How to Implement GDPR Part 1: Roadmap for Implementation
Summary
TLDR: In this informative session, guest speaker Mr. Pankaj Chavan discusses the implementation of GDPR from scratch, sharing his 8+ years of experience in data privacy across various sectors. He outlines the importance of understanding GDPR as a global regulation and provides practical steps for creating a data privacy program, including policy development, gap analysis, and the use of templates for assessments. Chavan also emphasizes the role of communication and change management in successfully implementing data privacy measures within an organization.
Takeaways
- The session is focused on practical implementation of GDPR with the help of a special guest, Mr. Pankaj Chavan, who has extensive experience in data privacy across various sectors.
- Mr. Chavan discusses the global impact of GDPR, emphasizing its significance beyond the European Union and how it has influenced data privacy regulations worldwide.
- The importance of understanding the jurisdiction and customer base of a business is highlighted as the starting point for any data privacy program, including GDPR compliance.
- The creation of a Global Privacy Handbook is suggested as a comprehensive manual that includes applicable regulations, data privacy frameworks, procedural documents, and policies.
- The script outlines the process of developing a data privacy policy, emphasizing the need to understand the specific requirements of different jurisdictions and tailoring the policy accordingly.
- The concept of 'Privacy by Design' is introduced as a critical aspect of data privacy, which involves assessing and implementing privacy measures from the outset of a project or process.
- Cookie compliance is presented as an 'easy win' for demonstrating quick progress in data privacy, as it involves obtaining consent from data subjects for the use of cookies.
- The necessity of conducting Privacy Impact Assessments (PIA) is discussed to identify and mitigate risks associated with the processing of personal data.
- Records of Processing Activity (RPA) are described as a crucial document for maintaining a comprehensive understanding of all business processes, especially those involving personal data.
- The script touches on the importance of reviewing and updating existing policies and contracts to ensure they align with data privacy regulations and protect the organization legally.
- The distinction between data controllers and data processors is clarified, along with the need for data processing agreements or Master Service Agreements (MSA) to ensure contractual protection in data handling.
Q & A
What is the main topic of the session in the provided transcript?
-The main topic of the session is about the practical implementation of GDPR (General Data Protection Regulation) from a professional with extensive experience in data privacy.
Who is the special guest in the session?
-The special guest in the session is Mr. Pankaj Chavan, who has over 8 years of experience in data privacy across various sectors.
What is the significance of GDPR in the context of this session?
-GDPR is significant as it is an advanced level regulation in data privacy within the European Union, and the session aims to discuss practical case studies on how to implement it from scratch.
Why is data privacy considered a buzzword in today's world?
-Data privacy is a buzzword because of the increasing awareness and importance given to personal data protection, especially after the introduction of regulations like GDPR, CCPA, and others.
What does the speaker suggest for someone looking to start a career in data privacy?
-The speaker suggests that starting with an analyst position and obtaining relevant certifications like CIPM can help stand out. Also, having a background in a related field and demonstrating technical knowledge along with program management skills can be beneficial.
What is the role of a data privacy officer or analyst in an organization?
-The role of a data privacy officer or analyst includes understanding and implementing data privacy regulations, creating privacy policies, conducting gap analysis, and ensuring the organization's compliance with data protection laws.
What is the importance of a Global Privacy Handbook in the context of data privacy?
-A Global Privacy Handbook serves as a comprehensive manual that incorporates applicable regulations, data privacy frameworks, procedural documents, and policies, providing a guide for the organization's data privacy practices.
What does the speaker mean by 'easy wins' in the context of data privacy implementation?
-In the context of data privacy implementation, 'easy wins' refer to quick and relatively simple tasks that can demonstrate progress, such as cookie compliance, which can help build momentum and motivation within the organization.
What is the purpose of a Records of Processing Activity (RoPA) document?
-The purpose of a Records of Processing Activity (RoPA) document is to provide a comprehensive understanding of all business processes within an organization, particularly how personal data is handled, its source, destination, and the legal basis for processing.
What is a Privacy Impact Assessment (PIA) and why is it important?
-A Privacy Impact Assessment (PIA) is a process to identify and evaluate the risks involved in processing personal data. It's important to ensure that appropriate controls are in place to protect the data and to comply with data privacy regulations.
Why is it necessary to review and update existing contracts in the context of data privacy?
-Reviewing and updating existing contracts is necessary to ensure that data privacy clauses are included, which protect the organization legally and contractually, especially in cases where data processing involves third-party vendors or processors.
Outlines
Introduction to the GDPR Implementation Session
The session begins with a warm welcome and introduction to a special guest, Mr. Pankaj Chavan, who is an expert in data privacy with over 8 years of experience. The host expresses his eagerness to discuss GDPR implementation, a topic he has previously consulted with Mr. Chavan on. The conversation aims to benefit a wider audience by sharing practical insights on data privacy, particularly focusing on the General Data Protection Regulation (GDPR). Mr. Chavan's expertise spans various sectors, and the host appreciates his willingness to share his knowledge during a busy weekend. The session is intended for those curious about data privacy and GDPR, with Mr. Chavan promising to share his journey and skill set development in data privacy, starting from scratch.
The Future of Data Privacy and Career Insights
