Certified Global Privacy and Data Protection Consultant

At Rs 30000/-, FDPPI offers three Certification modules leading to the coveted “Certified Global Privacy and Data Protection Consultant”.

Online training for 55 hours followed by three online examinations with over 1000 pages of reading material will prepare professionals for taking up the responsibility of a Data Protection Professional.

Top performers may be accredited as PDPSI Certification auditors.

Contact FDPPI today.

Naavi


FDPPI takes the next Generation Data Protection initiatives

Since 17th September 2018 when FDPPI was born, FDPPI has traversed a long journey in a relatively short time.

In order to keep on record some of the developments for the information of new members who are joining the organization, I try to give below a brief narration of the developments.

Details about the FDPPI constitution, membership etc. are available in different sections of this website.

In essence, FDPPI is an organization of the Data Protection Professionals, for the Data Protection Community.  The “Supporting Members” are the delivery channels through which FDPPI renders its services to the community.

Individual members are provided with many services for knowledge enhancement, Certification and Career advancement as explained here. Additionally, Companies are provided with “Corporate Services” to help them in implementing Data Protection.

Jnaana Vardhini

One of the first objectives of FDPPI was to spread awareness of Privacy and Data protection in India so that India does not lag behind the world in the field of Data Protection. Accordingly, FDPPI started with a series of weekly webinars under the “Jnaana vardhini Series”.

Up to the end of 2020, 54 webinar sessions had been conducted, and in 2021, so far, 4 sessions have been conducted. In these 58 sessions, FDPPI has tried to disseminate knowledge about Privacy and Data Protection. Most of these sessions are available as video recordings on YouTube.

Additionally, a messaging group, “FDPPI Knowledge Group”, functions on Telegram and doubles up as a communication channel between members and other guests who have been admitted to the group, and also serves to spread knowledge through discussions. Since most of the members are themselves experts in the field, the knowledge acquired by sharing is immeasurable.

In addition to the weekly webinars FDPPI members have been conducting free educative sessions on many other forums and created a treasure house of knowledge for persons who would like to understand the Data Protection and related concepts.

Indian Data Protection Summit 2020

As a further step towards spread of professional knowledge, FDPPI conducted the Indian Data Protection Summit 2020 as a virtual summit along with the Bangalore Tech Summit held by the Government of Karnataka in November 2020.

CDPP Programs

In a further bid to provide professional certification programs, FDPPI created a series of Certification programs namely

a) Certified Data Protection Professional-Module I (Covering Indian Data Protection Law)

b) Certified Data Protection Professional-Module G (Covering Global Data Protection Laws)

c) Certified Data Protection Professional-Module A (Covering Data Audit Skills)

These certifications were offered independently as a part of a 5 module larger program in which modules on Technology and Behavioural Skills are due to be introduced in future.

Each of these programs was conducted as online training followed by an online examination. After the programs were conducted online, recorded sessions were made available through an “On Demand, Video Streaming Facility” so that the certifications can be availed on tap by interested persons.

Those professionals who have completed all the three programs were further recognized as “Certified Global Privacy and Data Protection Consultant” or “Certified Global Privacy and Data Protection Auditor”.

The Consultants or Auditors so certified have been considered eligible to provide services related to implementation of data protection compliance in organizations and certification of organizations along with an assessment of DTS (Data Trust Score).

It may be noted that most of the persons certified under these schemes are also professionals who might have experience of similar certification programs conducted by other international organizations like IAPP, which conducts certification programs on GDPR and other international laws, and they have found the FDPPI certifications extremely valuable.

The objective of FDPPI certifications is to ensure that there is a distinctive knowledge enhancement and an evaluation of understanding through examination, so that the certified persons can be expected to be useful to their respective organizations. It is neither simply experience based nor based on mere attendance of training programs. This has been appreciated by all the professionals.

In the event the Indian Data Protection Authority introduces any criteria for accrediting Data Protection Auditors or Data Protection Officers, FDPPI certified professionals are likely to start with an advantage in terms of the knowledge requirements.

FDPPI has guaranteed that all those who have currently undergone the training for Module I on Indian laws will be provided with a one-time additional bridging session when the Personal Data Protection Bill 2019 becomes a full-fledged law.

