Now Data Protection Compliance in India is easy and affordable

Ujvala Consultants Private Limited as a Supporting member of Foundation of Data Protection Professionals in India (www.fdppi.in) has made Data Protection Compliance in India simple and affordable.

Ujvala provides online access to a self assessment tool through this website, which costs only Rs 2500/- (plus GST) as an introductory price.

On payment of the fees, an e-mail will be sent with an access password to an online self assessment system which consists of five parts and 233 questions.

The questions can be answered online and a self evaluation of the effectiveness of the current practices can be entered by the organization representative.

On submission, the Ujvala team will provide an adjusted Self Assessed DTS with a basic review comment.

If required, the organization may get implementation evaluation of policy documents and a summary assessment from Ujvala.

Following this, the organization may obtain implementation consultancy from a DPCSI consultant and FDPPI certified audit certificate from a DPCSI auditor.

Cost of Rs 2500/- plus GST (Total Rs 2950/-) is applicable for self assessment, review of the self assessment and issue of an adjusted DTS based on the preliminary review.

Cost for Summary assessment, Consultancy and Audit will be advised on request and further discussion.

Naavi


Let’s Create a Compliance Culture in Indian Data Protection Community

To

All those interested in Data Protection law compliance in India

Dear Friends

I invite you all for the webinar on “Data Trust Score under DPCSI” scheduled for 11.00 am on Sunday, July 10, 2022. The webinar will be on Zoom. The meeting ID is 882 8084 0436. The pass code is: dts_07

The approximate duration would be one hour followed by discussions. During the session, I will try to explain how Data Protection compliance maturity of an organization can be expressed in terms of a “Data Trust Score” just as how the credit ratings express the investment worthiness of a financial instrument.

The framework based on which the model of DTS would be explained is the Data Protection Compliance Management System which is uniquely built as a “Unified system for compliance of Personal Data Protection under ITA 2000/PDPB2019 or DPA 2021/GDPR etc.”

During the session, the use of an online tool that can be used for a self estimation of the data protection status of an organization would also be described.

Don’t miss this opportunity to be part of a revolutionary change in the way companies can handle their data protection compliance requirements. MSMEs in particular should be more interested since the tool would help them to start their journey to be compliant with the law as it emerges.

The objective of this interaction is to make compliance easier and more affordable so that we can together create a “Compliance Culture” in India.

Whether the Government passes the Personal Data Protection bill (PDPB 2019/DPA 2021) during monsoon or not, responsible companies need to start their journey towards compliance.

Even when changes are brought, the foundation principles of compliance will not change. Let vested interests continue their fight to avoid compliance responsibility.

We the responsible corporates shall show the way to respect and be compliant with the legislative intention already reflected under the concept of “Due Diligence” and “Reasonable Security Practice” in ITA 2000/8.

Naavi


My DTS

Data Trust Score (DTS) is a measure of the effectiveness of compliance of an organization to data protection law as assessed by an auditor. This brings visibility to the common man of how reliable the data protection measures in an organization are. It also brings accountability to the data audit system by requiring the auditor to convert the subjective assessments to a common objective number.

In the Corporate and Investment world, “Credit Rating” is a common measure of the safety of investment in an instrument and has been widely used. DTS now brings this concept to the world of “Personal Data”, which is like a currency which the public invests and Data Fiduciaries collect and use for generating business revenue.

Naavi has been working on developing a DTS system based on the PDPB 2018 which later became PDPB 2019 and is now referred to as DPA2021 (or DPB 2021). In this process, Naavi developed a framework referred to as “Data Protection Compliance Standard of India” (DPCSI) which incorporates the best of the various frameworks for implementation of ISMS or PIMS and extends it with some other unique concepts.

Now, Naavi has tried to simplify the process of DPCSI audit by enabling DTS evaluation online. This online DTS computation has been enabled by Ujvala Consultants Private Limited. The process is enabled as a “Self Evaluation” based on certain assessment questions, submitted for review to Ujvala Consultants for validation. Validation can be further strengthened by review of policy documents into a summary assessment of DTS. Finally the system merges with a Certifiable audit by a FDPPI certified auditor.

The online link to self assessment will be available on the payment of a prescribed fee.