This paragraph delves into the future prospects of a career in data privacy, a field that is booming and predicted to grow for the next 5 to 8 years. The speaker discusses the global landscape changes post-GDPR, with new regulations emerging worldwide. The paragraph emphasizes the importance of data privacy in protecting personal information and differentiates it from information security. The speaker shares his background as a computer engineer with an MBA in marketing before transitioning into data privacy, suggesting that if he can do it, anyone can. The focus then shifts to the importance of certification, such as CIPM, to stand out in the field and the value of combining technical skills with program management abilities for career advancement in data privacy.
Understanding GDPR and Data Privacy Basics
The speaker provides an overview of the GDPR, explaining its significance as an advanced regulation in data privacy within the European Union. The paragraph outlines the evolution of GDPR from its proposal in 2012 to its enforcement in 2018, emphasizing its global impact due to the internet and globalization. The speaker then discusses the initial steps in implementing a data privacy program, starting with understanding the business location and customer base to determine the applicable regulations. The paragraph highlights the importance of a gap analysis between different regulations and creating a comprehensive plan for data privacy, including the development of a global privacy handbook as a reference for ongoing tasks.
Building a Data Privacy Framework from Scratch
The paragraph discusses the process of building a data privacy framework from the ground up, especially in organizations without existing controls. It begins with identifying the jurisdiction and regulations that apply to the business, followed by the creation of a data privacy policy. The speaker suggests using industry-specific policies as a starting point and customizing them to fit organizational needs. The paragraph also touches on the importance of granularity in the framework, making it measurable and actionable. The speaker emphasizes the role of a data privacy officer or analyst in translating policy into practical, manageable tasks and the significance of creating templates for processes like privacy impact assessments.
The Importance of Records of Processing Activities
This paragraph underscores the importance of maintaining Records of Processing Activities (RoPA) as a central document in the data privacy program. It serves as a comprehensive repository of all business processes, detailing the purpose, data sources, legal bases for processing, and types of personal information involved. The RoPA is crucial for understanding the flow of personal data within the organization and is a mandatory requirement in jurisdictions like the GDPR. The paragraph explains how the RoPA aids in identifying the source and destination of data, legal bases for processing, and the specific personal data used in various processes, thereby facilitating subsequent privacy modules.
Navigating Data Privacy Agreements and Risk Assessments
The speaker discusses the role of data privacy agreements, particularly in the context of vendors and contracts. The paragraph explains the distinction between data controllers, who make decisions about data, and data processors, who act on behalf of controllers. It highlights the importance of ensuring contracts include data privacy clauses to protect the organization legally. The paragraph also introduces the concept of Privacy Impact Assessments (PIA), which aim to identify the risks associated with processing personal data and to evaluate the controls in place to mitigate those risks. The speaker emphasizes the significance of understanding and managing these aspects as part of a data privacy officer's responsibilities.
Keywords
GDPR
Data Privacy
Data Subject
Consent
Data Controller
Data Processor
Privacy Policy
Data Flow Diagram
Privacy Impact Assessment (PIA)
Records of Processing Activities
Cookie Compliance
Highlights
Introduction to a session on data privacy with a focus on GDPR implementation.
Pankaj Chavan's expertise in data privacy with over 8 years of experience across various sectors.
The importance of understanding GDPR as a buzzword and its practical implementation.
Pankaj's approach to sharing insights on data privacy gained through personal experience.
The significance of data privacy in the current global landscape, especially post-GDPR.
Career opportunities in data privacy and its projected growth over the next 5 to 8 years.
The value of obtaining certifications like CIPM for a career in data privacy.
Data privacy viewed as a subset of information security, and where the two domains differ.
The basics of data privacy focusing on the protection of personal information.
The GDPR's impact as an advanced regulation in data privacy within the European Union.
The process of conducting a gap analysis between different data privacy regulations.
Creating a global privacy handbook as a comprehensive manual for data privacy practices.
The strategy of starting with small wins in data privacy, such as cookie compliance.
The importance of records of processing activities as a central document in a privacy program.
Conducting privacy impact assessments to identify and mitigate risks associated with personal data processing.
Managing data privacy clauses in contracts and the use of data processing agreements.
The concept of data controllers and data processors in the context of data privacy regulations.
Transcripts
Hey guys, welcome to the session on Coffee with PR. Today we have a special guest, my friend Mr. Pankaj Chavan. In the past Mr. Pankaj has done sessions with us, and, you know, I was curious about how to implement GDPR, and whenever I used to have data privacy queries I reach out to a few folks, and Pankaj is one of them. So I thought the kind of information I used to get from Pankaj in my one-to-one calls, let me bring it onto this platform, so that multiple people get the benefit. When it comes to Pankaj: 8-plus years of experience in data privacy, where he was involved in consulting, products, banking, manufacturing sector, marketing and all that. As you know, data privacy is a buzzword and GDPR is basically the new thing; there are a lot of scholars using ChatGPT and AI, generating content, but what is practical GDPR, how do we practically implement it? To be frank, Pankaj, I was searching multiple videos on YouTube where I could not find how to implement GDPR apart from using a ChatGPT prompt, but I am glad that on this particular platform we got an opportunity from Mr. Pankaj Chavan, who is going to share a practical case study on how to implement GDPR from zero. Thanks Pankaj for taking out the time from a weekend; I know a weekend is something very, very busy in Dubai, and taking out the time for this community is really appreciated. Thank you.

