DPCSI-ITA 2000: the extended framework for compliance of ITA 2008

Naavi and Ujvala Consultants Pvt Ltd have been using the framework titled IISF-309 (Indian Information Security Framework 309) as the framework for conducting ITA 2008 compliance audit.

This framework recognized the following risk domains

Under this framework, Data Privacy Risk was focussed on compliance of Sections 43A, 72A, 43 and 66. Now PDPB 2019 (to be called DPA 2022 when passed) would replace Section 43A. Additionally, all organizations would also need to report breaches of non-personal data to the Data Protection Authority to be created under PDPB 2019. Organizations may also need to keep track of “Anonymized personal data”, which may be part of the information that the Government may direct to be shared in certain circumstances.

However, for an organization engaged in processing of data, it will be necessary to be compliant with both ITA 2000 and PDPB 2019/DPA 2022.

We have gone into the details of PDPB 2019 and created a Data Trust Score System that tries to measure and represent the effectiveness of the compliance of PDPB 2019/DPA 2022.

Since we already had the framework IISF 309 for compliance of ITA 2008, it has now been upgraded into DPCSI-ITA 2000 as an extension of DPCSI, just as DPCSI-GDPR is an extension of the DPCSI for compliance of GDPR.

DPCSI-ITA 2000, which is the new avatar of IISF 309, will have 40 implementation specifications similar to the 50 Model Implementation Specifications of DPCSI. These 40 implementation specifications have been carved out of the DPCSI Model Implementation Specifications and tuned to meet the risks under ITA 2000/8.

Since we also have a DTS system geared to measure the implementation effectiveness of Personal Data Protection under PDPB 2019, which is also capable of being adapted to the implementation of GDPR compliance, a similar system would be extended to measure the compliance of ITA 2000/8 based on the 40 implementation specifications presently identified.

Watch out for more information on the DTS tools for GDPR compliance and ITA 2008 compliance to be made public soon.

Naavi

 


DPCSI and the Intelligence theory

Today, I received a WhatsApp regarding four types of intelligence, namely,

1) Intelligence Quotient (IQ)
2) Emotional Quotient (EQ)
3) Social Quotient (SQ)
4) Adversity Quotient (AQ)

The forward defined the different types of intelligence as follows:

1. Intelligence Quotient (IQ): this is the measure of your level of comprehension. You need IQ to solve maths, memorize things, and recall lessons.

2. Emotional Quotient (EQ): this is the measure of your ability to maintain peace with others, keep to time, be responsible, be honest, respect boundaries, be humble, genuine and considerate.

3. Social Quotient (SQ): this is the measure of your ability to build a network of friends and maintain it over a long period of time.

This triggered a thought about the DPCSI, which is being suggested for Data Protection Compliance in India, and how the DPCSI incorporates all four types of intelligence represented above in its Standards and Implementation Specifications.

The 12 standards of the DPCSI framework are given below:

In the above standards,

the standards Law Based Scoping, Data Classification and Privacy By Design at entity level represent the intelligence quotient, the measure of the level of comprehension of the compliance requirements.

Emotional quotient is captured by the inclusion of Communication, Governance Committee and Workforce Control.

Social quotient is captured by Distributed Responsibility.

Adversity quotient is represented by the Risk Appetite Based Charter.

The implementation specifications that go with this standard also reflect the four types of requirement of the framework, which need to address the legal issues of compliance, the technical architecture for compliance, the workforce and top management support, and the need for external and internal communication with stakeholders.

We can therefore feel confident that DPCSI is “Intelligent” and meets the expectations of Data Protection Professionals just as the above types of intelligence recognized by psychologists.

Naavi


Let’s create a Data Protection Law Compliance Culture in India

To

All those interested in Data Protection law compliance in India

Dear Friends

I invite you all to the webinar on “Data Trust Score under DPCSI” scheduled for 11.00 am on Sunday, July 10, 2022. The webinar will be on Zoom. The meeting ID is 882 8084 0436. The passcode is: dts_07

The approximate duration would be one hour followed by discussions. During the session, I will try to explain how Data Protection compliance maturity of an organization can be expressed in terms of a “Data Trust Score” just as credit ratings express the investment worthiness of a financial instrument.

The framework based on which the model of DTS would be explained is the Data Protection Compliance Management System, which is uniquely built as a “Unified system” for compliance of Personal Data Protection under ITA 2000/PDPB2019 or DPA 2021/GDPR etc.

During the session, the use of an online tool that can be used for a self estimation of the data protection status of an organization would also be described.

Don’t miss this opportunity to be part of a revolutionary change in the way companies can handle their data protection compliance requirements. MSMEs in particular should be more interested since the tool would help them to start their journey to be compliant with the law as it emerges.

