DPDPA Compliance Movement

During 2005, Naavi/Cyber Law College undertook a Cyber Law Compliance Movement across the country and more particularly in Karnataka. During that time, several law colleges in Karnataka conducted awareness programs and introduced certification programs. As a result, today most law colleges have Cyber Law as part of their teaching and awareness has reached some level of significance. While more work can be done in this field, today nobody can say that people are not aware of ITA 2000.

In the year 2024, Naavi.org in association with Cyber Law College and FDPPI would dedicate itself to a movement of DPDPA 2023 compliance. This time the movement would not stop at creating awareness, though that would remain one of the major activities; the focus would be on how the industry can be compliant.

There will be one section of the society which will keep pointing out the deficiencies of the Act and its rules. We may appreciate that there will be a need for improvement and that constructive criticism is essential. However, to the extent possible we need to accept what is available and try to be compliant.

This is a huge task but we would attempt it.

Hence 2024 is declared as the “Year of DPDPA Compliance”. Watch out for various activities directed towards this objective.

I request all professionals to support this initiative and help us in the projects associated with planning and implementing this movement.

This would be the New Year Resolution of Naavi/Naavi.org/Cyber Law College/FDPPI for the year 2024.

Naavi

Posted in Cyber Law | Leave a comment

DGPSI is the product of “Design Thinking”

“Design Thinking” is a relatively recent management concept that evolved from the experience of innovating ideas that affect humans. It is considered a “Methodology” which provides a solution-based approach to solving “Problems”. Among “Problems” we often encounter “Wicked Problems” that are difficult to solve because of their interconnected nature.

Solutions that emerge for difficult problems are often termed “Innovative”, and hence “Design Thinking” is considered a practice that leads to the success of innovators.

In the technology world, often innovations are camouflaged as “Technology Innovations” and the community accepts them since “Innovation” is a fashionable word. Many of the innovations are simply crazy ideas that have no benefit to society or are even destructive to it. But they are accepted and adopted because it is not fashionable to reject them. When managements are confronted with such ideas, they find it difficult either to accept or to reject them. It is in those contexts that a structured “Design Thinking” methodology may help a manager to arrive at a proper decision.

“Design Thinking” as a systematic field of study emerged in the last few decades and tries to codify certain principles that answer the question of strategizing success.

The DGPSI or the “Digital Governance and Protection Standard of India” is a product that appears to have come through such a “Design Thinking Process”. DGPSI has evolved over a period, driven by the need to have a “Framework” for assessing compliance with the emerging data protection laws in India. Initially it emerged as PDPSI (Personal Data Protection Standard of India) and then evolved into the DGPSI as is being used now.

When DGPSI was conceptualized, the concept of “Design Thinking” was not consciously followed. However, looking back at the development of this idea which is “Innovative” and “Revolutionary” in some sense, it appears that the “Design Thinking” concepts were involved in the process of its development. If this is validated, it is a validation that Design Thinking actually works in practice and is not a theoretical concept alone.

The proponents of “Design Thinking” identify 5 stages in design thinking, namely:

1. Empathize
2. Define
3. Ideate
4. Prototype
5. Test

The problem that DGPSI set out to solve was the development of a “Framework” that could assist corporates or auditors to simplify the process of compliance with the data protection law in India. The industry had multiple frameworks like ISO 27001 and ISO 27701, which were frameworks introduced by internationally accepted standards organizations. The most natural course for the industry was to adopt them as near approximations to the required frameworks and use ISO auditors also as Data Protection Auditors.

However, this was highly ineffective since it was like fitting a square peg into a round hole. Just because we have a square peg in our hands and a hammer, we cannot force it down to close a round hole. Even if we are successful, it leaves corners which are porous and the plugged hole would continue to leak.

India adopted the Data Protection Law in the form of DPDPA 2023 (which is an evolution of ITA 2000/8, PDPB 2018, PDPB 2019, DPA 2021 and DPA 2022) on August 11 and presented it as the framework for legal compliance with Data Protection obligations by an industry, failure of which could lead to huge penalties.

In this context, trying to fit ISO 27001/27701 as a framework of compliance just because it was available would have been a compromise. Though there are more than 140 countries around the world, we do not have an example of any country trying to adopt a framework of its own to meet its data protection obligations. The practitioners in those countries were happy to follow ISO 27701, which was indirectly considered a compliance standard that meets GDPR compliance. They ignored that ISO 27701:2019 was aligned with ISO 27001:2013, while ISO 27001:2013 had itself given way to ISO 27001:2022, and hence ISO 27701 was inherently not in sync with even the corresponding ISO 27001 standard.

