PDPSI was first developed for the purpose of PDPA compliance. Hence it incorporates the following six fundamental principles/requirements.
- Define Implementation Responsibility unambiguously with top management involvement
- Define the scope of implementation in terms of the laws that it needs to address
- Incorporate measurability in the form of a Data Trust Score or its equivalent
- Incorporate Privacy by Design throughout the life cycle of personal information that the organization may encounter
- Define the implementation charter signed off by the organization at the highest level
- Incorporate an appropriate certification process to meet the annual and sub-annual requirements of Data Audit as required under the Indian laws
The second fundamental requirement mentioned above is relevant for us to extend PDPSI to GDPR compliance, which we can identify as PDPSI-GDPR.
One of the suggested implementation parameters is “Classification” of personal data and tagging the personal data set with the “Applicable Data Protection Law”.
This principle means that we are not going to apply GDPR to the protection of personal data of Indian citizens in India, nor vice versa.
Each data protection law has a “Jurisdiction” and an “Objective to protect the Privacy of the citizens of that jurisdiction”. Though a law may claim “Extra Territorial Jurisdiction”, binding Data Controllers/Fiduciaries/Processors irrespective of their location, the basic objective of the law remains the protection of the citizens within the jurisdiction of the law-making body.
As a result, each personal data set has to be identified with the applicable law and protected as required therein.
In cases where an organization is a multinational body, registered in one country but operating in another, and processing the personal data of citizens of countries other than the one where it is registered, the laws may overlap if they are not properly written by the law makers or if the law makers arrogate to themselves the right to make law for a foreign country.
Indian law makers have been alert to this possibility. Coming from a country with the experience of colonial rulers who made laws such as “If an Indian King does not have an heir, the kingdom belongs to the foreign ruler”, they incorporated a specific clause to say that we are prepared to exempt the processing of the personal data of foreign citizens in India from the blind application of Indian law.
Some of the foreign data protection laws have no similar provision and therefore leave the implementing companies in doubt as to whether they should follow two laws simultaneously.
In order to provide a standard method of dealing with such situations, PDPSI suggests that Personal Data shall be classified with the “Applicable Law” as one of the parameters to be tagged.
The suggested implementation, which is a technical measure, is to tag the “Personal Data Set” with different tags as indicated below.
What this suggests is that in a formal database of personal data, a separate column is introduced to hold the above attributes. Once properly tagged, the personal data can be recalled into a specific bucket representing the compliance requirements applicable to that personal data set. Hence, if a Privacy Policy has to be displayed, a Consent form has to be obtained, a specific data subject’s right has to be identified, etc., the “Applicable Law Tag” will determine which privacy policy, consent form or right is to be made available to the specific data subject.
While the above applies to structured data, unstructured data will be converted into structured data as soon as the personal data enters the custody of one of the employees of the organization. The role of such “Data Gatekeepers” is discussed in a subsequent article, but it is mentioned here that under PDPSI no personal data set is allowed to remain in unstructured form for long; it is converted into a structured form with the relevant tags so that further compliance in the given context can be administered.
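As an added illustration (not code from the article or from the PDPSI framework), the following Python sketches the tag column, the gatekeeper intake that structures and tags incoming data, and the recall of a tagged set into its compliance bucket; the tag values, the jurisdiction rule and the bucket contents are assumptions.

```python
from dataclasses import dataclass
# Assumed tag vocabulary: the article names the laws but not the tag values.
GDPR, PDPA, CCPA, REVIEW = "GDPR", "PDPA", "CCPA", "REVIEW"
# Assumed rule: the applicable law follows the data subject's jurisdiction,
# not the controller's registered country, as the article argues.
JURISDICTION_TO_LAW = {"EU": GDPR, "IN": PDPA, "US-CA": CCPA}
# Assumed compliance buckets: the policy, consent form and an illustrative
# subset of rights that each tag selects. Document names are placeholders.
COMPLIANCE_BUCKETS = {
    GDPR: {"policy": "privacy-gdpr", "consent": "consent-gdpr",
           "rights": {"access", "rectification", "erasure", "portability"}},
    PDPA: {"policy": "privacy-pdpa", "consent": "consent-pdpa",
           "rights": {"access", "correction", "portability", "forgotten"}},
    CCPA: {"policy": "privacy-ccpa", "consent": "consent-ccpa",
           "rights": {"know", "delete", "opt-out"}},
}

@dataclass
class PersonalDataSet:
    record_id: str
    subject_jurisdiction: str
    attributes: dict
    applicable_law: str = REVIEW  # the extra tag column the article suggests

def gatekeeper_intake(record_id: str, raw: str) -> PersonalDataSet:
    """Structure and tag an unstructured 'key=value; ...' submission on intake."""
    attrs = {}
    for part in raw.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
    jurisdiction = attrs.pop("jurisdiction", "")
    # Never leave a record untagged: an unknown jurisdiction is tagged REVIEW.
    law = JURISDICTION_TO_LAW.get(jurisdiction, REVIEW)
    return PersonalDataSet(record_id, jurisdiction, attrs, law)

def recall_bucket(records, law: str) -> list:
    """Recall every data set whose tag places it in the given law's bucket."""
    return [r for r in records if r.applicable_law == law]

def requirements_for(ds: PersonalDataSet) -> dict:
    """Policy, consent form and rights to serve this data subject, chosen by tag."""
    if ds.applicable_law not in COMPLIANCE_BUCKETS:
        raise ValueError(f"{ds.record_id} is tagged {ds.applicable_law}: review it")
    return COMPLIANCE_BUCKETS[ds.applicable_law]
# Constructed sample intake lines (not real data).
SAMPLE = [("r1", "name=Anna; email=anna@example.eu; jurisdiction=EU"),
          ("r2", "name=Ravi; email=ravi@example.in; jurisdiction=IN"),
          ("r3", "name=Kim; email=kim@example.com; jurisdiction=??")]
RECORDS = [gatekeeper_intake(rid, raw) for rid, raw in SAMPLE]
```

A record whose tag is REVIEW is deliberately rejected by `requirements_for` so that no consent form or policy is served until the applicable law has been settled.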
It is understood that the above method requires the technical architecture to be tweaked, but it is one of the suggested implementation specifications and can be overridden by other methods if the organization deems fit. The efficacy of such technological controls for classification and identification of the applicable law will be a parameter that determines the DTS (Data Trust Score).
In the current context of PDPSI-GDPR, let us stop at the classification of an incoming personal data set as falling under GDPR for data protection, and not under PDPA, CCPA or any other law.
Beyond this classification step, PDPSI-GDPR will merge with the requirements of data protection as provided also under ISO 27701 or BS 10012.
A few other innovations that PDPSI framework will bring in the PDPSI-GDPR extension will be discussed in further articles.
Naavi