The assessment goes through different steps over 50 model implementation specifications (MIS 1-50) and covers five responsibility centers in the organization namely,

1. Management (MIS 1-15)

2. DPO (MIS 16-24)

3. Legal (MIS 25-26)

4. HR (MIS 27-30)

5. IT (MIS 31-50)

General Instructions for use of the “My DTS” system

The assessment has been divided into five sections corresponding to the five different responsibility centers, so that different representatives of the company can complete the assessment in each of the sections. Each section covers the Implementation Specifications related to the specific responsibility center. The user is expected to complete the questionnaire with reference to the current practices in the organization.

The questionnaire consists of one or more questions related to each of the Model Implementation Specifications followed by a self assessment of an evaluation score for the specific implementation specification on a scale of 1-10. For each assessment, a list of documents referred may be indicated.

When these individual scores for each implementation specification are totalled, one arrives at the total score for the section.

It is envisaged that each section would be completed by a designated person.

The completion of the questionnaire can be stopped and continued as per the convenience of the responder. It can be reviewed internally before it is finally committed for submission.

The summation of the assessment scores for each of the five sections provides the first raw estimation of DTS of the organization based on self declaration.

When this assessment is submitted to Ujvala, Ujvala will apply a weightage system and compute an “Adjusted DTS” and communicate it to the organization along with some critical recommendations, if any, for further action. A Certificate would be issued in support of this “Self Assessment”. A general feedback on the next action required will also be provided by Ujvala along with the self assessment certificate.

Summary Assessment

Additionally, the organization may choose to elevate the self assessment into a “Summary Assessment” by Ujvala based on submission of evidentiary documents such as policy documents etc. for review.

This would be separately certified as “Provisional DTS” for the organization.

FDPPI Certification 

If the Company opts to go for a full-fledged audit of their compliance under the DPCSI framework which should meet the standards of Section 29 Data Audit, the audit will be conducted by an FDPPI accredited Certification body and may be certified by FDPPI under its norms for Certification.

Pricing

The self assessment audit with the general feedback from Ujvala about the DTS without detailed scrutiny of the documents is available at Rs 5900/- (includes basic price of Rs 5000/- and GST at 18% of Rs 900/-).

P.S: Inaugural concessional price of Rs 2950/- has been withdrawn.

Similar assessment audit for GDPR-DTS would be available at Rs 11800/- (Including Basic price of Rs 10000/- and GST of Rs 1800/-)

This will include the general feedback from Ujvala issued along with the Self Assessment Certificate.

The cost of Summary assessment by Ujvala with a review of the documents submitted would be based on the documents to be reviewed and an estimate would be provided after the basic DTS is provided.

The cost of final Certification audit would depend on the estimate of the work involved and as per FDPPI guidelines if any.

For using the online DTS evaluation for Compliance of Indian DPA 2021, kindly make the payment of Rs 5900/- using the following link and await further instructions.

Naavi

Confidentiality of Information Submitted:

Kindly note that the information submitted for assessment will be available to the team of consultants of Ujvala, which consists of Naavi and his associates, who provide their assurance for confidentiality of data through Ujvala.

Since the evaluation questionnaire is hosted on an external website and the security of data entered therein is subject to the security provided by the said website, an option is made available to the respondent organization to seek a pseudonymous ID while making the payment, which can be used on the website where the responses are completed. The responses do not contain any corporate data once the name of the organization is pseudonymized.

For any further clarification, kindly contact Naavi

Online Data Protection Audit and Data Trust Score Tool

Ujvala Consultants Pvt Limited has developed an online Data Protection Compliance Assessment Tool which can assist in generating a DTS score for an organization.

DTS or Data Trust Score is a measure of the extent of data protection compliance of an organization. A complete assessment of DTS requires an audit, a methodology for converting the audit findings into a score and an assessment by an experienced auditor.

However, as a preliminary measure of assessment, an online assessment tool has been developed by Ujvala Consultants Pvt Ltd.

The tool can be used by any DPO to check the preparedness of the organization before a formal audit may be invited. It is also a tool to be used by Ujvala Auditors to develop the Gap assessment.

The tool has been developed on the basis of DPCSI (Data Protection Compliance Standard of India) as a framework and Naavi’s methodology for DTS calculation.

Ujvala Consultants would be using this tool for its Data Protection Compliance audits.

Naavi


Ujvala to pioneer Algorithmic Transparency Audit as required under DPA 2021

One of the new requirements that has been brought into the Data Protection Audit in India through the DPA 2021 is the need for “Algorithmic Transparency”. Additionally, all devices, both software and hardware, that process data need to carry a security certification from an accredited lab.