Subsequently programs for continuing education would be introduced so that Certifications can be kept current.

Since CDPP programs of FDPPI also cover global laws such as GDPR, CCPA, Singapore PDPA, DIFC-DPA, LGPD-Brazil, HIPAA etc., the programs are considered a “Made in India for the World” category of service.

PDPSI

The second most important contribution of FDPPI to the Data Protection world has been the introduction of the “Personal Data Protection Standard of India” or PDPSI. A concept which was pioneered by Naavi has been developed and fine tuned into a system which today provides a framework for compliance both as a self implementation mechanism by organizations as well as a Certifiable standard.

The uniqueness of PDPSI is that it is a “Unified” framework that can be used for simultaneous compliance of multiple data protection laws such as Indian PDPA along with GDPR. The sub modules of PDPSI framework provide the adaptability to different data protection laws that can be applied in an organization which has exposure to multiple jurisdictions.

Further PDPSI automatically incorporates the evaluation of the Data Trust Score (DTS) which is a measure of the Data Protection compliance maturity of an organization and is mandatory under the Indian law.

FDPPI has now set up a mechanism for Certifying an Organization through accredited PDPSI auditors.

A Unique feature of the PDPSI audits is that the audits are registered with FDPPI along with DTS and the auditee organization is provided with support subsequent to the completion of the audit through a “Mentoring” program with a limited quarterly consultation to clear any doubts in implementation. Though these are not “Review Audits”, they provide an opportunity for the auditee organizations to tap the experts of FDPPI to get some quick clarifications critical to their implementation of PDPSI compliance suggestions.

PDPSI is another unique “Made in India for the World” contribution of FDPPI. It is an open standard and will relieve the complying organizations from the burden of proprietary international standards.

DPERT

One of the recent services that has been introduced is the setting up of DPERT or Data Protection Emergency Response Team on the lines of the CERT organizations that function in the domain of Cyber Security.

The DPERT would be a team of experts chosen by FDPPI and would provide some quick suggestions for any reference from organizations who report any suspected Personal data breaches.

DPERT will work in close association with the law enforcement authorities and regulators and assist the companies in taking right decisions in times of a crisis.

DPERT will remain a free service to the society and where an in depth consultancy is required, will guide the companies accordingly.

DDMAC

DDMAC or Data Disputes Mediation and Arbitration Center is another unique service that FDPPI is bringing to the society and is in the final stages of introduction.

DDMAC is  a platform which can be used both offline and online for dispute resolution in the Data Processing industry. DDMAC will develop  a set of neutrals who are experts in data related regulations  and also trained in the art of Mediation and Arbitration. It will be available to be used by Data Fiduciaries and Data Principals to redress their grievances through ADR processes including Mediation and Arbitration.

DPJI

In order to ensure that knowledge dissemination to professionals occurs in a formal manner, apart from the information made available through the website of FDPPI, a journal titled “Data Protection Journal of India” has been started by FDPPI in 2021. The journal will be available at www.dpji.in.

Future Developments in pipeline

The above narration captures some of the developments in FDPPI till date. We will update this further. FDPPI is negotiating several collaborations some of which will fructify shortly. FDPPI is also working on additional projects including an award for the “Data Protection Champion” etc.

FDPPI has more than 150 professional members today and each one of them is an expert in his own domain. FDPPI being an aggregation of these professionals it has all the strengths of these professionals within its umbrella. FDPPI’s strength is therefore not limited to its employee force and hence when the full potential of its members is harnessed, it will be one of the biggest Data Protection Consultancy organizations in India.

Let us look forward to glorious days ahead and welcome more members to join this movement.

Naavi

 

 


Data Protection Emergency Team (DPERT) to be in place at FDPPI

The Audit is always a “Snapshot concept”. The auditor gathers his observations and, as on the date of his certificate, adds his disclaimers that, to the best of his knowledge, in good faith and based on the evidence provided, he certifies that the organization is compliant. The Certification sponsors do their best to properly accredit auditors with training and to inculcate a culture of responsibility and ethics to ensure that audits are meaningful.

However industry practitioners know that some accredited auditors take their work lightly and issue certificates without proper assessments.

