The New Compliance Framework for Data Protection in India: Personal Data Protection Standard of India_v2023

Naavi and FDPPI are in the forefront of advocating “Compliance by design” as a commitment to creating a Privacy and Data Protection eco system in India.  The logic is that it is the responsibility of the Government to define what compliance measures are required for the purpose of protecting Privacy and Data Security and the industry should focus on putting together Technical and Organizational measures to meet the compliance requirements.

In any Techno legal compliance including the compliance of data protection law, there will be need for several interpretations of the provisions of the law. However it is considered that the Companies who are the subjects of compliance and who are Data Fiduciaries under the law are not the best legal minds to interpret the basic concepts of law such as what is Privacy and it should be left to the Courts and the Legislature to define the legal aspects of compliance so that need for their interpretation at the user level is low.

Hence instead of “Privacy by Default” or “Privacy by Design” we  prefer to focus on “Compliance by Default” and “Compliance by Design”.

“Compliance by Design” in the context of Digital personal Data Protection Bill/Act has the objective of creating a Personal Data Protection Compliance Management System (PDPCSI) . This requires compliance of Chapter II of the new DPDPB 2022 which inter-alia extends to the entire Act. Some of the specific requirements which are recognized as “Obligations” of a Data Fiduciary is recorded under Section 9 of the Act.

The PDPCSI of FDPPI is designed to meet these requirements and proceed further to make an estimate of the maturity of implementation in the form of Data Trust Score (DTS).

PDPSI is built on 12 basic principles as “Standards” and  50 “Model Implementation Specification” (MIS) which covers all aspects of Privacy Governance and Personal Data Security. In order to achieve the targets of Privacy Governance, the Data Fiduciary needs to have  appropriate measures in place to obtain consent, provide appropriate notice, recognize the exemptions available, deemed consent provisions that can be used, identify special provisions related to minor, data transfer to a processor etc.  Additionally it addresses the  need to preserve the confidentiality, integrity and availability of personal information.

PDPSI tries to provide guidance on some basic preparatory requirements such as “Classifying data”, “Recognizing the value of Data”, ” Drawing up an inventory of data, processes and people”, “Conducting a Risk Assessment” etc. Additionally some specific policies such as the “Augmented Whistle Blower Policy”, “Contract Management Policy”, “Pseudonymization Policy”, “Remote Working Policy” etc are suggested as part of the framework.

Overall, PDPSI framework is designed to be inclusive of all best practices under ISO 27701 or IS 17428 or what is normally considered as GDPR compliance.

The DPO practioner’s Certification program conducted by FDPPI is geared towards imparting knowledge and skills to be able to implement, maintain and audit the Personal Data Compliance Management System (PDCMS) just as a IS professional is trained to implement an ISMS system or a Data Privacy professional under GDPR context is trained to implement a PIMS system.

FDPPI has recently launched a program for enrolling Data Protection Consultants into a Federation of Data Protection Consultants (See details in www.fdpc.in) . In the same website, intending Companies who want to avail the services of consultants who can help in the implementation of Data Protection Systems can send their requests. The enrolled consultants may use PDPSI framework if they are FDPPI certified auditors. Otherwise they may use other frameworks in which they have  the necessary expertise.

FDPPI Certified auditors can not only assist in setting up and implementing the DPCMS, but also initiate (Different auditors who have not been involved in the implementation) “Certifiable Audit”. These Certifiable audits will be Certified by FDPPI under a process and only accredited auditors for this purpose can conduct and submit such audits to FDPPI for approval.

Presently around 27 professionals have been fully certified for DPO status based on the earlier version of PDPB 2019. FDPPI will be updating them to the new DPDPB2022 before renewing their Certifications.

The upgradation is part of the periodical requirement for the DPOs Certified by FDPPI so that industry will get the services from professionals who are upto date with the requirements.

We invite both experienced and aspiring professionals to consider registering with FDPPI for new Certification and FDPC for providing their consultancy services.

For clarifications if any contact fdppi@fdppi.in or Naavi.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.