How to Implement GDPR Part 1 :Roadmap for Implementation

00:01

[Music]

00:13

[Music]

00:15

hey guys welcome to the session on

00:17

coffee with PR and today we have a

00:19

special guest my friend Mr PKA chavan uh

00:22

in the past we you know Mr pach has did

00:25

uh sessions with us and um U you know I

00:28

was curious about how to Implement gdpr

00:30

and whenever I used to have a data

00:32

privacy queries I reach out to some of

00:34

the few folks and pankaj is one of them

00:36

so I thought the kind of information I

00:38

used to get from page in my one to1 call

00:41

I thought let me bring this on this

00:43

platform which is basically get benefit

00:45

by multiple people when it come to pach

00:47

8 plus year of experience uh in the data

00:50

privacy where he were involved in

00:52

Consulting products banking

00:54

manufacturing sector marketing and all

00:55

that so as you know data privacy is a

00:57

buz word and gdpr is is basically the

01:00

new things there's a lot of Scholars

01:02

were using CHP chat jpt and AI they

01:04

generating a Content but what is

01:07

practical GDP how practically we

01:09

Implement to be frank pach B I was

01:11

searching multiple videos on YouTube

01:13

where I could not find how to implement

01:15

gdpr apart from using a chat gbt prompt

01:18

but it is glad that okay in this

01:20

particular platform we got an

01:22

opportunity by Mr pachan who going to

01:24

share the Practical case study how to

01:26

implement gdpr from zero thanks Pang by

01:29

taking out the time from a weekend and I

01:30

know weekend is is something is very

01:33

very very busy in Dubai and taking out

01:36

the time for this community it is really

01:39

appreciating thank you thank you br uh

01:41

first of all I'm very happy to be in

01:44

your session and definitely I would like

01:46

to share some insights about how uh the

01:49

data privacy you know is implemented

01:52

internally within the organization so

01:54

like you rightly said so I have eight

01:56

plus years of experience and I have

01:57

worked with multiple industry currently

01:59

I'm working within Insurance sector MH

02:03

so probably um I assume you can see my

02:06

screen now on the screen you can see

02:08

there are lot of boxes lot of circles

02:11

and this is how the pathway of data

02:13

privacy is so the idea today is that um

02:16

I will tell you how I had started this

02:19

journey as a consultant and from there

02:21

how I developed my skill set on

02:24

implementing the endtoend data privacy

02:26

segment so uh I have worked with a lot

02:29

of of multiple jurisdictions gdpr being

02:32

one of them and I have worked with um

02:35

Middle Eastern regulations especially

02:37

from bahin Oman UAE Qatar and then I

02:41

have worked with Singapore data PR

02:42

regulation as well I have worked with

02:45

extensively with gdpr because I was

02:47

earlier associated with one of the

02:49

Swedish

02:50

firm so that is how I have this idea and

02:54

the logic that I'll be telling you you

02:56

guys today is more about how I have

02:59

implemented it when there was nothing in

03:02

the organization like from scratch I

03:04

have built certain programs and at the

03:06

and in few organization there was s

03:09

certain setups like privacy policy were

03:11

there and from there how I picked up uh

03:13

to implement the end to end program so

03:15

the entire conversation I guess will be

03:17

on those lines

03:18

today Pang before we going to discuss

03:21

about this gdpr okay uh you know there's

03:24

a one question I always ask my uh

03:26

panelist and all that you know the the

03:29

the people who come to the sessions and

03:30

all that if someone want to make a

03:33

career in data

03:34

privacy okay so what is the future of

03:38

this particular

03:39

vertical sure okay so uh if somebody

03:43

let's say is willing to join this um you

03:46

know good field of data privacy which is

03:49

a boom in today's world also I see it a

03:53

boom for at least next 5 to eight years

03:56

easily because everywhere the glob

03:59

landscape has been changing especially

04:02

after gdpr when it was launched back in

04:04

25th May 2018 after that many regulation

04:07

picked up CCPA came in then even today

04:10

we have India's privacy regulation which

04:11

is uh in the Forefront and which will

04:14

they have given certain timeline to

04:16

abide by so if you we can see a lot of

04:19

Scholars posting about India data

04:21

privacy dpd yeah a lot of people are

04:25

posting it and which is a good thing and

04:27

it's also good thing that uh government

04:30

has done from a perspective because you

04:32

you know right how many Tel calls we get

04:35

each day and our personal just being

04:37

sold to so from that angle if if you see

04:40

it's a very important aspect and this is

04:44

I would say a more technical field okay

04:47

so you don't have to like worry that

04:50

what I have studied so far and will that

04:53