The auditor escapes his responsibility because the moment the audit is over, it is entirely the responsibility of the organization to maintain the controls suggested and taken on note during the audit. While we can understand that the auditor cannot take more responsibility on an ongoing basis, from the point of view of the CEO, it is often felt that audit is a money making game and it has no real value to the organization.  Organizations still go through audit certifications because the customer feels more assured and it has become a ritual to ask for certifications.

We need to change this perception of auditors and the perception on the system of audit. Audit is not a money making tool. It should be an instrument of change in an organization.

Naavi therefore suggests what could be a revolutionary concept in IS audits through the PDPSI (Personal Data Protection Standard of India) framework that is being developed through FDPPI (Foundation of Data Protection Professionals in India).

FDPPI has envisaged the engagement of PDPSI in two modes, namely “Consultancy” mode and “Audit” mode. In the consultancy mode, a PDPSI consultant works with an organization to conduct a Risk assessment and develop a Gap analysis report. The PDPSI comes with a table of “Model Implementation Specification” (MIS) and it could be the basis on which the gap report emerges. But the organization may decide that they have a certain level of “Risk Appetite” and hence not all controls in the MIS are relevant for them, and they would like to implement only a truncated version of MIS.

This truncated version is what is referred to as “Adopted Implementation Specification” (AIS) and is like the “Statement of Applicability” or SOA.  The AIS is supported by a “Variance Justification Document” (VJD)  where there is a documentation of why the organization thinks that a suggested MIS control is not relevant or needs modification. This concept is similar to the HIPAA concept of “Addressable implementation specifications” in its security rule.

The PDPSI consultant will work with the organization until this AIS with VJD is signed off by the top management. This AIS will then be the “Implementation Charter” for the DPO. If the implementation charter is faulty, then the responsibility is with the management. The DPO’s role is to understand and implement the AIS in good faith.

The PDPSI auditor, when he enters the scene, will ask for the AIS. If it is not available, the auditor will conduct his own risk assessment, develop a gap report and submit it as the first deliverable. He will then wait for the management to give a go ahead for the gap report as presented, which means that the MIS becomes identical with AIS. If not, the management may come up with its own VJD and fine tune the MIS into its approved AIS, which becomes the implementation boundary set by the company for itself.

The Company may take a stand that they are only interested in the AIS as adopted and the auditor can check if they have done it properly.

The PDPSI auditor therefore looks at the AIS item by item, calls for evidence and decides whether the AIS items have been implemented “Satisfactorily” or “Not”. This is a binary decision and for an organization there has to be a 100% satisfactory report. Where there is a “Not satisfactory” remark, the organization can justify its non compliance based on a new VJD. The auditor will go with the decision of the company and close his audit.

However, every PDPSI audit also involves a DTS (Data Trust Score) assessment and in this document, the auditor will express his own view on how good the implementation is with reference to the MIS. If an organization is callous and has truncated the MIS to an unjustifiable AIS, then it will suffer from a low DTS. The auditor need not fight with the organization and be forced to issue a “Satisfactory” report when he is really not satisfied. In effect, in this system the auditor’s report only says “I am satisfied that the Company is in satisfactory compliance with whatever AIS has been adopted”. The DTS expresses the real assessment of the auditor which is provided to the auditee and it is open to them to hide it and not disclose it.

The DTS however is reported by the auditor to the FDPPI and hence it gets recorded and cannot be manipulated subsequently.

The PDPSI system envisages that at the closure of the audit, the auditee will send one “Audit Closure Feedback” to the FDPPI. In this, if the auditee has serious reservations on the DTS, they can be conveyed, so that the organization is given an opportunity to object to any DTS element.

After this FDPPI would allocate a mentor for the PDPSI completed audit as an optional service so that the DPO of the organization can on a quarterly basis check with the mentor if there is some action to be taken. For this purpose the DPO may discuss any significant “Incident” in confidence and get a feedback whether he needs to make further investigations etc.

This “mentoring” service ensures that FDPPI continues to be in an engagement with the client and does not drop him like a hot brick once the audit is closed and payments are settled.

