FDPPI is your Privacy Companion

5^th September 2021

PRESS RELEASE

FDPPI Proposes a New Data Privacy Compliance Framework

Foundation of Data Protection Professionals in India (FDPPI) is organizing a free webinar on 19^th September 2021, to build awareness on a unique Data Protection Compliance framework that can help the data processing industry in India to meet the Data Privacy obligations under the current Data Protection regulations applicable to Indian establishments.

The framework called “Personal Data Protection Standard of India” (PDPSI) is a unified framework that can assist a company to be compliant with the data protection requirements under Information Technology Act 2000, the proposed Personal Data Protection Bill 2019 (PDPB 2019) as well as GDPR and other international data protection regulations that may be applicable to Indian establishments.

PDPSI is a revolutionary concept “Made in India for the World” and incorporates several innovative futuristic ideas such as computation of “Data Trust Score” (DTS) and incorporating Data Valuation System in corporate Governance.

FDPPI has already developed a team of trained Auditors and Consultants and also created a group of Certification bodies which can undertake Consultancy and Audit based on the PDPSI framework and certify them for the Management.

When the PDPB 2019 is passed, the Government of India will set up a Data Protection Authority which will introduce codes of practice for industries to follow. PDPSI is an advance proactive initiative from the industry professionals to develop a system of compliance in tune with the global standards and flexible enough to meet the emerging requirements of PDPB 2019 when passed.

The webinar will be conducted by Naavi, the veteran Data Protection and Governance consultant, founder of www.naavi.org and Founder Chairman of FDPPI . During the webinar, Naavi will introduce the Standard and its implementation specifications with comparison of similar frameworks available from other agencies.

The webinar is sponsored by FDPPI for the benefit of Data Protection professionals in India to spread awareness of this framework. Registration would be free. The webinar would be conducted on September 19, 2021 (Sunday) from 11.00 am to 1.00 pm. Entry by registration at  www.fdppi.in or through e-mail fdppi@fdppi.in

Sd

Chairman

FDPPI

PDPSI or Personal Data Protection Act of India is a compliance framework that is unique. It has been developed by professionals with years of experience in the field of Privacy and Data Protection, as a unified framework for meeting the compliance of multiple data protection laws.

Unlike some of the other frameworks for PIMS  (Personal Information Management System) or or DPMS (Data Privacy Management System), PDPSI is a compliance framework for “Personal Data Protection Compliance Management System” (PDP-CMS).

Again unlike the PIMS or DPMS systems which are an extension of other ISMS systems, PDPSI is a standalone system that has a focus on the compliance requirement to a target jurisdiction.

Unlike other PIMS or DPMS systems, PDPSI framework for PDP-CMS extends to calculation of the Data Trust Score (DTS) which is a Trust Seal indicating the level of compliance maturity of an organization.

Naavi, Chairman of FDPPI which is developing a system of Accredited PDP-CMS auditors, Certification Bodies and a system of Certification, will be explaining the salient features of PDPSI and why it is a comprehensive and forward looking compliance model appropriate for Data Controllers and Data Fiduciaries.

The two hour session on 19th September 2021 will be conducted as an Online webinar at 11.00 am and is offered free on registration.

We are happy to have Madras Management Association is partnering in this awareness building initiative.

Those interested in registration may complete the following form or send an e-mail to FDPPI.

The GH Raisoni Law College is organizing its 16^th KSHAN Moot Court which will be held on the 4^th and 5^th of September, 2021 on a virtual platform.

As a part of the FDPPI’s activities under the P& Y Program to involve the youth of the country into the activities of FDPPI, FDPPI is collaborating with the GH Raisoni Law College, Nagpur in the conduct of the above Moot Court Competition. This is the 16^th National Appellate Moot Court Competition -2021 is being organized by students of G.H. Raisoni Law College, Nagpur and G.H. Raisoni University’s School of Law. All India Reporter (AIR), and FDPPI- are collaborating in the conduct of this program.

Dr Mahendra Limaye, one of our esteemed members has been the brain behind the P& Y Program and the organization of this event.

As a part of the collaboration, FDPPI would be extending valuable educational opportunities to the Winners and the First and Second Runner’s up as rewards.

We look forward to involvement in more of such programs in association with law colleges.

About KSHAN

KSHAN is a National Level, inter-college moot court competition organized by the student bodies of the Law Schools under the Raisoni Group of Institutions. They conduct a nationally known Trial and Appellate Moot Court on Criminal Law. This year’s edition of KSHAN is the only Appellate Moot Court that has a special focus on Criminal Writ Petition and Data Privacy.

About AIR

AIR (All India Reporter) is a publication house known for its presence in all three media information transmission forms: Print, CD-ROM and Web base. It has a journal that reports on all benchmark judgements given by various courts around India. It was established in 1914 and has its head office in Nagpur.

The problem statement of the competition is available here. 

FDPPI has announced the following rewards. 

