DPA 2021-compliance View

Madras Management Association and FDPPI successfully conducted a one-day symposium on DPA 2021-Compliance View at Chennai, on 23rd April 2021, at the MMA auditorium.

A large contingent of participants from ISACA and CySi, which partnered the event, made it a success.

Following are some photographs of the event.

The event started with a welcome address from Captain Vijaykumar of MMA and an inaugural address by Mr Ravichandran, IRS, Commissioner of Income Tax, followed by an overview of DPA 2021 by Naavi.

Subsequently there were four panel discussions: one on legal aspects, one on technology aspects, one on professional opportunities and another on compliance frameworks.

Naavi anchored the entire day’s deliberations, while experts from the industry such as Rohan K George, Geetha Jayaraman (Capgemini), Rupak Nagarajan (KPMG), R Vittal Raj, Dr Mahesh Kalyanaraman from HP and others participated. From FDPPI, apart from Naavi, Directors Mr Ramesh Venkataraman and Nagendra Javagal, and members such as Govind Srinivasan, also participated in the discussions.

The proceedings of the symposium are expected to be available on the MMA YouTube channel for now. They may also appear on the FDPPI YouTube channel shortly.

The event was part of the National Movement for DPA 2021 awareness that FDPPI has charted out. Hopefully, with the availability of partners in other parts of the country, similar events can be repeated.

Naavi

Video Links

1. Inaugural Session
2. Legal Aspects of DPA 2021
3. Technology Aspects of DPA 2021
4. Career opportunities from DPA 2021
5. Audit perspective of DPA 2021


Join us at the symposium in Chennai on April 23rd…

Madras Management Association (MMA) and FDPPI are organizing a symposium on DPA 2021-Compliance View. ISACA, IACC and CySi are partnering the program and offering special privileges to their members to attend the event.

If you can be in Chennai next weekend, make the MMA Auditorium your destination.

Naavi


National Privacy and Data Protection Compliance Movement

India is planning to pass a law on Privacy and Data Protection; the Bill, titled Data Protection Act 2021 (DPA 2021), is pending in Parliament. The Bill originated in 2018 following the Srikrishna Committee report and was later modified as the Personal Data Protection Bill 2019 (PDPB 2019); a Joint Parliamentary Committee (JPC) has deliberated on the bill for more than two years, held consultations with many stakeholders and has now revised PDPB 2019. The revised version, now referred to as DPA 2021, is ready for final debate in Parliament and passage into law.

Like all laws that have a significant impact on society, DPA 2021 has also been facing opposition from a section of the industry. As a result, the mainstream industry has been presented with a skewed view of the proposed law, creating uncertainty in the minds of industry professionals about whether the law will be passed and whether it is desirable. This has resulted in many organizations delaying the implementation of their compliance programs.

We need to realize that DPA 2021 is a continuation and expansion of the currently applicable law, namely the Information Technology Act 2000 (ITA 2000), and forms part of the “Due Diligence” under Section 43A of the ITA 2000. Several Courts have taken cognizance of the Bill and incorporated its provisions in their decisions. Prudent companies therefore consider that the time for compliance has already come, and that the time up to the actual passage of the Bill, plus any further implementation time it may provide, is a cushion against being held liable for the penalties the Act envisages for non-compliance.

FDPPI (Foundation of Data Protection Professionals in India) is an organization dedicated to the cause of “Data Protection” in India and to building a Data Protection Compliance ecosystem in India. Since 2018 FDPPI has been engaged in outreach programs to build awareness of Privacy and Data Protection concepts, and also in developing professionals who are certified in the relevant skills to provide consultancy to organisations and conduct audits of “Data Protection Compliance Management Systems”. FDPPI is today the apex organization in India dedicated to establishing a Data Protection compliant environment in India.

During the pandemic, FDPPI conducted nearly 100 online events on Data Protection regulations and related issues, which have already created wide awareness of the forthcoming laws.

As a part of the activities in the post-pandemic scenario, FDPPI is now conducting a series of physical programs in different parts of the country in association with multiple organizations to spread the awareness of the regulation from the compliance perspective.

In this series, FDPPI conducted one program in Bangalore in association with the Indo American Chamber of Commerce (IACC) on 4th March 2022. On April 23rd 2022, FDPPI is conducting a program in Chennai in association with Madras Management Association, ISACA Chennai Chapter, Cyber Society of India and IACC.

During these programs, we discuss the compliance measures that the industry is required to follow, steering clear of the controversies. The discussions cover an overview of the law as presented in DPA 2021, the technology and business challenges that the law presents, the professional opportunities created for Data Protection Officers and Data Auditors, and the compliance framework exclusively designed for compliance with the law.

FDPPI has developed a compliance framework called “Data Protection Compliance Management Standard of India (DPCMS)”, which is focused on compliance with DPA 2021 while incorporating the best principles of other international frameworks. This is an indigenous approach designed to be a Unified Framework for Indian companies to be compliant with all Personal Data Protection laws, and it includes some aspects of non-personal data protection compliance, which is part of DPA 2021.

The framework includes innovative and globally unique concepts such as “Data Valuation”, “Distributed Implementation Responsibility”, “Generation of Data Trust Score” etc. It is flexible enough to be customized and adopted by different industry segments.

Recognizing the difficulties that arise when one law applies equally to all industries and entities of all sizes, FDPPI is now in the process of developing different “Sector Specific Compliance Codes of Practice” which meet the requirements of law under Section 50 of DPA 2021. The Data Protection Authority of India (when operative) can approve such codes of practice after due consideration of whether they meet the requirements of the law. This should substantially ease compliance and encourage increased voluntary compliance in the industry. FDPPI has a vision to create tailor-made compliance frameworks for different industry segments with the participation of industry representatives. This is a “First in the World” approach to the customization of data protection law compliance for different sectors and would help in reducing the pain of compliance.

FDPPI, however, is a Not-for-Profit organization and its bandwidth to conduct outreach programs in different locations depends on partner organizations. Presently we are working with organizations like IACC and ISACA which have a presence in multiple locations. However, we are looking for other suitable partners who are interested in associating with FDPPI for this “National Data Protection Compliance Movement”, where we disseminate knowledge, motivate companies to start compliance initiatives and develop sector-specific codes of practice.

Come, let us together bring about a Data Protection Revolution in the country.


Seminar on DPA 2021-Compliance Perspective

FDPPI in association with Madras Management Association and other partner organizations will be conducting an offline seminar in Chennai on April 23, 2022.

The theme of the seminar is “DPA 2021-Compliance perspective”.

There is a campaign in the media that the JPC-modified version of PDPB 2019 needs to be re-drafted.

The first set of objections was centred around

“Government has too much power under Section 35 of the Act”.

The second was on the “Restrictions on Data Transfer” under Sections 33/34 of the Act.

Now a third set of objections, centring around “Difficulties to Start Ups” and “Compliance Cost”, has been raised.

The net objective of all these objections is to lobby the Government so that the current weak set of laws continues and Tech Companies like Twitter, Meta and Google can continue their data exploits in India without accountability.

FDPPI, however, believes that compliance with the data protection regulation is in the interest of the community, and even if there is some disruption in the operations of data user organizations, that is not a reason to defer the law indefinitely.

In order not to let the industry slip into complacency, thinking that the data protection law will not be introduced in India, FDPPI would like to present the “Compliance Perspective” so that responsible companies start working towards compliance without being under too much stress.

On April 23rd, over a day-long seminar in Chennai, FDPPI along with its partner organizations will discuss DPA 2021 from the perspective of companies who would like to work towards compliance.

Watch out for more details.

Naavi


Next Certification Program from FDPPI-Cyber Law College

Cyber Law College as training partner of FDPPI is conducting the next program on Data Protection Laws in India for FDPPI Certification, tentatively starting from April 30th. Details are as follows:

  1. The program leads to the FDPPI certification “Certified Data Protection Professional-Module I” and is part of the larger “Certified Data Protection Compliance Management System Auditor/Consultant” (CDPCMS Auditor/Consultant) program, which includes two other modules, namely a module on Global Laws (Module G) and another on Audit (Module A).
  2. The program is based on the new JPC-approved version of the Data Protection Bill. It will be conducted online on the Zoom platform.
  3. Appropriate reading material will be provided during the course.
  4. At the end of the course an online multiple-choice examination of 90 minutes will be available. Those who are successful will receive the certification “Certified Data Protection Professional-Module I”.
  5. The course content will be as follows:
    1. Evolution of Privacy Laws in India
    2. Applicability
    3. Obligations of a Data Fiduciary
    4. Rights of Data Principal
    5. Exemptions
    6. Restrictions on Data Transfer outside India
    7. Penalties and Offences
    8. Data Protection Authority
    9. Adjudication and Cyber Appellate Tribunal
    10. Data Audit
    11. Data Protection Compliance Management System (DPCMS) and Data Protection Compliance Standard of India (DPCSI)
  6. The fee for the course is Rs 12,000/- plus GST of Rs 2160/-. Total Rs 14160/-.
  7. Those who attended the FDPPI-IACC seminar on April 4th are entitled to a discount of Rs 2000/-, and the fee payable by them would be Rs 10,000/- plus Rs 1800/- (GST). Total Rs 11800/-. (An email has already been sent to all the registered participants of that program.)
  8. Registrants will also be provided a complimentary “Basic Membership” of FDPPI, which otherwise costs Rs 4000/-.
  9. For further clarifications, if any, contact Naavi.

Registration can be done here.

Naavi


Implications of the Upcoming Data Protection Bill 2021: The Compliance Perspective

You can register either at IACC or FDPPI.

IACC registration for physical event

FDPPI registration for webinar: 

Registrants who attend the webinar will receive further benefits of value from FDPPI


Data Protection Journal of India-5th Issue released

The Data Protection Journal of India was launched on Data Privacy Day 2021 to disseminate knowledge on Data Protection from time to time. So far four quarterly issues were released during the year 2021, and the first issue of 2022 has now been released.

The issue is available on the web at www.dpji.in.

The current issue covers the new version of the Data Protection Act as presented by the JPC in the Parliament and discusses the changes.

For the first time the issue also embeds a video presentation, making it a hybrid journal.

Naavi


FDPPI celebrates International Data Privacy Day 2022


FDPPI to introduce a continuing Professional Education (CPE) program

The year 2022 is unfolding before us and I wish all of you a happy new year.

The year 2022 is more likely than ever before to see the passing of the Indian Data Protection Act.

Since September 2018, when FDPPI was formed, we have been preparing professionals in India to be aware of the Indian data protection scenario through our continuous educational activities.

In the process we have conducted training programs leading to “Certification”, webinars in the form of the “Indian Data Protection Summit” and “Jnaana Vardhini” events.

We have also developed a base framework for compliance for the industry.

The time has now come to upgrade all our efforts to a higher level as the country prepares itself for the full-fledged Privacy and Data Protection era.

In this direction FDPPI will be introducing an FDPPI “Continuing Professional Education Program” (FDPPI-CPE Program), similar to those of other professional organizations.

The FDPPI-CPE program is aimed not only at ensuring that our professionals will be better placed to meet the challenges they may encounter in the domain of Privacy and Data Protection in the real world, but also at ensuring that the industry respects our professionals more than ever before.

It is desired that an FDPPI Certified professional should command respect as a well-informed and updated professional in the eyes of the industry, and the FDPPI-CPE program has to enable that.

Please watch out for the details of the program that would be shared here in a couple of days.

We may start the program with some simple provisions and introduce more features in the coming days.

Naavi


Plain Text : Encrypted Text with destroyed decryption key :: Personal Data : Anonymised Personal Data

If we follow the discussions around DPA 2021, it appears that there is confusion regarding the term “Anonymization” and its effect on Personal Data. It is strange that after so much discussion on the GDPR and the Data Protection laws, we come back to the basics of what is “Personal Data”.

Personal Data is data which either directly or indirectly can identify a living natural person. This means that a set of characters such as “Chandrashekar” is an element that can identify a living natural person. But the string of data “Chandrashekar” alone is not tied to any one living individual, since there could be several persons with that name. Further, whether it is a name or not is itself a function of the knowledge of the recipient of the data. An Indian would recognize it as a name.

Would a person from interior Africa recognize it even if he is aware of the English alphabet? Or would a person in China who does not know the English alphabet recognize it as a name?

If not, why should we consider “Chandrashekar” as “Personal data”? Is it not just a stream of binaries which one software renders as the English text “Chandrashekar”? In another rendition it may look different and may not appear to be a name.

The fundamental principle this suggests is that “Data” is neither personal nor non-personal per se. In a context it may be perceived as “Personal” by some and not by others. (Please refer to Naavi’s Theory of Data for a more detailed discussion.)

Can any data that can be perceived as “Personal” by somebody in the world be considered as “Personal Data” by all under law? … Certainly not.

Hence just because we sit in India and get a feeling that “Chandrashekar” is the name of a person does not mean that “Chandrashekar” should be considered as “Personal Data”.

Another example: what does a string called “Bhajji” or “Submarine” represent? Is it the name of a dish in South India or the name of a naval contraption?

For a cricket follower in India, Bhajji may be the nickname of Harbhajan Singh and Submarine may be the nickname of Mr Subramanyam (former test cricketer from Mysore).

Hence “Chandrashekar” by itself should not be considered as “Personal Information” any more than Bhajji or Submarine. This is part of the “Theory of Data”, and the hypothesis is that “Data is in the beholder’s eyes”.

Recently, a German Court, in an order related to GDPR, held that an IP address is “Personal Data” and that if any American company is touching the IP address then it would be considered a disclosure of personal data to a US entity, which is not permitted by the cross-border data transfer restrictions under GDPR. (See this article.)

In this instance, the IP address is related to an action by an individual (such as visiting a website). But if the data is merely the “IP address”, it is not sufficient to identify a living natural individual. Hence it should not be treated as “Personal Information” but be classified as “Non Personal Information”. However, if the recipient of the data (the IP address) possesses more information, because the visiting person is a member of some service and his full particulars are available with the same person who is looking at the IP address, then the profile of the visiting person is identifiable.

This is to be considered as Privacy Jurisprudence .

In India, even the JPC members seem to have an unresolved doubt about what “Anonymised Data” is and how it relates to “Personal Data”.

Personal data by definition contains elements that lead to an identifiable individual. Identity parameters such as the name, PAN number, e-mail address, IP address, cookie information etc. in combination are what render a piece of information “Personal Information”, to which the data protection law becomes applicable.

In comparison, there is data such as the weather, the environment etc. which is understood by everybody as “Non Personal Data”. Then there is information about a “Company”, which is not a “Living Natural Person”, which is also easy to identify as “Non Personal Data”. However, there could be doubt about personal-looking data of a non-living natural person. In this case there is no doubt that the information may be considered “Personal information”, but there is no need to provide “Privacy Protection through data protection for the deceased individual”. Hence the compliance requirements of a data protection law may not apply to the personal data of a “deceased data principal”. In the context of compliance, therefore, the organization can classify the personal data of a deceased individual differently from personal data for which the obligations and rights become applicable.

Yet another category of personal data that creates a problem is the “Anonymized Data” where the identity parameters of the individual contained in a personal data set are removed and irrevocably destroyed so that even the person who created the anonymized data from an identifiable data cannot re-identify the data.

Some people consider that “Anonymization” is reversible and hence anonymised data should also be considered “Protected Personal Data”. But if the law places a standard for anonymization which requires that the identity parameters separated from the identified information are forensically destroyed, then there is no way of reversing the process of anonymization.

In the case of “Encryption” there is a “Key” with which the encrypted data can be decrypted. This is similar to the process of “De-identification” or “Pseudonymisation”, wherein identifiable data is rendered unidentifiable through a process of removal of identity parameters and/or substitution with proxy parameters. The person who has the “Key” to de-identification or pseudonymization can re-identify the data. Hence these processes are reversible.

If, however, we have very strong encryption and the holder of the encrypted data does not have the decryption key, then such data is considered “Confidential” even though it is in the hands of an unauthorized person. Data breach notification requirements under the HIPAA/HITECH Act do not consider such a data breach as a breach of PHI. If, however, the encrypted data is lost along with the key stored in the same data store, the breach is recognized.

In the case of anonymization, the anonymization process is known to the anonymizer. However, just as an encrypting person deliberately throws away the decryption key, the anonymiser forensically deletes the anonymization key so that de-anonymisation is theoretically not possible if the proper standard has been followed.

Hence it is correct to consider that “Anonymised Personal Data” is not “Personal Data”. This was the status in PDPB 2019. However, in PDPB 2021, the JPC has been sufficiently confused by some experts who have held the view that, just as a data encryptor holding the decryption key can decrypt the encrypted data, an anonymiser of data can de-anonymise it as a matter of routine. This is an incorrect perception of the process of anonymization, which inherently includes the forensic deletion of all the identity parameters.

Some experts claim that Data Analysts can apply sophisticated algorithms and read meanings in to Big data which enable them to de-anonymise. This is a false premise since if the anonymisation process is as per a proper standard, the de-anonymiser can only make a guess like creating a “Profile” out of data which is just a “View” and not “Fact”.

Beyond this, if somebody can decrypt encrypted data without a key by use of a brute force attack or social engineering, it is called a “Crime” and not a problem of the encryption system. Similarly, if anonymised data can be de-anonymised to a reliable extent by use of some technology, then it would mean that the standard of anonymisation was not good enough, or that the de-anonymiser was a criminal who, with persistent hacking of the data, was able to extract personalized information out of the anonymised information. Such acts should be considered a crime, and PDPB 2019/2021 does consider them punishable crimes with 3 years imprisonment.

If we are not confident of our Data Protection Authority’s capability to set a proper anonymisation standard which cannot be broken with a reasonable level of sophistication of attack, then the user of an unreasonable level of sophistication to break an anonymisation should be considered a “Motivated Criminal”, and the punishment should be raised from 3 years to at least 10 years or more to bring in sufficient deterrence.

Unfortunately, without understanding this aspect, PDPB 2021 tries to include “Anonymised Data” as part of the regulations and creates an overlap between ITA 2000 and DPA 2021.

Technically there is no difficulty in segregating data as “Personal” and “Non Personal” using “Anonymisation” as the separator. Just as strongly encrypted data whose key has been destroyed cannot be recovered, properly anonymised data cannot be de-anonymised.
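The distinction drawn above between pseudonymisation (reversible while the key is held), anonymisation (key forensically destroyed) and the HIPAA-style "was the key lost with the data?" breach test can be made concrete in code. The following is an added illustration, not code from the post or from FDPPI; the records, field names and the HMAC-based tokenisation are all assumptions chosen for the example.

```python
"""Added illustration of the post's analogy: pseudonymisation is reversible
while the key is retained; anonymisation destroys the key so that nobody,
not even the anonymiser, can re-identify. All data below is constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

Record = Dict[str, str]

# Constructed sample records (no real persons). name/email/ip are direct
# identifiers; city/item are ordinary attributes retained after anonymisation.
SAMPLE_RECORDS: List[Record] = [
    {"name": "Chandrashekar", "email": "cs@example.invalid",
     "ip": "203.0.113.7", "city": "Chennai", "item": "book"},
    {"name": "Bhajji", "email": "bh@example.invalid",
     "ip": "198.51.100.23", "city": "Mysore", "item": "bat"},
]
DIRECT_IDENTIFIERS = ("name", "email", "ip")


def tokenise(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated to 16 hex chars). The same
    value under the same key gives the same token; the token alone does not
    reveal the value."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: List[Record], key: bytes) -> Tuple[List[Record], Dict[str, str]]:
    """Replace direct identifiers with tokens. Returns the pseudonymised
    records and the re-identification table (token -> original value). The
    table plus the key plays the role of the decryption key in the analogy."""
    table: Dict[str, str] = {}
    out: List[Record] = []
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            token = tokenise(rec[field], key)
            table[token] = rec[field]
            new[field] = token
        out.append(new)
    return out, table


def reidentify(pseudo_records: List[Record], table: Dict[str, str]) -> List[Record]:
    """Reverse pseudonymisation: works only while the table still exists."""
    return [{f: table.get(v, v) for f, v in rec.items()} for rec in pseudo_records]


def can_reidentify(records: List[Record], table: Dict[str, str]) -> bool:
    """True if any identifier token in the records can be looked up in the table."""
    return any(rec[f] in table for rec in records for f in DIRECT_IDENTIFIERS)


def anonymise(records: List[Record]) -> List[Record]:
    """Pseudonymise under a fresh random key, then forensically discard both
    the key and the table. Only the identifier-free records are returned, so
    the anonymiser itself is left with no way back to the identities."""
    key = bytearray(secrets.token_bytes(32))
    pseudo, table = pseudonymise(records, bytes(key))
    table.clear()                  # re-identification table destroyed
    for i in range(len(key)):      # key material overwritten, not just dropped
        key[i] = 0
    return pseudo


def breach_exposes_identities(leaked: dict) -> bool:
    """The HIPAA/HITECH-style test the post describes: a leaked pseudonymised
    dataset exposes identities only if the key/table leaked alongside it."""
    table = leaked.get("table") or {}
    return can_reidentify(leaked["records"], table)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    pseudo, table = pseudonymise(SAMPLE_RECORDS, key)
    print("pseudonymised name:", pseudo[0]["name"],
          "| reversible with key:", reidentify(pseudo, table) == SAMPLE_RECORDS)
    anon = anonymise(SAMPLE_RECORDS)
    print("anonymised name:", anon[0]["name"],
          "| reversible with old table:", can_reidentify(anon, table))
    print("breach without key:", breach_exposes_identities({"records": pseudo}))
    print("breach with key:", breach_exposes_identities({"records": pseudo, "table": table}))
```

Note that the example only treats the direct identifiers (name, e-mail, IP address). The attributes left in the records (city, item) are the kind of context the post discusses for the IP-address case: on their own they identify nobody, but whether they can be combined with other holdings is exactly what an anonymisation standard has to specify, and a compliance review should check that the chosen standard covers such residual fields and that the key and table are never written to the same store as the data.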

I wish the JPC would give serious thought to correcting this situation when the Bill is taken up in Parliament for discussion, provided there is no ego issue in making changes.

Naavi
