Naavi.org

The Book, Guardians of Privacy is not another book on DPDPA 2023. It is meant to be a Transformation Agent for those who are today looking at GDPR and trying to understand DPDPA 2023 or looking at ISO 27701 and looking for compliance under DPDPA 2023.

There are a set of CIOs,CISOs or CEOs, who have not looked at the concept of Privacy serious enough to understand the obligations of being a “Data Fiduciary” and needs to go through the drill of understanding the concept of privacy and how it relates to the concept of Personal Data and the DPDPA 2023.

Law impacts on the society through not only what is written in the “Act” and extends to the interpretation provided by the Judiciary and is likely to be provided by the Judiciary. Presently the law of data protection in India is present in the form of “ITA 2000” and “DPDPA 2023”. It will get expanded when the rules are notified by the Government.

Judiciary has already spoken a lot on the concept of Privacy. Puttaswamy Judgement was a watershed moment in India declaring that Privacy is a fundamental right. It also did expand the meaning of Privacy through the individual detailed judgements which formed the “Obiter dicta”. The views expressed focussed on Privacy as a right as well as the Information Privacy which was specifically mentioned. It will take some time for Judiciary to expand on these concepts and how Information Privacy in practice need to be handled by the industry. This “Privacy Jurisprudence” will develop over time and it is the duty of experts to keep building up this Jurisprudential thoughts.

In the meantime, practitioners in the industry are looking at implementation of Information Privacy in a manner that they would remain compliant with the law. However the translation of law into implementation practice in an IT environment is a challenge to most technological people.

It is here that the title “Data Fiduciary” used in the law assumes importance. In GDPR, the comparative word used is “Data Controller”. One can control what is handed over to him to control. The GDPR therefore considers that “Personal Data” handed over to it by a Data Subject can be “Controlled” as desired by the data subject or as permitted under law.

One can recall the Privacy Standard under HIPAA which stated that “A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.” The law then went into the details of how the act can be implemented. Hence this law was a self contained implementation framework.

However, DPDPA 2023 as well as GDPR do not have detailed prescriptions. The operating part is defined under words such as “Reasonable”, “Necessary and Proportionate”, “Risk Based” etc. This leaves a lot of responsibility to the implementation agency.

In this respect, Indian law goes a step further than GDPR by choosing to replace the Data Controller as a Data Fiduciary. This nomenclature essentially means that “Personal Data” is a property entrusted to the Data Fiduciary who is a “Trustee” with a certain objective. A trustee is bound by the objective of trust and not necessarily by the written instructions. In view of this, even where a “Consent” is taken, if certain action is not in the interest of the beneficiary (Data Principal in this context), the Trustee (Data Fiduciary in this context) has a duty to protect the interests of the Data Principal.

In discharging this obligation, Privacy Jurisprudence may have to define what is the “Beneficial Interest” that needs to be protected.

While the Act only talks of “Reasonable Safeguards” the “Safeguards” themselves may have to be determined on the basis of “Risks” and the “Risks” depend on the “Risk” and “Risk” depends on what the law expects as “Privacy”. This takes us back to the Judicial interpretation of “Privacy” though DPDPA 2023 meticulously avoids the word.

It is in this context that the Guardians of Privacy as a book tries to identify a “Compliance Framework” in the form of Digital Governance and Protection Standard of India (DGPSI) which is an attempt to capture the requirements of how a Privacy Protection System can be put in place, can be audited and assessed.

While the book discusses the top line requirements of the standard framework in the DGPSI-Lite and DGPSI-Full versions, the consultants are expected to absorb the concepts of the framework and design their own templates for implementation.

With the three components of Law, Governance and Audit, this book is expected to be an instrument for transformation of present ISO 27001 auditors into Data Auditors and present ISMS/PIMS systems to DGPMS.

In the coming days there could be updates for the book which will be not only because of the rules to be notified but because of other developments. We shall try to keep the readers suitably informed either through a supplementary E-Book or through a new edition.

Naavi

During the Sociawood congregation in Hyderabad on 17th December 2023, Naavi’s book…Guardians of Privacy was officially made public with the initial copies being given away to some of the dignitaries.

The book has discussions on

1. Privacy , Emergence of the concept in India and DPDPA 2023, useful for those who want to study DPDPA 2023 as the law of data protection in India
2. Concept of Data and Data Protection for Business Managers and the emerging BIS standard for Data Governance
3. The “Data Audit” under ISO 2700, ISO 27701 and the unique DGPSI, Digital Governance and Protection Standard of India.

