“Design Thinking” is a relatively recent management concept that evolved from the experience of innovating ideas that affect the humans. It is considered as a “Methodology” which provides a solution based approach to solving “Problems”. In “Problems” we often encounter “Wicked Problems” that are difficult to solve because of its interconnected nature.
Solutions that emerge to difficult problems are often termed “Innovative” and hence “Design thinking” is considered as a practice that leads to the success of innovators.
In the technology world, often innovations are camouflaged as “Technology Innovations” and the community accepts them since “Innovation” is a fashionable word. Many of the innovations are simply crazy ideas that have no benefit to the society or even destructive to the society. But they are accepted and adopted because it is not fashionable to reject them. When managements are confronted with such ideas they find it difficult to either accept them or reject them. It is in those contexts that a structured “Design Thinking” methodology may help a manager to arrive at a proper decision.
“Design Thinking” as a systematic field of study emerged in the last few decades which tries to codify certain principles that answers the question of strategizing success.
The DGPSI or the “Digital Governance and Protection Standard of India” is a product that appears to have come through such a “Design Thinking Process”. DGPSI has evolved over a period with the application of the principles of need to have a “Framework” of assessment of compliance to the emerging data protection laws in India. Initially it emerged as PDPSI (Personal Data Protection Standard of India) and then into the DGPSI as is being used now.
When DGPSI was conceptualized, the concept of “Design Thinking” was not consciously followed. However, looking back at the development of this idea which is “Innovative” and “Revolutionary” in some sense, it appears that the “Design Thinking” concepts were involved in the process of its development. If this is validated, it is a validation that Design Thinking actually works in practice and is not a theoretical concept alone.
The proponents of the “Design thinking” identify 5 stages in design thinking namely
1.Empathize
2.Define
3.Ideate
4. Prototype
5.Test
The problem that DGPSI set to solve was the development of a “Framework” that could assist corporates or auditors to simplify the process of compliance to the data protection law in India. The industry had multiple frameworks like ISO 27001, ISO 27701 which were frameworks introduced by internally accepted standard organizations. The most natural course for the industry was to adopt them as near approximations to the required frameworks and use ISO auditors as also auditors for Data Protection Auditors.
However this was highly ineffective since it was like fitting a square peg into a round hole. Just because we have a square peg in our hands and a hammer, we cannot force it down to close a round hole. Even if we are successful, it leaves the corners which are porus and the plugged hole would continue to leak.
India adopted the Data Protection Law in the form of DPDPA 2023 (which is a evolution of ITA 2000/8, PDPB 2018,PDPB2019, DPA2021 and DPA 2022) on August 11 and presented it as the framework for legal compliance of Data Protection obligations by an industry, failure of which could lead to huge penalties.
In this context, trying to fit the ISO 27001/27701 as a framework of compliance just because it was available would have been a compromise. Though there are more than 140 countries around the world, we donot have an example of any country trying to adopt a framework of its own to meet their data protection obligations. The practitioners in those countries were happy to follow ISO 27701 which was indirectly considered as a compliance standard that meets GDPR compliance. They ignored that ISO 27701 : 2019 was aligned with ISO 27001:2013 while ISO 27001:2013 had itself given way to ISO 27001:2022 and hence was inherently not in synch with even the corresponding ISO 27001 standard.
India as a law maker did not fully follow GDPR and hence DPDPA compliance could not be equated with GDPR compliance. Hence using ISO 27701 as a framework for compliance is unfit for DPDPA 2023 compliance.
The need to create an exclusive framework was therefore imperative.
Having decided to create a framework, the problem to be solved was “Do we need to have one more framework and complicate the life of implementers and auditors?”
When we looked around, there were 93 control recommendations from ISO 27001 which ought to be implemented with 49 controls for PII Controllers and Processors under ISO 27701. But US would still go for SOC2 or sectoral regulatory compliance for say HIPAA. In between the Bureau of Indian Standards (BIS) came up with its own draft “Adequacy Standard” for Data Governance and Data Management with 71 desired outcomes of which 25 were related to data protection. Further ITA 2000/8 itself required a framework of compliance to meet its own requirements.
Hence it was observed that a corporate CEO had to support compliance from multiple laws and industry standards and go through with compliance audits and certifications from multiple agencies. An ISO auditor would give only a certification for ISO 27001 or ISO 27701 and not BIS standard or DPDPA 2023 or ITA 2008 or SOC 2. Each would be a different certification requiring deployment of cost and effort to be certified.
A more complex problem for the CEO was that ISO 27001 was owned in the organization by the CISO while ISO 27701 was owned by the DPO. DPDPA 2023 was to be assigned either to the DPO already appointed for GDPR compliance or to some body else. The BIS standard would obviously be the property of the Chief Data Officer, a new designation that would emerge after the standard is introduced. Inevitably the turf war and fight for limited resources would emerge within the company which the CEO had to resolve.
It was here that DGPSI tried to empathize with the requirements of the CEO/Top management and identified the need for a “Unified” framework that would be owned by not only the CISO but also by the DPO or CDO or even the CMO or CCO or CRO or CFO. Secondly the DPO-GDPR could itself be a different designation compared to DPO-DPDPA 2023 or ITA 2000 compliance officer and hence the “Unification” of responsibility had to cut across multiple senior executives.
DGPSI addresses this “Unification of Responsibilities” by making it a framework that addresses the DPDPA 2023 as well as the BIS standard, ITA 2000 requirements as well as ISO 27001 requirements for Personal Data Management, with distinct controls based on the applicable jurisdiction such as India, GDPR, CPRA etc.
This is the single most important reason why DGPSI can be considered as evolving out of the “Design Thinking” concept.
Having developed the framework, it has already gone through the stages of Definition, Ideation, an operating prototype and testing.
What is now being offered as DGPSI in two forms namely DGPSI-Full is a complete framework that unifies the requirements of the different organizational leaders like CISO, DPO etc., besides unifying the requirements of DPO-GDPR and DPO-India.
Further, by integrating the DTS (Data Trust Score) system, DGPSI is not only an implementation and certifiable framework but also an assessment framework.
I would not be surprised if it takes a few years for the industry to understand and appreciate DGPSI, as a concept, but there is no doubt that it would stand out as a worthy companion of the Made in India for the Globe concept that is today the essence of most of the policies of the Government.
No More surrendering our wisdom to the colonial frameworks such as ISO 27701 designed for GDPR compliance and adopting it to DPDPA 2023.
We shall stand on the strength of our own fundamental compliance framework made for DPDPA 2023 and extendable to GDPR.
I hope the professional community would support this indigenous framework by first understanding it, adopting it and also contribute to its improvement.
FDPPI would be conducting a series of programs in 2024 to transform the ISO auditors and CMA Auditors into DGPSI auditors. …May be we may even convert financial auditors of ISACA also to DGPSI auditors…..
Let 2024 be an year of transformation for auditors so that the Data Auditors envisaged under DPDPA2023 would be available in required numbers and quality before the Companies become desperate.
Reference articles:
The history of “Design Thinking”
“What is Design Thinking”
Naavi
27th December 2023