The role of a “Mentor” is however limited and lower than the role of the “PDPSI Consultant”. Also, the Mentor will not be the same person as the auditor. He can however be a consultant if required. The Mentor will fulfill the role of providing quick feedback in crisis situations and will be like an “Emergency Consultancy” service so that the DPO will have a friend to consult in times of need. He will be a “Friend of DPO”.

The auditor and the mentor would be offering their services under FDPPI disclaimers. Consultant is engaged by the company on a contractual basis.

PDPSI is a pioneering system and the SOPs are under development. But the end objective is clear. The PDPSI is meant to support the Data Protection Eco system on a continuing basis and is not meant to be only a money scooping activity.

FDPPI will develop a “Data Protection Emergency Team” (DPERT) which will have a pool of mentors from whom the service would be provided. Only FDPPI certified consultants/auditors would be constituting this DPERT.

We are aware that in the sceptic world, the intentions of FDPPI will have to go through a process of testing and trust building. The team of FDPPI is working towards establishing the trust of the organizations and we welcome the views and suggestions of experts.

Naavi


PDPSI Audits will try to monitor the Post-Audit performance of the auditee organizations

PDPSI is a unique framework for Personal Data Protection as per prevailing data protection laws.

Its 50 implementation specifications cover the data compliance requirements under multiple data protection laws and are more than what other best practice standards such as ISO 27701 try to accomplish.

Some of the PDPSI model implementation specifications try to put certain best practices that were hitherto not part of such frameworks onto the radar of the organization. Details of these are already available in the PDPSI handbook.

There are three other innovations that PDPSI has introduced and FDPPI has adopted in order to further improve the assurance of the PDPSI audits in the industry environment.

First is to register the audit with FDPPI along with the DTS computation worksheet so that FDPPI is aware of the PDPSI certifications that are in the market.

Second is getting a feedback on the auditee  including a permission if agreeable for disclosure of DTS.

Additionally, it is observed that after completion of an audit and its certification, the auditee often neglects to maintain the required data security discipline resulting in data breaches. At that time a question will be asked on whether the organization was audited, and if so whether the audit was deficient etc.

In order to make PDPSI audits more reliable, FDPPI will therefore introduce a system whereby the auditee will be required to send a quarterly report to FDPPI in which it will share any major incidents during the period and major changes in the business profile.

It is quite possible that the organizations may not send such reports in which case the responsibility of FDPPI would be reduced. If the organization considers it useful they may use this opportunity. In a way this will be like AMC service on the audit already completed.

FDPPI may charge a fee for such Audit AMC as it may deem fit.

Hopefully, with this, the need to be vigilant even after the audit certification will at least be ingrained in the auditee organization, and this by itself will be good for the auditee organization.

The details of the kind of reporting to be done etc are being finalized.

Naavi


Attention HR Professionals… A DPO who does not know Indian laws would not be an ideal candidate.

Data Protection Officer (DPO) would be a key position to which many organizations will be recruiting senior professionals. We are already seeing some advertisements on the recruitment of DPOs with certain description of requirements.

However, it is observed that many of these advertisements do not indicate that the recruiters are aware that India has a data protection law and that any DPO who does not know the Indian laws would be a drag on the company irrespective of his expertise in GDPR.

FDPPI, as an organization in India which has trained the Data Protection Community on Indian data protection laws, International data protection laws and data protection audit skills etc., is in an ideal position to define the requirements of a good DPO.  Hopefully this would be helpful to the recruiters.

We will be shortly publishing through our Journal a template of a Data Protection Officer recruitment. We also run a “Mentoring Workshop” for Data Protection Professionals who would like to take a crash course in Indian Data Protection laws if required.

FDPPI recently conducted two free programs for HR Professionals to equip themselves with the knowledge of PDPB. But there are a lot more HR professionals and marketing officials of recruitment agencies like naukri.com who need to apprise themselves of the needs of a DPO.

FDPPI would be glad to do an on demand training for recruitment firms on the requirements of a DPO along with the fundamentals of the emerging Indian law.

Interested organizations may contact FDPPI.

Naavi


The Symbol of Compliance

FDPPI is an organization which represents the effort of the Data Protection Community to create a “Privacy and Data Protection Culture in India”.