1. Winner: Free Certification Course-Admission, Video lessons and Examination for Module I and Module G and Basic Membership of FDPPI : Valued at Rs 25,000/-

2. First Runner up: Free Certification Course-Admission, Video lessons and Examination for Module I and Basic Membership of FDPPI: Valued at Rs 14,000

3.Second Runner up: Free Certification Course-Admission, Video lessons and Examination for Module I: Valued at Rs 10,000/-

(DVSI stands for Data Valuation Standard of India… Refer www.dvsi.in for more information)

Companies often face the dilemma on payment of ransom when their data is captured and held hostage by a ransomware attacker. The attacker fixes a certain price for the release of the decryption key and often places the data for sale in the dark web. Acer had a demand of $50 million, CNA Financial reportedly paid $40 million and Colonial Pipeline paid $4.4 million. In India itself we had a demand on Cognizant for $ 5 million and different smaller amounts in different companies.

It is clear that in these cases the hackers had a perception of the value of the data they had captured and the companies paid the ransom because they felt that there was an opportunity cost in refusing to pay.  Insurance companies have their own practices on dealing with such instances and some may cover the ransom as part of their policy.

Further, darkweb often quotes a price list for many kinds of data. One such laundry list is here.

When thieves set a value for the data they may target and steal, it is necessary for the organizations which have these assets to also know that they have assets which are vulnerable to be stolen.

Managements often express surprise when a ransom demand is made and wonder “Do we have that kind of data with us”?. The reason is that so far the CFOs and CEOs were never told that Data is an asset though on the balance sheet it does not show up.

Corporate Managements need to ask themselves, if they are not representing the true value of their assets in the financial statements which they certify “This is a fair and true representation of the company’s financial position”.

If the CEO/CFO knows that the company has a Rs 5000 crore of data asset, they would not crib to appoint a DPO or CISO at the kind of remuneration they deserve or to invest in security products or employee training or atleast to harden their operating systems which they keep postponing.

Let’s therefore look to the future with confidence by valuing our data assets and bringing them into our balance sheets. …

Let our shareholders know what we are worth.

Let our competitors know what it would cost to take over our company.

Asatoma sadgamaya…tamasoma Jyotirgamaya…Oh DVSI, Oh DVSI…

(meaning From Ignorance, lead me to truth, from darkness, lead me to light..Oh Data Valuation Standard of India)

Naavi

(With apologies to the Rishis who gave us the Upanishad Vaakya)

Data has a value as everybody understands. But we need to go further in our discussion on what is the value of data, how it can be computed and how it can be brought into the balance sheet etc.

The latest issue of Data Protection Journal of India discusses these concepts along with the handling of the personal data of the deceased persons.

The journal is available free at www.dpji.in

FDPPI started the comprehensive 36 hour online program for training DPOs in India for “Certified PDP-CMS Auditor/Consultant” on July 17th as a week end program. This program is concluding on July 25th.

In the meantime based on the requests from many interested professionals, we are making available the same course on demand through streaming videos which can be subscribed at any point of time.

This mode will be open until the next time the program is conducted either offline or online as an interactive program. No schedule has been drawn in this regard at present.

On receipt of the registration with payment, the link to the video lessons would be sent and a time of two months would be provided for completion of the study. Afterwards students may take an online examination and try for the certification.

An option would be provided not to take the examination in which case, a “Course Completion Certificate” would be provided. For those who complete the examination at the first cutoff point, the Certificate would be “Certified PDP-CMS Consultant” and those who complete the examination at the second cutoff point, the certificate would be “Certified PDP-CMS Auditor”.

Persons who pick up certificate as “Consultant” can upgrade to “Auditor” through experience of a minimum of 3 audit assignments under PDPSI.

FDPPI is now GST certified and hence the fees would include GST as indicated (18%).

For any further clarifications, contact FDPPI by email.

FDPPI received the GST registration today and in future, all services of FDPPI will be having a GST component.

All prices will therefore be considered as revised accordingly.

The GSTIN is 29AADCF4963H1ZC

Naavi

FDPPI today maintains the website of www.fdppi.in and www.dpji.in. The recently notified Digital Media Ethics code defines a digital publisher and suggests certain compliance measures which may be relevant to FDPPI activities.

For the purpose of the rules

‘publisher’ means a publisher of news and current affairs content or a publisher of online curated content;

‘news and current affairs content’ includes newly received or noteworthy content, including analysis, especially about recent events primarily of socio-political, economic or cultural nature, made available over the internet or computer networks, and any digital media shall be news and current affairs content where the context, substance, purpose, import and meaning of such information is in the nature of news and current affairs content

‘digital media’ means digitized content that can be transmitted over the internet or computer networks and includes content received, stored, transmitted, edited or processed by… a publisher of news and current affairs content or a publisher of online curated content;

‘online curated content’ means any curated catalogue of audio-visual content, other than news and current affairs content, which is owned by, licensed to or contracted to be transmitted by a publisher of online curated content, and made available on demand, including but not limited through subscription, over the internet or computer networks, and includes films, audio visual programmes, documentaries, television programmes, serials, podcasts and other such content;

Part III of the guidelines published on February 25, 2021 is applicable for publishers of news and current affairs content;  and publishers of online curated content.

