For Cyber Crime Complaints… Call 112

I often receive enquiries about how to respond when there is a cyber crime. I advise you to contact 112 and file the complaint as soon as you notice the crime.

In case of financial frauds through bank account, credit cards etc., also file a complaint with the relevant Bank demanding immediate reversal of transactions as per the “Limited Liability Circular” of RBI dated July 6, 2017.

In case you contact the police early with the necessary details, they may be able to help you. If there is a transfer of funds from your bank account, they may be able to stop its disbursal.

When you lodge the complaint about a financial fraud, please also add the name of the app through which the fraud occurred and the bank from which the money was transferred out.

Some of the complaints are related to small amounts of a few thousands of rupees. It would be difficult to proceed against such frauds through proper legal means such as Adjudication.

Also, the adjudication system at present in all states is not working efficiently and hence it should be invoked only when large amounts have been lost and you have a good advocate to back you.

In all such complaints ensure that your complaint includes the Bank and all intermediaries as respondents.

Naavi


Augmented GDPR Compliance Audit

Ujvala Consultants Private Limited has now introduced a GDPR Compliance audit service which incorporates Data Importer’s Assurance Certification and DTS evaluation.

This “Augmented GDPR Compliance Audit” is being conducted on the DPCSI framework (Data Protection Compliance Framework).

DPCSI framework consists of 50 implementation specifications that cover all requirements of GDPR compliance including all the obligations stated under Chapter IV and Chapter V of the GDPR.

For more details, contact Naavi.

Naavi


“Data Importer Assurance Certification” as an extension of DTS-GDPR service

Ujvala Consultants Pvt Ltd has introduced a mechanism for self assessment of an organization for GDPR Compliance and arriving at a Data Trust Score which reflects the effectiveness of compliance.

GDPR has been in existence since 2018 and there are established mechanisms to implement a compliance system. ISO 27701 is in the forefront of this evaluation as an audit system. However, ISO 27701 is an extension of ISO 27001 and could be difficult for SMEs/MSMEs to adopt. Hence an attempt was made to establish a more affordable and modularly implementable system of “Gap Assessment”, “Summary Assessment” and “Certification Audit” through the DTS-GDPR mechanism (Refer ujvala.com).

The system of reducing the compliance assessment to a number in the form of a DTS score is a concept introduced in the Indian law and not in GDPR. However there is no reason why this should not be applied to GDPR compliance assessment also as it brings some clarity to the complex mechanism of compliance assessment though it could be considered subjective to the auditor’s assessment.

After GDPR came into existence, there have been many online services which are like “Self Assessment Check List” and have been helpful to some extent. Ujvala’s attempt is not different from such services. However, in a techno legal compliance evaluation, it is difficult to keep the subjective evaluation of an expert out of the evaluation system. Hence any attempt to automate the assessment cannot avoid dilution of the assessment.

Ujvala DTS system acknowledges the inherent difficulty of a techno legal assessment based only on self assessment but tries to provide for better evaluation through the “Summary Assessment” based on scrutiny of policy documents before a proper audit examination can be made.

The system therefore uses a set of around 239 questions which are self answered by an organization. The objective of these questions is to enable the organization to reflect on their own systems and bridge gaps indicated by the questions. It is agreed that this self assessment is not good enough for third parties such as the Data Exporters to accept blindly. But it is a good starting point in the journey towards compliance.

When policy documents are submitted for review, Ujvala as a consulting organization needs to evaluate the policies and provide an “opinion” which is a “Reasonable Assurance” for the Data Exporter sitting in the EU.

Additionally, Ujvala may expect certain basic technical tools to be adopted by the organization for better management of Privacy By Design and Default.

The effort of Ujvala is to assist the management of the organization to improve its own confidence regarding presenting itself as a “GDPR Compliant Organization” to the data exporters so that it can be a “Data Importer” and offer its services as a joint controller or data processor.

GDPR authorities are making their own efforts in ensuring smooth data transfers to “Non Adequacy” countries and this is taken note of by Ujvala as a guidance for implementation with the Indian data importers.

One such effort is the suggested “Certification as a tool of transfer”.

Under this scheme, it is envisaged that specific data transfers can be enabled based on a “Certification” that the transfer carries the necessary assurance as required under Article 46(2)(f) of GDPR.

Though Ujvala is not an accredited Certification body under this scheme, Ujvala is trying to adopt an assessment of data transfer mechanism so that it can be incorporated as an assessment criterion.

