PDPSI is designed for Compliance

(In continuation of the previous article)

PDPSI is a framework which evolved from the Indian Information Security Framework (IISF-309) which was first developed for compliance of ITA 2000, and published in March 2009.

PDPSI was designed to be of use for “Compliance” of data protection regulations for an organization which is involved in processing of personal data and is subject to the Indian jurisdiction.  The primary law of the Indian jurisdiction  now is ITA 2000 and is read with PDPB 2019 as the “Due Diligence Requirement” under ITA 2000.

PDPSI takes into account the fact that if the Indian organization is involved in processing personal data originating from abroad, the organization will be required to factor-in compliance of the appropriate law applicable to the “Country of Origin” of the personal data. It is therefore a “Unified Compliance Framework”.

Further PDPSI restricts its objective to “Compliance” of “Data Protection Law applicable to an Indian Data Fiduciary”. The  terms such as PIMS or DPMS used in ISO 27701 and IS 17428 indicate that these frameworks provide/attempt to provide a certification on the Personal Information or Personal Data Management system per-se. These standards do not claim to have been designed for “Compliance” but have drawn heavily from the GDPR in identifying the principles of Privacy which the PIMS/DPMS system tries to “manage”.

PDPSI on the other hand is designed for compliance. It is a template for compliance of any data protection law and incorporates many controls which are relevant for Indian requirement under ITA 2000-PDPB 2019 which may not be available in other laws such as GDPR. PDPSI is therefore more comprehensive than the IS 17428.

Also, both ISO 27701 and IS 17428 are not independent standards and have to be read with ISO 27001/2 and will not be certifiable except with ISO 27001 certification. Both ISO 27701 and IS 17428 have to therefore be considered as an augmented ISO 27001 rather than independent standards by themselves.

PDPSI however is an independent certifiable standard and incorporates protection of information through the CIA principle as part of its Implementation Specifications.

PDPSI is a framework which addresses “Management of Personal Information in an organization for the purpose of protecting the privacy of the data principal as indicated in the relevant law”.

This system is better referred to as PDP-CMS or “Personal Data Protection Compliance Management System” instead of PIMS or DPMS.

The primary focus of PDPSI controls are  therefore the prescriptions under the target regulation and any generic managerial controls which may be part of the system are meant to/ designed help the compliance in the longer run.

It is therefore possible to develop PDPSI certification as a tightly integrated certification for compliance of a given data protection regulation.

For example PDPSI-In can be considered as near compliance of Indian data protection regulation while  PDPSI-EU may be related to compliance of EU GDPR and PDPSI-Sg may be related to compliance of Singapore PDPA 2012. etc.

PDPSI however recognizes that “Compliance” of a law inherently involves “Interpretation” of law and hence even the best interpretation of a professional can only be a second guess on what the Data Protection Authority of the day thinks is the correct interpretation or a third guess on what the Courts may interpret.

While PDPSI attempts to partially address the alignment of compliance with the DPA’s interpretation, it may  not be possible to align the compliance with the possible interpretation of a Court in a future judicial proceedings and in that context PDPSI would be a “Good Faith” interpretation of what the Data Protection Jurisprudence could be.

Understanding PDPSI in its full perspective requires a more detailed discussion. FDPPI and Naavi are committed to explain these principles to all interested professionals who would be curious to know why PDPSI is considered as the “Bade Bhai” to IS 17428 which is the “Chote Bhai”.

Naavi is planning to conduct a free introductory webinar shortly to explain PDPSI concept in detail. FDPPI is also separately conducting Certification programs to develop DPOs who can implement the PDPSI in a corporate scenario.

Watch out for the introductory free webinar and book your interest through e-mail with naavi or as a comment here under.


Posted in Uncategorized | Leave a comment

IS 17428 and PDPSI

Recently, the Bureau of Indian Standards introduced a new standard called IS 17428 as the standard for providing privacy assurance for individuals and for organizations to set up a “DPMS” or data protection Management System.

Obviously there is a need to compare IS 17428 with PDPSI which is already being used to evaluate the Personal Data Protection Compliance System (PDP-CMS) in organizations that process Personal Data.