In this endeavor to create the Data Protection Culture in India, PDPSI works on the three dimensions namely

    1. The Data Protection Regulations
    2. The Data Protection Professionals
    3. The Data Processing organizations.

FDPPI is closely following the Privacy and Data Protection regulatory regime in the country and engaging itself with the Policy makers to contribute towards framing of a  balanced  legislation which achieves the objectives of protecting the Privacy of Indian Citizens as a fundamental right under our constitution without ignoring the requirements of the Government which has the duty to protect the Citizens of the country and the requirements of Data Processing business which cannot be killed in pursuance of Privacy.

FDPPI is also taking steps to empower the professionals who need to comply with the law in the Data Protection scenario and implement the vision of “Protecting the Privacy through Personal Data Protection” and providing a “right of self determination to the Data Principals on how the personal data about them can be collected, used and disclosed.” Towards this end, FDPPI has created and executed “Certification Programs” and created an army of “Certified Data Protection Professionals” who have attended at least 12 hours of training on the current Indian Privacy Laws including the proposed law represented by PDPB 2019, followed by an evaluation through an online examination. Many of the professionals have been further empowered with at least another 16 hours of training on Global Privacy laws and a further 12 plus hours on Data Audit skills, making them among the best trained professionals globally. They are developing like the “Navy Seals” or “NSG Commandos” as we have heard in the security scenario.

Additionally, FDPPI has adopted the “Personal Data Protection Standard of India” or PDPSI as a “Unified” framework for compliance of multiple Personal Data Protection laws by an organization. The PDPSI consists of 12 standards and 50 implementation specifications that cover the entire gamut of PIMS as envisaged by other frameworks, and goes further to address the need to be simultaneously in compliance of multiple global laws, incorporating many futuristic thoughts on “Data Business”.

This PDPSI framework is not only a “Certifiable Audit Framework” like the ISO 27701 but also an Assessment framework for the Data Trust Score (DTS) system which is a representation of the Personal Data Protection maturity of an organization as assessed by an auditor using the 50 implementation specifications of the PDPSI framework.

PDPSI is also a framework which is available for organizations for self implementation as an instrument of internal audit.

FDPPI is also creating a set of professionals who are conversant with Indian Privacy Laws, Global Privacy Laws and certain minimal Data Audit skills through 3 certification exams which cover over 55 hours of online training, over 1000 pages of study material and 270 minutes of online examination.

We are humble enough to admit that FDPPI can only provide an opportunity for professionals to develop their knowledge and skills and ultimately it is the capacity of individual professionals to absorb the skills and apply it in the practical scenario.

However, the symbol shown alongside is emerging as the symbol of Personal Data Protection and is the goal of every Data Fiduciary and Data Processor.

This is a symbol of protection for the Data Principal in the context of protection of his Privacy.

It also represents a framework for enabling Privacy Protection through Data Protection.

The accompanying symbol in future will represent an organization which has undergone an assessment of its DTS by a PDPSI accredited auditor.

This could be disclosed by organizations as required under the Indian laws.

The auditors and consultants who have undergone the rigorous training and passed through the Certification exams have been certified by FDPPI and certificates like the following have been issued to them.

These are sample certificates that only the privileged professionals who have gone through the rigorous evaluation process have been issued.

The “Certified Global Privacy & Data Protection Consultant” is  a person with a reasonable knowledge of the Privacy laws and a reasonable skill to conduct data protection audits and provide consultancy to organizations in their Privacy Compliance program.

The “Certified Global Privacy & Data Protection Auditor” is a person with an accreditation for conducting Audits and DTS assessment which will be registered with FDPPI and issue necessary “Certificate of Privacy and Data Protection Compliance” under the PDPSI framework.

FDPPI congratulates the 21 professionals who have achieved this recognition in the first batch and hopes that in future, we will have many more such professionals.

Naavi


Corporate Services

FDPPI has been conceived as an organization of the people, viz., the Data Protection Professionals. Hence its services such as providing “Certifications”, “Conducting Frequent Knowledge enhancement Webinars in the Jnaana Vardhini Series” etc are services oriented toward creating empowered Data Protection Professionals.

