Naavi is in the process of developing the Data Trust Score System which will enable Data Auditors to evaluate the level of compliance of an organization to the required PDPA standards.
Naavi is also in the process of developing a “Personal Data Protection Standard of India” (PDPSI-0219) which will incorporate the data protection requirements of a typical organization working in India. This standard is expected to be an “Open Source Standard” and should encompass BS 10012 or such other proprietary standards in terms of what is required to be achieved.
It is left to the auditors to offer audits and for their clients to accept such audits adopting of BS or IS standards and piggy back on the perceived reputation of these standards or adopt the PDPSI-0219 standard which is dove tailed to the Indian requirements and take the responsibility for meeting the “Data Protection objectives” rather than “Certification Objectives”.
When we introduced the Naavi’s 5X5 DTS system we had indicated that we would adopt a 5 by 5 matrix to evaluate the compliance of an organization and the five parameters to be used would include “Commitment”, “Knowledge”, “Controls”,”Review” and “Redressal”.
We had indicated that the observations would be recorded on a scale of 0-100 in five buckets of 20 each.
In arriving at the final DTS value for an organization, we had indicated that each of the five parameters may be given different weightages. If equal, each parameter would bet a weightage of 0.2.
Now we would suggest the next step of a method to assign the weightage.
For the purpose of such weightage allocation, organziations would first be classified into three categories namely, “Infant”, “Adult” and “Mature”. An infant organization is one where the data protection exercise is in the beginning and hence more focus is required on awareness building and management commitment etc. As the organization grows in maturity, the management commitment and conducting awareness training would become routine basic requirement. [P.S: These may even be considered as a “Hygiene factor” which is something which if present it is considered as necessary and if not present it would be considered as a serious lapse. The score allocation under the parameter could be a binary proposition unlike other parameters].
Considering this aspect, we have drawn a table of weightage allocation as follows.
The PDPSI 0219 will indicate management requirements which will encompass all the above 5 parameters and will also adopt the Three Dimensional Model of Information Assurance which Naavi follows which includes Technical, Legal and Behavioural Science approaches.
Comments are welcome.