Towards DPDPA Compliance: What is DGPSI? (2)

DGPSI stands for Digital Governance and Protection Standard of India. It is designed as a compliance framework for setting up a DGPMS, the management system built on DGPSI in the same way that an ISMS or PIMS is built on its respective standard.

Just as we refer to an ISMS in the context of ISO 27001 and a PIMS in the context of ISO 27701, a DGPMS is the system built with DGPSI for the purpose of DPDPA compliance by design.

DPDPA compliance by design includes:

a) Privacy by Design as required in India by DPDPA

b) Security by Design as required by ISO 27001 in respect of the personal information to which DPDPA is applicable.

DGPSI is therefore a combination of PIMS for DPDPA and ISO 27001 for PII under DPDPA.

DGPSI is built around 12 basic principles which form the foundation of the framework. It comes in two flavours: DGPSI-Lite, with 36 Model Implementation Specifications (MIS) for compliance with DPDPA 2023, and DGPSI-Full, with 50 Model Implementation Specifications (MIS) covering DPDPA 2023, ITA 2000 for PII and the draft BIS standard for Personal Data Governance.

MIS refers to the requirements that are suggested for implementation. DGPSI-Lite is directly related to DPDPA provisions and hence is required to be implemented by all organizations that process digital personal data to which DPDPA 2023 applies. We may refer to such data as Applicable Personal Data or APD. Not all data is APD, and not all personal data is APD either.

Flexibility in implementing the MIS under DGPSI-Full is provided by the "Deviation Justification Document", which is like a "Statement of Acceptable Exclusions" and corresponds to the Statement of Applicability and scoping in the ISO 27001 framework. The Deviation Justification Document approved by the management is treated as the "Implementation Charter" for the DPO for implementing DPDPA compliance. The deviations are treated as "Accepted and Absorbed Risks" and are also to be managed through appropriate cyber insurance covering first-party and third-party liabilities.

The implementation specifications that are part of the Implementation Charter are referred to as Adapted Implementation Specifications (AIS).

At the time of third-party audit, the auditor will evaluate the Deviation Justification Document and audit the implementation for a binary (yes/no) response on each of the implementation specifications.

For a maturity assessment, the implementation would be assessed over each of the 50 MIS, assigning different acceptable scores which are weighted and aggregated into a consolidated score. For this purpose, the lowest acceptable score is assigned to the implementation specifications that are covered by the approved deviation justification.

For the purpose of assigning the "Score" to each implementation specification, a scale will be adopted with different limits for "Policies and Procedures having been established", "Technology Controls having been established" and "Organizational Culture and Sustainability having been established".

The consolidated score of an organization's implementation is termed the "Data Trust Score" or DTS. The DTS will be assigned at every audit and reported to the management and to FDPPI as the audit certification agency. The company is free to publish its DTS at its discretion.
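To make the two audit outcomes described above concrete, the following is an added illustration (not FDPPI's scoring method and not part of the original article): a binary certification check over the Adapted Implementation Specifications, and a weighted maturity score in which deviation-justified MIS receive the lowest acceptable score and each MIS is scored across the three dimensions with different limits. Every weight, scale limit, MIS identifier and score below is an assumption constructed for the example; DGPSI itself defines the real scale and weights.

```python
"""Toy model of the DGPSI audit outcomes: binary certification and a
weighted Data Trust Score (DTS). All numbers here are assumptions."""
from dataclasses import dataclass, field

# Assumed per-dimension limits. The article says the three dimensions have
# "different limits" but does not state them; these values are made up.
SCALE_LIMITS = {
    "policies_procedures": 3,
    "technology_controls": 4,
    "culture_sustainability": 3,
}
MAX_PER_MIS = sum(SCALE_LIMITS.values())  # 10 under the assumed limits
LOWEST_ACCEPTABLE = 1  # assumed floor score for a deviation-justified MIS


@dataclass
class MisAssessment:
    mis_id: str                 # constructed identifier, not a real DGPSI MIS number
    weight: float               # assumed relative weight of this MIS
    implemented: bool           # binary audit finding (yes/no)
    scores: dict = field(default_factory=dict)  # raw score per dimension


def certification_audit(assessments, deviations):
    """Binary audit: every MIS outside the approved Deviation Justification
    Document (i.e. every AIS) must be found implemented.
    Returns (passed, list of failing MIS ids)."""
    failing = [a.mis_id for a in assessments
               if a.mis_id not in deviations and not a.implemented]
    return (not failing, failing)


def mis_score(assessment, deviations):
    """Maturity score for one MIS: deviation-justified items get the floor
    score; otherwise each dimension's raw score is clamped to its limit and
    the three are summed."""
    if assessment.mis_id in deviations:
        return LOWEST_ACCEPTABLE
    total = 0
    for dim, limit in SCALE_LIMITS.items():
        raw = assessment.scores.get(dim, 0)
        total += min(max(raw, 0), limit)
    return total


def data_trust_score(assessments, deviations):
    """Weighted aggregate of MIS scores, normalised to 0..100."""
    weighted = sum(a.weight * mis_score(a, deviations) for a in assessments)
    max_weighted = sum(a.weight * MAX_PER_MIS for a in assessments)
    return round(100 * weighted / max_weighted, 1)


# Constructed sample: four MIS, one of them covered by the approved
# Deviation Justification Document.
DEVIATIONS = {"MIS-03"}
SAMPLE = [
    MisAssessment("MIS-01", 2.0, True,
                  {"policies_procedures": 3, "technology_controls": 4,
                   "culture_sustainability": 2}),
    MisAssessment("MIS-02", 1.0, True,
                  {"policies_procedures": 2, "technology_controls": 5,  # exceeds limit, clamped to 4
                   "culture_sustainability": 1}),
    MisAssessment("MIS-03", 1.0, False),        # deviated: floor score, not a certification failure
    MisAssessment("MIS-04", 1.0, False,
                  {"policies_procedures": 1}),  # not deviated and not implemented: fails certification
]

if __name__ == "__main__":
    passed, failing = certification_audit(SAMPLE, DEVIATIONS)
    print("certification passed:", passed, "failing:", failing)
    print("DTS:", data_trust_score(SAMPLE, DEVIATIONS))
```

Running the sample shows the distinction the article draws: MIS-04 fails the binary certification audit because it is neither implemented nor covered by an approved deviation, while MIS-03, which is covered, is excluded from the pass/fail check and simply pulls the DTS down by carrying the floor score.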

DGPSI therefore provides three functionalities, namely:

  1. Implementation Assistance
  2. Third party certifiable audit
  3. Assessment of maturity of implementation

The objective of this series of articles is to increase awareness of DGPSI in the community. FDPPI would like to create a set of professionals, DGPSI Ambassadors, who appreciate the nuances of DGPSI with reference to any other framework.

FDPPI is willing to fine-tune the framework as required. The detailed implementation guidelines will be the responsibility of the auditors; the framework will only define the broad level of requirement for implementation. This preserves scope for auditors to add their own value to the final implementation and certification, and for the customization required. For example, a privacy notice under DPDPA developed for a bank will be different from one developed for a hospital. This sort of customization cannot be built into the standards document and is left to the discretion of the auditor or implementation consultant.

At present, implementation consultancy as well as audit are considered part of a common skill set, and until necessary, C.DPO.DA. will continue to be the certification for both implementation expertise and audit expertise. This may change in future, and the two may be segregated into separate certifications such as "Lead Implementor" and "Lead Assessor".

Questions, if any, are welcome as we now go into clarificatory mode for a few days.

Once this introduction is absorbed by the community, we shall go into specifics of the DGPSI Principles and MIS in subsequent articles.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.