IS 17428 comes with a good pedigree since it is backed by the BIS . But compared to PDPSI, it is observed that the standard does not make an attempt to cover the requirements of the PDPB 2019 which is the forthcoming law of data protection in India. It also does not confine to the requirements under Section 43A of ITA 2000 which is the current law of data protection in India. The standard tries to look at GDPR and replicate ISO 27701.

Like ISO 27701, IS 17428 cannot be implemented without ISO 27001 and is not certifiable. On the other hand, PDPSI is inclusive of technical security measures and is certifiable with DTS calculation.

The IS 17428 standard has two parts, the first part being termed as “Requirements” and the second part as “Guidelines”. The Guidelines are said to be “Optional”.

Part 1 has the following six sections




4.Privacy Engineering

5.Privacy Management


Part 2 contains the first 5 sections and not the 6th section.

The standard tries to distinguish the terms “Privacy Engineering” and “Privacy Management”. Rather than providing clarity on two roles in Privacy Protection one for the technical team and the second for the organizational team, this adds more confusion to the compliance process.  If Privacy Engineering refers to the technical side of processing and Privacy Management refers to the policy level of processing, it is unclear whether a Data Protection Officer is a Privacy Engineer or a Privacy Manager.

In PDPSI, it is not only the DPO who will be responsible for compliance but under the “Distributed Responsibility” concept, every employee is a DPO for his area of function. This concept raises the level of “Accountability” of the organization as an aggregation of the accountability of every employee.

PDPSI addresses “Privacy Engineering” by the Implementation specification on “Privacy By Design” but leaves the direction to the DPO along with the distributed responsibility of the engineering team.

Unlike ISO 27701 which integrates ISO 27001/2 into the standard itself IS 17428 only provides DPMS related requirements relegating the ISO 27001 reference to the optional guideline under Part 2.

As a result there is lack of adequate clarity in the document.

On the other hand, PDPSI comes with 12 standards and 50 implementation specifications. The Standards are a overview while Implementation specifications go a step further into the details.

The 50 implementation specifications of PDPSI cover not only the PIMS related aspects in ISO 27701 or the DPMS requirements under IS 17428, they also cover the requirements of the ISO 27001/2, though the requirements are clubbed under less than 50 items.

It is for this reason PDPSI is considered as “Essence of the Essentials but different by far”.

( Continued…)


Posted in Uncategorized | Leave a comment

Enhancing the Acceptability of PDPSI Audits

PDPSI is a unique framework for Personal Data Protection as per prevailing data protection laws.

Its 50 implementation specifications cover the data compliance requirements under multiple data protection laws and is more than what other best practice standards such as ISO 27701 tries to accomplish.

Some of the PDPSI model implementation specifications try to put certain best practices hither to not being part of such frameworks into the radar of the organization. Details of these are already available in the PDPSI handbook.

There are three other innovations that PDPSI has introduced and FDPPI has adopted in order to further improve the assurance of the PDPSI audits in the industry environment.

First is to register the audit with FDPPI along with the DTS computation worksheet so that FDPPI is aware of the PDPSI certifications that are in the market.

Second is getting a feedback on the auditee  including a permission if agreeable for disclosure of DTS.

Additionally, it is observed that after completion of an audit and its certification, the auditee often neglects to maintain the required data security discipline resulting in data breaches. At that time a question will be asked on whether the organization was audited, and if so whether the audit was deficient etc.

In order to make PDPSI audits more reliable, FDPPI will therefore introduce a system whereby the auditee will be required to send a quarterly report to FDPPI in which it will share any major incidents during the period and major changes in the business profile.

It is quite possible that the organizations may not send such reports in which case the responsibility of FDPPI would be reduced. If the organization considers it useful they may use this opportunity. In a way this will be like AMC service on the audit already completed.

FDPPI may charge a fee for such Audit AMC as it may deem fit.

Hopefully this would at least keep the need to be vigilant even after the audit certification will be ingrained in the auditee organization and this by itself be good for the auditee organization.

The details of the kind of reporting to be done etc are being finalized.


Posted in Uncategorized | Leave a comment

Upgraded Version of PDPSI

PDPSI framework has now been fine tuned with 12 standards and 50 implementation specifications.

FDPPI has concluded a training for Data Auditors who can provide consultancy on the implementation of Personal Data Protection in organizations and also certify the organization for compliance along with a DTS evaluation.