The objective of this interaction is to make compliance easier and more affordable so that we can together create a “Compliance Culture” in India.

Whether the Government passes the Personal Data Protection bill (PDPB 2019/DPA 2021) during monsoon or not, responsible companies need to start their journey towards compliance.

Even when changes are brought, the foundation principles of compliance will not change. Let vested interests continue their fight to avoid compliance responsibility.

We the responsible corporates shall show the way to respect and be compliant with the legislative intention already reflected under the concept of “Due Diligence” and “Reasonable Security Practice” in ITA 2000/8.

Naavi


It is time to build a “Compliance Culture”

The IT community has gone through the phase of discussing the need for building an “Information Security” culture in the organization. Thereafter we also went through the phase of building a “Privacy Culture”.

In both these phases, we focussed on the people in the organization and tried to educate them on security issues and privacy issues.

While the efforts for building an information security culture and privacy culture continue, they are now being subsumed by the new requirement of building a “Compliance Culture” in organizations.

This requirement is typical of the Indian market where we always stretch the compliance requirement till we are forced to comply.

The time has therefore come now to build a “Compliance Culture” in an organization. In this context, an “Organization” is the aggregation of the senior executives who have gone through the implementation of measures in their respective work places to ensure that their subordinates are impregnated with the importance of information security and privacy and why they all need to change their attitudes to work and attitudinally re-orient themselves to practice better security and privacy ethics and technology in their day to day work.

FDPPI is now embarking on leading Indian organizations into this phase through its program, “Data Trust Score, the future of Privacy Protection”.

“Data Trust Score” or DTS, is the suggested measure of “Maturity of Data Protection Law Compliance” in India. It is a suggested deliverable of a data auditor who audits the data protection practices of a company in India. It works like the “Credit Rating” assigned for financial instruments by Credit rating agencies such as CRISIL or ICRA.

FDPPI, which has created an ecosystem for certified data protection audits based on the indigenously developed framework of DPCSI (Data Protection Compliance Standard of India), is adopting DTS-DPCSI as the model for calculation of DTS on the DPCSI framework.

DTS-DPCSI is the first of its kind concept and would be the forerunner of similar assessment yardsticks that will emerge in future for other frameworks also.

The life of a Data Protection Professional will not be complete without understanding the concept of DTS and how it can be applied in their work environment.

Let us start our journey in understanding the concept of DTS through a virtual presentation to be made by Naavi on 10th July 2022 at 11.00 am.

For registration, contact Naavi through email at: dts@ujvala.com

Naavi


DTS On Line

Data Trust Score (DTS) is a measure of the effectiveness of compliance of an organization to data protection law as assessed by an auditor. This brings visibility to the common man of how reliable the data protection measures in an organization are. It also brings accountability to the data audit system by requiring the auditor to convert the subjective assessments to a common objective number.

In the Corporate and Investment world, “Credit Rating” is a common measure of the safety of investment in an instrument and has been widely used. DTS now brings this concept to the world of “Personal Data”, which is like a currency which the public invest and Data Fiduciaries collect and use for generating business revenue.

Naavi has been working on developing a DTS system based on the PDPB 2018, which later became PDPB 2019 and is now referred to as DPA2021 (or DPB 2021). In this process, Naavi developed a framework referred to as “Data Protection Compliance Standard of India” (DPCSI) which incorporates the best of the various frameworks for implementation of ISMS or PIMS and extends it with some other unique concepts.

Now, Naavi has tried to simplify the process of DPCSI audit by enabling DTS evaluation online. This online DTS computation has been enabled by Ujvala Consultants Private Limited. The process is enabled as a “Self Evaluation” based on certain assessment questions, submitted for review to Ujvala Consultants for validation. Validation can be further strengthened by review of policy documents into a summary assessment of DTS. Finally the system merges with a Certifiable audit by an FDPPI certified auditor.

The online link to the self assessment will be available on the payment of a prescribed fee.

The assessment goes through different steps as explained below and covers five responsibility centers in the organization namely,

1. Management (MIS 1-15)
2. DPO (MIS 16-24)
3. Legal (MIS 25-26)
4. HR (MIS 27-30)
5. IT (MIS 31-50)

General Instructions for use of the “My DTS” system

The assessment has been divided into five sections corresponding to the five different responsibility centers, so that different representatives of the company can complete the assessment in each of the sections. Each section covers the Implementation Specifications related to the specific responsibility center. The user is expected to complete the questionnaire with reference to the current practices in the organization.

The questionnaire consists of one or more questions related to each of the Model Implementation Specifications followed by a self assessment of an evaluation score for the specific implementation specification on a scale of 1-10. For each assessment, a list of documents referred may be indicated.

