DGPSI (Data Governance and Protection Standard of India which is the premier framework for DPDPA Compliance in India) focusses on compliance of Data Fiduciaries who process personal data collected from India. It includes compliance requirements under DPDPA 2023, ITA 2000 and BIS standard for Data Governance.
A Data Fiduciary often conducts its business with the assistance of software suppliers. may supply products or software services.
If the service provider is providing service as exactly prescribed by the DF, then he will be a Data Processor whose obligations are only to follow instructions in the contract and the compliance obligations are borne by the DF.
In many practical instances, the service provider either does not reveal the complete details of the “Means of processing” either because he treats them as his trade secret or he is too big for the DF. Most cloud service providers fall into this category.
In such cases, the DF who determines the purpose of processing is not in control of the “Means of processing”.
Hence such data processors may have the responsibility of the Data Fiduciary (DF) under the law though we all may call them as “Data Processors”.
DGPSI addresses this issue by defining the role of the service provider as a “Joint Data Fiduciary” and makes him directly responsible for the compliance.
In many cases the service of the service provider is contracted through dotted line contracts and not through negotiated contracts. Hence the DF is forced to pick a service available on the web by simply clicking the “I accept” button for the terms of service along with the privacy policy of the service provider.
In such cases the DF is expected to at least send a proper notice to the service provider that the DF treats him as a Joint Data Fiduciary for the purpose of compliance of DPDPA 2023 and tries to get an acknowledgement.
Going further, some DFs may request the service provider to produce an assurance in the form of an audit such as ISO 13485 for medical devices or FDA CFR audit certification.
The same issue arises when an AI service is provided in the form of an algorithm or managed services.
DGPSI considers such sub systems as a “Compliance Entity” and expects them to separately be assessed for compliance of DPDPA as if that sub system is an enterprise by itself.
In such cases, the AI algorithm becomes the subject “Data Fiduciary” which is required to be compliant with the DPDPA 2023.
Hence the AI algorithm has to be evaluated on the basis of
- Who is the owner of the algorithm
- What personal data elements it collects and from where?
- Is there a Consent or other forms of established legal basis for processing?
- What is the evidence that there is a notice and consent?
- Who accesses the personal data and why at the time of processing or storage as long as it is within the control of the algorithm
- How does the “Rights of data principals fulfilled”?
- How does security of data handled and “Breach” gets recognized?
- How does other obligations like handling of cross border restrictions, minor data handling and nomination handling etc addressed by the algorithm owner?
- What does the contractual terms of use state in terms of inter-se obligations of compliance?
The Data Trust Score mechanism of DGPSI addresses an evaluation of these requirements against the parameters used for compliance and through some weightage system arrives at a score which is called the “DTS”. We have already discussed Web-DTS and AI-DTS as two concepts covering compliance of the website and an AI algorithm.
A similar system is now being applied for vendors of specific devices or services to evaluate whether during the lifecycle of the data processing that happens within the service, the obligations of DPDPA is complied with and if so how.
This evaluation can be done only if there is a specific context in which we are aware what type of data is collected and processed.
However there will be some instances where a device or a system supplier would kike to claim that “When you use our products, you can meet your regulatory obligations”. This would be like evaluating a product for “Compliance Readiness When in use”.
This compliance ready evaluation has to assume a context which is representative of the most relevant use case and makes an assessment.
“Compliance Ready-when in use” is evaluation is a DTS evaluation that represents the maturity of the product or service which addresses this issue. We may simply call them “Product-DTS” for easy reference.
When it comes to evaluation of AI algorithms, the DGPSI will draw from the EU-AI act to define the risk etc. Similarly when it comes to medical devices, DGPSI will draw from ISO 13485. With such an approach, DGPSI will remain the unified approach for compliance not only at the “Data Fiduciary” but also at the “Joint Data fiduciary” who is a contract partner of the Data Fiduciary .
Attend FDPPI training programs to discuss this further.
(Comments are welcome)
Naavi