Call for an online meeting for further discussions

Following the discussions with some like minded persons, it has been decided to take further steps to proceed with the formalization of this Academy.

In this connection, we would like to have an online interaction some time during next week.

An invitation is being sent through e-mail to finalize the day and time.

During the meeting we can exchange ideas and discuss the next action plan.

Kindly spread the word so that invitations can be sent to interested persons.

The meeting is proposed to be on Gotomeeting or Zoom. Bandwidth permitting there could be video interactions also. People may be able to join on mobiles also.

Naavi

 

Posted in Uncategorized | Leave a comment

Who are Data Protection Professionals?

IADPP believes in building a platform that can bring together a large part of professionals who are working directly or indirectly in the domain of “Data Protection”.

For the purpose of defining the role of a Data Protection professional, we need to define the scope of Data Protection Activity.

I propose that we may adopt the following definition for a “Data Protection Professional”

Data Protection Professionals are

“professionals”

engaged in the activity of 

“Creation”, “Enhancement” and “Preservation”

of value of information in any form.

A “Profession” is defined as

“any type of work that needs special training or a particular skill, often one that is respected because it involves a high level of education”

A “Profession” also means as distinguished from an “amateur”,  a person who uses his skill for earning a living.

In individual form we have the “Professional” and collectively professionals create a “Professional Organization”.

In the second part of the definition we have added “Creation, Enhancement and Preservation” of value of information.

This recognizes that today data protection is not an after thought in the IT industry. When we value “Security by design”, we are implying that those who create data systems which include the persons whom we today call as “Software Developers” or “Quality Professionals” are also part of the eco-system.

“Value preservation of information” implies that the professionals whom we call as “Information Security Professionals” who are the core professionals who are identified today as responsible for information security in organizations or “Privacy Professionals” who are focussed on the protection of Information Privacy and Cyber Crime Prevention professionals who may be Cyber Forensic or Law enforcement persons, and even Advocates who specialize in Cyber Law or Privacy laws are part of this eco-system.

On the Business side there are Cyber Insurance professionals who put money where their faith lies in information security and hence have to be part of the Data Protection Eco system.

It is true that only some of these professionals are actually designated as “Data Protection Officers” or such other designations that show a direct responsibility but others are also involved in Data Protection in some manner and it would be good to have an organization that does not exclude them.

Similarly there are “Academicians” who may not be professionals working in IT companies but nevertheless contribute substantially to the growth of the Data Protection Industry by their research and contribution towards regulation and development of security tools.

Last but not the least are the Commercial organizations who are the “Data Processors”, “Data Controllers”, “Data Mining or Data Analytics companies” etc who are stake holders in the regulation and implementation of Data Protection. They also have a reason to be part of the Data Protection Eco System.

Though there would be some conflicts between different categories of Data Security Stake holders, a sustainable eco system can be developed only by including such different types of stake holders in a common platform and trying to develop a self regulated , ethics based platform where each is aware of the conflict and try to work within the limitations imposed by the presence of such conflicting interests.

IADPP therefore keeps its doors open for a wide section of professionals and hopefully it provides the foundation for long term growth.

Naavi

 

 

Posted in Uncategorized | Tagged , , | Leave a comment

Let’s create a Federation of Data Protection Professionals

Indian Academy of Data Protection Professionals is devoted to the betterment of Data Protection Professionals in India.

Data Protection has multiple objectives.

a) Protect Data to protect Privacy

b) Protect Data to Protect the Company

c) Protect Data to Prevent Cyber Crimes

Presently, professionals in the Data Protection Industry are organized as “Privacy Professionals”, “Information Security Professionals”, “Compliance Professionals” etc.

This platform aims to bring together all these persons under one platform.

Presently there are multiple groups under WhatsApp or Telegram where we do exchange our views. Many of these groups have overlapping members and over a time the messages get repeated across multiple groups causing message fatigue.

We can avoid this by using this platform as a consolidated platform for information exchange where the message is of interest to all Data Protection Professionals. This will also obviate the need for us becoming members of multiple WhatsApp groups except when the purpose is different from knowledge sharing of Data Protection Related information.