Thank you, bro. First of all, I'm very happy to be in your session, and definitely I would like to share some insights about how data privacy is implemented internally within an organization. Like you rightly said, I have eight-plus years of experience and I have worked with multiple industries; currently I'm working within the insurance sector. So I assume you can see my screen now. On the screen you can see there are a lot of boxes and a lot of circles, and this is how the pathway of data privacy is. The idea today is that I will tell you how I started this journey as a consultant and from there how I developed my skill set on implementing the end-to-end data privacy segment. I have worked with multiple jurisdictions, GDPR being one of them; I have worked with Middle Eastern regulations, especially from Bahrain, Oman, UAE, Qatar, and then I have worked with the Singapore data protection regulation as well. I have worked extensively with GDPR because I was earlier associated with a Swedish firm. So that is how I have this idea, and the logic that I'll be telling you guys today is more about how I have implemented it when there was nothing in the organization, like from scratch I have built certain programs, and in a few organizations there were certain setups, like a privacy policy was there, and from there how I picked up to implement the end-to-end program. So the entire conversation, I guess, will be on those lines
today.

Pankaj, before we go on to discuss this GDPR, okay, you know there's one question I always ask my panelists and all the people who come to the sessions: if someone wants to make a career in data privacy, okay, so what is the future of this particular vertical?