make sense so basically my background is

04:55

I am a computer engineer and I have done

04:57

MBA in marketing after I have jumped

05:00

into Data privacy so it's like if I can

05:03

do it anybody can do it sort of a thing

05:06

so basically uh the future I see here is

05:10

more uh towards you can if you are

05:12

starting new in your career then analyst

05:14

position probably the better way to

05:17

start is get a certification because

05:20

certification generally will make you

05:22

stand out of the entire crowd so that

05:25

like C and cipm all those kind of

05:28

certificate

05:30

I and obviously if you are in a let's

05:33

say mid level mid managerial level and

05:35

you are looking for a bump in data

05:37

privacy then in that case probably your

05:40

work experience along with uh relevant

05:44

um you know implementation of certain

05:47

aspect not related to data pracy but

05:49

let's say you have uh skills of program

05:52

management you know how to run entire

05:54

end to end program you know how to uh

05:56

convince the stakeholders you know how

05:58

to get things things done so from that

06:00

perspective if you see even in mid

06:02

manager position if you get the

06:04

technical skill set let's say by certain

06:07

courses by reading certain books if you

06:09

are able to demonstrate that knowledge

06:11

that along with my program management

06:13

skills I can do this then that is also

06:16

one of the uh thing I can see which will

06:18

land you in a data privacy Road okay

06:21

that is the case so so um you know we we

06:24

say that for the information security

06:25

I'm sorry I'm I'm going bit know we we

06:28

just starting a session with something

06:29

else but uh you know you know because

06:32

this video is watched by those people

06:34

who also new to the data privacy and all

06:36

that see when we say in information

06:38

security we need to know DNS we need to

06:40

know information security Concepts and

06:41

all that to understand data privacy what

06:43

is the basics what are the basics are

06:45

required so Basics are you just need to

06:49

know the regulation so if um data

06:51

privacy as a concept you should know so

06:53

information like it's a very big concept

06:55

but there are a lot of asps but if you

06:57

see data privacy is more um know focused

07:01

it's more about protecting personal

07:03

information okay if somebody if somebody

07:06

tells you data privacy then you should

07:08

just think that it is about personal

07:09

data and then there are seven to eight

07:12

modules which are associated with it so

07:14

we will be discussing those seven to

07:16

eight modules today but that is just a

07:18

general thought process you should also

07:20

have when you think about the word data

07:22

privacy so when you go in the

07:23

organization so it will be very easy uh

07:27

as compared to information security so I

07:29

call it data privacy as a subset of

07:31

information security because it's a very

07:34

large we can able to maintain privacy by

07:36

information security controls

07:38

only I wouldn't say throughout

07:41

because requirement I'm saying yeah yes

07:45

the basic ISO 2701 if you even do that

07:48

then yes you are I would say more than

07:51

above average people who are know

07:53

thinking about privacy so when you think

07:55

about privacy think like you have to

07:59

give control of the data to the person

08:02

who whose data it is in the question so

08:05

data subject is what we call them and

08:07

when you think about information

08:09

security the control is more towards

08:10

organization that how an organization

08:12

takes care of the data that what

08:14

controls put in place they don't have to

08:17

go they don't ask generally the data

08:19

subject right that what should we do

08:21

it's their it's their um you know

08:24

technological ability and all those

08:26

aspect whereas in data privacy we have

08:28

to make sure that in the decision making

08:31

Pro process even the uh consent of the

08:34

data subject is taken into consideration

08:36

and there that is where the data privacy

08:39

as a domain becomes separate from

08:41

information security to some extent

08:44

understood that is the idea so so if if

08:47

you take a example of today like you

08:50

know we today talking about know gdpr

08:53

perspective and all that so will it give

08:56

a high level view to the people who new

08:59

to gdpr or will this session will be

09:01

useful for those also who want to impl

09:03

gdpr but want to know high level how it

09:05

works actually so can can can we say

09:07

that this this this session what we're

09:08

going to do

09:09

today give give them a

09:12

framework and based on that they can

09:14

able to enhance yeah yep yeah yes so

09:17

this is someone who let's say doesn't

09:19

have any knowledge about data privacy so

09:22

yes we will be having the conversation

09:26

from those lights and let's say somebody

09:28