Additionally, Naavi maintains the Privacy Knowledge Center (www.privacy.ind.in), Cyber Law Knowledge Center (www.naavi.org) etc. Others may also have similar knowledge sharing platforms of their own. We need to find a way of consolidating the information spread across different platforms so that it becomes available without too much pain.

Some of the sub groups mentioned above can be “Organizational Associates of the IADPP” so that they can maintain their independent status but also participate in the community activities. In this sense IADPP can become a “Federation of other Privacy and/or Data Protection organizations”.

Any suggestions on how to achieve this objective are welcome.

Naavi

Posted in Uncategorized | Tagged | Leave a comment

Now this is Indian Academy of Data Protection Professionals

Over the last one week we have been deliberating on the status of this proposed association of Data Protection Professionals. During this time I have had personal discussions with a few and online interaction with some others.

Some clarity has now come to the idea which should ensure that more number of professionals come together for common good of the community.

Some of us would like to meet on the web and some have offered a suitable online platform for the meeting. We need to finalize the schedule.

In the meantime, one of the most contentious issue confronting us was finding a neutral name for this platform.

I started with Indian Association of Data Protection Professionals, keeping the meaning of “Association” as some thing that indicates a confluence of people. Though the word “Association” mean many things, one of the predominant meanings was indicating a “Trade Union”. This was not the intention of the proposed platform and a disclaimer was found insufficient to overcome the suspicions. Some of the HR managers would not have liked their employees to be part of such an “Association” if it was perceived to be a “Trade union”.

Now after some thought, it appears that we can better call this an “Academy”. (This does not require change of the domain name and hence is a big practical advantage for me.)

“Academy” is also closely related to “Knowledge” and “Learning” and is the essence to the primary objective of the platform.

“Academy” can also have secondary and tertiary objectives in the larger interest of the community and can accommodate other requirements that may be required to make this organization sustain itself as an “Organisation of the Professionals, by the Professionals, and for the Professionals associated with the Data Protection industry”.

It can therefore also include the Privacy professionals and Information Security Professionals on a single platform. The “Developers” who are involved in “Privacy or Security by design” and the “Managers” can also be part of this eco-system. It can therefore be the “Inclusive” platform that we are searching for.

My own activities under Privacy.ind.in or gdpr.ind.in or naavi.org and cyberlawcollege.com all are in tune with this “Academy” and makes it comfortable for me and many others who are already in the field of Data Protection.

Cambridge dictionary defines academy as

“an organization intended to protect and develop an art, science, language, etc., or a school that teaches a particular subject or trains people for a particular job:”

Oxford dictionary adds

“A society or institution of distinguished scholars and artists or scientists that aims to promote and maintain standards in its particular field.”

Hence the name “Academy” appears suitable for a broad charter for the organization.

I suppose we can therefore start developing our charter based on this name.

I now request all those who were on the fence as to whether they should join this consortium or platform or market place or by whatever name it was called, to feel comfortable and join so that we can have a participative decision making.

I am aware that making the organization a formal registered society would involve taking up lot more responsibilities which many of us donot have time for. But we should be comfortable with the online platform.

As long as we donot have any financial interests, the structure can be very simple and run on the basis of this website.

But we can still have a shadow democratic online set up that simulates a registered society as per the local laws so that we adopt all the good practices that registered societies are meant to follow.

We shall therefore call this a “Virtual Society”. I will provide more thoughts on this structure as we go along. I look forward to your positive support for this new “Online Organizational Structure” which should become a model for future online organizations.

So… Welcome to the Indian Academy of Data Protection Professionals.

Naavi

Posted in Uncategorized | Tagged , | Leave a comment

We Want to be an Inclusive Society.. Tell us how?

In the initial discussions with some professionals, it has been found that some have expressed that there could be a conflict with some existing associations with a similar objective. It is our intention that this community should be as much inclusive of all stake holders as possible.

If one professional working in one IT company shakes hands with another professional working in another IT company, we can always say there are two people with conflict of interest. Hence when we speak of an organization that represents a community and there are other organizations which have similar objectives, it is natural that there is a perception that conflict is present.

