FDPPI is your Privacy Companion

To All Information Security Auditors in India

Dear Friend,

Greetings and good wishes for a prosperous new year from FDPPI (Foundation of Data Protection Professionals in India).

FDPPI is  committed to the promotion of a Privacy Compliance culture in India through its various programs. “No Excuses, Just Be Compliant” is the nudge for Indian companies. 

Towards this objective, FDPPI is conducting certification programs in the area of Privacy with focus on DPDP Act 2023 (Digital Personal Data Protection Act 2023). The Certification program is available  on tap as an online program titled Certified DPO and Data Auditor (C.DPO.DA). From time to time, we also conduct  3 days in-person training program of C.DPO.DA at various centres.

For audit firms engaged in Information Security related audits such as ISO 27001, PCI DSS, etc., this Certification is a great opportunity to transform themselves into the new area of “Data Audit”.
If you are a Cert In empanelled auditor, you may remember the email dated 5^th September, 2024 from the empanelment division of CERT-In in which CERT-In had recommended the training program of C.DPO. DA. (Certified DPO and Data Auditors) conducted by FDPPI as an essential training for the auditors. Following the above circular from CERT-In, one in-person program was conducted at Bangalore for 3 days on September 27, 28 and 29. The Program was well received and Dr Ashutosh Bahuguna from CERT-In also addressed the participants during the training program.

In view of the forthcoming Rules for implementation of DPDP Act 2023, we have planned next 3 days C.DPO.DA in-person training program in Mumbai from 24^th to 26^th January, 2025.

During this program, there will be a detailed discussion on the implementation of DPDPA compliance in organizations along with how to audit and certify for compliance. The discussions will be based on the legal framework set by IT Act 2000 and DPDPA 2023 and how the FDPPI developed framework of DGPSI (Data Governance and Protection Standard of India) is going to meet the compliance.  The program will be based on case study discussions and cover all aspects of DPDPA 2023. To the extent necessary references will be made to GDPR as a data protection law and audit frameworks of ISO  so that the participants will have a well-grounded understanding of global Data Protection laws and the different audit frameworks.
We urge you to kindly depute one or more of your auditors to attend the program. At the end of the program, all participants will be provided with participation certificates and also an invitation to take an online examination. Those who pass the online examination would be eligible for a full certification of C.DPO. DA. from FDPPI.

As you may be aware, DPDP Act 2023 has mandated that all Significant Data Fiduciaries are required to conduct annual audits of their compliance from external data auditors. Also, those who intend to register as “Consent Managers”  need to undergo a mandatory audit of their platforms to be in compliance of DPDP Act 2023. Hence it is a new business opportunity for audit firms, especially those who are already accredited with CERT-In.
At present, C.DPO.DA certification is the only certification that addresses the requirements of “Data Auditor” as envisaged under the DPDP Act 2023. Participants will be provided with necessary books and materials to enable them successfully pass through the examination as part of the program.
I am enclosing a brochure for the Mumbai Program which is self-explanatory. You can also contact Sri Bondaiah Adepu, President, FDPPI Mumbai Chapter for more details. (Ph: 9004419020).
While the 3-day physical program was designed for the CERT-In empanelled auditors, it is also suitable for all Information Security auditors who want to transform to the Data Auditor status. Hence the program is not limited to CERT-In empanelled auditors. Others who are interested in becoming either a DPO or a Data Auditor are welcome to attend the same.

The registration link for the program is here:
https://fdppi.iletsolutions.com/c-dpo-da-training-2025/

If you have any problem in registering in this above link, you may make the payment through the link at www.fdppi.in also. You can also send an email to naavi with the subject line “Mumbai Training” for any clarifications.

Download Brochure

The new year resolution that FDPPI is pursuing for 2025 is to further promote the urgency for DPDPA Compliance during the year.

Towards this direction, FDPPI continues to

a) Build Awareness

b) Build Expertise

c) Provide the framework for compliance

d) Collaborate with PET developers

Currently there are lots of activities by different individuals and organizations about creating awareness of DPDPA. We welcome all these initiatives though there could be some differences of views on some aspects of the law here and there. Essentially the differences may come because other professionals may still be under the influence of the GDPR while we try to have an independent Jurisprudential view on different aspects of law. 

Whether it is the definition of what is “Personal Data” , How to identify the “Significant Data Fiduciary”, How to work on the rights of Grievance redressal and Nomination, or Data Monetization,  FDPPI may have a slightly different  view than some of the other professionals.

However, FDPPI welcomes the efforts of all community leaders in making “Data Privacy” a buzz word in the industry.

FDPPI now focusses on the next generation of work which is the enabling of implementation through the suggested DGPSI framework which can be used for implementation as well as third party audit and certification.

When a new thought like DGPSI comes to the market, there will be many who will continue to stick by the old practices…. and say “You should have done what others have done for years”. 

It is time to leave such advisors to the past and move ahead with DGPSI. The Birla Opus paint advertisement provides a similar message which describes exactly the sentiments I echo on DGPSI vs other frameworks.

DGPSI is an implementation framework that focusses on compliance of DPDPA. It has some revolutionary thoughts related to data classification, process based compliance, distributed responsibility, data monetization etc. In the past few months we are already seeing that some of the practitioners of other frameworks shifting their stand and saying this is also our view and can be implemented in the current framework as well.  I welcome such softening of the stand on DGPSI and look forward to them adopting DGPSI as a whole or incorporate its principles within the other frameworks they would like to stand by.

We intend discussing this concept of DGPSI as a framework for DPDPA compliance in depth during the three  day workshop at Mumbai on January 24, 25 and 26. 

Contact today to register yourself. This could be a turning point in the career of all ISMS auditors who would like to become a DPDPA Auditor.