When these individual scores for each implementation specification are totalled, one arrives at the total score for the section.

It is envisaged that each section would be completed by a designated person.

The completion of the questionnaire can be stopped and continued as per the convenience of the responder. It can be reviewed internally before it is finally committed for submission.

The summation of the assessment scores for each of the five sections provides the first raw estimation of DTS of the organization based on self declaration.

When this assessment is submitted to Ujvala, Ujvala will apply a weightage system and compute an “Adjusted DTS” and communicate it to the organization along with some critical recommendations if any for further action. A Certificate would be issued in support of this “Self Assessment”. A general feedback on the next action required will also be provided by Ujvala along with the self assessment certificate.

Summary Assessment

Additionally, the organization may choose to elevate the self assessment into a “Summary Assessment” by Ujvala based on submission of evidentiary documents such as policy documents etc. for review.

This would be separately certified as “Provisional DTS” for the organization.

FDPPI Certification

If the Company opts to go for a full-fledged audit of their compliance under the DPCSI framework, which should meet the standards of Section 29 Data Audit, the audit will be conducted by an FDPPI accredited Certification body and may be certified by FDPPI under its norms for Certification.

Pricing

The self assessment audit with the general feedback from Ujvala about the DTS, without detailed scrutiny of the documents, is available at Rs 2950/- (includes basic price of Rs 2500/- and GST at 18% of Rs 450/-).

This will include the general feedback from Ujvala issued along with the Self Assessment Certificate.

The cost of Summary assessment by Ujvala with a review of the documents submitted would be based on the documents to be reviewed and an estimate would be provided after the basic DTS is provided.

The cost of the final Certification audit would depend on the estimate of the work involved and as per FDPPI guidelines if any.

For using the online DTS evaluation, kindly make the payment of Rs 2950/- using the following link and await the link.

Naavi

Confidentiality of Information Submitted:

Kindly note that the information submitted for assessment will be available to the team of consultants of Ujvala, which consists of Naavi and his associates, who provide their assurance for confidentiality of data through Ujvala.

Since the evaluation questionnaire is hosted on an external website and the security of data entered therein is subject to the security provided by the said website, an option is made available to the respondent organization to seek a pseudonymous ID while making the payment, which can be used on the website where the responses are completed. The responses do not contain any corporate data once the name of the organization is pseudonymized.

For any further clarification, kindly contact Naavi.

 


Chief Justice of India should restore the dignity of the Supreme Court

The Supreme Court of India will start functioning again after vacation from July 11th. Unfortunately during the vacation the reputation of the Court has been damaged almost irreversibly.

The responsibility to put it back on the rails is with the Chief Justice of India.

The judges who erred by pronouncing a judgement escaping the responsibility to record their views in a speaking judgement are now under intense public scrutiny.

The erring judges have promptly started justifying their action, calling India an immature democracy. They are now hitting out at the Social Media as the culprit and suggesting gagging of the social media. They may also invoke the powers of Contempt of Court to curb the freedom of expression selectively.

Such measures may silence criticism for the time being and push the disrespect of Supreme Court underground. But it will ensure that the reputation of the Supreme Court would be permanently damaged and the public will no longer trust the Courts at any level.

It is now in the hands of the Chief Justice of India to prevent such a catastrophe and restore the honour of the honourable court by initiating appropriate action as the Chief Justice of India may deem fit.

If the Chief Justice of India decides to condone the mistakes of his brother judges, we the people of India will get a message that we should be ready for the Shariatization of the Supreme Court.

It must be acknowledged that the action of the vacation bench of the Supreme Court has resulted in the spreading of a fear psychosis in the country since we as Citizens of India can no more trust the highest Court of the land for protection of our life. If there is no protection from the Supreme Court, it means there will be no support from other Courts or the Police. The future of India as a law abiding democracy is under threat because of the actions of the vacation bench of the Supreme Court.

I therefore personally request the Chief Justice of India to act now to protect the Country. As an elderly citizen born before the current Chief Justice of India was born, I remind him that it is his constitutional duty to protect the country and this duty towers above everything else including protecting brother judges.

Naavi

(P.S.: Followers of this blog may excuse me for this off-topic expression since there is an existential crisis for the people of India because we the people of India have lost the judicial protection enshrined in the constitution. If no remedial action is taken by the CJI, the writing on the wall is clear that it is the end of the road for all our professional activities. Since it is no longer safe to express an opinion in India and to move around, the professional activities of Naavi may need to be suspended. Naavi)

Also Read:

Legal Rights Protection Forum urges President of India to call a meeting with CJI ..opindia.com

The court can be discretionary but not whimsical: Dangerous waters, comments by Judges and legality of oral observations …opindia.com