We would like to state that such apparent perceived conflicts cannot be completely avoided. But if both organizations are interested in the community, then we believe that there must be a way to work together.

At present, the details of how this confluence of data protection professionals need to be structured. If we look at this as a “Market Place”, where Professionals, Professional Organizations both who are the torchbearers of “Privacy” and “Information Security”, we will have a wide representation of the society. If the organizations include the Data Protection Service providers as well as Data Protection Service Consumers, if we define the scope of “Data Protection” as “Personal Information” as well as “Non Personal Information”, then we will have a really representative organization of the society that has stake in “Data Protection”.

As more and more regulations address this community, there is a conflict with the “Innovation” in technology and there is a threat to the free and fair operation of Technology business. The industry which works in “Artificial Intelligence” and “Data Analytics” will be the worst hit when we implement some of the regulations that are presently discussed for the industry.

The professionals who work as “DPO” or “Compliance Officer” will be the worst affected in the fight between the hard core Privacy activists who want to stop all processing of personal information that cannot be identified with a specific written and signed consent with right to rectification, to erase etc., and companies which want to add value to raw data and create a business out of it using innovative algorithms.

There is no doubt that the data protection laws leave enough scope for innovation if we are innovative in interpreting the legislation but we will be at the mercy of the judicial authorities who may have their own interpretation of the regulation which may not entirely be agreeable to and clear to the industry practitioners. The Courts in EU will take stands that could be clearly anti-business where as Courts in US would be more pro-business. Courts in India may be torn between the two extremes and take decisions that some times may confound the confusion.

Business will find it extremely difficult to wade through such uncertain data protection environment and the professionals who are expected to provide advice to organizations and also carry the fiduciary responsibility cast on them by the regulations will be torn between what is good for business and what is the likely view of a judicial authority when a conflict arises.

This organization therefore wants to bring together the entire community on one platform. The Data Protection Officers who swear by GDPR, the Privacy Activists who swear by the Puttaswamy Judgement are part of this Community. The Information Security professionals who need to manage the security for GDPR compliance or ITA 2008 compliance or a new Data Protection Act of India amidst the counter pressures from the Business Executives who want to push ahead with customer centric decisions and CFOs who want to hold back on costs as well as HR professionals who need to ensure that the workforce remain motivated all the time are also stakeholders in this community.

Can we bring together all these stake holders on this single platform? If so how? is the task before us.

Please do share your thoughts… Register yourself as a free member so that we can share our views through e-mails. Write directly if you want to Naavi through e-mail. Let us all come together and plan something which is sustaining and beneficial to the society.

Disclosure

In this entire exercise of formation of this body,  Naavi would like to be a catalyst and ensure that the organization is managed by younger practitioners on the basis of democratic principles guided by a Memorandum of Association and Bye-Laws.

Naavi would therefore like to declare that he would voluntarily keep himself outside any executive positions in the proposed organizations and want other interested persons to come forward to lead the organization.

Naavi

 

Posted in Uncategorized | Leave a comment

Some Changes in the Offing

Visitors may kindly take note that in the preliminary discussions regarding the formation of this body, suggestions are coming in from different stakeholders. Some of these suggestions express concerns about “Perceived Conflicts” with other organizations because of the similarity of activities or name.

The concept of this organization is to go beyond “Privacy” and encompass the interest of “Data Protection” which again is not restricted to “Personal Data Protection”. It will encompass the Information Security, Cyber Security, Legal Compliance, Behavioural Aspects of Security etc.

Some of the other organizations have restricted fields of operation such as “Personal Privacy Protection” or “Personal Data Protection” etc. Hence it is my personal thinking that there is at present no similar “Inclusive Society of Professionals who are addressing different domains of Information Security”. Hence there should be no conflict real or perceived by other organizations who are already in the domain.

In fact Naavi.org itself is one of the early entrants into the field of “All Inclusive Information Security”. Naavi.org however remained as an Information hub but has been working with the IT industry, Information Security community, Privacy Professionals, Cyber Crime lawyers, Police, Government, Academicians, Behavioural Scientists etc.  Some of the other organizations have over a period of time,  grown differently and occupied different niches in the Information Security space.