More on this would be presented in due course.

Naavi

It appears that the delay in the announcement of rules under DPDPA2023 is partly due to the hesitancy of the Government to take the lead in defining the rules but depend on the BigTech to tell how they are to be regulated.

It appears that the Government is holding closed door discussions with the industry an euphemism for the Big Tech lobby before finalizing the rules.

As per this report in Indian Express Government is likely to adopt an Aadhaar based age determination system to identify minors and the need for parental consent. However this may have a conflict with the Supreme Court decision which restricted the sharing of the Aadhaar information with private sector.

The proposed regulation of using Aadhaar may require both the aadhaar of the minor and their parent/s to be shared with the private sector.

We need to wait how the rules will overcome this conflict.

It may be easier to use “Consent Managers” as the gate keepers for minor’s data and regulate the Consent Manager in accordance with the Supreme Court regulation.

We may however caution that it is inappropriate for the Government to depend on the industry for advice on the implementation of DPDPA 2023 knowing fully well that the industry would only look at their self interest first.

Industry will be happy to be permitted to collect Aadhaar information of every user so that they can identify who is a minor and who is not so that they can thereafter decide who has to give consent.

It may be possible to make this a “Voluntary” proposal from the user but is fraught with risks of complete aadhaar data base being officially coming to be disclosed to the private sector data fiduciaries.

Instead, developing a Consent Manager who could use Virtual Aadhaar and provide Minor Consent mandatorily through such consent managers would be a more meaningful proposition.

Naavi

In a glittering function at T-Hub, Knowledge City, Hyderabad, EndNow Foundation of Hyderabad presented a “Life-Time Achievement Award for Contribution to Privacy” to Naavi.

Mr Suman Talwar the well known Cine Artist gave away the award.

Mr Anil Rachamalla, the founder of End Now Foundation was present during the occasion along with several other dignitaries.

The Occasion was celebrated as an event of the “Sociawood” as an industry of Social Media contributors, a term similar to Hollywood, Bollywood, Kollywood, Sandalwood, Tollywood etc. Several Social Media Influencers with millions of followers were also honoured on the occasion.

At a time India is discussing the Data Protection Act, the Information Technology Act, Artificial Intelligence, Deep Fake issues, Social Media Influencers need to ensure that they follow ethical and legal principles to ensure that their contributions to the society are beneficial.

Naavi.org has been advocating responsible behaviour for bloggers and had even recommended a “Self Regulation for Cyber Law Compliant Bloggers” in the past. A similar movement to develop a “Cyber Law Compliant” Social Media Influencers is required at present.

Naavi

Also see: Lifetime achievement award for Cyber Jurisprudence

End Now Foundation, Hyderabad is presenting an unique event in Hyderabad on 17th December 2023 bringing together Social Media Influencers in a summit which is first of its kind in India.

The following video may give a glimpse of what is being planned.

The event is expected to be graced by the Tollywood Star Mr Chiranjeevi .

During the event, organizers are intending to recognize some of the Social Media Influencers for their contribution in different areas.

Naavi.org wishes all the success for this event.

Naavi would be present during the event.

Naavi entered Internet some time around 1984-85 when Internet was considered an “Information Super Highway”. Internet as an interactive medium was limited to “E-Mails” and Message Boards. As Message Boards developed into Groups, the second dimension of Internet as a “Social Media” gathered momentum. With the advent of FaceBook and Twitter and later the WhatsApp, and YouTube, today’s youngsters are initiated to Digital Society more as participants of the Social Media rather than seekers of information.

At the same time the development of AI has transformed the Social Media from a human led platform to an AI led platform introducing an element of manipulation which is only growing by the day.

In order to retain the benefits of the Social Media as a positive influence on the society, it is necessary for all of us to remember the original motto of Naavi.org namely “Let Us Build a Responsible Cyber Society”. Today it is the responsibility of Social Media influencers to build a Responsible Social Media.

Retaining “Trust” in the media is essential for the relevance of the Social Media in the coming days. This requires that the slow poisoning of the content on the Internet by fake media contributors need to be curbed and called out by the more responsible elements of the Social Media society. As in the physical society, “Bad Influencers” even in small numbers can spoil the reputation of the society even of “Good Influencers” and hence Good Influencers should ensure that fake and bad content is marked and removed to the extent possible. Otherwise the future search engines, Machine Learning models will pick up bad and wrong content and magnify them to an extent that an unreal social community would be developed.