has uh brief knowledge that okay these

09:31

are some of the things that I know so

09:33

for them also it will be beneficial

09:35

because we'll be seeing in-depth

09:37

analysis of how each phase has to be

09:39

conducted understood so this is based on

09:42

my experience my work experience which I

09:44

have been doing in my Consulting forms

09:46

and even in standard Lear organization

09:48

so from that perspective I see it

09:51

beneficial for both the audience

09:53

understood no issues so so we can we can

09:56

basically start with this aspect about

09:58

uh what is gdpr and sorry how the gdpr

10:01

is basically Implement in the

10:03

organization and what is basically the

10:04

road map yeah sure so for those who

10:08

don't know let's say gdpr gdpr stands

10:10

for General data protection regulation

10:12

so it is uh you can say kind of an

10:15

advanced level regulation in data

10:17

privacy which was proposed in the

10:19

European Union so European Union consist

10:22

of 28 countries so during uh two uh last

10:26

decade the proposal was made during 2012

10:29

then slowly it came into um the force in

10:33

2016 and then in 2016 the organizations

10:36

were given 2 years of timeline to comply

10:38

with gdpr that was in 2018 so by 2018

10:41

everybody has to be comping so what

10:44

makes gdpr stands out with respect to

10:48

the earlier versions of data privacy

10:50

regulation is that it contains more

10:54

controls over how things are driven in

10:57

today's technological world world so

10:59

let's say the let's say the you know how

11:04

system system because the earlier

11:06

regulation were more um of a what I can

11:11

say more computerized but not that

11:15

advanc so it was more like for paper

11:17

based data also the same regulation were

11:19

there so same regulations were

11:21

applicable but in today's world where

11:23

the internet has you know has given

11:26

people the closeness the globalization

11:29

so earlier regulation were more

11:31

Standalone to the European Union itself

11:33

but through gdpr now the control has

11:36

expanded towards the entire Globe so

11:39

that was kind of a major change which

11:41

gdpr bought in okay okay so um when we

11:46

talk about gdpr or let's say any data

11:48

privacy program so gdpr we can keep that

11:51

as a reference let's say any data

11:53

privacy program be it in any

11:55

jurisdiction so this workflow definitely

11:58

will help you you uh in achieving that

12:01

okay so let's say you are hired as a

12:05

analyst for example okay you are

12:07

starting new now what would you do now

12:10

basically there can be two aspects to it

12:13

either an organization has certain level

12:16

of controls or organization is starting

12:19

pretty new okay so we'll take the first

12:22

uh second case which is starting pretty

12:24

new they have nothing in place so they

12:26

have just hired you as an analyst or

12:28

consult or a DPO whatever you call it

12:31

and then uh it grows from there so the

12:36

first thing so what will be the first

12:38

thing that you will do so for me when I

12:42

go to an organization my first question

12:44

to them is where is your business

12:48

generally located and where are your

12:50

customer bases because that becomes my

12:52

starting point to do the entire analysis

12:55

why this is important now when I say

12:59

certain jurisdiction let's say if I'm

13:01

working in India and my customer base

13:04

vendor base let's say they are also in

13:06

India itself then I know that for me the

13:09

prime thing or prime jurisdiction I need

13:11

to focus is the data protection bill

13:13

passed by the India the

13:15

dpdp now similarly if I am working in

13:19

India but my I have clients or customers

13:22

in European Union that means I have to

13:25

comply by Indian Privacy Law and I have

13:27

to comply by European Privacy Law

13:29

so the first point for me would be to

13:32

knowing what regulations are going to

13:35

come ahead so that I can plan my entire

13:37

program accordingly so that helps me to

13:41

device a perfect plan that okay uh now

13:44

there are two regulations let's say in

13:47

European union and in India so what I

13:49

would do as a first step I'll do a gap

13:51

analysis between the two regulation that

13:53

what are the common common items between

13:56

both the and then what are the SE

13:59

separate ones which I need to take care

14:01

only for the European Union and only for

14:04

India so that will be my first task that

14:06

I'll do an

14:08

example so um when I was working here so

14:11

currently I am working

14:14

for uh so I am the regional manager for

14:16

four different countries and the four

14:18

different countries have different data

14:20

privacy laws so it some are sectorial

14:23

law some are federal law when I say

14:25

sectorial it means free zone based law

14:27

so only specific to that area not to the

14:30

entire country so likewise so what I did

14:33

so basically in an Excel okay in a