The Data Protection Standard of India (DPSI) has been suitably modified to incorporate these requirements.

At the same time, the DPIA and Harm Audit concepts need to be upgraded to include the audit against any possible “Bias” of an automated decision making involved in data processing.

In order to provide a service for third party “Bias Audit”, Ujvala is developing a new line of activity for “Independent third party Bias Audit” of algorithms as may be considered adequate under DPA 2021.

This audit would not be at the Code level and therefore does not involve any IPR risks.

Ujvala is in the process of finalizing technology partners for this line of activity.

Naavi


Ujvala Data Governance Consortium

Ujvala Consultants has created a virtual subsidiary named Ujvala Data Governance Consortium (UDGC) with effect from 1st August 2021. It will undertake projects related to Data Protection Audit as a group of professionals.

UDGC will be a division of Ujvala Consultants Pvt Ltd.


PDPSI Audits

Ujvala Consultants is one of the Certification bodies licensed by FDPPI for conducting assessments, audit and DTS (Data Trust Score) evaluations under PDPSI system.

PDPSI assessment is based on the Standard and Implementation specifications provided under the PDPSI framework.

PDPSI consists of 12 standards and 50 Model Implementation Specifications (MIS). The DTS evaluation is based on an assessment of an auditor on the effective implementation of these implementation specifications.

The Audit is based on the Implementation Charter developed based on a Gap Assessment based on the Model Implementation Specifications (MIS) but modified by the Management based on their Risk Strategy of Mitigation. The Risk Mitigation Strategy takes into account the organization’s preference for Risk Avoidance, Risk Absorption and Risk Transfer and the resultant modified set of Implementation Specifications is considered as the “Adopted Implementation Specifications” (AIS). The logic for modifying the MIS into AIS is recorded in the “Deviation Justification Document” signed off by the management.

The Audit is conducted based on the AIS of the Implementation Charter resulting in a “Satisfactory” or “Requires Improvement” comment. All audits will be accompanied by an allotted DTS score.

The Certificate is issued by Ujvala and copy filed with FDPPI. It is part of the PDPSI system that at the end of the audit, the auditee organization will file a “PDPSI Auditee Feedback” and send it directly to FDPPI. The feedback will also consist of a permission to opt in for disclosure of DTS.

Currently, Naavi and Ramesh Venkataraman are the Certified Lead Auditors for Ujvala, for the purpose of PDPSI audits.

Digital Media Compliance Guidance Center

With the notification of the new Intermediary Guidelines 2021 [Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021] notified on 25th February 2021, the Digital Publication scenario in India has changed substantially.

It will take some time for the full impact of this Surgical strike by the joint operations of the Ministries of IT and I&B to sink in to the industry.

The changes will affect all the large Intermediaries like Twitter, FaceBook, YouTube, WhatsApp, Telegram etc., the emerging Indian companies like Koo, Tooter, Arattai, as well as a number of YouTube Channels such as Shekar Gupta’s Channel, The News Minute or other similar channels. The OTT Channels such as HotStar, ZeeTV, JioTV etc. will all be coming within the provisions of the guidelines.

The compliance requirements in principle apply to any digital publication which has News content and are therefore applicable to many blogs, though by virtue of a smaller exposure they may not be coming directly under the definition of the “Significant Social Media Intermediary” or a “Publisher”.

The compliance requirements are not simple and will also need to incorporate a Grievance Redressal Mechanism.

Naavi has been operating the ODRGLOBAL.IN which is an online grievance redressal system and is ideally suited to be adopted for the requirements of this type. Naavi has also been engaged in ITA 2008 compliance as well as Personal Data Protection Compliance (GDPR, Indian PDPA etc).

Recognizing the needs of the Digital Media Publishers, Naavi has launched a new service namely “Digital Media Compliance Guidance Center” (DMCGC).

DMCGC will provide compliance consultancy to enable organizations maintaining news websites and news apps to maintain compliance as envisaged under the rules.

Non-compliance with the Intermediary guidelines would be like exposing the media organization to a volley of AK 47 bullets without so much as a shirt to wear, let alone a bullet proof vest.

The service would be provided through Ujvala Consultants Private Limited, the Techno Legal compliance consultancy company.