It is  the intention of this proposed organisation to work in close association with other such organizations in the spirit of “Inclusiveness”.  Hence we are deliberating all measures to avoid all sorts of real and perceived conflicts and we may even adopt a different name for the organization as we go forward towards formal formation if required.

Consequent to such changes, even the domain name hosting this information may change.

Please do watch out for further information which will be provided here.

Hopefully, we may be able to have greater clarity within the next one week.

Naavi

Posted in Uncategorized | 1 Comment

Data Protection Professionals.. Don’t Get Sandwiched between the regulator and the boss

Data Protection Industry is closely related to the Information Security industry on the one hand and the Legal Compliance industry on the other hand.

This industry includes of Data Controllers and Data Processors as envisaged in Data Protection laws such as GDPR but is not limited to this segment alone. Data Protection is required not only for protecting the Privacy of Citizens under the Privacy Protection Objective, but also because Data is an essential raw material of business. Hence We protect data both for the reason of preventing Privacy Breach as well as Cyber Crimes and for protecting business interests.

Different Laws are made for prevention of Cyber Crimes and for the Protection of Privacy Rights of individuals and therefore “Compliance” applies to both segments of activity. Cyber Crime prevention laws have been in existence for some time and have not been in conflict with the business requirements. Hence compliance did not have any conflict either for a Company or for the Compliance managers.

Privacy Protection Laws on the other hand ignore the needs of the business not only for Business Data Protection but also the interests of the Business Development itself except within  narrow boundaries. In many cases the law inhibits business development and justifies it in the larger interest of protecting rights of Privacy. Cyber Security is also a secondary objective for most of the Data Protection Laws.

Cyber Crime prevention laws donot ignore Privacy Rights but address both protection of business data as well as personal data to the extent that there is a measurable “Loss” suffered by a Citizen.

Data Protection Laws cannot completely over rule the Cyber Security requirements and hence “Legitimate Interest of the Business”, “Law Enforcement Requirements” , “Legal Defense requirements”, “Vital Interests of other individuals” and ” Public Interest” are provided as exceptions in the law.

However, recognizing the availability of “Exceptions” and applying it in a given scenario where multiple interpretations exist is a difficult proposition for operating Data Protection Professionals. The Business would like to err on the safer side and that “Safe” option is often a business hurdle.

Conflicts will therefore arise when a Data Protection Professional (DPP) tries to balance the Privacy Protection requirements of a data subject along with the legitimate interests of the Data Processing industry. The conflict management will require utmost skill for the DPPs which is a skill to manage not only the technical aspects, but also the legal issues  and the managerial concerns involved.

Under GDPR it is envisaged that the DPO is answerable to the Supervisory Authority while working under the salary/financial consideration of the Data Controller/Data Processor. This sort of relationship where there is an inherent conflict is new to the IT professionals. It is a kind of relationship which Chartered Accountants and Company Secretaries tries to manage but not always with success.

It with a recognition of this difficulty, and not letting the DPPs sandwiched between their responsibilities to their bosses vs responsibilities that  Naavi has promoted the idea that there is a need for an Indian Association of Data Protection Professionals (IADPP) and along with like minded individuals is finalizing the formation of a suitable organization.

Explore this idea and contribute by becoming a member of this community today.

Naavi

 

Posted in Uncategorized | Tagged , | Leave a comment

Welcome

Welcome to this platform being developed in an attempt to bring together all the Data Protection Professionals in India. This common platform is meant to  develop an aggregation of skills and knowledge to create a powerful organization that can serve the community.

Kindly note that the term “Association” is not intended to make this a trade union organization. It is a confluence of like minded professionals with a common professional interest to build a new institution that can serve the society and also the professionals themselves.

The idea was promoted by Naavi founder of Naavi.org and many professionals have shown interest and therefore an attempt is being made to take this forward.

Watch out for more information in the days to come.

Naavi

Posted in Uncategorized | Leave a comment