We therefore need to develop a “Trust Seal” for ” Honest Social Media Influencers” so that “Ethical Social Media Influencers” develop as a community within the community where quality of information dissemination and usefulness to the society becomes the criteria for determining success than mere numbers.

We need to therefore develop a criteria for prescribing a self regulation of ethical standards, monitor them by a committee of leaders and develop a demonstrable visual symbol of “Trusted Social Media Influencer”.

Hopefully, this first summit of Social Media Influencers adopt a “Declaration” to create the “Trusted Social Media Influencer Seal” with three essential ingredients, Be truthful, Do Good to society and Prevent harm to the society.

Those who are self regulated and contribute to the good of the society may develop as a new subset of Social Media Influencers who are ethical and may be called the “White Social Media Influencers” who will preserve the respect and usefulness of the social media.

The Government of India has already mandated that Social Media Contributors can insist on their identity being verified and displayed on their content. This seal of Trust will be a higher level of identity to which all Social Media Influencers should aspire for.

Let us discuss this further….

Naavi

(This article is written in the light of my participation in a panel discussion titled “Guardians of Data-Navigating the future with India’s Data Privacy Bill” in the upcoming Cloud Security Alliance conference in Bengaluru on December 13, 2023 and the publication of my book Guardians of Privacy- A comprehensive handbook on DPDPA 2023 and DGPSI)

The professional community that guards data includes those who primarily occupy the position of CISOs in organizations. Quality Managers, CTOs do assist the CISOs in discharging their duties as “Guardians of Data”. The goal of a “Guardian of Data” is the preservation of the confidentiality, integrity and availability of data. In pursuance of this objective, the data guardians are required to treat all data equally.

However with the advent of DPDPA 2023, the Guardians of Data need to sharpen their focus to identify what kind of data they are guarding and whether it includes “Personal Data”. If so, the guardians of data have to also consider an additional responsibility to be “Guardians of Privacy” of such data principals whose personal data is being guarded.

The requirements of “Privacy” are dependent on the relevant laws applicable which requires a “Classification of Personal Data” on the basis of the jurisdiction of law to which it is exposed. The security safeguards to be applied to personal data could differ from what is applicable to non-personal data. Since the IS professionals may not have adequate exposure to data protection law and may have a conflict with the protection of “Privacy” of an external person, laws often demand that personal data protection has to be entrusted to a person with a specific designation of DPO and further that a CISO may not hold the joint designation as DPO. This means that “Guardians of Data” and “Guardians of Privacy” need to be different in an organization. The Guardians of data probably hold designations such as DPO or CPO.

Law also specifies that DPO should be probably reporting to the Board while no such legal mandate exists for the operating level of a CISO. As a result the DPO stands a shade ahead of CISO in the Corporate hierarchy and the “Guardians of Data” look at “Guardians of Privacy” as as an aspirational destination.

The segregation of responsibilities between the CISO and DPO start with “Classification” of data, first as personal and non personal. The Non Personal Data needs to be guarded under the CIA principle while the Personal Data has to be guarded under CIA+Privacy principles. The responsibilities of DPO are therefore wider though the stock of data to be managed may be lesser.

One of the tough challenges before the management is to ensure that the CISO and the DPO maintain a harmonious relationship without a turf war between them.

DGPSI (Data Governance and Protection Standard of India) assists this development of harmonious relationship between the CISO and DPO besides taking into consideration of a futuristic conflict that may arise with the Chief Data Officer (CDO) who may have his own claims to decision making related to Data.

The frameworks such as ISO 27001 which guide the Guardians of Data are insufficient for the requirement of the Guardians of Privacy. At present there is only one guideline that can be used by these Guardians of Privacy in India which is DGPSI. Even the ISO 27701 falls short of the requirements of Indian DPOs since their principal target is DPDPA 2023 compliance.

Professionals need to first accept that being in compliance with GDPR is not compliance with DPDPA 2023 and hence a certification for ISO 27701 (2019 or any modified) is not Certification for compliance of DPDP 2023.

On the other hand Compliance Certification under DGPSI can be an assurance for compliance of DPDPA 2023, ITA 2023 and the BIS Draft standard for Data Privacy.

Naavi

Explore how a Guardian of Data can transform himself as Guardian of Privacy. To add this additional repertoire to your portfolio and enhance career prospects, Guardians of data may read the accompanying book and/or undergo the DGPSI lead auditor course.

For those who are attending the CSA conference, a special discount of 20% would be available. If interested, obtain the discount code by contacting naavi.

Naavi