Assessment of Organizational Competence in Privacy : (DAF-P)

DSCI pioneered the DSCI Privacy Framework (DPF©) which promotes best privacy practices in nine areas. DSCI has been encouraging its adoption by the Indian industry since the publication of DPF© in 2010. The framework has received good response from the industry and it has been adopted by some large enterprises to establish their privacy programs. As part of DPF©, DSCI has also developed DSCI Privacy Principles which are based on the study and analysis of global privacy principles including those of FIPPs, OECD, EU, APEC, etc. DSCI Assessment Framework for Privacy (DAF-P)© is the logical progression of DPF© and can be used as the much required instrument to provide privacy assurance to external and internal stakeholders.

Accountability is emerging as a fundamental privacy concept which puts the onus on the organizations handling personal information for protecting it, instead of transferring the responsibility of data collection and usage onto the individual through complex notices, choices and consent. Organizations are required to have a comprehensive privacy program in place which is based on a well-defined privacy strategy / policy and the program is implemented across the organization, with appropriate monitoring & oversight mechanisms in place to check non compliances and performance. Organization’s privacy initiatives – privacy function, policy, program, governance mechanism, etc. form the core of DPF©, around which this assessment approach revolves. The assessment will help in gaining an understanding of the privacy initiatives and supporting processes whilst identifying weaknesses and process inefficiencies that continue to impact privacy.

Questions in each of the nine areas have been designed in a manner that ensures that the objective of each practice described in DPF© is met in implementation. Very importantly, the questions also provide appropriate guidance to the assessors in terms of what to check and how to check in the implementation of a particular privacy practice. The detailed guidance is provided in the form of suggestive indicators, techniques, mechanisms, due diligence steps or examples among other elements wherever appropriate and feasible that may have been adopted by the organization to achieve the objectives of implementing a particular privacy practice as advocated in DPF©. Such guidance is intended to reduce subjectivity in assessments and provide for consistency across different assessors. However, this guidance is not to replace assessor’s independence, expertise and judgment; Assessor’s opinions and judgments are crucial, esp. after analyzing the evidences that prove successful implementation of privacy practices. In case an organization aspires for DSCI certification, the third party assessor (empanelled by DSCI) will submit its report to DSCI for validation and authorization, post which DSCI may issue a certificate.

For further details on this framework, please write to assessment@dsci.in