Ujvala will therefore introduce a “Data Importer Assurance Certification” which a data importer may share with the data exporter as an extension of the DTS-GDPR service. We hope that this “Data Importer Assurance Certification” (DIAC) will be both a GDPR Compliance assurance and the Data Importer’s specific assurance to the data exporter about the compliance of the Cross Border transfer requirements.

At present this will be an extension of DTS-GDPR self assessment followed by the Summary Assessment based on the policy documents submitted by the organization.

Naavi

Now GDPR Compliance is brought under online self evaluation through DTS-GDPR

Ujvala Consultants Pvt Ltd launched an online evaluation of Data Trust Score indicating the compliance of an organization for Indian data protection law namely the JPC modified version of PDPB 2019 or DPA 2021.

The evaluation is available through an online completion of questionnaires leading to a self evaluation which will be reviewed and fine tuned by Ujvala Consultants Pvt Ltd on submission.

Now a similar facility has been extended to compliance of GDPR with the computation of DTS-GDPR with the completion of similar online submission process.

Details are available at www.ujvala.com

The DTS-GDPR would provide an opportunity to organizations to understand the policy requirements for GDPR compliance. On submission of the self evaluation, a quick review of the DTS with adjustments for certain weightages would be provided.

On submission of existing policy documents, a general review of the “Adjusted DTS” would be provided indicating areas which need improvement. (Cost for this document review would be extra)

Subsequently, a full-fledged audit may also be conducted under the FDPPI certification program. (Cost for this audit would be extra)

We hope that this would be useful for SME/MSMEs since the cost of GDPR compliance at the level of Self Evaluation and Basic Review would be available at Rs 5000/- for the Indian law and Rs 10000/- for the global law.

Naavi

DTS-GDPR to be launched soon

After the successful launch of the DTS online tool, and based on the several enquiries received, Naavi and Ujvala Consultants Private Limited have decided to launch a tool similar to MyDTS for compliance of GDPR.

Since GDPR involves several Supervisory Authorities who may have different interpretations, it is a more challenging task to design a DTS mechanism for GDPR. Also there are already many detailed guidelines available for implementation of the different provisions of GDPR through WP29/EDPB documents as well as ICO-UK website. These need to be incorporated as best practices. There are already hundreds of penalty decisions which also need to be taken into account. Hence this task of creating a model compliance plan for GDPR with a DTS evaluation is several times more challenging than working a model for the proposed Indian law.

However, considering the need for development of an affordable GDPR compliance assessment tool, we shall design a system on best effort basis by adopting the MyDTS system to meet the compliance of GDPR.

I request the support of all experts to enable us to succeed in our efforts by suggesting modifications as may be necessary.

Naavi


DPCSI-ITA 2000 the extended framework for compliance of ITA 2008

Naavi and Ujvala Consultants Pvt Ltd have been using the framework titled IISF-309 (Indian Information Security Framework 309) as the framework for conducting ITA 2008 compliance audit.

This framework recognized the following risk domains

Under this framework, Data Privacy Risk was focussed on compliance of Sections 43A, 72A, 43 and 66. Now PDPB 2019 (to be called DPA 2022 when passed) would replace Section 43A. Additionally it would be necessary for all organizations to report data breach of non personal data also to the Data Protection Authority to be created under PDPB 2019. Organizations may also need to keep track of “Anonymized personal data” which may be part of the information that the Government may direct sharing in certain circumstances.

However, for an organization engaged in processing of data, it will be necessary to be compliant both with ITA 2000 and PDPB 2019/DPA2022.

We have gone into the details of PDPB 2019 and created a Data Trust Score System that tries to measure and represent the effectiveness of the compliance of PDPB 2019/DPA 2022.

Since we already had the framework IISF 309 for compliance of ITA 2008, it has been now upgraded into DPCSI-ITA 2000 as an extension of DPCSI just like DPCSI-GDPR is an extension of the DPCSI for compliance of GDPR.

DPCSI-ITA 2000 which is the new avatar of IISF 309 will have 40 implementation specifications similar to the 50 Model Implementation Specifications of DPCSI. These 40 implementation specifications have been carved out of the DPCSI Model implementation specifications and tuned to meet the risks under ITA 2000/8.

Since we also have a DTS system geared to measure the implementation effectiveness of Personal Data Protection under PDPB 2019, which is also capable of being adopted to the implementation of GDPR compliance, a similar system would be extended to measure the compliance of ITA 2000/8 based on the 40 implementation specifications presently identified.

Watch out for more information on the DTS tools for GDPR compliance and ITA 2008 compliance to be made public soon.

Naavi