India as a law maker did not fully follow GDPR and hence DPDPA compliance cannot be equated with GDPR compliance. Hence using ISO 27701 as a framework for compliance is unfit for DPDPA 2023 compliance.

The need to create an exclusive framework was therefore imperative.

Having decided to create a framework, the problem to be solved was “Do we need to have one more framework and complicate the life of implementers and auditors?”

When we looked around, there were 93 control recommendations from ISO 27001 which ought to be implemented, with 49 controls for PII Controllers and Processors under ISO 27701. But the US would still go for SOC 2 or sectoral regulatory compliance for, say, HIPAA. In between, the Bureau of Indian Standards (BIS) came up with its own draft “Adequacy Standard” for Data Governance and Data Management with 71 desired outcomes, of which 25 were related to data protection. Further, ITA 2000/8 itself required a framework of compliance to meet its own requirements.

Hence it was observed that a corporate CEO had to support compliance with multiple laws and industry standards and go through compliance audits and certifications from multiple agencies. An ISO auditor would give only a certification for ISO 27001 or ISO 27701 and not for the BIS standard, DPDPA 2023, ITA 2008 or SOC 2. Each would be a different certification requiring deployment of cost and effort to be certified.

A more complex problem for the CEO was that ISO 27001 was owned in the organization by the CISO while ISO 27701 was owned by the DPO. DPDPA 2023 was to be assigned either to the DPO already appointed for GDPR compliance or to somebody else. The BIS standard would obviously be the property of the Chief Data Officer, a new designation that would emerge after the standard is introduced. Inevitably, a turf war and a fight for limited resources would emerge within the company which the CEO had to resolve.

It was here that DGPSI tried to empathize with the requirements of the CEO/Top management and identified the need for a “Unified” framework that would be owned not only by the CISO but also by the DPO or CDO or even the CMO, CCO, CRO or CFO. Secondly, the DPO-GDPR could itself be a different designation compared to DPO-DPDPA 2023 or the ITA 2000 compliance officer, and hence the “Unification” of responsibility had to cut across multiple senior executives.

DGPSI addresses this “Unification of Responsibilities” by making it a framework that addresses the DPDPA 2023 as well as the BIS standard, ITA 2000 requirements as well as ISO 27001 requirements for Personal Data Management, with distinct controls based on the applicable jurisdiction such as India, GDPR, CPRA etc.

This is the single most important reason why DGPSI can be considered as evolving out of the “Design Thinking” concept.

Having developed the framework, it has already gone through the stages of Definition, Ideation, an operating prototype and testing.

What is now being offered as DGPSI comes in two forms; DGPSI-Full is a complete framework that unifies the requirements of the different organizational leaders like CISO, DPO etc., besides unifying the requirements of DPO-GDPR and DPO-India.

Further, by integrating the DTS (Data Trust Score) system, DGPSI is not only an implementation and certifiable framework but also an assessment framework.

I would not be surprised if it takes a few years for the industry to understand and appreciate DGPSI as a concept, but there is no doubt that it would stand out as a worthy companion of the Made in India for the Globe concept that is today the essence of most of the policies of the Government.

No more surrendering our wisdom to colonial frameworks such as ISO 27701, designed for GDPR compliance, and adapting them to DPDPA 2023.

We shall stand on the strength of our own fundamental compliance framework made for DPDPA 2023 and extendable to GDPR.

I hope the professional community would support this indigenous framework by first understanding it, adopting it and also contributing to its improvement.

FDPPI would be conducting a series of programs in 2024 to transform the ISO auditors and CMA Auditors into DGPSI auditors. Maybe we may even convert financial auditors of ISACA also to DGPSI auditors.

Let 2024 be a year of transformation for auditors so that the Data Auditors envisaged under DPDPA 2023 would be available in required numbers and quality before the Companies become desperate.

Reference articles:

The history of “Design Thinking”

“What is Design Thinking”

Naavi

27th December 2023


New Criminal Laws and Telecom Law get Presidential assent

The President of India has given assent to the three new laws, namely the New IPC, the New CrPC and the New IEA, today, the 25th December 2023.

Copies are available here:

The New IPC (Bharatiya Nyaya Sanhita 2023)

The New CrPC (Bharatiya Nagarik Suraksha Sanhita 2023)

The New IEA (Bharatiya Sakshya Adhiniyam 2023)

The Telecommunications Act 2023 also got Presidential assent today.

The dates of applicability, and whether the laws will be entirely prospective or retrospective, need to be clarified. We can presume that the laws will be applied prospectively from the date of notification.