Say No to dogmas  and yes to the new generation framework of DGPSI.

Naavi

FDPPI would celebrate the January 2025 as the DGPSI month. During this month we intend to cover how DPGSI as a framework covers several DPDPA compliance issues.

We welcome questions from professionals about their DPDPA compliance queries.

Naavi

FDPPI’s  previous C.DPO.DA. physical program in Bengaluru was a grand success. now it is time for the next program at Mumbai set to take place on January 24/25 and 26.

Watch out for more details:https://fdppi.iletsolutions.com/c-dpo-da-training-2025/

This program will cover the requirements of a DPO and a Data auditors in India.

The coverage includes DPDPA 2023 along with the essence of GDPR, challenges of the DPO, requirements of a data auditor, DGPSI framework of implementation, audit and assessment of DPDPA compliance with several case studies.

Registrations are now open. Join today.

Naavi

The two day event Indian Data Protection Summit 2024 came to a successful conclusion with the valedictory function where Dr Bharat Panchal of Bhima Sugam gave the valedictory address. Mr Abhishek Solanki, senior scientist from CERT-In was a gues of honour along with Mr Yashvantha Kumar of Cyber Crime Division Bangalore and Dr A Nagaratna of NLSUI.

During the two days, more than 56 speakers participated in the program including 13 from outside the country. The 8 key notes, 7 panel discussions and 4 Focus Group discussions made the conference a wholesome event. With an excellent organizational support from the KLE, and special efforts of Suresh Balepur, and Ashok Kini, managing the hospitality, the event was memorable.

The publication of the book “DGPSI-The Perfect Prescription for DPDPA compliance” during the event marked a significant development of FDPPI’s efforts to facilitate DPDPA compliance in the industry. Hopefully this would also be a significant milestone in the development of Data Protection Compliance in India.

The set of these twin books would server the purpose of providing the information on Privacy as a Fundamental right, the DPDPA as an act, the Governance aspects related to Data protection and the practitioner’s guide for implementation and audit. Though the rules are yet to be notified for DPDPA, the DGPSI booklet serves presently as a Jurisprudential exposition that tries to identify how each of the DPDPA provisions may be implemented.

A detailed report of the event will be available later and the registered delegates would also get a link to the videos to be published virtually.

In the annual flagship event of FDPPI, namely the Indian Data Protection Summit 2024 (IDPS 2024) set to be held on November 30 and December 1, 2024 at Bengaluru, FDPPI recognizes those who contribute to Privacy and Data Protection in India.

Yesterday we lost Justice K S. Puttaswamy who had contributed to the rising of the Privacy Consciousness in India leading to the passing of DPDPA 2023. FDPPI had the satisfaction of recognizing him with a title of “Privacy Pitamaha” during our 2023 AGM. Continuing our appreciation of his contribution to the Privacy eco system in India, FDPPI has decided that this year, the “Privacy Advocate of the year Award” would be “Dedicated to the memory of the Privacy Pitamaha, Late Justice Sri K.S.Puttaswamy”.

Nominations will be open upto 10th November 2024 and the nomination form would be available here https://fdppi.iletsolutions.com/idps-2024-award-nominations.

There will also be 4 other categories of awards namely “Privacy Knight”, “Privacy Squad”, Privacy Champion (Organization) and “Privacy Innovator”. Out of these, the Privacy Champion Award would be “Dedicated to the memory of Padma Vibhushan, Late Sri Ratan Tata”.

We hope that these leaders who have left this world will continue to inspire our professionals through these awards.

Justice K S Puttaswamy who was instrumental in initiating a case in Supreme Court on Aadhaar which finally ended up with the judgement leading to passing of DPDPA 2023 reportedly passed away today. He had led a very fruitful life and will be remembered for a long time for his contribution to the field of Privacy. in India.

At the time he was honoured he was 98 years old and hence he lived a full life of 99 years. FDPPI wishes to pass on our condolences to the bereaved family.

FDPPI has been working on the adoption of DPDPA Compliance by the society through multiple efforts. Apart from creating “Awareness”, FDPPI has a capacity building program with the creation of “Certified Data Protection Officers and Data Auditors” (C.DPO.DA). Additionally FDPPI has developed an indigenous framework for compliance of DPDPA through DGPSI.

However, it is still an uphill task for pushing the Indian community particularly the MSMEs to take steps for DPDPA Compliance in their operations. One obvious excuse is the lack of funds for compliance while the real reason could be a desire to make hay while the sun shines and gather as much of personal information of public as possible and exploit them. While law can punish them at the appropriate time, the objective of the Government and the society is to persuade the industry to be compliant without the need for using the penalty stick.

FDPPI therefore urges the Government of India to introduce a scheme for incentivisation of adoption of DPDPA at least for MSMEs, in a manner similar to what US Government did for promoting HIPAA adoption. (More details here).

Such a scheme would involve subsidizing the use of “Privacy Compliant Software” and more appropriately “DPDPA Compliant Software” for processing Personal data by a Data Fiduciary. Obviously the software needs to be evaluated and certified as DPDPA Compliant software.

In this direction FDPPI is extending its C.DPO.DA. to specifically train the Data Auditors to evaluate a software system for DPDPA Compliance and assign a DTS score as an indication of the level of “DGPSI Compliance”. Being “DGPSI Compliant” is a fair indication of being “DPDPA Compliance”.

We urge software developers to avail of this evaluation and the tag “Built for DGPSI Compliance” with a “DTS score” and simultaneously urge the MeitY to take steps to introduce a system of incentivisation in the form of a subsidy for use of software which is built for DPDPA Compliance.

Request MeitY to start a debate on this count and form a committee of experts to take a decision at the earliest. This can be announced along with the publication of the final rules under DPDPA.