
DSCI CERTIFIED PRIVACY PROFESSIONAL (DCPP©)

TRAINING PROGRAM
Schedule – Day 2

Time            Topic Covered
9:30 - 11:30    Privacy Laws - Framework
                Privacy Laws - GDPR, Singapore, US, Canada, Australia
                Privacy Laws - India
11:30 - 11:45   Break
11:45 - 13:15   Trans-border Data Flows
13:15 - 14:00   Lunch
14:00 - 15:30   Beyond Information Privacy
                Information Lifecycle
15:30 - 15:45   Tea Break
15:45 - 17:30   Privacy in Organizational Ecosystems
17:30 - 18:00   DCPP Exam: Structure & Tips

Confidential (c) Arrka, 2020


Licensed to Maya Misra <Maya.Mishra@ril.com> on 07-04-2020. Single user license only, copying and networking prohibited.
Privacy Laws
• Framework for Analyzing Privacy Laws
• Categories for Regulation
• Country Laws Analysis
  • US Laws
  • Australia
  • Canada
  • Singapore
  • EU-GDPR
  • India: Existing and Upcoming (PDPA)



Basic Concepts

 Civil Law
 Criminal Law
 Civil & Criminal Penalties / Liabilities
 State vs Central (or ‘Federal’) Laws
 LEAs – Law Enforcement Agencies
 Judicial Systems

 Laws vs Rules vs Regulations

NOTE: Privacy laws are always playing ‘catch-up’ with technology and other developments and trends.

Privacy - a ‘Fundamental Human Right’?

 India and the EU take this approach

 Some implications:
  Governments and businesses restrict the Personal Data that is collected from individuals in the first place
  Personal Data that is collected continues to be ‘owned’ by the individual, and the entity collecting the data is considered to have a ‘fiduciary relationship’ when it comes to the individual’s data

 NOT treating privacy as a fundamental right – e.g. the US

  Legislation does NOT strictly restrict what data can be collected in the first place
  The focus is instead on
   ◼ limiting the means of collecting data,
   ◼ what can be done with the data once collected, and
   ◼ making information collectors accountable for the Personal Data they collect
Privacy Laws - Governance

Should governance be left to markets & self-regulation, aided by law?

 Why this thought:
  Different approaches to legislation: from the EU’s horizontal (comprehensive) model to the US’ sectoral one
  Industry has adopted alternatives to formal regulation (Codes of Practice, ISO standards, Trust Seals)
  Many aspects of privacy have been introduced into other legislation or regulation (e.g. consumer protection laws)
 Therefore, should governance of privacy
  be an evolving ‘hybrid’ approach,
  with participation from markets as they self-regulate,
  from industry bodies as they develop best practices and codes of conduct for their members,
  supported by laws and regulations?

Privacy Laws – Comprehensive vs. Sectoral

Comprehensive vs Sectoral laws

 Comprehensive legislation, e.g. the EU GDPR, Singapore’s PDPA
  The Indian IT Act is also sector-agnostic
  The proposed Indian Personal Data Protection Act is also a comprehensive one

 Sectoral legislation, e.g. the US
  has sector-specific statutes for healthcare (HIPAA), financial services (GLBA), children’s data (COPPA), video rental, etc.

Privacy Laws

Transborder data flows – should they be restricted or governed?

 On one hand: disparities in national legislation have the potential to hamper data flows in some cases, giving rise to constraints on trade development.
 At the same time, countries have to protect the interests of their citizens and safeguard their right to privacy,
  particularly so where the average citizen does not comprehend what goes on ‘behind the scenes’ or its possible implications.
 The question is how to achieve a balance between the two forces. Should such flows be governed at all in the first place? If yes, in what manner?

Privacy Laws

Should there be a strong regulatory infrastructure overall?

 Citizen groups and civil society often pitch for strong regulation to ensure that citizens’ privacy is safeguarded.
  Strong regulation can prescribe specific measures for organizations to take – like appointing a Data Protection Officer, requiring Data Controllers to register with a Data Protection Authority in the country, obtaining approvals for specific actions, etc.
 Businesses, on the other hand, often complain that strong regulation
  stifles innovation, and
  raises the cost of services, which gets passed on to the same citizens.

Data Protection Regime: Core components (1/2)

Components                              Explanation
Fines                                   Multifold increase; per-breach fines, even to the extent of a % of income/turnover
Criminal Penalties                      Fines; imprisonment for wilful neglect or for violations that form part of a pattern
Technical & Organizational Measures     High-level vs stringent requirements; prescriptive controls; insistence on a CPO/DPO
Data Transfer                           Specific legal requirements, technical means, overseeing mechanism, BCRs, Safe Harbor (the EU-US Safe Harbor framework was invalidated by the CJEU in October 2015)
Legal Relationship                      Data Subject, Exporter (Controller), Importer (Processor), Supervisory Authority

Data Protection Regime: Core components (2/2)

Components                              Explanation
Regulatory Infrastructure               Privacy/Information Commissioner, FTC, EU DPAs
Liability                               Liability of the Data Controller (Data Exporter) and the Data Processor (Data Importer) towards the data subject
Data Breach Notification                Notification requirements (Europe followed the US lead here); responsibility of service providers
Contract Guidelines & Monitoring        Model contract guidelines, monitoring & controls, e.g. SCCs (Standard Contractual Clauses)

Framework for Analysing Privacy Laws

 Scope and Applicability
 Regulatory Infrastructure
 Regulatory Mechanisms
 Definition of Personal Data
 Exceptions
 Privacy Principles
 Data Transfer Instruments
 Dispute Resolution Mechanisms
 Data Breach Notification
 Liabilities
 Rights of Data Subjects
 Organizational Measures
 Definition of Legal Relationships

Categories of Regulations

 Generic vs Prescriptive
 State vs National Level
 Functional vs Entity
 Self-Regulation vs Co-Regulation
 Privacy Codes

Structure of a Privacy Regulation



Standard Elements of a Privacy Regulation

A. Privacy Principles are rules that help ensure that Personal Information is processed lawfully, fairly and in a transparent manner in relation to the data subject.

B. Data Subject Rights – rights are provided to data subjects to help them have more control over their PI.

C. Controller/Processor Obligations comprise a mix of People, Process and Technology measures to help an organization manage privacy.

Elements of a Privacy Regulation: Details
Each element of a Privacy Regulation comprises sub-elements. The Arrka Privacy Assessment Framework assesses an organization against each sub-element and provides recommendations to help achieve compliance.

A. Privacy Principles
 • Lawfulness of Processing
 • Purpose Limitation
 • Data Minimization
 • Data Quality (Accuracy)
 • Storage Limitation
 • Security Safeguards

B. Data Subject Rights

C. Controller/Processor Obligations
 • Breach Management
 • Data Privacy Impact Assessment
 • Records of Processing
 • Data Protection by Design and by Default
 • Data Protection Officer Appointment
 • Cross-Border Transfer
 • Processor Contract Management

EU GDPR



GDPR - INTRODUCTION

In 2016, the EU adopted the General Data Protection Regulation (GDPR), one of its greatest achievements in recent years. It replaces the 1995 Data Protection Directive, which was adopted at a time when the internet was in its infancy.

Enforcement date: 25 May 2018

Applicable to all companies, including non-EU companies, that process Personal Data of individuals in the EU (residents, not only citizens).

Non-compliance can lead to heavy fines: up to 2-4% of annual global turnover or €10-20 million, whichever is HIGHER (the tier depends on the provision breached).
Applicability

 Applies to
  Any Entity – anywhere in the world
 Dealing with
  Personal Data
 Of
  Individuals in the EU – residents, not just citizens

Examples:
• An Indian travels to France for a 2-month project and gives his personal info to a hotel in France.
  Applicable? – YES (the hotel is an establishment in the EU)
• An Indian travels to France for a 2-month project and accesses his Indian bank account via the bank’s mobile app.
  Applicable to this transaction for the Indian bank? – The slide’s answer is YES. Caveat: under the EDPB’s Guidelines 3/2018 on territorial scope, a service directed only at a non-EU market does not fall under Art. 3(2) merely because an existing customer uses it while temporarily in the EU; the answer therefore turns on whether the bank offers services to, or monitors the behaviour of, individuals in the EU.
• A German travels to Mumbai for a holiday and gives his personal details to the hotel he is staying at in Mumbai.
  Applicable to the hotel in Mumbai? – NO

GDPR Scope

 Material Scope
  Applies to the processing of Personal Data wholly or partly by automated means.
  This also includes manual processing of Personal Data contained, or intended to be contained, in a filing system.

 Territorial Scope
  Applies to any establishment in the EU (processing in the context of its activities, regardless of where the processing itself takes place).
  Applies to entities not established in the EU but “targeting” EU individuals by:
   ◼ Offering goods/services to individuals in the EU, even free of charge
   ◼ Monitoring the behaviour of individuals located in the EU

Key Definitions

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

‘Processor’ means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller.

‘Processing’ means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Key Definitions

“Any information relating to an identified or identifiable natural person (‘data subject’)”

Identifiable natural person: “one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

Online Identifiers: those that could be provided by ‘devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags’ (Recital 30).

Special Categories of Data defined (Art. 9):
- Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership
- genetic data, biometric data (processed for the purpose of uniquely identifying a natural person)
- data concerning health, or data concerning a natural person’s sex life or sexual orientation

Overall Layout of the GDPR

PART A: Of Direct Relevance to a Company
1. General Provisions (Scope, applicability, definitions)
2. Principles
3. Rights
4. Controller & Processor
5. Transfer (out of the EU)

PART B: Governance & Regulatory related
6. Independent Supervisory Authorities
7. Cooperation & Consistency (between Supervisory Authorities)
8. Remedies, Liabilities & Penalties
9. Provisions relating to specific processing situations
10. Delegated Acts and Implementing Acts
11. Final Provisions

Key Privacy Principles

Lawfulness, fairness and transparency
 - Notice
 - Choice
 - Consent

Purpose Limitation
 Personal data shall be collected for:
 - specified,
 - explicit and
 - legitimate purposes
 and not further processed in a manner that is incompatible with those purposes.

Accuracy
 - Personal data shall be kept accurate and up to date
 - Where it is found to be inaccurate, it should be rectified or erased without delay

Data Minimisation
 Personal data collected shall be
 - adequate,
 - relevant and
 - limited to what is necessary in relation to the purposes for which they are processed

Privacy Principles

Storage Limitation
- Data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes.
- Data may be stored for longer periods only for:
 • archiving purposes in the public interest,
 • scientific or historical research purposes, or
 • statistical purposes,
 subject to implementation of the appropriate technical and organisational measures to safeguard the rights and freedoms of the data subject.

Integrity and Confidentiality
Appropriate security of Personal Data, using technical or organisational measures, while processing (including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage).

Accountability
The controller shall be responsible for, and be able to demonstrate compliance with, all the privacy principles.
Data Subjects have the right to..

 ..know what is going to be done with their data (right to be informed)
 ..request copies of all data being processed (right of access)
 ..have incorrect data corrected (rectification)
 ..have data erased (right to be forgotten)
 ..restrict processing
 ..data portability
 ..object to data being processed
 ..not be subject to automated processing (including profiling) that produces legal or similarly significant effects

Data Controller must..

 ..be accountable, and demonstrate compliance
 ..adopt data protection by design and by default
 ..if not in the EU, appoint a representative
 ..take care when using Processors for processing
 ..keep records of processing
 ..communicate to the supervisory authority if they have a breach (within 72 hours of becoming aware of it)
 ..communicate to data subjects about data breaches (where the breach is likely to result in a high risk to them)
 ..appoint a Data Protection Officer where specified
 ..provide appropriate security
 ..cooperate with the supervisory authority
 ..carry out data protection impact assessments and consult the supervisory authority (where the residual risk remains high)
 ..determine the responsibilities of each controller, if two or more controllers are involved (joint controllers)

Data Breach Notification

Notification to the Supervisory Authority (within 72 hours of becoming aware of the breach)
• If a breach is likely to result in a risk to the rights and freedoms of natural persons, it has to be reported to the Supervisory Authority. Where the notification is made later than 72 hours, it must be accompanied by the reasons for the delay.

Notification to Data Subjects
• If that risk is ‘high’, the breach has to be notified to the affected individual(s) as well, without undue delay.

• The assessment of whether a particular breach falls under the ‘risk’ vs ‘high risk’ category has to be done on a case-by-case basis.
• Different threshold levels apply for notification to each of the above.
• Where informing each individual would involve disproportionate effort, a public communication (or an equally effective measure) is required instead, again without undue delay.
• A breach that is unlikely to result in a risk need not be notified, but it must still be documented internally (facts, effects and remedial action taken) so that the Supervisory Authority can verify compliance.
Obligations of Processors

 Shall be governed by a contract or other legal act with the controller
 Shall provide sufficient guarantees (of appropriate technical and organisational measures)
 May use a code of conduct or certification mechanism to demonstrate sufficient guarantees
 Shall not engage another processor (sub-processor) without the authorisation of the controller
 Shall appoint a representative, if not in the Union
 Shall maintain a record of processing activities
 Shall designate a Data Protection Officer (DPO), where required
 Shall implement appropriate organisational and technical measures
 Shall notify the controller without undue delay of a Personal Data breach
 Shall cooperate with the Supervisory Authority
 If the processor determines the purposes and means of processing, it shall be considered a controller in respect of that processing

Administrative Fines

Violation of:
 PRINCIPLES
 RIGHTS of DATA SUBJECTS
 DATA TRANSFER

Fine: up to €20M or 4% of annual global turnover, whichever is higher

Administrative fines

Violation of the obligations of:
 Controller
 Processor

Fine: up to €10M or 2% of annual global turnover, whichever is higher
Supervisory Authority

 Every EU Member State is required to have one or more independent public authorities – ‘Supervisory Authorities’.
 The role of the Supervisory Authority is to
  Monitor, guide and ensure the adequate implementation of the GDPR in the geography under its scope
  Undertake awareness activities
  Ensure privacy during trans-border data flows
  Address complaints, investigate data breaches, levy fines/sanctions and carry out all such activities required for regulation implementation and enforcement

Statistics: Fines by Types of Violations

Violation                                                                          Sum of Fines    # of Fines   % of Fines (by amount)
Insufficient technical and organizational measures to ensure information security  € 332,717,927   51           72%
Insufficient legal basis for data processing                                       € 110,015,147   86           24%
Non-compliance with general data processing principles                             € 16,131,370    31           4%
Insufficient fulfilment of data subjects’ rights                                   € 792,787       20           0.2%
Insufficient fulfilment of information obligations                                 € 554,065       14           0.1%
Insufficient fulfilment of data breach notification obligations                    € 158,425       6            0.03%
Lack of appointment of data protection officer                                     € 61,000        2            0.01%
Insufficient cooperation with supervisory authority                                € 18,511        6            0.004%
Insufficient data processing agreement                                             € 14,380        2            0.003%
Total                                                                              € 460,463,612   218

Source: CMS GDPR Enforcement Tracker (snapshot at the time of this deck, 2020). Note that ‘insufficient legal basis’ is the most frequent violation by count, while the total amount is dominated by fines for insufficient security measures.

POP QUIZ #13

Which one of these is not one of the privacy principles as per GDPR?

1. Challenging compliance
2. Lawfulness, fairness and transparency
3. Security
4. Accuracy

POP QUIZ #14

Which one of these is not a right of the Data Subject as per GDPR?

1. Right to Anonymity
2. Right to be Informed
3. Right to Object
4. Right to Data Portability

US Laws



US – Complex Regime

Cross-sector / other
• Federal Trade Commission Act
• Taxpayer Browsing Protection Act (1997)
• Electronic Fund Transfer Act (EFTA, 1978)

Financial Information
• Gramm-Leach-Bliley Act (1999)
• Fair Credit Reporting Act (1970)
• Fair and Accurate Credit Transactions Act (2003)
• Right to Financial Privacy Act (1978)

Children’s Privacy
• Children’s Online Privacy Protection Act of 1998 (COPPA)
• Children’s Internet Protection Act of 2000 (CIPA)
• Child Online Protection Act of 1998 (COPA) – struck down as unconstitutional and never enforced

HIPAA/HITECH

 Background:
  HIPAA (the Health Insurance Portability and Accountability Act)
   ◼ passed in 1996
   ◼ to enable electronic healthcare transactions (its Privacy and Security Rules flow from the ‘administrative simplification’ provisions)
  HITECH (the Health Information Technology for Economic and Clinical Health Act)
   ◼ enacted in February 2009, as part of the American Recovery and Reinvestment Act
   ◼ to promote health information technology (HIT) and enable electronic exchange of health information; it also made business associates directly liable under HIPAA and introduced breach notification
 Scope and Applicability
  Physicians, healthcare organizations (‘covered entities’) and their business associates – including patient safety organizations (PSOs), health information organizations (HIOs), subcontractors, e-prescribing gateways, other persons that provide data transmission services or facilitate access to health records, and vendors of personal health records
HIPAA/HITECH

 Definition of Personal Data (PD)
  PHI or Protected Health Information: individually identifiable health information held or transmitted by a covered entity or business associate, relating to an individual’s health condition, the provision of healthcare, or payment for healthcare (e.g. medical records and payment history).
 Regulatory Infrastructure
  HIPAA is enforced by the US Dept of Health and Human Services (HHS), through its Office for Civil Rights (OCR).
 Rights of Data Subjects
  Covered entities may use or disclose PHI without authorization only for treatment, payment and healthcare operations (and other specifically permitted situations); any other use or disclosure requires the individual’s written authorization. Individuals also have rights of access, amendment and an accounting of disclosures.
 Liabilities
  HIPAA has both civil and criminal penalties, including significant fines and imprisonment.
  HHS can proceed directly to the imposition of civil monetary penalties.
  Civil penalties are tiered by culpability, from $100 up to $50,000 per violation, capped at $1.5 million per calendar year for violations of an identical provision (2013 Omnibus Rule figures, adjusted annually for inflation). Criminal penalties go up to $250,000 and 10 years’ imprisonment.

GLBA – Gramm-Leach-Bliley Act

 Background:
  Passed in 1999
  Official name is ‘The Financial Services Modernization Act’
 Scope and Applicability
  Applicable to Financial Institutions
  Three rules/provisions specific to privacy:
   ◼ ‘Financial Privacy Rule’ – governs the collection and disclosure of customers’ personal financial information by financial institutions as well as any other entity that receives this kind of information
   ◼ ‘Safeguards Rule’ – requires the above-mentioned entities to design, implement and maintain safeguards for the protection of customer information
   ◼ ‘Pretexting provisions’ – ‘pretexting’ = obtaining customer information under false pretences (a form of social engineering). The Act prohibits it, and institutions are expected to implement safeguards against it
GLBA – Gramm-Leach-Bliley Act
 Definition of Personal Data (PD)
  ‘Nonpublic Personal Information’ (NPI) – covers information provided by an individual, information gathered from other sources and information obtained via transactions
 Privacy Principles
  Notice, Choice (opt-out of sharing with non-affiliated third parties), Disclosure, Security
 Regulatory Infrastructure
  Under the respective regulator for each type of entity,
  e.g. the US Securities & Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), the federal banking agencies, etc.
  Entities not covered by any of these regulators come under the purview of the Federal Trade Commission (FTC)
 Liabilities
  Civil penalties – up to $100,000 per violation for an institution and up to $10,000 per violation for individual directors & officers of the institution. Criminal penalties – imprisonment of up to 5 years.

California Consumer Privacy Act - Introduction

On June 28, 2018, Governor Brown signed Assembly Bill 375, now known as the California Consumer Privacy Act of 2018.

Effective from: 01 January 2020 (enforcement by the Attorney General begins 1 July 2020)

Applicable to all businesses that
 a) collect California residents’ Personal Data, or on whose behalf such information is collected;
 b) determine the purposes and means of the processing of consumers’ Personal Data;
 c) do business in the State of California; and
 d) satisfy one or more of the defined thresholds (see Annexure)

Depending on the violation that occurred, the civil penalty may be up to:
 $2,500 for each violation;
 $7,500 for each intentional violation

Any violation of the CCPA is assessed and recovered in a civil action brought by the Attorney General, meaning that the civil penalty is issued by a court; the business has a 30-day period to cure after being notified of non-compliance before an action may be brought. Separately, consumers have a private right of action (statutory damages of $100 to $750 per consumer per incident) for data breaches caused by a failure to maintain reasonable security.
California Consumer Privacy Act

“Personal Data” (the statute’s term is “personal information”) means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Californian resident or household.

The right of Californians to
 know what Personal Data is being collected about them
 know whether their Personal Data is sold or disclosed, and to whom
 say no to the sale of Personal Data (opt-out)
 access their Personal Data
 request deletion of the Personal Data collected from them
 equal service and price, even if they exercise their privacy rights

NO Privacy/Data Processing Principles
However, the CCPA authorizes the California Attorney General to issue guidance on the law. It would make sense for that guidance to describe the CCPA data protection principles.
Annexure – [CCPA Scope]

Applicable to all businesses that
 1) collect consumers’ Personal Data, or on whose behalf such information is collected
 2) determine the purposes and means of the processing of consumers’ Personal Data
 3) do business in the State of California
 4) satisfy one or more of the following thresholds:
  a) annual gross revenues of twenty-five million dollars or more
  b) annually buy, receive, sell, or share the Personal Data of 50,000 or more consumers, households, or devices, for commercial purposes
  c) derive 50 percent or more of annual revenues from selling consumers’ Personal Data

Australia



Australia

 Background:
  Legislation at both the central (federal) and state level
  At the central level:
   ◼ the Privacy Act 1988, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012
   ◼ the amendment was passed in December 2012 and has applied from March 2014
   ◼ contains the Australian Privacy Principles (APPs)

 Scope and Applicability
  Applicable to most federal government agencies as well as private sector organisations (subject to the small business exemption below)
  Small businesses with an annual turnover of less than A$3m are exempted, unless
   ◼ they provide any health-related services or hold any health information (except that of employees), or
   ◼ they disclose or collect Personal Data for a benefit, service or advantage (i.e. trade in personal information), or
   ◼ they are a contracted service provider to the government
Australia
 Definition of Personal Data (PD)
  Personal Data is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information is true and whether or not it is recorded in a material form
  Sensitive Personal Data is ‘information or opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record’, as well as health information, genetic information and biometric information/templates
 Privacy Principles
  Notice, Purpose, Access & Correction, Disclosure, Security & Accountability.
  Allowing the use of pseudonyms: where practicable, an individual must be given the option of not identifying themselves, or of using a pseudonym, when dealing with the entity (APP 2).
  Unsolicited Personal Data: if an entity receives Personal Data it did not solicit, and could not have collected it under APP 3, it must destroy or de-identify it as soon as practicable, where lawful and reasonable to do so (APP 4).
  Direct Marketing: an individual must be given a simple means of opting out of any direct marketing from an entity holding her Personal Data. Further, the individual can also request that her Personal Data is not disclosed to third parties for direct marketing (APP 7).

Australia

 Regulatory Infrastructure
  The Office of the Australian Information Commissioner (OAIC) is the entity vested with the powers to oversee the Act.
 Regulatory Mechanism
  The Act supports co-regulation
   ◼ A formal mechanism has been instituted for recognition of external dispute resolution (EDR) schemes, which can handle privacy-specific complaints and issues of individuals.
   ◼ To date the Telecommunications Industry Ombudsman, the Credit Ombudsman Service and the Financial Ombudsman Service have been recognised, and others are in the pipeline.
  The Act also recognises industry codes of practice around privacy, formally termed ‘APP Codes’.
 Liabilities
  Civil penalties for serious or repeated interferences with the privacy of individuals: 2,000 penalty units (10,000 for a body corporate). The commonly quoted figures of A$220,000 for an individual and A$1.1 million for organisations correspond to a A$110 penalty unit and rise as the penalty unit is indexed.
Canada

 Background & Scope:
 Canada has two ‘horizontal’ privacy laws at the federal (central) level:
◼ The Privacy Act, in force since 1983, applicable to the public sector and government institutions.
◼ PIPEDA (Personal Information Protection and Electronic Documents Act), passed in 2000 and
applicable to the private sector.
◼ In addition to the above, there are sectoral legislations that address privacy at the provincial
or federal level.
 Privacy Principles:
 The ten fair information principles in Schedule 1 of PIPEDA are: Accountability, Identifying Purposes,
Consent, Limiting Collection, Limiting Use, Disclosure and Retention, Accuracy, Safeguards, Openness,
Individual Access, and Challenging Compliance.
 ‘Challenging Compliance’ requires an organisation to have procedures to receive and respond to
complaints, and to investigate every complaint received.
Canada

 Regulatory Infrastructure
 The Privacy Act established the Office of the Privacy Commissioner of Canada, which also oversees PIPEDA.
 Data Breach Notification
 The Digital Privacy Act (2015) amended PIPEDA to require organisations to notify affected individuals of,
and report to the Privacy Commissioner, any breach of security safeguards that creates a ‘real risk of
significant harm’ to an individual.
 Organisations must also keep records of every breach of security safeguards (whether or not it met the
reporting threshold) and provide them to the Commissioner on request.
◼ These requirements came into force on 1 November 2018, together with the Breach of Security Safeguards
Regulations that set out the content of notifications and reports.
Singapore

 Background & Scope:
 Singapore’s Personal Data Protection Act (PDPA) was passed in 2012 and came into effect in phases from
January 2013; the data protection obligations took full effect on 2 July 2014.
 Definition of Personal Data:
 Personal data is defined as ‘data, whether true or not, about an individual who can be identified (a) from
that data; or (b) from that data and other information to which the organisation has or is likely to have
access’.
 There is no separate definition of sensitive Personal Data.
Singapore

 Privacy Principles:
 The PDPA frames its principles as obligations on organisations: consent (express or deemed), purpose
limitation, notification, access & correction, accuracy, protection (security), retention limitation,
transfer limitation and openness.
 Regulatory Infrastructure
 The Personal Data Protection Commission (PDPC) is established under the PDPA to administer the Act and to
investigate and enforce compliance with it.
 Liabilities:
 The PDPC, after investigating a complaint, can direct an organisation to, among other things,
◼ stop collecting, using or disclosing Personal Data in contravention of the PDPA and destroy Personal Data
so collected, and
◼ pay a financial penalty of up to S$1 million.
POP QUIZ #15

Which one of these is one of the privacy principles as per Australia?

1. Challenging compliance
2. Anonymity
3. DPIA
4. Record Processing

POP QUIZ #16

Which one of these is the supervisory authority established under Singapore’s Personal Data Protection Act?

1. Personal Data Protection Commission
2. Personal Data Protection Authority
3. Personal Data Privacy Commission
4. Personal Data Privacy Authority

POP QUIZ #17

Which one of these is a right provided under the California Consumer Privacy Act (CCPA)?

1. Data portability
2. Equal service and price
3. Opt-out of automated decision making
4. Anonymity
India

India Privacy Timeline

 2000: IT Act 2000 - an Act to provide legal recognition for transactions carried out by means of electronic
data interchange and other means of electronic communication.
 2008: IT (Amendment) Act, 2008 - IT Act 2000 amended to include data protection, security and privacy.
 2012: The Justice A. P. Shah panel recommended an over-arching law to protect privacy and personal data
in the private and public spheres.
 2017: The Indian government set up a Committee of Experts headed by Justice B. N. Srikrishna. Its task was
to provide the Ministry of Electronics and IT (MeitY) with a draft of India’s first data protection law.
 2018: The Srikrishna Committee submitted its report on a data protection framework, together with a draft
Personal Data Protection Bill, to the Government.
 2019: The Personal Data Protection Bill, 2019 was introduced in Parliament and referred to a Joint
Parliamentary Committee (JPC).
Legal Framework in India – IT (Amendment) Act, 2008: Security, Privacy, Cyber crimes

❑ IT Act 2000 - An Act to provide legal recognition for transactions carried out by means of electronic data
interchange and other means of electronic communication; effective from October 17, 2000

❑ IT (Amendment) Act, 2008 – IT Act 2000 amended to include (not limited to):
▪ Data Protection – Security & Privacy
▪ Cyber Security – role of CERT-In, nodal agency for Critical Information Infrastructure Protection
▪ National Security – information retention, interception & monitoring
▪ Computer related offences extended to include cyber terrorism, identity theft, pornography, violation of
privacy, etc.
▪ Role of Intermediaries
▪ Encryption Policy
▪ Increase in penalties
Data Protection under IT (Amendment) Act, 2008

❑ Sec 43A
❑ “Where a body corporate possessing, dealing or handling any Sensitive Personal Data or
information in a computer resource which it owns, controls or operates, is negligent in
implementing and maintaining reasonable security practices and procedures and thereby
causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay
damages by way of compensation to the person so affected.” - Effective from October 27, 2009

❑ Definition of ‘Reasonable Security Practices and Procedures’
❑ “means security practices and procedures designed to protect such information from
unauthorized access, damage, use, modification, disclosure or impairment, as may be
specified in an agreement between the parties or as may be specified in any law for the time
being in force and in absence of such agreement or any law, such reasonable security practices
and procedures, as may be prescribed by the Central Government in consultation with such
professional bodies or associations as it may deem fit.”
Data Protection under IT (Amendment) Act, 2008

Sensitive Personal Data (as listed in the SPDI Rules, 2011)
• Password
• Financial information (bank account, credit/debit card or other payment instrument details)
• Physical, physiological & mental health condition
• Sexual orientation
• Medical records & history
• Biometric information

Privacy Principles
• Privacy Policy
• Choice & Consent
• Collection & Use Limitation
• Retention
• Access & Correction
• Security
• Disclosure
• Address Discrepancies & Grievances

Reasonable Security Practices
• Security program having managerial, technical, operational & physical controls commensurate with the
assets being protected
• ISO/IEC 27001, or codes of practice by industry associations approved by the Government (self-regulation)
• Audit at least once a year, or on significant upgradation of processes or computer resources, by an
independent auditor approved by the Government

Support & help to citizens / Redress of grievances
• Adjudicating Officer: power to direct compensation of up to Rs 5 Crore; claims for more go to a Civil Court
• Body corporate has the responsibility to appoint a Grievance Officer
Data Protection under IT (Amendment) Act, 2008

 Sec 72 - Breach of confidentiality and privacy: “Save as otherwise provided in this Act or
any other law for the time being in force, any person who, in pursuance of any of the powers
conferred under this Act, rules or regulations made thereunder, has secured access to any
electronic record, book, register, correspondence, information, document or other material
without the consent of the person concerned discloses such electronic record, book,
register, correspondence, information, document or other material to any other person
shall be punished with imprisonment for a term which may extend to two years, or with
fine which may extend to one lakh rupees, or with both.”

 Sec 72A - Punishment for disclosure of information in breach of lawful contract: “Save as otherwise
provided in this Act or any other law for the time being in force, any person including an intermediary
who, while providing services under the terms of lawful contract, has secured access to any material
containing personal information about another person, with the intent to cause or knowing that he is
likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or
in breach of a lawful contract, such material to any other person, shall be punished with imprisonment
for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with
both.”

 Note the difference in reach: Sec 72 applies only to persons who obtained access while exercising powers
under the Act (e.g. officials); Sec 72A is the provision that reaches service providers and intermediaries
handling personal information under a contract.
POP QUIZ #18

Which panel recommended an over-arching law to protect privacy and personal data in the private and
public spheres?

1. Ajay Prakash Sawhney
2. Justice A. P. Shah
3. Justice B. N. Srikrishna
4. Ravi Shankar Prasad

POP QUIZ #19

Which of the following data elements is not part of sensitive personal data as per the IT (Amendment)
Act, 2008 and the SPDI Rules, 2011?

1. Password
2. Caste & Tribe Details
3. Financial Information
4. Biometric Data
Personal Data Protection Bill 2019

Personal Data: At the Core

What is Personal Data (PD)? Any data that can - directly or indirectly, or in combination with other data -
make a person ‘identifiable’.

Above-the-surface (ATS) Personal Data
• Demographic / Identity Data
• Financial Data
• Health / Biometric / Genetic / Gender Data
• Political Affiliations / Personal beliefs / Criminal History, etc.
• Govt IDs

Below-the-surface (BTS) Personal Data
• Device Identifiers
• Metadata
• Social Media Markers
• Online Identifiers
• Location Data
• Trackers & Cookies
• Data that has been processed using analytics and can identify a person (inferred or derived data)

Further sub-categories of PD

Sensitive Personal Data (SPD)
• What does this mean? Any compromise of this category of data can cause greater harm to the person as
compared to other types of PD.
• Comprises: financial data, health data, official identifier, sex life, sexual orientation, biometric data,
genetic data, transgender status, intersex status, caste or tribe, religious or political belief or
affiliation (the Central Government may notify further categories).

Critical Personal Data (CPD)
• Data that the Central Government notifies as critical to Indian national interest.
• Can be processed only in India.
PDP Bill 2019 - New Terminology Introduced

DATA SUBJECT is now DATA PRINCIPAL
DATA CONTROLLER is now DATA FIDUCIARY

Two special categories of data fiduciary are constituted:
• Significant Data Fiduciary: one whose processing has the potential to cause greater harm. The DPA decides
who fits in here, based on the volume & sensitivity of PD processed, turnover of the data fiduciary, risk of
harm resulting from the processing undertaken, use of new technologies, and any other factor that may
cause harm.
• Guardian Data Fiduciary: one who operates commercial websites or online services directed at children, or
who processes large volumes of Personal Data of children.
Applicability

Territorial
• Processing of Personal Data that has been collected, disclosed, shared or otherwise processed within India
• Processing of Personal Data by the State, any Indian company, any Indian citizen, or any person or body of
persons incorporated or created under Indian law
Extra-territorial
• Processing of Personal Data by data fiduciaries or data processors not present within India, if the
processing is
• in connection with any business carried on in India, or any systematic activity of offering goods or
services to data principals within the territory of India; or
• in connection with any activity which involves profiling of data principals within the territory of India

The Central Government may exempt from the applicability of this law the processing, by a data processor
incorporated under Indian law, of personal data of data principals who are not within the territory of India,
pursuant to a contract entered into with a person outside India.
Grounds for Processing Personal Data

 Data Principal’s consent
 Functions of the State (e.g. provision of services or benefits, issue of licences or permits)
 Compliance with law or an order of a court or tribunal
 Prompt action in case of emergencies (medical emergency, epidemic, disaster, breakdown of public order)
 Purposes related to employment
 ‘Reasonable purposes’ of the data fiduciary, as specified by regulations

Sensitive Personal Data can be processed on the basis of consent only if that consent is explicit; the
employment ground does not extend to SPD.
Data Principal Rights

 Right to confirmation and access
 Right to correction and erasure
 Right to data portability
 Right to be forgotten
Transparency and Accountability

 Significant Data Fiduciaries
 Guardian Data Fiduciaries
 Data Protection Officer
 Data Protection Impact Assessment
 Record Keeping
 Grievance Redressal
 Data Audits
 Privacy by Design
Restrictions and Conditions on Transfer of Personal Data Outside India (Personal Data Protection Bill, 2019)

Personal Data (other than SPD and CPD)
• May be processed outside India; the Bill places no transfer restriction on this category.

Sensitive Personal Data
• May be transferred outside India only with the explicit consent of the data principal, and
(a) subject to standard contractual clauses or intra-group schemes approved by the DPA; or
(b) where the Central Government, in consultation with the DPA, has permitted transfer to a particular
country or international organisation; or
(c) where the DPA has allowed the transfer for a specific purpose.
• SPD transferred outside India must also continue to be stored in India.
• Passwords are excluded: they are not SPD under the 2019 Bill.

Critical Personal Data
• Can be processed only in India. Exceptions:
• transfer to a person or entity engaged in providing health services or emergency services, where
necessary for prompt action;
• transfer to a country or entity that the Central Government, in consultation with the DPA, has permitted.
Data Protection Authority of India

 The Bill establishes an independent authority, the DPA, empowered to oversee the enforcement of the law.
 The adjudication process will be looked after by the adjudication wing of the Authority.
 The Authority performs a wide variety of functions and has powers including: issuing codes of practice,
setting criteria for data audits, issuing directions, creating awareness, etc.
Why should this law be taken Seriously?

STIFF Penalties
 Up to Rs 15 Cr or 4% of global turnover, whichever is higher, for:
• Processing of PD / SPD / children’s PD in violation of the principles
• No security safeguards
• Violation of cross-border data transfer rules
 Up to Rs 5 Cr or 2% of global turnover, whichever is higher, for:
• Not taking prompt & appropriate action on a data breach
• DPIA not done
• Data audit not done
• DPO not appointed
• Did not register with the DPA

Criminal Liabilities
 Up to 5 years imprisonment or Rs 3 L fine: intentional or reckless collection / transfer / selling of
Sensitive Personal Data
 Up to 3 years imprisonment or Rs 2 L fine:
• Intentional or reckless collection / transfer / selling of Personal Data
• Re-identification of de-identified data
Note: the offences for collecting, transferring or selling PD/SPD were in the 2018 draft bill; the 2019 Bill as
introduced retains only the re-identification offence (Sec 82: up to 3 years, or a fine of up to Rs 2 L, or both).
The Aadhaar Act

 The Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016
 was published and gazetted on 25th March 2016.
 Regulations under the Act came into force in September 2016.
 The Act puts a legal framework around Aadhaar, the 12-digit unique identification number issued to
residents of India, and the capture of their biometric and demographic data.
 Aadhaar can then be used by various entities, both from the government and the private sector, to
identify residents and verify their credentials.
The Aadhaar Ecosystem

Three categories of entities:
 The UIDAI (Unique Identification Authority of India)
 Responsible for carrying out the processes in relation to enrolment and authentication of Aadhaar
 The database of identity & biometric information is known as the CIDR (Central Identities Data Repository)
 The ‘Requesting Entity’
 This is the entity that sends requests to the CIDR for authentication and/or verification purposes.
 Two types of requesting entities:
◼ The Authentication User Agency (AUA), which uses the ‘Yes/No’ authentication facility provided by UIDAI
◼ The e-KYC User Agency (KUA), which in addition to being an AUA also uses the e-KYC facility provided by
UIDAI
 A user agency can be a government or a private sector entity.
 A user agency connects to the CIDR through an entity known as the Authentication Service Agency (ASA),
◼ whose primary purpose is to provide UIDAI-compliant secure network connectivity
 The individuals (Aadhaar number holders) whose data resides in the CIDR
Privacy Principles

 Notice
 The requesting entity is required to inform the individual, at the time of authentication or e-KYC, of
the nature of the information that may be shared, the uses to which it may be put, and the alternatives
to submitting identity information.
 Consent
 A requesting entity is required to obtain the consent of an individual
◼ before collecting his identity information for the purposes of authentication
◼ A record or log of the consent is also required to be maintained in the format specified by UIDAI.
 Disclosure
 No core biometric information collected or created under this Act shall be shared with anyone for any
reason whatsoever.
 No identity information available with a requesting entity shall be disclosed further
◼ except with the prior consent of the individual to whom such information relates.
Privacy Principles

 Access & Correction
 The Authority may require Aadhaar number holders to update their demographic information
and biometric information from time to time, to ensure continued accuracy of their information
in the CIDR.
 The Authority shall maintain authentication records in such manner and for such period as may
be specified by regulations, and every Aadhaar number holder is entitled to obtain his or her
authentication record.
 Security & Safeguards
 The requesting entity has to implement strict restrictions & controls in its organisation to
manage the security and confidentiality of the identity information it has access to or keeps a
record of.
 No entity shall retain Aadhaar numbers or any document/database containing Aadhaar numbers
beyond the time limit required for meeting the purpose consented to by the individual.
Trans-Border Data Flows
• History
• Common Themes and Approach
• European Union and Transborder Flows
• Instruments: Binding Corporate Rules and Standard Contractual Clauses
• EU-US Privacy Shield
• Transborder Data Flows : APEC
• Indian Perspective
• Transborder Data Flow and Cloud
History of Trans Border Data Flow

 Early 1970s (Expert Group in the Council of Europe): identified the transnational character of
computerisation and the need for international regulatory harmonisation.
 Late 1970s (Council of Europe and European Parliament): discussion on how to remove the resulting trade
barriers while preserving data protection.
 1980 (OECD): Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, developed in
close cooperation with the Council of Europe; the guidelines were not binding.
 1981 (Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing
of Personal Data, Convention 108): included provisions on transborder data flows and allowed some
restrictions on transfers where data needs to be transferred to a country with a lower level of protection.
History of Trans Border Data Flow contd..

 1985 (OECD): another declaration on transborder data flows, dealing with data flows within transnational
corporations and trade barriers.
 1990 (UN General Assembly): adopted guidelines concerning computerised personal data files; however these
were voluntary, and no real impact was found.
 2007 (APEC): came out with its own framework, the Data Privacy Pathfinder, to enable transborder data flows.
Common Underlying Theme

 The need of the hour is supporting and enabling global movement of data, while
 figuring out ways and means to ensure that rules and frameworks are not perceived to be restrictive;
 ensuring privacy principles are not eroded, especially principles pertaining to security, fair usage,
accountability and the rights of the data subject; and
 considering the consent of the data subject in a trans-border data flow scenario.
Approaches to Trans Border Data Flows

#1 Trans-border data flows that are regulated
#2 Trans-border data flows with limited rules and regulations
#3 Special international / multilateral & bilateral data transfer arrangements
#4 Un-regulated trans-border data flows
European Union & Transborder Data Flows

Under the GDPR (Chapter V), any transfer of Personal Data to a third country or to an international
organisation shall take place only on the basis of
 an adequacy decision, or
 appropriate safeguards, which include
 Binding Corporate Rules
 Standard Contractual Clauses
 (as well as approved codes of conduct or certification mechanisms with binding commitments)

Exceptions (derogations for specific situations, GDPR Art. 49)

 Explicit consent of the data subject, after being informed of the risks of the transfer
 Performance of a contract between the data subject and the controller
 Conclusion or performance of a contract concluded in the interest of the data subject between the
controller and a third party
 Important reasons of public interest
 Establishment, exercise or defence of legal claims
 Vital interests of the data subject or of other persons, where the data subject is incapable of giving
consent
European Union & Transborder Data Flows

 EU: Concept of ‘Adequacy’
 A country whose legal framework meets certain criteria is considered adequate from a privacy point of
view
◼ With such countries, there are no specific restrictions on the transfer of PD of EU data subjects
 Countries currently considered ‘adequate’ are: Andorra, Argentina, Canada (commercial organisations),
Switzerland, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand and Uruguay.
◼ Japan was added to this list in January 2019.
◼ Australia is not on the list; transfers to Australia need one of the other mechanisms.
 For transfer to other countries, other specific mechanisms are available
◼ Special mechanism for transfer to the US: Privacy Shield
Data Transfer to regions that are not ‘Adequate’

 Binding Corporate Rules
 Applicability: for data transfer outside the EEA between different entities of the same group of
companies (or group of enterprises engaged in a joint economic activity).
 Standard Contractual Clauses
 Applicability: for an organisation in the EEA that transfers data to an organisation in a country that
is not deemed adequate by the EU (including the US, where Privacy Shield is not relied upon).
 There are specific clauses, adopted by the European Commission, that need to be included in the
contract between the data exporter and the data importer (controller or processor) before data
processing can be initiated.
Binding Corporate Rules

BCRs are internal rules in organisations and ensure:
- that protection of the Personal Data outside of the EEA is at the same level as it is within the EEA
- that obligations of the organisation are clearly spelt out

BCRs are expected to contain:
- the privacy principles applicable
- the tools used to ensure effectiveness, for e.g.: training programs, audit mechanisms & timetables,
systems instituted for handling complaints, etc.
- an element proving that the BCRs are binding
Standard Contractual Clauses

‘Model Clauses’ / Standard Contractual Clauses (SCCs) are clauses that a Data Controller is required to
incorporate into its contracts with a recipient organisation when sending out Personal Data of its data
subjects.

The EU has issued SCCs for two categories of transfers:
- for transfer of Personal Data to other Data Controllers outside the EEA
- for transfer of Personal Data to Data Processors outside the EEA
EU-US Privacy Shield

 The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and the European
Commission.
 Objective: to provide companies on both sides of the Atlantic with a mechanism to comply with data
protection requirements when transferring Personal Data from the European Union in support of
transatlantic commerce.
 On July 12, 2016, the European Commission deemed the EU-U.S. Privacy Shield Framework adequate to enable
data transfers under EU law.
 Enforcement of Privacy Shield: by the US Federal Trade Commission (FTC) and Department of Transportation
(DOT), for organisations that fall under their respective purviews.
 A similar, independent Privacy Shield framework exists for Swiss-U.S. Personal Data transfers.
 Caveat: on 16 July 2020 the Court of Justice of the EU (Schrems II) invalidated the Privacy Shield adequacy
decision; since then, transfers to the US have had to rely on SCCs or BCRs with additional safeguards.
How does Privacy Shield Work?

 Organisations have to comply with the seven Privacy Principles and the sixteen Supplemental Principles
outlined in the framework.
 Process of self-certification by the organisation to the Department of Commerce (DOC).
 Self-certification has to be renewed annually.
 DOC maintains a public list of organisations that have self-certified, plus those that were previously
certified but no longer are.
Privacy Principles under Privacy Shield

 Notice
 Choice & Consent
 Express affirmative (opt-in) consent required for Sensitive PD
 Accountability for onward transfer (to third parties)
 Third parties are categorised into those acting as controllers and those acting as agents (processors)
 Security
 Data Integrity & Purpose Limitation
 Data integrity is defined as data being reliable for its intended use by being accurate, complete and
current
 Access & correction
 Recourse, enforcement & liability
The APEC Cross Border Privacy Rules System (CBPR)

The APEC Data Privacy Pathfinder initiative was launched in 2007. Its objective was to develop a simple and
transparent system that could be used by organisations for protection of Personal Data (PD) moving across
APEC economies.

The result of the Pathfinder project was the APEC Cross Border Privacy Rules (CBPR) system. The CBPR system
was endorsed by APEC member economies in November 2011 and consequently became a reality. It has a defined
set of baseline program requirements, based on the nine APEC privacy principles, pertaining to PD that needs
to cross borders.

The resultant framework applies only to organisations transferring PD across APEC borders; it was not meant
for governments or individuals. Domestic laws & regulations continue to govern PD collection and management
within individual APEC economies.
CBPR: The Ecosystem

 To facilitate cross border PD movement and its management & oversight, the CBPR system has instituted
the following concepts & entities:
 Accountability Agents (third-party certifiers that assess and certify organisations against the CBPR
requirements)
 CBPR Joint Oversight Panel (JOP)
 Cross Border Privacy Enforcement Arrangement (CPEA)

CBPR Elements

 At its core, the CBPR system has the following elements:
 Self assessment
 Compliance review
 Recognition
 Enforcement
Progress So Far

 As of September 2018, 23 organisations had been certified under the CBPR.
 Incidentally, India is not a member of APEC.
 APEC currently has 21 member economies, most of which have a coastline along the Pacific Ocean.
 India has what is known as ‘observer’ status, which allows India to participate in key proceedings at
APEC.

POP QUIZ #20

Which of the below is not a member of APEC?

1. Japan
2. United States of America
3. India
4. Hong Kong
103 Beyond Information Privacy
• Other Types of Privacy
• Communication Privacy – Surveillance
• Ongoing Discussions on Privacy
• Metadata and Surveillance

• Privacy and Human Body

Confidential (c) Arrka, 2020


Introduction
104

 Privacy is not just Information Privacy.

 It can be:
 Bodily Privacy
 Privacy in Communication
 Territorial Privacy

Communication Privacy
105

 Refers to privacy of communication between individuals or groups of individuals.
 The violation of this is when
 some uninvited individuals snoop on the conversation or the communication.
 there is mass surveillance under the pretext of national security, criminal
investigation, law enforcement, public safety etc.

When Surveillance is carried out without Privacy Safeguards
106

 Role of Private Sector
 Concerns about Potential Abuse
 Fear of a Totalitarian State
 Scale of Data
 Lack of Clarity in Objectives
Forms of Surveillance
107

 Wiretapping
 Computer or Network Surveillance
 Social Media Analysis
 Malicious Surveillance Software
 Tracking via Wi-Fi
 Location Data Tracking
 Web based Surveillance
 Tracking by Companies
Ongoing Discussions on Privacy
108

 Metadata and Surveillance
 Privacy and Anonymity
 Privacy and Security

Metadata and Surveillance
109

 Surveillance, interception or information access looks at two things:

 Content: This is the actual content of a communication.
 Metadata: Metadata is data about the communication.
▪ It is the information that is generated by the devices and the service providers
used by individuals for communication.
▪ For e.g., in case of telephone or mobile calls, this would be information like the
number called, time and duration of call, location information etc.

Metadata and Surveillance-scenario
110

 Consider this scenario:

 An individual’s mobile phone is constantly with him/ her.
 The phone, at a minimum, gives out its location data.
 So during the course of a day, with just the location data, it is possible to track all
the geographical locations the individual has been to.
 If some of these locations come up on a routine basis (e.g., the individual’s
home & office), by analysing the time of the day, it would be easy to figure out
where exactly the individual lives and works.
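The scenario above in runnable form, as an added example that is not from the training material: it builds a constructed set of location pings for one device (made-up coordinates), shows that the most frequent night-time and working-hours locations alone give away home and office, and then applies the data-minimisation control a defender would want, rounding coordinates before storage so that a retained ping only identifies a city-sized cell. The hour windows, the rounding precision and the `build_sample_pings`, `infer_anchor` and `coarsen` helpers are assumptions made for this example.

```python
from collections import Counter
from datetime import datetime

# Hour windows used to separate "sleeping" from "working" pings (assumed values).
NIGHT_HOURS = set(range(22, 24)) | set(range(0, 6))
WORK_HOURS = set(range(9, 18))


def build_sample_pings():
    """Constructed location pings for one device over five days.

    Each ping is (ISO timestamp, latitude, longitude). The coordinates are
    made up for this example and do not describe a real person.
    """
    home = (18.5204, 73.8567)
    office = (18.5622, 73.8123)
    pings = []
    for day in range(2, 7):
        for hour in (0, 3, 22, 23):            # night-time pings at home
            pings.append((f"2020-03-0{day}T{hour:02d}:00", *home))
        for hour in (10, 12, 14, 16):          # working hours at the office
            pings.append((f"2020-03-0{day}T{hour:02d}:00", *office))
        pings.append((f"2020-03-0{day}T19:00", 18.5300 + day / 1000, 73.8400))  # evening errands
    # one night spent elsewhere, so the night-time cluster is not perfectly clean
    pings[pings.index(("2020-03-04T23:00", *home))] = ("2020-03-04T23:00", 18.5100, 73.8700)
    return pings


def infer_anchor(pings, hours):
    """Most frequent location among pings whose hour falls inside `hours`.

    Returns ((lat, lon), share) where share is the fraction of in-window pings
    at that location. No distance clustering is needed here because the sample
    data repeats exact coordinates; real data would need a threshold first.
    """
    window = [(lat, lon) for ts, lat, lon in pings
              if datetime.fromisoformat(ts).hour in hours]
    if not window:
        return None, 0.0
    location, count = Counter(window).most_common(1)[0]
    return location, count / len(window)


def coarsen(pings, decimals=1):
    """Data-minimisation step: round coordinates before storage.

    One decimal degree is roughly 11 km, so a stored ping only places the
    device somewhere in a city-sized cell instead of at a street address.
    """
    return [(ts, round(lat, decimals), round(lon, decimals)) for ts, lat, lon in pings]


def cell_size_km(decimals):
    """Approximate north-south size of a rounding cell (111 km per degree of latitude)."""
    return 111.0 / (10 ** decimals)


if __name__ == "__main__":
    pings = build_sample_pings()
    print("night anchor (home):  ", infer_anchor(pings, NIGHT_HOURS))
    print("work anchor (office): ", infer_anchor(pings, WORK_HOURS))
    print("after coarsening:     ", infer_anchor(coarsen(pings), NIGHT_HOURS),
          f"(cell ~{cell_size_km(1)} km)")
```

Note that coarsening alone still reveals the neighbourhood; the retention period (how many days of pings are kept at all) and the granularity of the timestamp are the other two knobs a privacy review of location metadata should look at.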

Privacy and Anonymity
111

 Anonymity is when one or one’s actions are visible but are not necessarily
identified with the person.
 For e.g.:
 When you walk on the road and no one recognises you, you are anonymous.
 If you make a posting on a public website and you have masked your IP address,
the posting is public but you can remain anonymous.
 However, when you post a photograph with a friend on a social networking site and
tag the friend, in effect, the friend loses her anonymity.
 Anonymity nurtures freedom on one hand.
 On the other hand, it is a tool for criminals and perpetrators as well.

Privacy and Security
112

 The general impression often created is that privacy and security cannot co-exist
 and privacy should be sacrificed to ensure national security.
 However, in reality, the two have to be balanced and remain in tandem.
 Discussions today:
 State surveillance programs that are designed to protect citizens and ensure their
security should be launched with adequate controls and checks & balances.
 The checks and balances are required to ensure that innocent citizens are not targeted
by these programs and their privacy thereby violated.
 Further, if such violation does take place, the citizen can avail of proper recourse
measures.
Privacy and Human Body
113

 Two major developments over the last couple of decades that affect privacy of an
individual concern the human body –
 DNA
 Biometric Identifiers

Privacy and Human Body
114

 DNA
 DNA profiles are built based on bodily samples. The associated ecosystem to support and
enable this involves collection, use, analysis and storage of bodily samples.
 Used widely in tracking and identifying offenders and criminals.
 In order to enable this, many countries have built up large centralised databases
containing DNA profiles of individuals.
 Healthcare sector also uses this for treatment of abnormalities, disorders, research etc.
 CrPC amendment in 2005: Allowed collection of medical details of accused on arrest if it
was required to provide evidence.

 Biometric Identifiers

Privacy and Biometrics
115

Collecting a citizen’s biometric information takes place at a number of instances:

-When one applies for a passport
-When one registers on the UIDAI Database for an Aadhaar card (in India)
-When one visits a foreign country – at the time of entry into the country
-Even in attendance management systems in private sector organizations

If an individual’s biometric data is compromised, the individual is left with
virtually no recourse (one cannot get a fresh set of fingerprints!)

Regulations:
-UIDAI
-Rules Under Section 43A of Information Technology (Amended) Act, 2008

116 Information Lifecycle
• Phases
• Aspects of Information Lifecycle Management
• Policy
• Operation and Infrastructure

• Value of Data
• Lifecycle Data Protection Management

Phases of an Information Lifecycle
117
Creation and Collection
• ‘Creation’ mechanisms
  • Created in-house
  • Collected on behalf of the Orgn.
  • Received from an outside source
• ‘Collection’ mechanisms
  • Manually filling paper forms
  • Collected Online

Use and Distribution
• Distribution:
  • Within the organization
  • To 3Ps
  • Govt agencies, Statutory Bodies and Law Enforcement
• Usage:
  • Info is: Categorised, Refined, Processed, Converted to other formats
  • Can be used for: Small periods OR Extended periods

Maintenance
• Includes Filing, Retention, Retrieval, Updates, Transformation to other formats

Disposition
• Handling info that
  • Is available in the public domain
  • Is less frequently accessed
  • Has met its assigned usage & retention periods
• Entails
  • Ensuring others cannot obtain access
  • Protecting privacy & confidentiality
• Techniques for Disposition of ‘digital’ data: Data Clearing or erasure, Data Purging, Data
Destruction, Encryption
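The disposition techniques listed above include Encryption; the form of this used in practice is usually called crypto-shredding (or crypto-erasure): each record is encrypted under its own key, and disposition at the end of the retention period destroys the key, so copies of the ciphertext that survive in backups or archives become unreadable. The example below is added here and is not part of the training material or of any product; the `RecordStore` class and its record ids are hypothetical, and the HMAC-SHA256 counter-mode keystream is a standard-library stand-in for an AEAD cipher such as AES-GCM, which production code should use instead.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta
from typing import Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream.

    Stand-in for a real AEAD cipher (e.g. AES-GCM) so the example runs on the
    standard library alone; production code should use a vetted AEAD.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class RecordStore:
    """Hypothetical store that disposes of records by destroying their keys."""

    def __init__(self):
        self._blobs = {}   # record_id -> (nonce, ciphertext, tag); may live on in backups
        self._keys = {}    # record_id -> key; the only copy, held separately from the data
        self._expiry = {}  # record_id -> first date on which the record must be disposed

    def create(self, record_id: str, plaintext: bytes, created: date, retention_days: int):
        key, nonce = os.urandom(32), os.urandom(16)
        ciphertext = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
        tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()  # integrity check
        self._blobs[record_id] = (nonce, ciphertext, tag)
        self._keys[record_id] = key
        self._expiry[record_id] = created + timedelta(days=retention_days)

    def read(self, record_id: str) -> Optional[bytes]:
        """Return the plaintext, or None once the record has been crypto-erased."""
        key = self._keys.get(record_id)
        if key is None:
            return None
        nonce, ciphertext, tag = self._blobs[record_id]
        expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext was modified")
        return _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))

    def dispose_expired(self, today: date) -> list:
        """Crypto-erase every record whose retention period has ended."""
        disposed = []
        for record_id, expires in list(self._expiry.items()):
            if today >= expires:
                del self._keys[record_id]      # destroying the key is the disposition step
                del self._expiry[record_id]
                disposed.append(record_id)
        return disposed

    def ciphertext_retained(self, record_id: str) -> bool:
        """True while the (now unreadable) ciphertext still exists, e.g. in a backup."""
        return record_id in self._blobs


def demo():
    """Constructed records: one past its retention period, one still live."""
    store = RecordStore()
    store.create("cust-001", b"name=Asha;email=asha@example.com", date(2019, 1, 15), 365)
    store.create("cust-002", b"name=Ravi;email=ravi@example.com", date(2020, 1, 15), 365)
    disposed = store.dispose_expired(date(2020, 3, 1))
    return (disposed, store.read("cust-001"), store.read("cust-002"),
            store.ciphertext_retained("cust-001"))


if __name__ == "__main__":
    print(demo())  # ('cust-001' disposed, None, Ravi's record, ciphertext still present)
```

The design point is the separation in `__init__`: the key store is the only thing that must be reliably deleted, so it has to be excluded from the same backup and replication paths as the ciphertext, otherwise a restored backup silently undoes the disposition.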

Aspects of Information Lifecycle Management: Policy
118

 ILM policy consists of
 direction and
 guidelines
for the different phases of the information lifecycle.

 Policies
 are directed by business goals and objectives.
 generally tie into the framework of overall IT governance and management.

Aspects of Information Lifecycle Management:
Operation and Infrastructure
119

 Operational Aspects
 address issues and develop processes and procedures related to data backup, data
retention & disaster recovery

 Infrastructure aspects
 overall architecture of data processing and storage.

Value of Information
120

Lifecycle Data Protection Management
121

 Who is using the information?
 When and how are they accessing the information?
 What are they doing with that information?
 How is the information being used?
 What is the security of its storage and archival?

Operations likely to present risks - Examples
122

 Processing of Personal Data relating to a large number of data subjects during any
significant consecutive period
 Processing of special categories of Personal Data, location data or data on children or
employees
 Processing of Personal Data for the provision of health care or medical research
 Where a Personal Data breach would likely adversely affect the protection of the Personal
Data, the privacy, the rights or the legitimate interests of the data subject
 Core activities of the controller/ processor consisting of processing operations which
require regular and systematic monitoring of data subjects
 Where Personal Data are made accessible to a number of persons which cannot reasonably be
expected to be limited

POP QUIZ #21 ?
123

The different phases of information life cycle are:

1. Creation, Usage and Distribution, Retention and Disposal

2. Creation and Collection, Maintenance, Deletion and Retention

3. Creation and Collection, Use and Distribution, Maintenance, Disposition

4. Generate, Use, Dispose

124 Privacy in Organizational Ecosystems
A. Privacy Frameworks: Need and Requirements from a
Framework
B. Study of Privacy Frameworks: DPF, BS 10012, ISO 29100

Privacy Compliance
A Structured Framework is needed to meet regulatory requirements and ensure compliance
125

 The drivers for ensuring compliance:

 Legal and Regulatory requirements in all the geographies in which the
organization operates
 Standards and frameworks related to privacy and data protection that the
organization may decide to comply with
 Specific client requirements

 Specific mechanisms need to be instituted to ensure compliance and address
non-compliance in a timely manner
 E.g.: KPIs, internal and external privacy audits, end customer feedback
 E.g.: Incident management and breach reporting

Why is a Privacy Framework Needed?
A Structured Framework helps in translating philosophical & legal discussions into organizational practices
126

 Where should an organization start for privacy?
 How should an organization judge where it stands for privacy?
 What should qualify to be part of a privacy initiative?
 What are the components of a privacy program?
 What key capabilities should an organization acquire for privacy?
 How would an organization bring predictability to privacy affairs?
 What is privacy governance? What should it deliver?
 How would an organization ensure it invests proportionately for privacy?
 How would an organization drive its units & functions for privacy?
 What does it entail to ensure privacy in complex business realities?
 What does it take to make transactions sensitive to privacy?
 What kind of technical, tactical & operational measures are required for privacy?
A Robust Privacy Framework needs to address the aspect
of Privacy Governance & Accountability
127

 Privacy Governance mechanism of an organisation needs to ensure that an appropriate
framework is used to build and deploy a privacy program in an organization.
 Organisations having access to PD need to take on the responsibility of protecting
individuals from the risks of the usage of their data. Hence Accountability as a principle has
become critical and has evolved into an accepted approach towards privacy.

Elements of accountability:
 Organisation commitment to accountability and adoption of internal policies consistent
with external criteria
 Mechanisms to put privacy policies into effect, including tools, training and education
 Systems for internal, ongoing oversight and assurance reviews and external verification
 Transparency and mechanisms for individual participation
 Means of remediation and external enforcement

128 Privacy in Organizational Ecosystems
A. Privacy Frameworks: Need and Requirements from a Framework
B. Study of Privacy Frameworks: DPF, BS 10012, ISO 27701,NIST
Privacy Framework

Privacy Program Frameworks
129

Some Privacy Program Frameworks:
 DPF
 BS 10012
 ISO 27701
 NIST Privacy Framework
 APEC
 GAPP
 OECD

1. DSCI Privacy Framework (DPF)
130

DSCI PRIVACY FRAMEWORK (DPF)

Layers of the framework:
 Privacy Strategy & Process: 1. VPI, 2. POR, 3. PPP, 4. RCI, 5. PCM
 Information Usage & Access, Monitoring & Training: 6. MIM, 7. IUA, 8. PAT
 Personal Information Security: 9. PIS

# Practice Areas
1 Visibility over Personal Information (VPI)
2 Privacy Org & Responsibilities (POR)
3 Privacy Policy and Processes (PPP)
4 Regulatory Compliance and Intelligence (RCI)
5 Privacy Contract Management (PCM)
6 Privacy Monitoring and Incident Mgt (MIM)
7 Information Usage & Access (IUA)
8 Privacy Awareness and Training (PAT)
9 Personal Information Security (PIS)
1. DSCI Privacy Framework (DPF)
131
DSCI PRIVACY FRAMEWORK (DPF)

 Personal Information Security (9. PIS): This layer derives strength from an organization’s
security initiatives. However, it demands a focus on data security.
 Information Usage & Access, Monitoring & Training (6. MIM, 7. IUA, 8. PAT): This layer ensures
that adequate level of awareness exists in an organization. A significant level of measures is
deployed to limit the information usage and access. Moreover, a mechanism is deployed for privacy
monitoring and managing incidents that may compromise privacy.
 Privacy Strategy and Processes (1. VPI, 2. POR, 3. PPP, 4. RCI, 5. PCM): This layer aids in
establishing the strategic and tactical elements for privacy. Strategic elements involve defining
Policy and setting up intelligence on global Privacy changes. Tactical pieces involve setting up a
Privacy org and defining a Personal Data Inventory.
1.1 Visibility Over Personal Information (VPI)
132

VPI Objectives
01 Check the Awareness & Understanding to enable the organization to become aware of
the Personal Data Elements, Categories, Storage, Formats, Access levels and usage
02 Assess the Current State to enable the organization to map this against
its privacy program objectives.
03 Enable an organization to get a complete map of its business & operating
environment from a privacy perspective.

1.2 Privacy Org & Responsibilities (POR)
133

POR Assessment Guidance
01 Define Privacy Related Tasks, Activities & Operations and identify the efforts and skills
needed to execute the Tasks
02 Establish the Privacy Function, Structure, Roles and governance mechanisms
03 Define engagement and outreach with the larger organization and outside and
inter-function collaboration

1.3 Privacy Policy and Processes (PPP)
134

01 Articulate Privacy Objectives, Develop Privacy Policy, defining Personal Data and
Organizational role and Provide Direction to implementing Privacy Initiatives
02 Build supporting processes to ensure policy objectives are achieved effectively and
consistently
03 Keep track of organization specific business and technology developments to ensure
policy is updated and remains relevant and new privacy risks are effectively addressed

1.4 Regulatory Compliance and Intelligence (RCI)
135

RCI Objectives
01 Tracking of Legislations to ensure that the organization has a mechanism and
related capabilities to keep track of laws and regulations around privacy.
02 Determination of applicability, clarity in the Interpretation & comprehension of
Implications.
03 Management and integration of regulatory compliance intelligence for the purpose of
privacy

1.5 Privacy Contract Management (PCM)
136

PCM Objectives
01 Establishing a process for incorporating privacy requirements into contracts.
02 Understanding obligations, impacts & compliance requirements arising out of contracts
signed.
03 Management and execution of contracts for the purpose of privacy and addressing privacy
related issues

1.6 Privacy Monitoring & Incident Management (MIM)
137

01 Preparedness in setting up privacy monitoring and incident management
02 Ensure capabilities, processes, business rules and technology to detect, contain,
remediate & communicate privacy incidents.
03 Execution of the devised MIM plan and a high level of cooperation and collaboration with
internal and external stakeholders.

1.7 Information Usage & Access (IUA)
138

01 Establish organizational understanding of Personal Data access and usage across
different functions, processes or relationships
02 Establish necessary policies to limit the Access and Usage of Personal Data, and to
ensure their lawful & fair handling
03 Establish technical and tactical measures to limit access and usage of PD and monitor
it on a regular basis to identify non-compliances.
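The Lifecycle Data Protection Management questions on slide 121 (who is using the information, when and how are they accessing it, what are they doing with it) and objective 03 above (technical measures that limit access to PD and monitor it to identify non-compliances) both come down to checking a Personal Data access log against a purpose-bound access policy. The example below is added here and is not from the DPF or the training material; the policy table, the roles, the business-hours window, the bulk threshold and the five log lines are all constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Hypothetical purpose-bound access policy: role -> {(dataset, permitted purpose)}.
POLICY = {
    "support-agent": {("customer_contact", "service-request")},
    "payroll-clerk": {("employee_pay", "payroll-run")},
    "analyst": {("customer_contact", "aggregate-reporting")},
}
BUSINESS_HOURS = range(8, 20)   # assumed local working window (hours of the day)
BULK_THRESHOLD = 1000           # assumed: more records than this in one access is unusual

# Constructed access log (not real data): timestamp|user|role|dataset|purpose|records
SAMPLE_LOG = """\
2020-03-02T09:15:00|asha|support-agent|customer_contact|service-request|1
2020-03-02T10:02:00|ravi|payroll-clerk|employee_pay|payroll-run|340
2020-03-02T23:40:00|asha|support-agent|customer_contact|service-request|1
2020-03-03T11:30:00|meena|analyst|customer_contact|marketing-campaign|5000
2020-03-03T14:05:00|ravi|payroll-clerk|customer_contact|payroll-run|12
"""


def parse_log(text):
    """Turn the pipe-separated lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 6:
            continue
        ts, user, role, dataset, purpose, records = parts
        entries.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                        "dataset": dataset, "purpose": purpose, "records": int(records)})
    return entries


def find_non_compliances(entries, policy=POLICY, hours=BUSINESS_HOURS, bulk=BULK_THRESHOLD):
    """Return (timestamp, user, reason) for every access that breaks a rule.

    Three rules are checked: the role may use the dataset for the stated
    purpose, the access happens inside business hours, and the number of
    records touched is below the bulk threshold.
    """
    findings = []
    for e in entries:
        when, who = e["ts"].isoformat(), e["user"]
        if (e["dataset"], e["purpose"]) not in policy.get(e["role"], set()):
            findings.append((when, who, f"{e['role']} may not use {e['dataset']} for {e['purpose']}"))
        if e["ts"].hour not in hours:
            findings.append((when, who, "access outside business hours"))
        if e["records"] > bulk:
            findings.append((when, who, f"bulk access: {e['records']} records"))
    return findings


def usage_summary(entries):
    """Who touched which dataset, and how often: the 'who / what' questions."""
    summary = defaultdict(Counter)
    for e in entries:
        summary[e["user"]][e["dataset"]] += 1
    return {user: dict(counts) for user, counts in summary.items()}


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for finding in find_non_compliances(log):
        print(*finding)
    print(usage_summary(log))
```

The policy is keyed on (dataset, purpose) rather than dataset alone because purpose limitation is the privacy requirement being monitored: the same role may legitimately read a dataset for one purpose and not another, as the constructed `meena` entry shows.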

1.8 Privacy Awareness and Training (PAT)
139

01 Create awareness & understanding amongst employees, stakeholders and external third
parties about privacy.
02 Communicate relevant organizational business context and explain the privacy policies,
principles, processes and other measures adopted by the organization as part of its privacy
program.
03 Train employees on how to ensure compliance and handle data breaches.

1.9 Personal Information Security (PIS)
140

PIS Objectives
01 Build the organization’s sensitivity towards security of Personal Data
02 Establish components of a data security program and integrate them with the
organization’s security & risk management processes
03 Help define the scope and coverage of the data security program to ensure security of
Personal Data

2. BS 10012
141
Overview
• British standard that sets out the requirements for a Personal Information Management System
• Aligns with the principles of the European General Data Protection Regulation (EU GDPR).
Contents
• Outlines the core requirements organizations need to consider when collecting, storing, processing, retaining
or disposing of personal records related to individuals.
Alignment to GDPR
• Comprises Key Privacy Principles, Data Subject Rights and Organizational Accountability Measures
• It also details Privacy specific processes like Personal Data Inventory Mapping and details the
responsibilities of various Privacy Related roles
• GDPR and BS 10012 controls have a direct mapping and the mapping is part of the BS 10012 documentation
Structural Similarity to ISO 27K Family
• Overlaying the Privacy specific requirements that are covered are the Management related components
which talk about how to go about setting up a Personal Information Management System
• BS 10012 follows a similar structure to ISO 27K when it comes to Management Related Controls around
Understanding Organization Context, Leadership, Support Requirements, Performance Monitoring and
Improvement.
3. ISO 27701 Overview: Privacy Extension for ISO 27001
142

Context
• ISO 27701 is a privacy extension to ISO 27001 & 02 and provides additional guidance for the protection of
privacy, which is potentially affected by the processing of Personal Data.
• The standard outlines a framework for organizations to manage privacy controls so that risk to individual
privacy rights is reduced.
Applicability
• Applicable to all types and sizes of organizations, including public and private companies, government
entities and not-for-profit organizations processing Personal Data
• Applies to organizations playing different roles in the Personal Data Processing Ecosystem: Controllers, Joint
Controllers, Processors and Sub-Processors
Benefits
• Provides Best Practice and effective ways of managing Privacy processes written in a practical and usable manner.
• As the overlap of Privacy and Security regulations increases, there is a clear benefit for these two teams to
collaborate, communicate more effectively, and use common tools. ISO 27701 provides this platform.
Mapping
• ISO 27701 is the first ISO standard to reference external frameworks or publications not actually developed by
ISO. This standard provides mapping to GDPR.
• It provides mapping to other ISO Standards related to Privacy: ISO 29100 (Privacy Framework), ISO 27018
(Cloud Privacy), ISO 29151 (Code of practice for Personal Protection)
Certifiability
• ISO 27701 is intended to be a certifiable extension to ISO 27001 certification. Organizations planning to seek
an ISO 27701 certification will also need to have an ISO 27001 certification.
• Despite the GDPR being in effect for more than a year, to date, there has been no certification standard for
it. This standard can be a viable option to demonstrate compliance to GDPR.
ISO 27701 Structure: The Core Content is spread across 4 Clauses
143

PIMS specific requirement as related to ISO 27001
• The clauses and sub-clauses in this section are the same as the mandatory controls under ISO 27001.
• PIMS-specific requirements have been added wherever applicable at a Clause & Sub-Clause level
• As the Mandatory controls are mainly generic & “management” related, most areas do not have any additional
PIMS specific requirement.
• E.g. Risk Management clause recommends addition of the privacy risk assessment process to identify risks related
to the processing of Personal Data, within the scope of the PIMS.

PIMS specific guidance as related to ISO 27002
• The clauses and sub-clauses in this section are the same as the mandatory controls under ISO 27002 (and
Annexure Controls under ISO 27001)
• PIMS-specific control statements and guidance have been added wherever applicable at a Clause & Sub-Clause level
• This section is highly insightful as it provides answers to what Privacy related extensions need to be made to
specific Security Controls.
• E.g. The Information Classification clause now recommends addition of Personal Data as part of the Classification
Schema as an organization needs to track where PD is stored and where it flows

Additional Guidance for PD Controllers
• This section covers Privacy specific Controls and Implementation Guidance for organizations who qualify as
Personal Data Controllers or Joint Controllers.
• Section covers the areas which would be part of any Privacy Regulation
  • Privacy Principles for processing Personal Data (E.g. Notice, Accuracy)
  • Lawful basis of Personal Data Processing (e.g. Consent, Legitimate Interest)
  • Individual Rights (e.g. Right of Rectification)
  • Privacy specific processes (e.g. Privacy by Design & Impact Assessment)
  • Personal Data Sharing & Transfers (e.g. Cross Border Transfer of Data)
• Privacy By Design has been covered in detail and in a practical manner

Additional Guidance for PD Processors
• This section covers Privacy specific Controls and Implementation Guidance for organizations who qualify as
Personal Data Processors or Sub-Processors
• This area is very helpful, especially from an Indian context, as a large part of our IT/ITES industry falls
into the Processor bucket
• This section covers Privacy processes from the perspective of a Processor
  • Lawful Basis of processing Personal Data (e.g. Client Agreements)
  • Privacy Principles (e.g. Purpose Limitation as per Client instructions)
  • Privacy specific processes to help Controllers (E.g. Breach notification)
  • Personal Data Sharing & Transfers (e.g. Sub-Processor appointment)
• This section is User Friendly as it segregates Processor specific controls
What makes ISO 27701 such an Attractive Standard?
144

 Completeness in coverage of requirements wrt. Privacy Regulations
 Structural Similarity to ISO 27001 provides familiarity and will aid Adoption
 Privacy Enhancements to Security Controls have been listed in detail
 Certifiable Standard to demonstrate compliance and assurance to customers on regulations
like the GDPR
 Structural Uniqueness in separating Privacy requirements based on Organization Type
(Controller/Processor)
 Concept of Privacy By Design has been covered in a detailed and practical manner

NIST Privacy Framework
145
 The NIST Privacy Framework is designed to function as an Enterprise Risk Management Tool (Privacy Framework) and to help organizations consider
 How their systems, products, and services affect individuals; and
 How to integrate privacy practices into their organizational processes that result in effective solutions to mitigate these impacts and protect
individuals’ privacy
 It is structurally aligned to the NIST Cybersecurity Framework and the taxonomy that it provides is not country, region or sector specific
 Structural Difference with Privacy Regulations/Standards: Unlike a typical Privacy regulation or standard which structures itself along the lines of
Principles, Rights and Obligations, the NIST Framework follows a Risk Management Framework structure

NIST comprises 3 key sections

1. Core: The Core is the most important section and is a set of privacy protection
activities and desired outcomes. It can be considered a mix of Privacy Principles
and organizational obligations.
   1. It is structured along the lines of a Risk Mgt framework and consists of five
   concurrent and continuous functions: Identify, Protect, Control, Inform, and
   Respond.
   2. Together these functions provide a high-level, strategic view of the life cycle
   of an organization’s management of privacy risk.
2. Profile: A Profile represents the privacy outcomes the organization aims to achieve.
An organization can assess all functions using the activities in the Core to define a Current
Profile, and also develop a Target Privacy Posture / Profile and identify the activities needed
to achieve the target.
3. Implementation Tiers: This section provides a Privacy Maturity Framework by which
an organization can see where it stands and where it wants to reach depending on its
circumstances. The 4 maturity tiers are: Partial, Risk Informed, Repeatable & Adaptable.

Source: NIST Privacy Framework_V1.0
NIST Privacy Framework – Core Structure
146
• Functions organize basic privacy activities at their highest level.

• Categories are the subdivisions of a function into groups of privacy outcomes closely tied to programmatic needs and
particular activities. Examples include “Protected Processing,” “Inventory and Mapping,” and “Risk Assessment.”

• Subcategories (Controls) further divide a category into specific outcomes of technical and/or management activities.
They provide a set of results that, while not exhaustive, help support achievement of the outcomes in each category.
Examples include
  • “Systems/products/services that process data, or with which individuals are interacting, are inventoried”.
  • “Data are processed to limit the identification of individuals”.
Function: Description
• Identify: Develop the organizational understanding to manage privacy risk for individuals arising from data processing. Foundational for
effective implementation of the Privacy Framework.
• Govern: Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management
priorities that are informed by privacy risk. Foundation from an organization level.
• Control: Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage
privacy risks. Function considers data processing management from the standpoint of both organizations and individuals.
• Communicate: Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a
dialogue about how data are processed and associated privacy risks. Function recognizes that both organizations and individuals may need to know
how data are processed in order to manage privacy risk effectively.
• Protect: Develop and implement appropriate data processing safeguards. Function covers data protection to prevent cybersecurity-related privacy
events.

Source: NIST Privacy Framework Confidential (c) Arrka, 2020


Licensed to Maya Misra <Maya.Mishra@ril.com> on 07-04-2020. Single user license only, copying and networking prohibited.
NIST Privacy Framework – Core Structure
147
Function – Categories

Identify
• Inventory and Mapping
• Business Environment
• Risk Assessment
• Data Processing Ecosystem Risk Management

Govern
• Governance Policies, Processes, and Procedures
• Risk Management Strategy
• Awareness and Training
• Monitoring and Review

Control
• Data Processing Policies, Processes, and Procedures
• Data Processing Management
• Disassociated Processing

Communicate
• Communication Policies, Processes, and Procedures
• Data Processing Awareness

Protect
• Data Protection Policies, Processes, and Procedures
• Identity Management, Authentication, and Access Control
• Data Security
• Maintenance
• Protective Technology

Source: NIST Privacy Framework
NIST Privacy Framework – Profile & Tiers
148
Profile
• Organizations may not need to achieve every outcome or activity reflected in the Core.
• Profiles are a selection of specific Functions, Categories, and Subcategories from the Core that an
organization has prioritized to help it manage privacy risk. These may be organization- or sector-dependent
and based on the business requirements, risk tolerance, privacy values, and resources of the organization.
• Profiles can be used to describe the current and the desired target state of specific privacy activities.
• A Current Profile and a Target Profile can be maintained, and the gaps between them closed through the
activities defined in the Core.

Implementation Tiers
• Tiers support organizational decision-making about how to manage privacy risk by considering the
nature of the privacy risks engendered by an organization’s systems, products, or services and the
sufficiency of the processes and resources an organization has in place to manage such risks.
• The 4 Tiers are: Partial (Tier 1), Risk Informed (Tier 2), Repeatable (Tier 3) & Adaptive (Tier 4). Tiers
represent a progression, but an organization need not aim for the highest Tier: successful implementation
is measured by achieving the outcomes in its Target Profile, not by the Tier reached.
• When selecting Tiers, an organization should consider its Target Profile(s) and how achievement
may be supported or hampered by:
• A. Current privacy risk management practices
• B. Degree of integration of privacy risk into its enterprise risk management portfolio
• C. Data processing ecosystem relationships
• D. Workforce composition and training program
Source: NIST Privacy Framework_V1.0
Some Other Relevant Standards
149
ISO/IEC 27018:2014
 Published on Aug 1st 2014; builds on the control set of ISO/IEC 27002.
 Applicable where public cloud computing service providers (e.g. Amazon Web Services (AWS)) act as
processors of PD. The standard does not cover the data controllers themselves.
 The standard addresses PD protection controls as part of the implementation of an ISMS (Information Security
Management System) for cloud computing.
ISO/IEC 29101:2013
 A standard for a privacy architecture framework. Specifically, it deals with systems that process
PD, with a focus on ICT systems that interact with Data Subjects.
ISO/IEC 29190:2015
 A privacy capability assessment model. It gives guidance to organizations on how to assess their
capabilities in managing privacy-specific processes.
ISO/IEC 29134:2017
 Guidelines for privacy impact assessment (PIA): the PIA process and the structure and content of a PIA report.
Published in 2017.
ISO/IEC 27701:2019
 A privacy extension to ISO/IEC 27001 and ISO/IEC 27002. It specifies requirements and guidance for a Privacy
Information Management System (PIMS) covering the processing of Personal Data, for both controllers and processors.
150 Key Privacy Trends Globally
Privacy Program Governance
151
 GDPR Compliance: Still a Struggle After All These Years
Source: IAPP-EY Annual Privacy Governance Report 2019
Difficulty Level of GDPR Provisions
152
Fulfilling core GDPR obligations is perceived by companies as easier than it was a year ago. The Right to be
Forgotten is the most difficult GDPR obligation to fulfil.
Source: IAPP-EY Annual Privacy Governance Report 2019
Privacy Organization
153
Half of privacy teams are located in the legal department.
Roughly 3 out of 4 firms have a data protection officer.
Source: IAPP-EY Annual Privacy Governance Report 2019
Privacy Team: Roles & Responsibilities
154
For nearly 4 out of 10 privacy pros, 100% of their job is doing privacy-related work.
The privacy team’s main duties include dealing with privacy policies and companywide training.
When asked to choose the team’s most critical responsibilities, most pros say it is compliance.
Source: IAPP-EY Annual Privacy Governance Report 2019
Privacy Incidents
155
Twice as many firms subject to GDPR have reported a data breach in 2019 as compared to last year.
Only 2% of firms that have reported a breach to a supervisory authority have been fined.
Chart: % of organizations reporting a data breach – 2018: 16%; 2019: 38%
Source: IAPP-EY Annual Privacy Governance Report 2019
156 DCPP Exam: Tips
DCPP Exam Tips – Overall Exam Structure
157
 DCPP© examinations are conducted online, at Pearson VUE test centers.
 The exam has objective questions only.
 There are a total of 75 questions distributed across 3 sections, as below:
 Section 1 – Privacy Fundamentals: 22 questions
 Section 2 – Privacy Principles and Regulations: 32 questions
 Section 3 – Privacy Technologies and Organization Ecosystem: 21 questions
 Total exam time for answering all the questions is 150 minutes.
 There is no separate sectional time limit; candidates are advised to distribute their time accordingly.
 The exam has both single-choice and multiple-choice questions.
 Please note that for multiple-choice questions, exactly two options are correct.
DCPP Exam Tips – Overall Exam Structure
158
 You can determine whether a question is single-choice or multiple-choice from the wording of the
question and the answer box (radio button for single-choice, check box for multiple-choice).
 There are some case-study-based questions, which are also objective questions with one or two
options as correct answers.
 The exam is a mix of questions of varied difficulty levels – easy, medium and difficult.
 A differential marking scheme is used: questions of different difficulty levels carry different marks.
 Candidates are not told the difficulty level of any question in the exam, so candidates will not know
how many marks a given question carries.
 No negative marking – neither answering a question wrongly nor skipping a question attracts
negative marks.
DCPP Exam Tips – Overall Exam Structure
159
 Candidates can move back and forth between all the questions within a section.
 Once a section is over, candidates cannot jump back from the current section to answer questions of
previous sections in the middle of the exam.
 However, a review screen is provided at the end of the exam, after the last question of the last section has
been attempted. From the review screen, candidates can jump to any question in any of the sections.
 Kindly note that leaving the review screen ends the examination – candidates will not be able to
answer any more questions and all responses will be recorded.
 Candidates can decide the order of the sections. Before candidates begin answering the
questions, a screen is shown on which candidates are required to select the desired sequence
of sections.
 Candidates are given 3 minutes to provide their choice of sequence. If no choice
is made within the time limit, the exam starts with the default sequence of sections (1-2-3).
Once the order is selected at the start, it cannot be changed during the course of the examination.
160 Training Feedback
Did the training meet the expectations stated at the start of the
training?
Pop Quiz – Answer Key
161
POP QUIZ! – # / Answer Key
1 – 4. Both the folders (Folder 1 & 2) have Personal Data
2 – 2. Insta Pharma is the data controller that uses Phoenix Tec as data processor to collect and process data of data subjects
3 – 1. Legal Obligation; 2. Vital Interest; 3. Performance of a Contract; 4. Consent of the Data Subject
4 – 1. The customer was not given the choice to opt-in for insurance; 2. The customer was not notified that the travel insurance was from ABC’s partner company
5 – 2. Only 2
6 – 3. Religion; 5. Make of the Car Owned
7 – 1. RM should have informed the husband and taken his consent prior to sharing the account statement with wife.
8 – 2. Send the requested information to customer’s registered e-mail and inform the customer of the channel
9 – 2. Cookies
10 – 1. A form of cookies; 2. Stored in different location than browser cookies
Pop Quiz – Answer Key
162
POP QUIZ! – # / Answer Key
11 – 4. Encryption
12 – 2. Offline Privacy Enhancing Tools
13 – 1. Challenging compliance
14 – 1. Right to Anonymity
15 – 2. Anonymity
16 – 1. Personal Data Protection Commission
17 – 2. Equal service and price
18 – 2. Justice A. P. Shah
19 – 2. Caste & Tribe Details
20 – 3. India
21 – 3. Creation and Collection, Use and Distribution, Maintenance, Disposition