14:36

normal Exel I copy pasted all the

14:39

um regulations okay after that you know

14:45

if you guys have seen the regulation you

14:47

know certain in regulation there are

14:50

articles so certain articles are just

14:52

information based and certain articles

14:55

are uh on which you have to take certain

14:58

actions

14:59

so I have in one once I have listed the

15:02

entire regulation in one item then I

15:04

have selected the Articles which are

15:07

only actionable obviously the some ones

15:10

have like just definitions right just

15:11

definitions who the so those you kind of

15:15

ignore so after finding out that okay

15:18

let's say out of 100 articles 75 are

15:21

actionable 25 are just definition so

15:24

then these 75

15:26

articles what I do I try to see that

15:30

okay now if I take Oman for example if

15:34

there are 75 articles in Oman then I

15:37

will see in UAE what are the common ones

15:40

okay what are the common ones and try to

15:43

Club them together so okay so I know so

15:46

let's say Club 25 might be common

15:48

between two so 50 stands here 50 stands

15:50

out there then I will try to what are

15:53

the individual gaps so similarly when I

15:55

am working for in multi-jurisdiction

15:58

kind of a a setup then uh this becomes

16:01

my easily one or two months task to you

16:05

know identify all the reg all the

16:07

Articles finding out the gaps and so

16:11

on so this is my first step and after

16:15

that what I generally have so I now

16:19

since I have been working in this field

16:20

for long I know that I know what my

16:23

program plan will look like but for you

16:25

guys you are starting new so it will

16:27

also be a question that okay now you

16:29

have identified the regulation now what

16:31

now what is the next so next step so

16:34

next step probably uh as a suggestion I

16:39

would say probably yes you can make use

16:41

of this um PPD which we'll be showing

16:44

you today it's just the two slid nothing

16:46

else you can definitely use this or else

16:50

there are lot of online um versions

16:53

available on how to know do a basic data

16:56

privacy program and I'm sure you'll find

16:59

similar steps in this but this is more

17:00

on a detailed side so framework then

17:05

what you do so let's say there are uh 50

17:08

control items in the framework so even

17:11

in data privacy policy let's say in data

17:13

privacy policy looks very easy but then

17:16

identification of jurisdiction is one

17:18

part of that then I after that revie and

17:22

uh first is making a privacy policy then

17:25

getting it either signed by the audit

17:28

committee or relevant committees within

17:30

your organization so all these uh

17:33

functions form as a part of your

17:35

framework so it is your responsibility

17:38

as a DPO or analyst to see that how can

17:42

I drill down one particular item into

17:45

multiple small small item so that it

17:47

becomes measurable for them so this is

17:49

how when you say let's say only privacy

17:51

but is I have to do privacy by Design

17:53

it's a very vast topic and I don't know

17:56

so I want to make it measurable so so

17:58

that's why then I'll try to make a

18:00

policy first then I'll try to do the Gap

18:03

analysis that this is the thing which we

18:05

are currently doing but this is missing

18:07

then I'll try to make a assessment

18:09

template on basis on which I'll do the

18:11

Privacy by Design assessment and so on

18:13

so that granularity as long as you have

18:16

in your framework it will be very easy

18:19

for you to map that granularity to the

18:22

regulation okay that is the idea so then

18:26

now we can start with the workflow if

18:29

please please yeah okay

18:32

fine all right so then to start let's

18:35

look at now the workflow one by one okay

18:38

so the first part I have put as a global

18:40

privacy handbook now obviously this will

18:45

not be like a start to finish kind of a

18:48

thing okay this Global privacy handbook

18:50

when we say it will be a continuous

18:53

document but let's assume let's say you

18:55

start with this because this privacy

18:58

hand handbook is something like a manual

19:00

for you it's like a manual on what are

19:02

the things you'll be doing so it will

19:04

incorporate uh your regulations

19:07

applicable regulations it will

19:09

incorporate your data privacy framework

19:11

it will incorporate your procedural

19:13

documents it will Inc even policies to

19:16

some extent so I had made I remember

19:19

when I was working with KH times it was

19:21

one of the newspaper company I had a 135

19:24

pag of global privacy handbook it was so

19:27

comprehensive

19:29

and U it was very good actually I was

19:31

also very proud of myself to make it

19:35

because it had very intricate details

19:37

about what needs to be done and how it

19:40

needs to be handled and so on so that is

19:42

why um after that experience only I have

19:45

started making this Habit to have a

