PDPSI or Personal Data Protection Act of India is a compliance framework that is unique. It has been developed by professionals with years of experience in the field of Privacy and Data Protection, as a unified framework for meeting the compliance of multiple data protection laws.
Unlike some of the other frameworks for PIMS (Personal Information Management System) or DPMS (Data Privacy Management System), PDPSI is a compliance framework for “Personal Data Protection Compliance Management System” (PDP-CMS).
Again unlike the PIMS or DPMS systems which are an extension of other ISMS systems, PDPSI is a standalone system that has a focus on the compliance requirement to a target jurisdiction.
Unlike other PIMS or DPMS systems, PDPSI framework for PDP-CMS extends to calculation of the Data Trust Score (DTS) which is a Trust Seal indicating the level of compliance maturity of an organization.
Naavi, Chairman of FDPPI which is developing a system of Accredited PDP-CMS auditors, Certification Bodies and a system of Certification, will be explaining the salient features of PDPSI and why it is a comprehensive and forward looking compliance model appropriate for Data Controllers and Data Fiduciaries.
The two hour session on 19th September 2021 will be conducted as an Online webinar at 11.00 am and is offered free on registration.
We are happy to have Madras Management Association partnering in this awareness-building initiative.
Those interested in registration may complete the following form or send an e-mail to FDPPI.
The GH Raisoni Law College is organizing its 16th KSHAN Moot Court which will be held on the 4th and 5th of September, 2021 on a virtual platform.
As a part of FDPPI’s activities under the P&Y Program to involve the youth of the country in the activities of FDPPI, FDPPI is collaborating with the GH Raisoni Law College, Nagpur in the conduct of the above Moot Court Competition. The 16th National Appellate Moot Court Competition - 2021 is being organized by students of G.H. Raisoni Law College, Nagpur and G.H. Raisoni University’s School of Law. All India Reporter (AIR) and FDPPI are collaborating in the conduct of this program.
Dr Mahendra Limaye, one of our esteemed members, has been the brain behind the P&Y Program and the organization of this event.
As a part of the collaboration, FDPPI would be extending valuable educational opportunities to the Winner and the First and Second Runners-up as rewards.
We look forward to involvement in more of such programs in association with law colleges.
About KSHAN
KSHAN is a National Level, inter-college moot court competition organized by the student bodies of the Law Schools under the Raisoni Group of Institutions. They conduct a nationally known Trial and Appellate Moot Court on Criminal Law. This year’s edition of KSHAN is the only Appellate Moot Court that has a special focus on Criminal Writ Petition and Data Privacy.
About AIR
AIR (All India Reporter) is a publication house known for its presence in all three media information transmission forms: Print, CD-ROM and Web-based. It has a journal that reports on all benchmark judgements given by various courts around India. It was established in 1914 and has its head office in Nagpur.
1. Winner: Free Certification Course-Admission, Video lessons and Examination for Module I and Module G and Basic Membership of FDPPI: Valued at Rs 25,000/-
2. First Runner up: Free Certification Course-Admission, Video lessons and Examination for Module I and Basic Membership of FDPPI: Valued at Rs 14,000
3. Second Runner up: Free Certification Course-Admission, Video lessons and Examination for Module I: Valued at Rs 10,000/-
Companies often face a dilemma over paying ransom when their data is captured and held hostage by a ransomware attacker. The attacker fixes a certain price for the release of the decryption key and often places the data for sale on the dark web. Acer had a demand of $50 million, CNA Financial reportedly paid $40 million and Colonial Pipeline paid $4.4 million. In India itself we had a demand on Cognizant for $5 million and different smaller amounts in different companies.
It is clear that in these cases the hackers had a perception of the value of the data they had captured and the companies paid the ransom because they felt that there was an opportunity cost in refusing to pay. Insurance companies have their own practices on dealing with such instances and some may cover the ransom as part of their policy.