At the same time, an organization is considered as an aggregation of people. FDPPI itself is an aggregation of its members and renders all its services through its supporting members. It has been recognized that organizations also need to be supported in our journey towards making India a globally recognized Personal Data Protection leader.

We have therefore started a focussed approach towards Corporate members. FDPPI enrolls Corporate members at a one time fee of Rs 18000/- which enables designation of three subordinate individual members. Hopefully, the DPO, CISO and the CCO would be the first three persons in an organization who need to be equipped. Bigger organizations who want more of their executives to be equipped with the necessary empowerment of knowledge and skills may expand their subordinate membership by paying an additional amount of Rs 6000 per person. The Company would be allowed to revise its subordinate member list once every year in case there are changes in the allocation of responsibilities of executives.

The Corporate services that FDPPI renders include

a) Conducting Privacy awareness training programs for the employees

b) Providing External DPO consultancy

c) Assessment of Data Trust Score as an internal evaluation or Certification through accredited auditors.

d) Providing consultancy for achieving compliance

e) Providing Data Disputes Mediation and Arbitration Center (DDMAC) as a platform for use by the Corporates.

These services are delivered by the supporting members of FDPPI whose profiles are available on the website.

These services are available for Companies even if they are not members of FDPPI. However, Corporate members will get all these services at a discounted rate.

Watch out for more information on these services through the FDPPI website.

(You can download a corporate services brochure here)

Naavi


We Create the Path… Not wait..

Today the first batch of Data Protection Professionals in India who have been trained on Indian Data Protection Laws, Global Data Protection Laws and Data Audit skills, with special training on the PDPSI framework, are completing the certification examination. A few of them will be certified as “Certified Auditors for the FDPPI-PDPSI Data Protection Audit with DTS evaluation” after the entire evaluation process is over. A few more would be certified as “Certified Consultants for the FDPPI-PDPSI Data Protection Implementation”.

The Implementation Consultants and Certified Auditors would be professionals who have completed around 55 hours of class room training (Online) and 4.5 hours of online examination plus several hours of assignments. They have read through over 1000 pages of notes. This is one of the most elaborate training programs conducted in any such certification programs.

At the end of this rigorous program, FDPPI is confident that these professionals  will be able to stand out in the community as people with the necessary knowledge and skills to start guiding the Indian organizations towards Privacy and Data Protection Compliance.

We all know that skill cannot be entirely acquired through external training alone and hence these professionals will continue to improve their skills, and some of the consultants, after more experience, may be upgraded to the level of auditors. FDPPI will have a plan to implement this “Continuing Data Audit Skill Enhancement” program.

The industry already has several “Certified” professionals who have been certified from other organizations some of them recognized world over. However, in terms of the focus and intensity of training, the FDPPI Certified professionals will be a class apart though  this will need some time to be recognized by the industry.

These are the professionals who create path by walking…. not wait for others to show the path…

Naavi

 


Privacy Day 2021-Data Protection Journal of India launched

To mark the international privacy day of 2021, FDPPI launched a journal titled “Data Protection Journal of India”.

The journal will be available at www.dpji.in

Naavi


Schedule of Module A

The  training for “Certified Data Protection Professionals-Module A” covering data audits is set to start tomorrow.

The registrations have closed.

The tentative agenda covering 12 sessions of 90 minutes each totaling to around 18 hours in total is as given below.

This program, along with the earlier two modules on Indian law (Module I) and Global Law (Module G), would prepare professionals both for providing Data Protection Compliance consultancy to companies and for conducting certifiable audits under the PDPSI (Personal Data Protection Standard of India) sponsored by FDPPI.

These audits will also make an assessment of the Data Trust Score of an organization which is envisaged in the Indian PDPB 2019.

These programs being delivered with the assistance of Cyber Law College, come with the assurance that after the PDPB 2019 is passed, the previous trainees would be provided a free additional training to cover the changes in the law and issue of any guidelines from the Data Protection Authority on the requirements of Data Auditors.

At present there are nearly 100 professionals who have been certified in Module I, or Module G or both. Persons who have completed all the three modules would be considered for accreditation as PDPSI auditors.

With the completion of this program, India will have for the first time, a compliance framework which could match or even excel the global standards.

Naavi
