(In continuation of the previous article)
PDPSI is a framework which evolved from the Indian Information Security Framework (IISF-309) which was first developed for compliance of ITA 2000, and published in March 2009.
PDPSI was designed to be of use for “Compliance” of data protection regulations for an organization which is involved in processing of personal data and is subject to the Indian jurisdiction. The primary law of the Indian jurisdiction now is ITA 2000 and is read with PDPB 2019 as the “Due Diligence Requirement” under ITA 2000.
PDPSI takes into account the fact that if the Indian organization is involved in processing personal data originating from abroad, the organization will be required to factor-in compliance of the appropriate law applicable to the “Country of Origin” of the personal data. It is therefore a “Unified Compliance Framework”.
Further PDPSI restricts its objective to “Compliance” of “Data Protection Law applicable to an Indian Data Fiduciary”. The terms such as PIMS or DPMS used in ISO 27701 and IS 17428 indicate that these frameworks provide/attempt to provide a certification on the Personal Information or Personal Data Management system per-se. These standards do not claim to have been designed for “Compliance” but have drawn heavily from the GDPR in identifying the principles of Privacy which the PIMS/DPMS system tries to “manage”.
PDPSI on the other hand is designed for compliance. It is a template for compliance of any data protection law and incorporates many controls which are relevant for Indian requirement under ITA 2000-PDPB 2019 which may not be available in other laws such as GDPR. PDPSI is therefore more comprehensive than the IS 17428.
Also, both ISO 27701 and IS 17428 are not independent standards and have to be read with ISO 27001/2 and will not be certifiable except with ISO 27001 certification. Both ISO 27701 and IS 17428 have to therefore be considered as an augmented ISO 27001 rather than independent standards by themselves.
PDPSI however is an independent certifiable standard and incorporates protection of information through the CIA principle as part of its Implementation Specifications.
PDPSI is a framework which addresses “Management of Personal Information in an organization for the purpose of protecting the privacy of the data principal as indicated in the relevant law”.
This system is better referred to as PDP-CMS or “Personal Data Protection Compliance Management System” instead of PIMS or DPMS.
The primary focus of PDPSI controls are therefore the prescriptions under the target regulation and any generic managerial controls which may be part of the system are meant to/ designed help the compliance in the longer run.
It is therefore possible to develop PDPSI certification as a tightly integrated certification for compliance of a given data protection regulation.
For example PDPSI-In can be considered as near compliance of Indian data protection regulation while PDPSI-EU may be related to compliance of EU GDPR and PDPSI-Sg may be related to compliance of Singapore PDPA 2012. etc.
PDPSI however recognizes that “Compliance” of a law inherently involves “Interpretation” of law and hence even the best interpretation of a professional can only be a second guess on what the Data Protection Authority of the day thinks is the correct interpretation or a third guess on what the Courts may interpret.
While PDPSI attempts to partially address the alignment of compliance with the DPA’s interpretation, it may not be possible to align the compliance with the possible interpretation of a Court in a future judicial proceedings and in that context PDPSI would be a “Good Faith” interpretation of what the Data Protection Jurisprudence could be.
Understanding PDPSI in its full perspective requires a more detailed discussion. FDPPI and Naavi are committed to explain these principles to all interested professionals who would be curious to know why PDPSI is considered as the “Bade Bhai” to IS 17428 which is the “Chote Bhai”.
Naavi is planning to conduct a free introductory webinar shortly to explain PDPSI concept in detail. FDPPI is also separately conducting Certification programs to develop DPOs who can implement the PDPSI in a corporate scenario.
Watch out for the introductory free webinar and book your interest through e-mail with naavi or as a comment here under.