The framework incorporates all the best practices that can be expected in ISO 27701 and adds several improvements that are desirable and necessary in the Indian Context.

The PDPSI framework is a unified framework and provide compliance of multiple data protection laws on a single platform with necessary supplementary modules. Hence PDPSI-GDPR will take care of GDPR Compliance while PDPSI-IN will take care of Indian requirements. 

Organizations interested in PDPSI certification  or further information may contact Naavi through e-mail.


Posted in Uncategorized | Leave a comment

Self implementation handbook on PDPSI released

When Personal Data Protection Bill 2019 (PDPB 2019) gets passed in the Parliament, companies will be scrambling to get on to the compliance band wagon.

While there will be many job opportunities for Data Protection Officers (DPO) trained in data protection, there will be many SMEs/MSMEs, who will not be able to hire trained DPOs since there will be a great shortage of qualified persons who are aware of the Indian Data Protection Laws and are capable of converting it into implementation plans for the organization.

Naavi has already started Certification training trying to make people understand the Personal Data Protection Bill 2019 and how it may translate into an Act. With Foundation of Data Protection Professionals in India (FDPPI), a not for profit company, Naavi has already launched a program for “Certified Data Protection Professionals”  in two modules namely a module on Indian laws and module on Global laws.  Naavi has also released a book which explains the Indian law as it is emerging.

Now Naavi has moved onto the next level of assisting the organizations on how they can go about compliance of the Data Protection Regulations through a framework that guides them through to compliance and prepares them to be certified as follows:

“Certified that …………………………..  (Name of the organization) has  satisfactorily implemented policies, procedures and other  measures to be considered compliant with the provisions of  ………… (Name of the data protection act such as GDPR, PDPA etc) ,  with a Data Trust Score of …….. (Assessment score) “

Naavi has been discussing the PDPSI (Personal data protection standard of India) over the last two years in this website and other conferences. Now the concept is explained in greater detail in an E Book. This contains the comprehensive standard for compliance of data protection laws which can be implemented by any Personal Data Processing organization by themselves with a reasonable assistance from their in-house information security or privacy aware professionals.

FDPPI which is the Certifying Agency under the standard is  shortly  conducting “PDPSI Consultant Accreditation Training” to equip data protection professionals to be fully conversant with the provisions of PDPSI and assist organizations that may need their help.

Consultants  may also conduct the audit on implementation already done by organizations with or without the help of other consultants and  issue Certificates of compliance if the implementation is found satisfactory.

These initiatives help companies to get ready for compliance as soon as the law gets passed.

The E Book above contains the 12 standards and 50 implementation specifications that constitute the standard along with details of the certification system and DTS assessment system. (P.S: The book does not contain templates of policies which are to be developed by consultants based on different implementation contexts).

The framework under PDPSI incorporates the best practices and includes the controls normally suggested under internationally used standards and makes several innovative improvements.

Organizations interested in using the PDPSI framework may contact Naavi through e-mail.

(P.S: Kindly note that this is an imitative of Naavi and FDPPI and does not have  prior consultation with or accreditation from any Government agency. After the Personal Data Protection Act comes into being, the Data Protection Authority is expected to publish norms for certification separately and this certification is expected to prepare the organization for the formal certification system that may be introduced by the Data Protection Authority in due course… Naavi)


Posted in Uncategorized | Leave a comment

The Standards under PDPSI

(Continued from the previous article)

At present, PDPSI is built on 11 standards. We shall analyze what are the 11 standards that comprise of the PDPSI and the implementation specifications associated with it and how they relate to the “Certification” process.

PDPSI has adopted the HIPAA model of “Standards” and “Implementation Specifications”.

By including implementation specifications in a statutory law, HIPAA made 7 standards without implementation specifications  and 23 Required implementation specifications as part of the legal prescription. At the same time it left 22 implementation specifications as “Addressable” meaning that the management of a covered entity can take a view on whether thee 22 implementation specifications need to be implemented and if so whether they can be implemented in a manner different from what is suggested in the law.

In other words, HIPAA prescribes 30 statutory prescriptions on how to safeguard the protected health information by the covered entities and 22 other guidance indications that are optional with the condition that if they are replaced with alternatives, sufficient justification has to be provided through documentation.