Further, the dark web often quotes a price list for many kinds of data. One such laundry list is here.
When thieves set a value for the data they may target and steal, it is necessary for the organizations which have these assets to also know that they have assets which are vulnerable to be stolen.
Managements often express surprise when a ransom demand is made and wonder, “Do we have that kind of data with us?” The reason is that so far the CFOs and CEOs were never told that Data is an asset, though it does not show up on the balance sheet.
Corporate Managements need to ask themselves, if they are not representing the true value of their assets in the financial statements which they certify “This is a fair and true representation of the company’s financial position”.
If the CEO/CFO knows that the company has a data asset of Rs 5000 crore, they would not crib about appointing a DPO or CISO at the kind of remuneration they deserve, or about investing in security products or employee training, or at least about hardening their operating systems, which they keep postponing.
Let’s therefore look to the future with confidence by valuing our data assets and bringing them into our balance sheets. …
Let our shareholders know what we are worth.
Let our competitors know what it would cost to take over our company.
Data has a value as everybody understands. But we need to go further in our discussion on what is the value of data, how it can be computed and how it can be brought into the balance sheet etc.
The latest issue of Data Protection Journal of India discusses these concepts along with the handling of the personal data of the deceased persons.
FDPPI started the comprehensive 36 hour online program for training DPOs in India for “Certified PDP-CMS Auditor/Consultant” on July 17th as a weekend program. This program is concluding on July 25th.
In the meantime based on the requests from many interested professionals, we are making available the same course on demand through streaming videos which can be subscribed at any point of time.
This mode will be open until the next time the program is conducted either offline or online as an interactive program. No schedule has been drawn in this regard at present.
On receipt of the registration with payment, the link to the video lessons would be sent and a time of two months would be provided for completion of the study. Afterwards students may take an online examination and try for the certification.
An option would be provided not to take the examination in which case, a “Course Completion Certificate” would be provided. For those who complete the examination at the first cutoff point, the Certificate would be “Certified PDP-CMS Consultant” and those who complete the examination at the second cutoff point, the certificate would be “Certified PDP-CMS Auditor”.
Persons who pick up the certificate as “Consultant” can upgrade to “Auditor” through experience of a minimum of 3 audit assignments under PDPSI.
FDPPI is now GST certified and hence the fees would include GST as indicated (18%).
For any further clarifications, contact FDPPI by email.
FDPPI today maintains the websites www.fdppi.in and www.dpji.in. The recently notified Digital Media Ethics code defines a digital publisher and suggests certain compliance measures which may be relevant to FDPPI activities.
For the purpose of the rules:
‘publisher’ means a publisher of news and current affairs content or a publisher of online curated content;
‘news and current affairs content’ includes newly received or noteworthy content, including analysis, especially about recent events primarily of socio-political, economic or cultural nature, made available over the internet or computer networks, and any digital media shall be news and current affairs content where the context, substance, purpose, import and meaning of such information is in the nature of news and current affairs content
‘digital media’ means digitized content that can be transmitted over the internet or computer networks and includes content received, stored, transmitted, edited or processed by… a publisher of news and current affairs content or a publisher of online curated content;
‘online curated content’ means any curated catalogue of audio-visual content, other than news and current affairs content, which is owned by, licensed to or contracted to be transmitted by a publisher of online curated content, and made available on demand, including but not limited through subscription, over the internet or computer networks, and includes films, audio visual programmes, documentaries, television programmes, serials, podcasts and other such content;
Part III of the guidelines published on February 25, 2021 is applicable for publishers of news and current affairs content; and publishers of online curated content.
