After DPDPA 2023 has become a reality, there is a scramble to find a framework of compliance which can assist organizations in implementing a Data Governance and Protection Management System (DGPMS) which can provide “Compliance by Default and Design”.
The key compliance requirement of the Act is contained in Section 4(1) of the Act which says
A person may process the personal data of a Data Principal only in accordance with the provisions of this Act (a) for which the Data Principal has given her consent; or (b) for certain legitimate uses.
Consent or legitimate use is a necessary aspect of the obligation but not “Sufficient”. The obligations cover all the other provisions of the Act which need to be taken into account.
An organization that needs to be compliant with DPDPA 2023 cannot rely on the existing frameworks such as ISO 27001 which addresses only one aspect of compliance namely how to preserve the confidentiality, integrity and availability of personal information to those who have a need to know or ISO 27701 which extends the ISO 27001 to legal basis of processing and rights of data principals under GDPR.
While there is always a possibility of adapting ISO 27001 or ISO 27701 to compliance of DPDPA 2023, if the implementer is innovative enough, the need for India to develop its own framework to directly address DPDPA Compliance has arisen with the passing of DPDPA which is not GDPR.
If DPDPA is not GDPR, it seems not logical that we should use ISO 27701 for DPDPA Compliance.
The TINA principle (There is no alternative) is unfortunately not applicable in favour of ISO 27701 since FDPPI has been working on the alternative in anticipation of the law being passed in India. Accordingly, PDPSI or Personal Data Protection Standard of India was introduced after PDPB 2018 was released and progressively upgraded to PDPB 2019, DPA 2021 and DPDPB 2022 is now available as DGPSI or Digital Governance and Protection Standard of India.
DGPSI recognizes that compliance of DPDPA 2023 requires also compliance of ITA 2000 since there are some sections of ITA 2000 which are relevant even after DPDPA 2023 comes into existence.
For example, we can recall Section 72A of ITA 2000 which states
(72A of ITA 2000) Penalty for Disclosure of information in breach of lawful contract
Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person shall be liable to pay penalty which may extend to twenty-five lakh rupees
This section will continue to apply even after DPDPA 2023 comes into being.
Similarly there are several other sections of ITA 2000 applicable to Personal Data Breach that needs to be complied with by a Data Fiduciary as well as a Data Processor.
Hence DGPSI framework recognizes and incorporates ITA 2000 compliance requirements also to the implementation framework which ISO 27001/27701 may not consider.
As a bonus DGPSI also includes part of the Bureau of Indian Standard draft guidelines on “Adequacy of Data Governance and Data Management System” meant for data driven organization which recognizes Data as a valuable asset of a company which is recommended to be managed in a particular manner.
As a result, DGPSI has emerged as the Gold standard for a Compliance framework for DPDPA and perhaps the only standard for implementation.
The fact that it is also available for Certification makes it a TINA in the reverse. As of now there is no alternative to DGPSI as a framework for DPDPA 2023. The framework also accommodates Data Trust Score as a tool of assessment which can be expressed as a Score for good visibility to the management.
A Glimpse of what DGPSI represents can be captured in the 12 key principles that are the foundation of the framework depicted below.
At the end of this short discussion organizations need to only ask themselves ….
Why run around searching for compliance framework. Why Not DGPSI?
Naavi