exploration of the “Theory of Data”.

In order to follow what I am now going to discuss, which I have called a new and exciting development, kindly read through the following articles:

https://www.naavi.org/wp/committee-on-data-governance-1-is-it-relating-to-anoymized-personal-data-or-non-personal-data/
https://www.naavi.org/wp/what-is-data-governance-framework/
https://www.naavi.org/wp/data-governance-framework-as-it-exists-in-india-now/
https://www.naavi.org/wp/data-productivity-vs-data-security/
https://www.naavi.org/wp/the-journey-to-the-development-of-the-theory-of-data-begins/

What I am now going to discuss is not the DPDPA 2023. It is something different.

A part of this is going to be incorporated in our ongoing CDPP training on Module I, the forthcoming training on Module A and the course being conducted at IIM Udaipur starting on September 11. This will be another pioneering effort of Naavi, after Cyber Laws in 2000 and Personal Data Protection since 2018.

Naavi


DPDPA is Here…4 Business Impact Assessment

In the earlier three articles, we covered three steps towards DPDPA compliance, namely:

  1. Board to pass a resolution for conducting a Business Impact Assessment (BIA) consequent to the passing of DPDPA
  2. Entrusting the conduct of the BIA to an appropriate DPDPA Project Manager (DPM)
  3. Undertaking a Leadership Initiative for DPDPA consciousness (LID)

Let’s now discuss the concept of BIA.

We have earlier heard the concept of PIA (Privacy Impact Assessment) and DPIA (Data Protection Impact Assessment).

In a PIA we evaluate the impact of a new process or event on the Privacy rights of the data subjects/Data Principals. If we are following GDPR, we may look at the legal basis of processing, how the rights are affected, whether there is any cross border transfer etc.

A DPIA also follows a similar objective for a given process. DPIA is process centric while PIA may be enterprise centric.

BIA is more in tune with DPDPA and focuses on the impact of an event (including a new process) on the overall business of the organization.

The overall business objective of an organization is preserving the shareholder value by ensuring that “Penalty Risks” arising out of non compliance are mitigated, a suitable Governance Structure is created to maintain the Compliance Status and obtain an appropriate third party audit certificate as an assurance.

The “Penalty Risk Management” objective requires an understanding of the law and its requirements, taking an inward look and conducting a Gap Assessment and then initiating measures to bridge the identified gaps.

“Bridging the gaps” may require many policy initiatives, managerial changes and technological measures. This is the Compliance journey, the starting point of which is the BIA.

The BIA itself can be conducted at multiple levels, since the organization may have to first identify priority aspects, bridge the gaps and then identify further measures that are required. The journey of Compliance therefore goes through a cycle like the PDCA cycle used in other audits.

Get an assessment done, consider the risk appetite and adopt a mitigation charter, implement the adopted measures, evaluate the implementation. This will be a spiralling cycle since with each cycle, new risks emerge with the changes in the environment and internal business structure and hence the evaluation leads to a re-assessment of risks and a re-adoption of another mitigation charter, re-implementation of mitigation measures and re-evaluation.

The DPDPA suggests multiple internal audits as well as an external third party audit. Possibly the external audit may be considered an annual requirement, whereas the internal audit may be more frequent.

Presently the need to conduct DPIA and appoint a Data Auditor is restricted to Significant Data Fiduciaries and hence annual Data Audit and quarterly internal audit is likely to be a recommended system.

As a first step, BIA-1 needs to be a high level assessment of the impact of the Act on the entity, and the key questions to be answered are:

  1. Am I processing Personal Data relevant to DPDPA compliance?
  2. What is my status under DPDPA, Data Fiduciary (DF) or Significant Data Fiduciary (SDF) or Data Processor?
  3. Is my status as DF/SDF applicable across all my activities, or should I identify specific activity centers in which I am a DF/SDF and other activity centers where I am a Data Processor for a different DF?
  4. Am I able to segregate my Data into Personal and Non Personal, DPDPA relevant and others (GDPR Relevant) etc?
  5. Do I have a Cyber Insurance to cover part of the Risks?
  6. Do I have a designated person accountable for the compliance, or does the CEO take the responsibility?
  7. Do I have enough expertise within the organization or should I take the services of an external consultant?

Naavi


Awareness to Consciousness..let us make the move now

“Awareness” is a common word used by the industry whenever new developments like the DPDPA happen. We all start conducting more and more “Awareness Training Sessions”.

But Awareness is often a surface level understanding and does not get deep into creating a behavioural change. When awareness is absorbed by an individual and internalized, it becomes “Consciousness”.

From now onwards the objective of all training initiatives of Naavi will be called “Building Consciousness instead of Building Awareness”.

This will be the distinguishing aspect of all Naavi, Cyber Law College and FDPPI efforts.

Naavi