19:48

global privacy handbook so the idea here

19:50

is like I said in the first phase you

19:53

identify the regulation keep a track in

19:55

the handbook and then you identify the

19:57

freame framework that you are going to

19:59

follow it can be anything it can be a n

20:01

framework it can be ISO 27,000 27701

20:05

framework it can be this framework which

20:06

we'll be discussing any framework so

20:08

once you have identified just have it in

20:11

the manual and then you try to map it

20:13

okay so This Global privacy handbook

20:15

gives you a picture that okay my now I

20:17

know what are the jurisdiction now I

20:19

need to follow ahead after

20:22

that uh the first thing then you will do

20:24

is try to device a policy now because

20:27

you know the jurisdiction because you

20:29

have a good idea about you know what are

20:33

the specific factors so for example in

20:35

European Union uh international data

20:39

transfer is a big question because if

20:42

you want to do it there are certain ways

20:44

in which only you can do it for example

20:46

you need to have a standard contractual

20:47

Clauses or there should finding

20:49

corporate rules or there can there

20:51

should be approved code of conduct and

20:53

so on so there are multiple ways to do

20:55

it so your privacy policy because as

20:59

long as you don't know the regulation

21:01

devising a privacy policy will be very

21:03

difficult correct so that is why that

21:05

becomes our firstep and next is after

21:07

identifying the jurisdiction we devise a

21:09

privacy policy now if you ask me whether

21:13

you do a privacy policy from scratch

21:15

obviously not I use my industry you know

21:19

um so for example now currently I'm

21:21

working in Insurance I'll see many

21:24

Insurance privacy policies I'll see what

21:26

are how those are Dev and then I'll try

21:29

to tweak it to my needs and requirements

21:32

so that is how I do it so obviously if

21:35

somebody wants to make hit from scratch

21:37

that's your call you can do it

21:39

definitely but

21:41

uh um if you want help that is fine but

21:44

don't please don't copy as is the policy

21:48

uh make sure that you have your own

21:50

agenda in it you make sure your

21:52

organization needs are catered in that

21:54

your data subjects are catered in that

21:57

and so on so that is how I make the

21:59

policy okay

22:02

now after making uh this particular

22:05

policy um so this again in policies also

22:10

there are multiple ways to do it one is

22:13

the data privacy policy let's say it's

22:15

sitting in the Apex okay either you can

22:18

have a single data privacy policy or you

22:21

can have multiple short shot other

22:23

policies so for example data retention

22:25

is one privacy by Design is one how to

22:28

conduct dpia is one and so on that is

22:31

completely your call I like to go with a

22:34

single privacy

22:36

policy where if it's a smaller

22:38

organization let's say not more than 100

22:41

200 you know people if it's a big

22:43

organization then I would like to go

22:45

with uh smaller ones because it's easy

22:49

to communicate the smaller ones rather

22:52

than a bigger one because in a smaller

22:53

organization in one or two training you

22:56

can you know let know the people that

22:58

okay these are the conditions and these

23:00

are the things why which we'll be

23:01

following but in a larger organization

23:03

this becomes a challenge so that is why

23:05

I have this habit of having a chunk of

23:09

policies and then I'll keep it in a

23:10

intranet somewhere so that everybody has

23:13

access okay so after policy making uh

23:17

The Next Step would be um to create to

23:21

design certain templates so these

23:23

templates are what now these templates

23:25

generally will help you to know know

23:28

more about the business so there can be

23:30

many template so there can be a records

23:32

of processing activity template there

23:35

can be a privacy impact assessment

23:38

template there will there can be a

23:41

transfer impact assessment template that

23:43

if you have to transfer data from one

23:45

jurisdiction to other then so these are

23:47

kind of template making template

23:49

building so till now if you realize till

23:53

now you are not depending on any other

23:57

um departments within your organization

24:00

create this so this is this you are

24:01

doing wholly and solely by yourself

24:04

because as as you dwell into this role

24:07

you will understand that our dependency

24:09

on people is more rather than we doing

24:12

our task so if it was on me I would have

24:14

finished a lot of things pretty fast but

24:17

obviously it's a group thing it's a no

24:20

organization wide thing so we have to

24:22

depend on people we have to respect

24:24

their time as well because not all

24:26

people when we want they'll be free

24:28

right so from that aspect what I do

24:31

whatever is possible from my end I try

24:34