PDPSI is currently designed on 11 standards and 45 implementation specifications. But under PDPSI, the standards and implementation specifications are used differently from HIPAA. The PDPSI standards are defined for the conduct of PDPSI audit by a lead PDPSI auditor.

However the implementing company is provided with 45 guidance indications which can be used by the Data Fiduciaries and Data Processors. The documentation of whether these 45 implementation specifications are used in toto or some of them replaced with other controls and if so the reasons thereof, is addressed through one of the  documents namely the “Implementation Charter” which is one of the 11 standards recommended. The PDPSI auditor will evaluate the implementation of the 11 standards reflected in the 45 implementation specifications along with the logic presented in the Implementation charter on why one or more of the suggested specifications are ignored or replaced.

The PDPSI auditor’s responsibility is in verifying the implementation of the standards and the implementation specifications adopted in the Implementation Charter and provides his certificate on whether the implementation system is set to work reasonably. The implementation specification includes what may be called “Controls” in other systems .

While the Standards and the Implementation specifications are created by the PDPSI agency (except to the extent the implementation specifications are modified through the implementation charter), the controls are created by the organization themselves.

A few of the key implementation specifications are explained in the PDPSI specification itself to the next level where they become “Control Descriptions”. But most of the other specifications are left without the subordinate “Control Level Description” because it is felt that the industry already has many best practice alternatives for these specifications. The “Control Descriptions” which are provided as part of the PDPSI documentation are those which may not be commonly used by the industry.

To this extent the “Implementation specification with control description” is similar to the “15 Standards with implementation specifications” in HIPAA and the “Implementation specification without Control Specification” is similar to the 7 standards without implementation specifications in HIPAA”.

The structure of PDPSI will therefore look like the following.


…. To Be continued

Posted in Uncategorized | Leave a comment

PDPSI Eco System

The National Digital Health Mission (NDHM) has issued the Health Data management policy which has been introduced over the previous series of articles. As per the document on the NDHM website, the Health Data Management Policy (HDMP) is the first step in realizing the NDHM’s guiding principle of “Security By Design” for the “protection of the data principal’s personal digital heath data privacy”. This acts as the minimum standard for data protection that should be followed across the board in order to ensure compliance of relevant and applicable laws, rules and regulations.

Participation of an individual or a medical practitioner or a health facility in the scheme is voluntary and the participants when they opt in would be issued a “Health ID” or “Digi-Doctor ID” or a Health Facility ID”. These IDs will be unique as long as the participants are within the system and if they opt out, they will be deactivated and in the case of the individuals may be deleted and erased on request.

 In order that the policy is complied with, it would be necessary for organizations to be compliant with the provisions of the policy along with the applicable laws. Presently, the applicable law is Information Technology Act 2000 as amended in 2008 which under Section 43A addresses the requirements of securing “Health Data”. However, the PDPB 2019 represents the “Due Diligence” and is recognized in the policy itself.

In order to enable organizations to  adopt to the compliance requirements, Naavi suggests the use of the “PDPSI” system which is being developed  in the context of  PDPA of India or PDPAI (Proposed). As we await the PDPB 2019 to become a law, we can apply the PDPSI to the NDHM policy implementation as is briefly explained here.

PDPSI stands for “Personal Data Protection Standard of India” and is meant to assist SME/MSME s to adopt PDPA (proposed) as also to develop a Certifiable standard along with an assessment system for Data Trust Score (DTS) evaluation.

After the undersigned presented the concept of PDPSI and DTS about 2 years back, the two systems have been widely discussed with the professionals associated with the FDPPI movement. (See www.fdppi.in for more information on FDPPI). As a result of these deliberations, the PDPSI has evolved along with the DTS system and these systems would be explained in a series of articles here.

The PDPSI Ecosystem

To start with, we need to recognize that the PDPSI is a complete ecosystem that supports the Organizations that require PDPAI (proposed) to be implemented in their organizations.

PDPSI is developed as a “Unified System” for compliance of multiple Data Protection regimes and is applicable not only for compliance of PDPA of India but also for GDPR or DIFC DPL, Singapore PDPA, CCPA or Brazil LGPD or any other data protection regulation.

Hence PDPSI is also ready as a compliance eco system for the NDHM-HDMP.

The PDPSI Eco system consists of Standards, Implementation Specifications and a DTS system.