The compliance requirements include the following:
(a) establish a grievance redressal mechanism and shall appoint a Grievance Officer based in India, who shall be responsible for the redressal of grievances received by him;
(b) display the contact details related to its grievance redressal mechanism and the name and contact details of its Grievance Officer at an appropriate place on its website or interface, as the case may be;
(c) ensure that the Grievance Officer takes a decision on every grievance received by it within fifteen days, and communicate the same to the complainant within the specified time:
(d) be a member of a self-regulating body as referred to in rule 12 and abide by its terms and conditions
Since our activity consists of what we call a “Journal” (Data Protection Journal of India), we publish videos on a regular basis (curated content) and also propose activities such as DPERT where news based analysis may be published, there is a possibility that unless exempted, we do fall within the definition of the Digital publisher in the rules.
Yesterday, there was an interaction with the Joint Secretary of MIB, Mr Vikram Sahay, in which we discussed the need for supporting Micro digital publishers and small enterprises and the possibility of organizations like FDPPI taking the lead in organizing a Self regulatory body of publishers (SRB) at Level II, of which the digital publishers are to be members.
FDPPI is taking further steps to remain in compliance of this requirement by registering as a Digital media publisher and thereafter catalyzing the setting up of a SRB-Level II to cater to the requirements of Micro and Small digital publishers.
FDPPI has presently constituted two internal committees, one on “Deceased Data Principal’s Assets” and another on “Data Valuation”. The committee on the Deceased Data Principal’s asset under the chairmanship of Dr Mahendra Limaye is submitting an internal report shortly. The “Data Valuation Committee” is in the process of engaging other external institutions in a discussion to establish consensus on the need to value data and present it as part of the published accounts.
As a follow up to the activities of these two groups, it is recognized that there is a need for a proper legislation and FDPPI should take the discussion to the logical end by drafting a proposed legislation and try getting it as a Private MP bill in the Parliament.
The Proposed “Digital Valuation and Succession Act” may include
1) Defining Data as a new class of asset and not necessarily to be compared with the known asset classes such as movable, immovable, actionable claims etc.
2) Defining a method of valuation of Data
3) Defining a means of disclosure of data value in an organization to the public
4) Defining the ownership rights and means of transfer
5) Possibility of “Nomination” of Data
6) Possibility of “Joint ownership of data” (eg: Either or survivor or Former or Survivor of data held with data processors like Twitter or Facebook)
7) An established methodology for recognizing handling of data of deceased data principals, without automatic deletion or automatic appropriation by the data fiduciary
8) An established methodology for the legal heirs of a deceased to “Claim” data assets in the hands of intermediaries.
9) An established methodology for the Government to appropriate “Unclaimed Data Assets” after classifying them as “Unclaimed” through a process similar to branding a data asset as “Dormant” and “Inoperative”.
10) Establishment of a “Uniform Data Disputes Resolution Policy” (UDDRP) to be adopted voluntarily by Data Fiduciaries on the lines of UDRP/INDRP to facilitate data disputes resolution through an ADR process.
and any other aspect relevant to data valuation, data value disclosure.
Such a law should be compatible with the current data related laws such as Information Technology Act 2000, Personal Data Protection Act (as proposed), Non Personal Data Governance Act (As envisaged) and any other laws likely to be considered in the meantime.
FDPPI has been described as the “Dada of Data Protection Agencies in India” and therefore has the responsibility to take constructive steps in finding a solution to these problems of the industry.
In this direction FDPPI shall constitute a special committee to draft a bill on “Data Valuation and Succession Act”, deliberate on the issue in consultation with other academic institutions such as law colleges and professional bodies who may be interested.
A proposal will also be sent to the Government of India if it would be interested in setting up such a committee in which case FDPPI may withdraw its committee.
After ISMS and PIMS, it is time for PDP-CMS or Personal Data Protection Compliance Management System to be implemented in organizations. PDP-CMS is inclusive of PIMS and ISMS but is more focused than either of them. The ISMS focus rests on technical security across all information in an organization, while PDP-CMS is focused on Personal Data. PIMS is focused on Privacy related to one specific data protection law, leaving the security to a supporting ISMS system. On the other hand, PDP-CMS is a unified system that takes into account all applicable data protection laws in an organization and incorporates Information Security along with Privacy controls as required for compliance.