to create it as soon as possible and

24:36

then it gives me a buffer time that okay

24:38

oh

24:40

somebody if someone is free then I can

24:42

you know immediately start with the

24:44

assessment for there to see whether

24:46

there are any risk and so on and so

24:48

forth so that's why this template

24:49

building is one key

24:51

aspect okay after that um okay you have

24:55

created certain policies you have

24:57

created C templates now what now maybe

25:01

you try to see what is the existing part

25:05

within the organization

25:08

Now privacy policy being one of them so

25:11

generally people have privacy policy now

25:13

why I have not you know focused it to

25:18

make it before like for example the

25:20

fourth step why I have why I haven't

25:23

kept it as a first step because when you

25:26

see any existing policy um the notion

25:29

your thought process becomes very

25:31

streamlined to that angle so which I

25:34

generally avoid so that's why what I do

25:36

I make my own privacy policy first it

25:38

doesn't take a lot of time maybe a week

25:40

or so that should be if I am very good

25:42

with the regulations a week or so would

25:44

be good enough for me to create one so

25:47

that is why so once I have that

25:48

knowledge that okay these are the kind

25:49

of things that should be there in my

25:51

policy then I go and see that okay what

25:53

is the existing policy so that I can see

25:56

the difference and make the changes

25:58

so that is where so at the fourth step

26:01

what you do you see what are the

26:03

existing policy probably there can be a

26:04

retention policy as well there can be a

26:07

trading policy there can be any number

26:09

of policies so you check and

26:11

you map it to the ones that you have

26:14

created so that if there is any Gap you

26:16

try to fill it so that is the idea

26:19

basically and you try to know uh once

26:23

you are in this role you'll realize that

26:26

you start with small small wins first so

26:29

that you know you also feel motivated at

26:31

the same time uh the organization also

26:35

feels that yes there there is certain

26:37

progress which is happening why I'm

26:38

saying this because many people see data

26:41

privacy as a you know uh what you can

26:44

say compliance department they call it

26:46

as a complicated Department generally in

26:49

our world so you don't want to know

26:52

showcase that we are just blocking their

26:55

work because for us data privacy is a

26:58

full-time role but for them data privacy

27:01

is like some somewhat over and above

27:03

what they do because that is something

27:05

the controls that we need to put

27:07

obviously now that is that comes under

27:08

organization policy and all those stuff

27:11

but you will realize that change

27:13

management is one of the very key aspect

27:17

in this role so making people understand

27:19

certain things um making them learn

27:22

making them change the way they were

27:25

doing things earlier that is quite

27:27

challeng ing than I think any of the

27:29

other cases so if very if you are very

27:33

good at communication skills you know

27:35

personal development way so I think this

27:37

role will be pretty easy that way

27:39

because once you have the technical

27:40

knowledge this this part becomes easy

27:42

but even if you have technical knowledge

27:44

and this is challenging then it becomes

27:46

a pretty messy thing that's should this

27:49

is what I have learned okay so okay so

27:53

once you have reviewed everything then

27:55

you move to uh the easy wins so for me

27:58

Cookie compliance is the basic easy win

28:01

because cookie compliance obviously you

28:03

can't do it with by yourself um you need

28:06

have certain tools for it because

28:07

cookies are generated automatically so

28:09

you can't manually manage the cookies

28:11

which are going right so there are not

28:14

very expensive software I could say um

28:17

probably your company might be using

28:19

many U many of the what do you call

28:23

softwares which generally comes with the

28:25

cookie related things okay uh so you can

28:29

either enable that or you can ask for

28:33

you know that cookie implementation is

28:36

better now few people might say that

28:39

cookie policy and implementation can be

28:42

taken up as phe two or phase three which

28:44

is also fine why I have kept it here

28:47

because like I said it's a easy win and

28:49

that's why if you want to demonstrate

28:51

something on a quicker scale this is a

28:54

easy way okay so once you have that

28:57

cookie policy is nothing but uh as you

28:59

know we whatever cookies are getting

29:02

stored on the browser certain

29:04

regulations have given them the idea

29:07

that yes you can do that but you only

29:12

and only if the data subject has given

29:14

consent to it so that's why after gdpr

29:17

you might have recognized like since

29:19

last four five years there lot of cookie

29:22

banners which comes on every website

