DSCI DCPLA - DSCI Certified Privacy Lead Assessor

The DSCI Assessment Framework for Privacy (DAF-P©) outlines three key approaches for privacy assessment:

Principle-based assessment (evaluates implementation of privacy principles like purpose limitation, data minimization, etc.)

Organisational competence assessment (evaluates maturity of organizational processes and resources for privacy)

Privacy risk assessment (identifies and mitigates potential risks to personal data)

These approaches collectively enable a comprehensive evaluation of an organization’s privacy posture .

==============

The landmark judgment in “Justice K. S. Puttaswamy (Retd.) and Anr. vs. Union of India And Ors” delivered on August 24, 2017, reaffirmed that:

"The Right to Privacy is protected as an intrinsic part of the Right to Life and Personal Liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution."

This case is foundational to the development of privacy jurisprudence in India and has guided theformulation of the Indian Data Protection law.

The “Privacy Organization and Relationship (POR)” practice area is aimed at building the organizational structure for privacy. It includes:

Establishing the privacy function and governance (D)

Identifying responsibilities and stakeholders (B)

Coordinating between legal, IT, and security functions (C)

Option A relates more to the “Visibility over Personal Information (VPI)” practice area, where data inventories and mapping of processes are core objectives. Hence, it is not aligned with POR.

==============

The consultants appointed by XYZ to design and implement the enterprise wide privacy program conducted a visibility exercise. This exercise was meant to capture the current state of Personal Information (PI) flows within the organization, identify any gaps between existing security controls/practices and intended enterprise-wide PI practices. The visibility exercise also included mapping the legal obligations of the organization in protecting PI across different jurisdictions where its operations were spread. Though this exercise seemed adequate to start with, some gaps in terms of meeting the requirements of EU GDPR were noticed during course of implementation.

Firstly, though the visibility exercise covered all channels through which PI would flow in and out of an organization - like email accounts, websites and physical storage locations etc., it did not cover every element of PI such as Social Security numbers and financial data. Moreover, there was no comprehensive assessment on the technical feasibility and costs associated with implementing additional measures for protecting this information. This could have been done in order to ensure that any new systems or processes introduced met the technical requirements of GDPR.

Additionally, there were certain gaps in terms of external service providers who are also responsible for ensuring compliance with GDPR while processing/storing personal data on behalf of XYZ. Though XYZ had ensured that all its existing contracts contained provisions regarding compliance with legal requirements related to privacy and confidentiality, it did not carry out any due diligence exercise to ascertain whether these third-party service providers had adequate security practices in place to comply with GDPR regulations.

Lastly, the visibility exercise did not cover all the legal obligations of XYZ in terms of compliance with GDPR. For instance, it did not consider any potential liabilities arising from data breaches and the process for dealing with such eventualities. Nor was any process put in place to ensure that appropriate technical and organizational measures were taken to protect PI as required by GDPR.

Thus though the visibility exercise carried out by XYZ consultants seemed adequate at first glance, there were several gaps identified in terms of meeting EU’s GDPR requirements. These gaps could have been addressed through a more comprehensive assessment and must be taken care of if XYZ has to realize its full potential in Europe. As GDPR is now firmly in place across the continent, companies cannot ignore its regulations and must take necessary action to ensure compliance.

This includes making sure that every element of PI is taken into consideration while designing an enterprise-wide privacy program, due diligence with regards to external service providers who process/store data on behalf of XYZ, and establishing a comprehensive legal framework for dealing with any potential liabilities arising from data breaches.
In short, if XYZ does not address these gaps effectively, it may find itself in a vulnerable position in terms of protecting personal information as required by applicable laws. It will also be at risk of facing significant fines or other penalties.

According to the DSCI Privacy Framework and as aligned with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, under Section 43A of the Information Technology Act, 2008, the following are considered Sensitive Personal Data or Information (SPDI):

Password

Financial Information(such as bank account or credit card details)

Biometric Information(such as fingerprints, retina scans, etc.)

Medical Records and History

However,Sexual OrientationandCaste and Religious Beliefsare not explicitly included in the list of SPDI under Section 43A of the ITAA, 2008, though they may be protected under broader privacy considerations or sectoral regulations.

This classification helps in mandating appropriate security measures to protect such sensitive data, failure of which can result in compensation for damages to the affected individual due to negligence by the data processor or controller.

According to the DAF‑P©, the assessment process begins only after the assessee provides required pre-requisites. These may include:

Completed self-assessment checklist

Documentation on privacy policy, data flows, training records, etc.

This ensures the assessor can effectively plan the assessment and identify areas for further investigation.

==============

According to DAF‑P, major non-conformities represent significant deviations that impact the effectiveness of the privacy program.

In this case:

The absence of PI considerations in core governance areas such as risk assessment, security architecture, incident response, and classification constitutes a critical oversight.

Despite some efforts (data masking and identification), the lack of integration into foundational programs denotes a systemic issue.

Hence, this constitutes a major non-conformity under the DSCI certification framework.

All the listed options (A, B, and C) are legitimate objectives of the “Visibility over Personal Information (VPI)” practice area. The VPI layer emphasizes:

Comprehensive inventorying and mapping of personal data across systems

Aligning data operations with privacy risks and business goals

Categorizing data to manage consent, retention, and sharing

Therefore, none of these options are incorrect or outside the scope of VPI.

The DSCI Assessment Framework for Privacy (DAF-P©) emphasizes the need for organizations to move beyond checkbox compliance to embrace “Demonstrable Accountability.”

This involves:

Being able to show evidence of privacy program implementation

Having appropriate governance structures

Showing that privacy principles are embedded into processes

This proactive and transparent approach to privacy governance aligns with leading global frameworks.