After conducting three separate modules, Module I, Module G and Module A over the last 18 months, FDPPI is now launching an integrated module of training for professionals who could be consultants for data processing organizations or undertake audits for certification with a calculation of Data Trust Score as envisaged in the proposed Indian law.
The first such program is being inaugurated today at 10.30 AM and would be conducted online over 36 hours spread over six weekends.
FDPPI is happy to welcome DNV the globally renowned Certification agency which has joined hands with FDPPI as a Certification partner for this course.
The much awaited comprehensive Certification Program for DPOs in India from FDPPI is set to commence on June 19, 2021 as per the following tentative schedule.
The program consists of 36 hours of online training covering the Data Protection laws of India in full detail, GDPR in reasonable detail and laws of several other countries.
The sessions would be primarily conducted by Naavi, a veteran who started virtual education way back in the year 2000 through Cyber Law College and is the founder of www.naavi.org, as well as Chairman of FDPPI.
The discussion on Indian law will be on the basis of PDPB 2019 and ITA 2000/8. As and when the Bill is passed, a free bridging session will be offered to all the participants to discuss the changes so that the participants would be fully aware of the Indian Law.
The focus of the program will be to equip a Data Protection Officer with relevant knowledge required to take on the responsibility. The participants will get a certificate as “Certified PDP-CMS Auditor” or “Certified PDP-CMS Consultant” depending on their performance in the examination.
The online examination will consist of 3 papers which will be held on July 31st (Paper 1 and Paper 2) and August 1st 2021 (Paper 3).
PDP-CMS audit is an audit for “Personal Data Protection Compliance Management System” which will be mandatory to be implemented by every organization in India handling personal data. Those organizations which are classified as Significant Data Fiduciaries would be required to mandatorily get an audit conducted annually by an external auditor.
The PDP-CMS audit will include Evaluation of “Data Trust Score” (DTS) which is a unique proposition of the Indian Law.
The Evaluation of DTS will be based on a unique system established by FDPPI under the Personal Data Protection Standard of India (PDPSI).
In view of the collaboration between FDPPI and DNV, the globally recognized organization which is known for Management audits, the Certificates would be issued under the joint names of FDPPI-DNV.
The online examination will consist of three separate online multiple-choice examinations of 90 minutes each. There will be two cutoff marks for certification. Participants who clear the higher cutoff would be provided the certificate as PDP-CMS Auditor. Participants who clear a lower cutoff would be provided the certificate as PDP-CMS Consultant.
Certified PDP-CMS auditors would be accredited by FDPPI under their PDPSI audit program and will be eligible to conduct audits in association with Certification Bodies who are organizations accredited with FDPPI. PDP-CMS consultants would be able to provide consultancy to organizations to prepare themselves for audit and also upgrade themselves to the auditor grade based on experience.
The total fees for the program would be Rs 40,000/- (Or approximately US$ 575/-)
P.S: It may be noted that the Minister of Law and IT, the honourable Mr Ravi Shankar Prasad, in an interview on 28th May 2021 with Times Now, has indicated that the Government will push the passage of PDPB 2019 in the next Parliamentary session. Excerpts from this interview are available here.
It is likely that the Government would provide some time for implementation and will require around 3 months to set up the Data Protection Authority. However, it appears that Jurisprudence has already developed in India to consider the principles of Personal Data Protection discussed in the PDPB 2019 as “Due Diligence” under ITA 2000/8. (Refer court judgements referred to in this article.)
Professionals are also aware that implementation of a comprehensive privacy program for an organization is not as simple as drafting a Privacy Policy for the website. It involves establishment of a Privacy culture in the organization which requires time. Hence prudent professionals and organizations need to start early to retain a competitive advantage.
FDPPI hopes that professionals would take advantage of this opportunity.