Fraud by 9900880457: “Your phone will be deactivated”

For some time now, a fraud has been attempted through automated calls made from different numbers stating: “Calling from Telecom department… All your phones will be deactivated within 2 hours. Press 9 for more information”, etc.

It is obvious that this is a fraud. However, such frauds occur because telecom companies do not take preventive action and the police do not come in except after somebody who has lost money complains.

Just now I received such a call from the number 9900880457. Earlier such calls have come from other numbers also.

I want people to be careful about such calls. If possible, the above mobile number (which may be fake) should be traced.

Naavi

Posted in Cyber Law | Leave a comment

“B2B-DTS” for DPDPA compliance tailored to Manufacturing industries

Yesterday we had an interaction with a large group of CIOs in Coimbatore and discussed the DGPSI framework as a solution to DPDPA compliance.

As a part of the discussion, a need has emerged for considering the manufacturing industries with only B2B services as a separate category/sector for which DPDPA compliance has to be specifically designed.

The DGPSI framework already has one simpler version called DGPSI Lite with 36 implementation specifications and DGPSI Full with 50 implementation specifications.

Both frameworks are applicable across different sectors, including the manufacturing sector. The DGPSI Full version also addresses some Data Governance issues, while DGPSI Lite is limited to DPDPA compliance.

While implementing these frameworks for manufacturing industries, the fact that their exposure to personal data processing is limited to employees is already factored in. In case the manufacturing industry has retail stores or e-commerce websites, their exposure to DPDPA 2023 increases.

However, there are many industries which do not have e-commerce and do not have retail sales, and hence their encounter with personal data is limited to employees: current, prospective and past.

Considering this restricted exposure of B2B companies, the DPDPA Gap assessment as well as implementation has been simplified, leading to an assessment which is named “B2B-DTS”.

Hopefully this will enable a large number of eligible industries of this category to meet the compliance certification quickly without the rigorous requirements of a company which has personal data collections on a large scale from consumers.

Companies interested in such assessments may contact Naavi/Ujvala Consultants Pvt Ltd for more information.

Naavi


International Information Security conference at Bangalore

On June 28, 2024, Bsides Bangalore is conducting “Security Bsides Bangalore 2024”, a premier cyber security conference in India, at Marriott, Whitefield, Bangalore.

 


Use of AI-led Compliance Software for DPDPA

As a natural development of technology there is a scramble by product manufacturers to create products and services to offer “Compliance Products”. Most of these vendors are focussing on developing a “Consent Management Solution”.

The essential feature of such software would be to record the consent for a given set of personal data, give it an identity tag and attach it to the personal data set so that it can be referred to whenever required. The consent has to meet the expectations of “Purpose Orientation”, “Data Minimisation” and “Data Retention Minimization”.

One of the dilemmas companies have is whether they can take one perennial consent for collecting personal data for multiple purposes, which is logically the most suited for business.

However, the law does not support such an omnibus, omnipotent, omnipresent, ever-alive consent.

Hence the consent collection, use and retention mechanism has to be a carefully considered plan that should meet the legal requirements without seriously hindering the business operations.
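
A minimal sketch of the consent record described above, added here as an illustration and not taken from any vendor product or from DGPSI: each consent gets an identity tag that is attached to the data set, and every use is checked against the consented purpose, data fields and retention date. All names (`ConsentRegistry`, `_consent_id`, the sample employee record) are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import uuid

@dataclass
class Consent:
    consent_id: str      # identity tag attached to the personal data set
    principal: str
    purpose: str         # one consent covers one purpose, not an omnibus list
    fields: frozenset    # data minimisation: only these fields are covered
    expires: date        # retention minimisation: no use after this date
    withdrawn: bool = False

class ConsentRegistry:
    def __init__(self):
        self._consents = {}

    def record(self, principal, purpose, fields, granted, retention_days):
        c = Consent(uuid.uuid4().hex, principal, purpose, frozenset(fields),
                    granted + timedelta(days=retention_days))
        self._consents[c.consent_id] = c
        return c.consent_id

    def withdraw(self, consent_id):
        self._consents[consent_id].withdrawn = True

    def check(self, consent_id, purpose, fields, today):
        """Return (allowed, reason) for one proposed use of the data."""
        c = self._consents.get(consent_id)
        if c is None:
            return False, "unknown consent tag"
        if c.withdrawn:
            return False, "consent withdrawn"
        if today > c.expires:
            return False, "retention period over"
        if purpose != c.purpose:
            return False, "purpose not covered"
        extra = set(fields) - c.fields
        if extra:
            return False, "fields beyond consent: " + ", ".join(sorted(extra))
        return True, "ok"

def tag(record, consent_id):
    """Attach the consent tag to a personal data record."""
    return {**record, "_consent_id": consent_id}

def demo():
    # Constructed sample: an employee consenting to payroll processing for 365 days.
    reg = ConsentRegistry()
    cid = reg.record("emp-001", "payroll", {"name", "bank_account"},
                     date(2024, 6, 1), 365)
    return reg, tag({"name": "A. Kumar", "bank_account": "XXXX1234"}, cid)
```

A second purpose such as marketing needs its own `record()` call and its own tag; reusing the payroll tag for it is rejected by `check()`.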

Probably the appropriate use of AI should help. However, when an AI is developed on faulty training data, the AI output will also be faulty. One option that the ML program has is to parse all similar websites and their privacy policies and gather intelligence which can be incorporated in its own policy. Obviously the user will provide his own inputs on the purpose, data requirements, retention objectives, etc. so that the AI algorithm will develop a suitable privacy policy that can be used.

In such automation, it is important to recognize that “Legal Compliance” is difficult to automate successfully and strict human supervision is essential.

As more and more such products surface, FDPPI will apply its “Product-DTS” tool to evaluate the compatibility of the product to Indian DPDPA system and provide a “DTS Score”. 

Data Fiduciaries need to be careful when selecting solutions, since any purchase of such a product is likely to be a long-term purchase and difficult to change subsequently.

When FDPPI auditors evaluate a Data Fiduciary, they look at such service providers as “Joint Data Fiduciaries”. But the product vendors themselves have an option to get their products evaluated as a pre-sales qualification criterion. Such evaluation takes into account the principles of the EU-AI Act, ISO 13485, etc. Obviously this is a complex process, perhaps more complex than a routine DPDPA audit for a Data Fiduciary.

FDPPI therefore operates such assignments through a “Consortium” of its experts so that the technology intricacies are considered along with the Legal, Governance and Business issues. Exciting days are ahead in incorporating the EU-AI Act with DPDPA compliance and we look forward to the same.

Naavi


Implementation Challenges of DPDPA

FDPPI has been conducting many programs around the country discussing the implementation challenges of DPDPA. We are happy to note that after initial hesitation many other consultancy organizations have shed their complacency that the rules are not notified and started conducting their own programs. This is a welcome development for the industry.

Most of these consultants have also accepted Naavi’s argument that DPDPA as a published law has become a due diligence under ITA 2000 and hence the law needs to be applied as of now by companies as part of their plan to be ready to face the next level of compliance where “Penalties” are a “Financial Risk” to be mitigated.

This is how the “Jurisprudence” becomes the “Best Practice” while law continues to the final version that is relevant for determination of penalties.

As we move towards our next program in Delhi on December 11th with the CIOKLUB and also on December 12th under the FDPPI banner, we will continue to discuss the other implementation challenges.

The next challenge that we need to address is that many solution providers have come up offering solutions for Compliance. We understand that some of them are also in discussion with the MeitY and are trying to also advise the ministry in the rule making.

It is a distinct possibility that some of the built in capabilities of these solutions may find expression in the rules to be announced by MeitY in the next few months.

As the competition in the product market increases, there is likely to be a bombardment of different views on the user companies. The users need to be able to understand what the compliance requirements are and how each solution meets them.

I suppose that during the Delhi event we will discuss how “Consent Management” solutions or “Data Classification Solutions” which are presently in the market address these issues. We may also discuss how to evaluate interesting offers of solutions that claim “AI based Automated Compliance” as their USP.

If you are in Delhi and are interested in understanding the compliance issues with which you can evaluate different solutions, you should not miss the FDPPI event.

Naavi


Consent Managers can be sector specific specialists

The concept of “Consent Manager” in DPDPA 2023 is not understood by many. It is obviously a registered Data Fiduciary with the necessary infrastructure to get itself appointed by data principals. The registration will require some conditions that MeitY may prescribe.

Such conditions may include Capital and Networth considerations, expertise, information security, etc. The ownership of the consent manager as a company, whether it can be owned by foreign interests, whether there will be a “Fit and Proper Criteria”, whether there will be a minimum period for withdrawal from business, the distance to be kept from Data Fiduciaries, etc. need to be specified or factored in.

One of the recommendations we have is to encourage Consent Managers as sector specific experts so that they will be able to provide better assurance to the data principals.

DGPSI will be working on such sector specific compliance guidelines as part of its development of detailed guidelines.

In the process, FDPPI may also develop Consent Manager-DTS or CM-DTS as an indicator of the maturity of compliance as a Data Fiduciary engaged in the service of a Consent Manager.

It is possible that MeitY may come up with its own version of rules without taking into account all the requirements that we may suggest. But we hope that the guidance developed by the DGPSI team, being the experts in Data Protection, will eventually be a “Best Practice”.

To enable this, it is better if MeitY does not come up with rigid rules and leaves flexibility for compliance.

Naavi