Interested persons may contact Naavi through e-mail

Naavi


GDPR Compliance.. A Better Tool at a more Economical Cost

When GDPR came into existence, it created a stir in the Corporate markets all over the world including India. The immediate concern was that the administrative fines under GDPR could go up to 4% of the global turnover of an organization which is considered a “Data Controller”. Additionally, the applicability of GDPR was extended to organizations outside the EU region if they were directing their business to the Data Subjects in the EU or were profiling the activities of individuals in the EU. Hence companies in India were concerned about non-compliance with GDPR.

Since 25th May 2018 when GDPR came into effect there is a better understanding of the applicability of GDPR and how it operates on entities located in India, particularly if the organization is only a processor and is not a Controller or Joint Controller.

However the July 14, 2020 order of the Court of Justice EU on the invalidation of the US Privacy shield has given a new jolt to the Indian organizations. The US Companies are now out of the shelter of the self certified US privacy shield arrangement and are banking more on the Standard Contractual Clauses (SCC). The Controller-Processor template of a SCC is also extended by US data vendors to their contracts with Indian data processors along with the indemnity clauses.

As a result the need for documented compliance of GDPR has increased in India.

The fundamental obligation under GDPR is on securing the personal data of EU Citizens that is being processed. However, the SCC imposes a “Data Controller” obligation even on a “Data Processor” in certain exceptional circumstances. In some cases the data vendor may not be fully aware of the implications of GDPR in a given context and the Indian organization needs to negotiate with the data vendors the inter-se responsibilities and a proper role definition.

For both these reasons, Indian companies, whether they are controllers, joint controllers or processors, would do well to implement a GDPR compliance program within their organization.

Being fully GDPR Compliant will also enable the Indian Data Processing Companies to bid for business from out of India either from the EU area itself or from many other countries where there may be no data protection regulations and GDPR is looked upon as a Standard for data protection.

Presently organizations aspire to achieve GDPR Compliance through the privacy frameworks such as BS 10012 or ISO27701.

Both BS 10012 and ISO 27701 are frameworks specifically developed for GDPR compliance and address the issues of Privacy Protection envisaged in GDPR.

However the ISO 27701 is an extension of ISO 27001 and even BS 10012 makes a normative reference to ISO 27001. Both frameworks are therefore dependent frameworks and can be relied upon only if the organization is already ISO 27001 compliant.

In the Indian context, though large organizations would be comfortable with ISO 27001+ISO 27701 as the compliance standards, SMEs and MSMEs would find it difficult to maintain ISO 27001 and hence ISO 27701 remains an impractical goal.

Also for most data processors, pursuing ISO 27701 would be an overkill.

In order to address the needs of such Indian organizations, Ujvala has adopted the standard created by Naavi under PDPSI and its extension PDPSI-GDPR as the effective alternative to ISO 27701.

Compliance framework of PDPSI-GDPR would be more than sufficient to cover all aspects of ISO 27701 along with ISO 27001.

Lead implementers for this implementation are also being developed by Cyber Law College through its certification programs in association with FDPPI. The consultants of Ujvala will be adopting this framework for GDPR compliance.

The PDPSI-GDPR in its full implementation mode is a step ahead of the ISO 27701 with a Data Trust Score to indicate the maturity level of the organization in terms of implementation of GDPR compliance program.

DIFC-DPL Compliance

Ujvala Consultants adopts a customized audit cum implementation framework for compliance to DIFC-DPL 2020.

The framework has been developed under the “PDPSI” extension and is recognized as “PDPSI-DIFC Framework.”

PDPSI (Personal Data Protection Standard of India) was first developed as a framework for implementation of India’s proposed Personal Data Protection Act by Cyber Law College and is being adopted as an indigenous implementation framework for Data Protection in India through FDPPI (Foundation of Data Protection Professionals).

It is now adopted as an extended framework for other Data Protection Laws including GDPR to replace the ISO 27701.

The Extension for DIFC has 11 fundamental Standard statements followed by 44 implementation specification guidelines.

These guidelines are specifically tailored to meet the Techno Legal compliance requirements of DIFC and provide a structured implementation guideline.

Any Techno Legal compliance cannot be fully automated and hence a certain level of interpretation is inevitable in implementation of any framework based approach.

In applying this framework, Cyber Law College has developed a few trained Lead Implementers who can interpret the provisions of DIFC-DPL 2020 in an appropriate manner.

Naavi will be personally involved in such implementation programs initially as the Lead Consultant in all projects of Ujvala.

Ujvala’s PDPSI-DIFC based implementation is offered as a consultancy service for all those companies who are intending to take compliance steps to meet the DIFC deadline of 1st October 2020 and thereafter.