As conversations and debates are in full flow all around us on privacy and data protection, India quietly crossed a crucial milestone in its privacy journey for enterprises last week.
The Data Security Council of India (DSCI), India’s focal body on data protection which is an independent Self Regulatory Organization (SRO) under NASSCOM®, launched the ‘DSCI Lead Assessor for Privacy’ program last week.
Why is this significant? Where does it fit in? This post elaborates on this and gives an overview of the Privacy Ecosystem in India from an Enterprise perspective.
Privacy & Data Protection issues and challenges are not merely growing – they are escalating. The issues encompass individuals, civil society, governments as well as enterprises. While some countries and geographies have been addressing these challenges via laws and regulations for quite some time now, others like India have adopted necessary legislation only in the last few years with more laws scheduled to be passed in the pipeline.
In a dynamic, continually evolving scenario like this, enterprises often struggle to implement and manage privacy initiatives and programs. Whether it is a multinational operating across multiple countries with a host of different business lines or a small business with a limited regional presence, it has to deal with personal information of individuals that it is exposed to or handles or merely processes. The individuals could be customers and/or employees.
To help enterprises implement and manage privacy programs, DSCI conceptualized and launched its DSCI Privacy Framework (DPF©) back in December 2010. Based on global privacy principles and best practices, the DPF© helps enterprises implement privacy in a comprehensive manner.
Enterprises that began adopting this framework subsequently started looking at DSCI to certify them – for having complied with the framework. This required the enterprise to be assessed for compliance. To cater to this, DSCI developed an assessment framework – the DSCI Assessment Framework for Privacy (DAF-P©) which was released in December 2012.
What is noteworthy is that while developing the assessment framework, DSCI took cognizance of the fact that not all enterprises may be in a position to roll out DPF©. Some, especially the smaller ones, may just look at complying with certain global privacy principles. Hence DAF-P© was designed in two parts – one focused on assessment of DPF© and the other on assessment of global privacy principles. The first would qualify for external assessment and consequent certification by DSCI while the second could be used by an enterprise for self assessment. Of course, enterprises have the option of doing a self-assessment for DPF© without necessarily going in for a certification from DSCI.
The overall DSCI certification eco-system consists of
– A DSCI Certification Board
– Accredited organizations authorized to assess an enterprise for compliance with DPF©.
– Certified DSCI Lead Assessors for Privacy who carry out the actual assessment of an organization, under the aegis of an accredited assessor organization. These assessors can also work with an enterprise for self-assessment
With the launch of the DSCI Lead Assessor for Privacy program, the first aspect of the above ecosystem has been kick-started. Given the enthusiastic response to the program from industry, this is sure to rev up privacy adoption in Indian enterprises.
Posted by Shivangi Nadkarni, Co-Founder & CEO, Arrka Consulting www.arrka.com | @arrka2 | @shivanginadkarn