The PDPSI serves the requirement of different types of users. The Standards are meant to be used by accredited auditors to Certify an organization. The Implementation Specifications are meant to be used by the implementers as a guideline for compliance. On the other hand, The DTS is meant to be used by Data Auditors who after their audit present their assessment in the form of a DTS.

PDPSI is meant to be used as a unified platform for multiple Data Protection Compliance. The DTS however has to be computed differently for different compliance requirements and therefore, DTS-In will be different from DTS-GDPR for the same organization.

We shall explore the concept of PDPSI further in the follow up articles.


Posted in Uncategorized | Leave a comment


Refer to the set of articles below

What is Pseudonymization Gateway

Governance and Implementation Structure under PDPSI-GDPR


PDPSI-GDPR the replacement for ISO27701


Posted in Uncategorized | Leave a comment

Earlier Articles

Discussions on PDPSI started some time back at www.naavi.org and are now being organized for exclusive focus on this website.

The earlier articles written on this topic are given below. Further discussions will continue.

  1. A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
  2. Data Protection Standard of India- (DPSI)
  3. Data Classification is the first and most important element of PDPSI
  4. Why 16 types of Data are indicated in PDPSI?
  5. Implementation Responsibility under Personal Data Protection Standard of India
  6. India to be the hub of International Personal Data Processing…. objective of PDPSI
  7. Principles of PDPSI
  8. Pentagon Model of TISM…An implementation approach to PDPSI implementation
  9. Personal Data Gate Keepers and Internal Data Controllers in Organizations
  10. Legitimate Interest Policy
  11. Implement “My Bhi Chowkidar” policy for Personal Data Protection.
  12. Criticality of the Grievance Redressal Mechanism in PDPSI
  13. Data Breach Notification-What PDPSI expects
  14. PDPSI-Business Agreement Control
  15. Naavi’s Data Trust Score model unleashed in the new year
  16. Naavi’s 5X5 Data Trust Score System…. Some clarifications
  17. Naavi’s Data Trust Score Audit System…allocation of weightages


Posted in Uncategorized | Leave a comment

What is PDPSI?

PDPSI is a Techno Legal Information Security standard developed for meeting the Data protection requirements in the Indian Jurisdiction.

It is modelled on the principle of Three dimensional information security approach involving Technology, Law and behavioural science.

This standard is originated by Naavi, the founder of www.naavi.org who is a pioneer in Cyber Law in India.

The objective of this standard is to focus on the requirements of companies in India which are exposed to the upcoming requirement of compliance of the Personal Data Protection Act of India (PDPA) along with other relevant Privacy and Data Protection laws that are mandatory for an organization operating in India including the current Information Technology Act 2000.

This standard is being developed on the open source principles where the standard is public and implementation is specific. In other words, this standard PDPSI can be adopted by any Data Auditor as a framework.  The individual specifications that come as annexure to the standard may be improved upon and customized.

There will be one suggested implementation framework that comes along with the standard which can be used with suitable modifications based on the context by the auditor with an appropriate deviation disclosure. 

Data Auditors are free to adopt the main standard without the adopting the suggested implementation specifications as suggested. They may in turn develop their own proprietary methods as a guide.  

Auditors who want to develop their own implementation frameworks and publish the same on this site, they are welcome.

If they want to keep it proprietary,  we respect their intellectual property right. We would however appreciate if they keep us informed of the existence of such proprietary implementation standards.

In due course, this website may provide a platform for them to reach out interested clients and sell their implementation specifications as a standard within standard.

This standard does not have any Government patronage and is purely a voluntary effort from the user’s perspective. We however shall endeavor to present this to the Data Protection Authority (DPA) as and when the set up emerges. 

As a part of the discussions around PDPSI, this site will try to present its views on the various codes and practices that PDPA envisages in due course. 

Naavi is also the Chairman of the Foundation of Data Protection Professionals in India (FDPPI) details of which is available at www.fdppi.in.

The PDPSI initiative is at present the initiative of Naavi the individual and does not constitute the views of any of the members of FDPPI or of the organizations that they may be associated with. FDPPI is however free to take its own independent view on the standard and also develop its own endorsed version of the standard or the implementation specifications as it deems fit.


Posted in Uncategorized | Leave a comment