One of our visitors asked me why FDPPI is terming its flagship certification program as C.DPO.DA. (Certified Data Protection Officer and Data Auditor) while all others are only conducting a C.DPO. (Certified Data Protection Officer) program. The person also asked whether this is another indication of “What Naavi thinks today, others will think a few years later” and a bit ahead of the times. I understand the honest intention of the gentleman but I think I owe an explanation to this comment.
It is true that in the Cyber Law domain, many of my thoughts took years for others to accept and adopt. The concept of CEAC and Section 65B (IEA) Certification was one such which was initiated by me in 2000, presented in a Court in 2004 but it was only in 2012 that Supreme Court recognized the principles of Section 65B certification.
In the Data Protection domain, others are catching up fast and it is expected that others will catch up much faster. Today if Naavi and FDPPI are thinking of C.DPO.DA. as the skill to be developed and certified and DGPSI as the frame of reference for DPDPA compliance to be adopted, DTS as the assessment framework for compliance status of DPDPA, it is expected that others will soon accept and adopt.
We feel that DPO has the responsibility to implement DPDPA compliance within his organization while Data Auditor is the external auditor who has to verify compliance and certify if required.
It is true that the DPDPA 2023 as an act has been passed but it is yet to be notified with rules. Everyone including the Minister responsible believes that draft rules will be released in the next 15 days. On October 14 Delhi High Court is preparing to hear the petition of WhatsApp and Meta challenging the Intermediary Guidelines of ITA 2000. The same companies may be now preparing for challenging the DPDPA Rules and the Act itself in some manner stating that it is unconstitutional.
But Naavi or FDPPI ignores such hurdles placed by “Andolan Jeevies” and proceeds with an assumption that MeitY will be mighty enough to roll out the implementation of DPDPA 2023 notwithstanding the lobbying by the MNCs.
We therefore expect that the DPDPA compliance requirement will become a reality in 2024 and DPOs will be in action. Data Audit may come in the year 2025 but no skill gets developed overnight. Naavi/FDPPI therefore expects that the need to train oneself in the Data Audit requirements will be concurrent with the need to develop DPO skills.
Let those who relish procrastination, and who think that DPDPA 2023 will not be notified in the near future, that the date of implementation will not be in our lifetime and that the Data Auditor concept is unlikely to be implemented by the MeitY, continue to wait.
Let those who think that their GDPR related certifications by international organizations are good enough for DPDPA, continue to think so.
But Naavi and FDPPI will look at the future with the optimism that DPDPA notification is round the corner and there will be a mad rush for compliance thereafter. It would be a good time for suboptimal automated tools to flood the market but the real fun begins when a good DPB Chairman takes charge. Andolan Jeevies need somebody who is happy occupying the position and bides his time for somebody somewhere to lodge a complaint before DPB starts an Inquiry.
It could be a nightmare for the industry if we have an active DPB with a T.N. Seshan kind of Chairman in place. Those who follow the futuristic principles of FDPPI will laugh at that time.
The biggest challenge we see is that in the journey towards being a Data Auditor, the current set of auditors trained and developed on other frameworks will find it difficult to adapt to the requirements of Data Audit under DPDPA. They will still think ISO 27001 is the framework to be used because the 2022 version claims to include “Privacy” and ISO 27701 is more than adequate to meet the DPDPA requirement. Only time will tell if it is correct. We do not think so.
But to unlearn the past and re-learn for the future is a tough task which only the wise auditors will be able to understand.
Some of them will be there in the FDPPI Certification program on September 27, 28 and 29, exclusively designed for CERT-In Auditors but good enough for others who want to be expert DPOs.
Look for details and register before it is too late.