29:24

right a lot of cookie banners you have

29:25

to allow or reject the cookie before you

29:27

can even see it so that the reason that

29:30

data privacy that is why this has come

29:33

up okay okay so that's the case now once

29:39

I have done this so the next step would

29:42

be that okay I try to uh either see

29:46

records of processing activity or I see

29:49

privacy impact assessment now let's

29:51

understand these both process in detail

29:53

what it is now when I say records of

29:57

process processing activity so this

30:00

activity you can call it as you know the

30:03

main the Bible of the entire privacy

30:07

program that you are running now why I

30:08

am seeing this now what are the contents

30:11

let's understand what are the contents

30:12

of records of processing activ so the

30:15

idea behind this particular document or

30:19

activity is that you have a

30:23

comprehensive knowledge of all the

30:26

business process which is within your

30:28

organization irrespective of whether it

30:30

has personal data or not so that is a

30:33

prime responsibility of a data

30:35

Protection Officer or those who are

30:37

working in data privacy office that this

30:40

particular document is maintained now in

30:43

certain jurisdiction like gdpr this is a

30:46

pretty mandatory document where um if

30:49

the regulator asks they have to present

30:52

it in certain case it's a good to have

30:55

kind of a environment so so but in but

30:59

we will go with the idea that yes we

31:01

have to have this document because you

31:04

will see that if you have this

31:06

particular document all the Privacy

31:08

modules which you are about to follow

31:11

next will be will become very very easy

31:14

okay now let's understand what are the

31:16

contents of these documents so like I

31:18

said all the business processes then it

31:21

will have idea as to for example let's

31:24

take HR okay now HR has has payroll as a

31:28

process HR has recruitment as a process

31:32

HR has Performance Management as a

31:34

process correct so let's take these

31:37

three process

31:39

now um we will try to have this

31:43

documented in the records of processing

31:45

activity now against each process there

31:47

will be a purpose now obviously payroll

31:50

the purpose of processing is to process

31:52

the payroll of the organ of the

31:55

employees similarly recruitment and

31:57

Performance Management is evaluation of

31:59

employees so so on so we will take

32:01

purpose for each after that it it will

32:04

be like from where the data is coming we

32:06

we will try to find out the source for

32:08

that for the payroll data let's say it

32:10

is coming from an hrms system for

32:13

example okay so we are trying to find

32:14

out the source of the data or it can

32:17

also happen that in recruitment the

32:19

recruitment process itself is the source

32:21

of the data okay so why this is

32:23

important this is important because if

32:26

we know that from where the data is

32:27

coming or from or they are the source it

32:29

will be very easy for us to build a data

32:31

flow diagram okay that we will further

32:34

why a data flow diagram is important

32:37

okay now that is where this records of

32:39

processing activity comes handy where we

32:41

will know the source of the data

32:43

destination of the data we will know lot

32:46

of technical aspects as

32:48

to if the data is traveling to any Third

32:52

Country so that gets captured in this if

32:54

the data has relevant um you know legal

32:59

basis now for those who don't know what

33:02

a legal Base legal basis is so in order

33:06

for an organization to process personal

33:10

data there are certain legal bases which

33:13

are defined in the regulation okay so

33:15

this is this idea this uh terminology of

33:19

legal basis is common across all the

33:21

jurisdiction probably the number of

33:24

legal bases might be six somewhere

33:26

probably somewhere might be four only

33:28

that is the difference so you need to

33:31

understand that for you as an

33:34

organization to process a personal data

33:37

it has to fall under either one of the

33:40

legal base now what are these legal

33:42

bases so consent is one legal

33:45

base uh then U uh legitimate interest is

33:49

one legal base performance of contract

33:51

is one legal base uh then legal

33:54

obligation is one legal basis and so on

33:57

so do you want me to go into technical

33:59

terms no no that's okay we can we can

34:01

have a next session on that better yeah

34:03

yeah okay so these legal bases get

34:06

captured and once the legal bases get

34:09

captured once you know the incoming and

34:10

outgoing Source it also captures that

34:12

what kind of personal information is

34:14

used for example in payroll can happen

34:16

that bank details is used employee ID is

34:19

used employee email is used and let's

34:21

say their home address is us for example

34:24

so these gets captured so now this