The compliance requirements include the following

(a) establish a grievance redressal mechanism and shall appoint a Grievance Officer based in India, who shall be responsible for the redressal of grievances received by him;
(b) display the contact details related to its grievance redressal mechanism and the name and contact details of its Grievance Officer at an appropriate place on its website or interface, as the case may be;
(c) ensure that the Grievance Officer takes a decision on every grievance received by it within fifteen days, and communicate the same to the complainant within the specified time:
(d) be a member of a self-regulating body as referred to in rule 12 and abide by its terms and conditions

Since our activity consists of what we call a “Journal” (Data Protection Journal of India), we publish videos on a regular basis (curated content) and also propose activities such as DPERT where news based analysis may be published, there is a possibility that unless exempted, we do fall within the definition of the Digital publisher in the rules.

Yesterday, there was an interaction  with the Joint Secretary of MIB, Mr Vikram Sahay and discussed the need for supporting Micro digital publishers and small enterprises and the possibility of organizations like FDPPI taking the lead in organizing a Self regulatory body of publishers (SRB) at Level II of which the digital publishers are to be members.

FDPPI is taking further steps to remain in compliance of this requirement by registering as a Digital media publisher and thereafter catalyzing the setting up of a SRB-Level II to cater to the requirements of Micro and Small digital publishers.

Naavi

FDPPI has presently constituted wo internal committees one on “Deceased Data Principal’s Assets” and another on “Data Valuation”. The committee on the Deceased Data Principal’s asset under the chairmanship of Dr Mahendra Limaye is submitting an internal report shortly.  The “Data Valuation Committee” is in the process of engaging other external institutions in a discussion to establish consensus on the need to value data and present it as part of the published accounts.

As a follow up to the activities of these two groups, it is recognized that there is a need for a proper legislation and FDPPI should take the discussion to the logical end by drafting a proposed legislation and try getting it as a Private MP bill in the Parliament.

The Proposed  “Digital Valuation and Succession Act” may include

1) Defining Data as a new class of asset and not necessarily to be compared with the known asset classes such as movable, immovable, actionable claims etc.

2) Defining a method of valuation of Data

3) Defining the a means of  disclosure of data value in an organization to the public

4) Defining the ownership rights and means of transfer

5) Possibility of “Nomination” of Data

6) Possibility of “Joint ownership of data” (eg: Either or survivor or Former or Survivor of data held with data processors like Twitter or Facebook)

7) An established methodology for recognizing handling of data of deceased data principals, without automatic deletion  or automatic appropriation by the data fiduciary

8) An established methodology for the legal heirs of a deceased to “Claim” data assets in the hands of intermediaries.

9) An established methodology for the Government to appropriate “Unclaimed Data Assets” after classifying them as “Unclaimed” through a process similar to branding a data asset as “Dormant” and “Inoperative”.

10) Establishment of a  “Uniform Data Disputes Resolution Policy” (UDDRP) to be adopted voluntarily by Data Fiduciaries on the lines of UDRP/INDRP to facilitate data disputes resolution through an ADR process.

and Any other aspect relevant to data valuation, data value disclosure.

Such a law should be compatible with  the current data related laws such as Information Technology Act 2000, Personal Data Protection Act (as proposed),  Non Personal Data Governance Act (As envisaged) and any other laws likely to be considered in the meantime.

FDPPI has been described as the “Dada of Data Protection Agencies in India” and therefore has the responsibility to take constructive steps in finding a solution to these problems of the industry.

In this direction FDPPI shall constitute a special committee to draft a bill on “Data Valuation and Succession Act”, deliberate on the issue in consultation with other academic institutions such as law colleges and professional bodies who may be interested.

A proposal will also be sent to the Government of India if it would be interested in setting up such a committee in which case FDPPI may withdraw its committee.

Naavi

After ISMS and PIMS, it is the time for PDP CMS or Personal Data Protection Compliance Management System to be implemented in organizations. PDP CMS is inclusive of PIMS  and ISMS but is more focused on either of them. ISMS focus rests on technical security across all information in an organization while PDP-CMS is focused on Personal Data. PIMS is focused on Privacy related to one specific data protection law leaving the security to a supporting ISMS system. On the other hand PDP-CMS is a unified system that takes into account all applicable data protection laws in an organization and incorporates Information Security along with Privacy controls as required for compliance.

After conducting three separate modules, Module I, Module G and Module A over the last 18 months, FDPPI is now launching an integrated module of training for professionals who could be consultants for data processing organizations or undertake audits for certification with a calculation of Data Trust Score as envisaged in the proposed Indian law.

The first such program is being inaugurated today at 10.30 AM and would be conducted online over 36 hours spread over six week ends.

FDPPI is happy to welcome DNV the globally renowned Certification agency which has joined hands with FDPPI as a Certification partner for this course.

SPOT REGISTRATION

Pay Rs 40000/- through this link 

and Contact Ramesh Venkataraman for the session link