The Minister of IT Mr Ashwini Vaishnav has clarified that over-the-top (OTT) services will not be covered under this Telecom Act and will continue to be regulated under ITA 2000.

Naavi


Guardians of Privacy…Content

The Book “Guardians of Privacy” by Naavi, which was formally launched at Hyderabad on 17th of this month, is a treatise on “Privacy” and “Personal Data Governance”.

It covers the legal concepts of Privacy and the recently passed law in India, namely the DPDPA 2023. It also discusses the DGPSI (Data Governance and Protection Standard of India) framework for implementation and certifiable audit of DGPMS (Data Governance and Protection Management System).

The book contains 386 pages spread over 29 chapters and one Appendix as follows:

Chapter I: Legislative History behind DPDPA 2023
Chapter II: Concept of Privacy and Protection of Privacy through Data Protection
Chapter III: DPDPA 2023
Chapter IV: Obligations of a Data Fiduciary: Notice and Consent
Chapter V: Obligations of Data Fiduciaries-Legitimate Use
Chapter VI: Obligations of Data Fiduciaries-General
Chapter VII: Rights of the Data Principal
Chapter VIII: Compliance By Design
Chapter IX: Processing of Personal Data of Minors
Chapter X: Special obligations of Significant Data Fiduciary
Chapter XI: Cross Border Transfer of Personal Data
Chapter XII: Exemptions from Applicability of DPDPA 2023
Chapter XIII: Data Protection Board of India
Chapter XIV: Penalties
Chapter XV: Miscellaneous
Chapter XVI: Compliance of ITA 2000
Chapter XVII: Compliance of GDPR
Chapter XVIII: Managerial Perspective of Data
Chapter XIX: Data Monetization, Valuation and Insurance
Chapter XX: Managerial View of Data Security
Chapter XXI: Approach to Data Protection
Chapter XXII: Concept of Privacy and Compliance by Design
Chapter XXIII: Data Audit
Chapter XXIV: Essence of ISO 27001 for Business Managers
Chapter XXV: ISO 27701
Chapter XXVI: Essence of BIS draft Standard for Data Governance
Chapter XXVII: Indigenous Framework for Data Protection Compliance - DGPSI
Chapter XXVIII: Data Trust Score as a Measurement of Compliance
Chapter XXIX: Business Opportunities under DPDPA 2023
Appendix-The DPDPA 2023

The copy of the Act as passed is available in the Appendix.

Chapters I and II provide the background to DPDPA 2023 in the form of evolution of Data Protection law in India.

Chapters III to XV discuss the different provisions of DPDPA 2023.

Chapter XVI discusses the compliance requirements under ITA 2000 as applicable to Personal Data.

Chapter XVII discusses the GDPR and how it compares with DPDPA 2023.

Chapters XVIII to XXII discuss the different aspects of Data Management, including Data Valuation and Data Security.

Chapters XXIII to XXVIII discuss the different aspects of Data Audit.

Chapter XXIX discusses the business opportunities arising out of DPDPA 2023.

The approach of the book is to introduce the law as well as the Governance and Audit aspects in one comprehensive handbook. The approach can be considered slightly unconventional, but I hope it would be useful for a Corporate executive to appreciate the compliance requirements under the law.

(Link for purchase is available on the right menu as well as Amazon and Flipkart)

Naavi


DPDPA@Institute of Cost Accountants, Bangalore


An Explanation that dilutes the law… NIPC-2

Section 335 of the New IPC covers “Making of false document” and includes “Electronic Document”. Section 4 of ITA 2000 already extends any law which applied to a paper document to the electronic document, and there was no need for the NIPC to reiterate this in multiple sections. At best, one reference under the definition clause, referring to Section 4 of ITA 2000 and stating that whatever provisions applied to paper documents also applied to electronic documents except where specifically excluded, would have sufficed. However, without understanding the benefit of the bridging clause in Section 4 of ITA 2000, the New IPC states time and again the applicability of a section to electronic documents.

One such reference is found in Section 335, Explanation 3, which states:

For the purposes of this section, the expression “affixing electronic signature” shall have the meaning assigned to it in clause (d) of sub-section (1) of section 2 of the Information Technology Act, 2000.

This explanation restricts the meaning of “Electronic Forgery” and limits it to digital/electronic signatures under Section 3/3A of ITA 2000.

We may recall the case of The Government of Tamil Nadu Vs Suhas Katti, which was historically the first case of conviction under ITA 2000, where “Writing the name of a different person below the message text was considered as Forgery”. This would now be available under Section 336 of the new IPC.

Your comments?

Naavi