34:27

particular document is my repository of

34:30

all the business processes for example

34:32

in my previous organization we had

34:34

identified more than 230 business

34:36

processes which were there it was

34:38

a big form so we had 230 plus processes

34:41

in it and in that 230 plus

34:44

processes we tried to

34:46

identified uh which were using personal

34:49

data and which were not so that was the

34:51

first case and then after that we Tred

34:54

to find the source and the destination

34:56

so once you have have an idea about how

34:58

and where the personal data is lying

35:00

within the organization then obviously

35:02

next steps becomes easy for example

35:04

privacy impact ass Now privacy impact

35:07

assessment again it's a technical term

35:10

so in privacy impact assessment the idea

35:12

is to

35:13

identify what are the risk involved if

35:17

you are using personal data of a data

35:19

subject so risk involved to the data

35:21

subject not to the company to the data

35:23

subject so for example if you use my

35:25

name and date of work probably the risk

35:28

is pretty minimum but if you are

35:30

processing my credit card details you're

35:33

processing my bank account then the risk

35:35

is high then the evaluation here you are

35:38

doing is to

35:40

see that whether I should be you know

35:45

processing this at the first place if

35:47

yes then what are the controls in place

35:49

what kind of information security

35:51

controls do I have at my end in order to

35:54

make sure that this uh particular data

35:57

doesn't get exposed to any unauthorized

35:59

entity okay so this is type of risk you

36:02

try to identify so that is the phe that

36:07

after that you come to making of data

36:10

privacy addendum or say this is a kind

36:15

of a document which

36:17

is first of all when there are vendors

36:20

involved there will be contracts in

36:23

contracts there will be certain terms

36:25

and condition Clauses involved

36:27

our role here is to

36:29

check the uh existing

36:32

contracts uh that whether data privacy

36:34

Clauses were accepted or not okay

36:37

because this is a pretty easy step you

36:39

just need to see and if it is not there

36:42

obviously you will either update that

36:44

existing contract or put an addendum on

36:46

top of

36:47

it idea here is you get contractually

36:51

protected due to on the basis of uh this

36:54

thing and so that in tomorrow something

36:57

happens let's say breach happens at a

36:58

vendor's place then at least you had

37:01

made sure that all the liability was

37:03

transferred to the um particular vendor

37:07

so this is why this is where uh the

37:09

contract makes uh life easy of a data

37:13

privacy officer because the liability

37:15

wise it balances out both the towns okay

37:20

okay so again this becomes an easy win

37:22

because managing contracts you just have

37:26

to Let's say it can be it can happen

37:28

that you have a central portal where all

37:29

the contacts are managed or you have to

37:32

take a list from let's say your vendor

37:34

team or so on decentralize yeah okay

37:37

yeah so that's where that is why and

37:39

just see the context don't go into much

37:41

detail so there are two ways to even see

37:44

at it

37:45

so in one case you are the owner of the

37:50

data like you are collecting data so

37:52

there are two concepts in it one is

37:54

called as data controller and one is

37:56

called as data processor data controller

37:58

is someone who H who makes decision

38:02

about the data and data processor you

38:05

can think of someone who doesn't have

38:07

its own mind it just acts on behalf of

38:10

data controller whatever data controller

38:11

says only that way the data processor

38:14

will act and give back the data so that

38:17

is the idea so when you are working as a

38:19

data processor that time you can make a

38:22

data processing agreement that yes if

38:25

you give us the data and if we are

38:27

vendor for you then these are the

38:29

contracts or these are the obligations

38:31

which will be following and so on so we

38:33

will not go in detail but there are two

38:35

kinds of documents data processing

38:37

agreement which will go on the processor

38:39

side and it can one will be General MSA

38:41

which is Master service agreement so

38:43

that is how it is done that is that is

38:45

one of the important Insight I find

38:47

because when it come to people always

38:49

get confused with this two type of

38:50

agreement and thanks for bringing that

38:52

particular Topic in the session because

38:54

that that give a very good Clarity and

38:55

second important part you talk about

38:57

this SEC or BCR and all that that's also

38:59

an important part which people used to

39:02

you know don't give attention to that

39:03

and I have seen lot of people get

39:05

confused on that area thanks thanks for

39:06

bringing that point in this session page

39:09

yes yes no worries

39:14

so