Sure, okay. So if somebody, let's say, is willing to join this good field of data privacy, which is a boom in today's world, I also see it as a boom for at least the next 5 to eight years easily, because everywhere the global landscape has been changing, especially after GDPR, when it was launched back on 25th May 2018. After that many regulations picked up: CCPA came in, then even today we have India's privacy regulation, which is in the forefront and for which they have given a certain timeline to abide by. So we can see a lot of scholars posting about India's data privacy, DPDP. Yeah, a lot of people are posting it, which is a good thing, and it's also a good thing that the government has done from a perspective because, you know, how many telecalls we get each day and our personal data just being sold. So from that angle, if you see, it's a very important aspect. And this is, I would say, a more technical field, okay, so you don't have to worry that what I have studied so far, will that make sense. Basically my background is I am a computer engineer and I have done an MBA in marketing, and after that I jumped into data privacy, so it's like, if I can do it, anybody can do it, sort of a thing. So basically the future I see here is more towards: if you are starting new in your career, then for an analyst position probably the better way to start is to get a certification, because a certification generally will make you stand out of the entire crowd, so like C and CIPM, all those kinds of certificates. And obviously if you are at, let's say, mid-level, mid-managerial level, and you are looking for a bump into data privacy, then in that case probably your work experience along with relevant implementation of certain aspects not related to data privacy, let's say you have skills of program management, you know how to run an entire end-to-end program, you know how to convince the stakeholders, you know how to get things done, so from that perspective, even in a mid-manager position, if you get the technical skill set, let's say by certain courses, by reading certain books, if you are able to demonstrate that knowledge, that along with my program management skills I can do this, then that is also one of the things I can see which will land you on a data privacy road.
Okay, that is the case. So, you know, we say that for information security... I'm sorry, I'm going a bit off, you know, we just started the session with something else, but because this video is watched by those people who are also new to data privacy and all that: see, when we say information security, we need to know DNS, we need to know information security concepts and all that. To understand data privacy, what are the basics that are required?

So the basics are, you just need to know the regulation. Data privacy as a concept you should know. Information security is a very big concept, there are a lot of aspects, but if you see, data privacy is more focused: it's more about protecting personal information. Okay, if somebody tells you data privacy, then you should just think that it is about personal data, and then there are seven to eight modules which are associated with it. We will be discussing those seven to eight modules today, but that is just the general thought process you should have when you think about the words data privacy. So when you go into an organization it will be very easy as compared to information security.

So I call data privacy a subset of information security, because it's a very large... we can maintain privacy by information security controls only. I wouldn't say throughout, because of the requirements I'm saying. Yeah, yes, the basic ISO 27001, if you even do that, then yes, you are, I would say, more than above average people who are thinking about privacy. So when you think about privacy, think like you have to give control of the data to the person whose data it is in question; the data subject is what we call them. And when you think about information security, the control is more towards the organization: how an organization takes care of the data, what controls are put in place; they don't generally ask the data subject what we should do, it's their technological ability and all those aspects. Whereas in data privacy we have to make sure that in the decision-making process even the consent of the data subject is taken into consideration, and that is where data privacy as a domain becomes separate from information security to some extent.

Understood, that is the idea. So if you take an example of today, like we are today talking about the GDPR perspective and all that: will it give a high-level view to the people who are new to GDPR, or will this session be useful for those also who want to implement GDPR but want to know at a high level how it works actually? So can we say that this session which we're going to do today gives them a framework, and based on that they can enhance?

Yeah, yep, yes. So for someone who, let's say, doesn't have any knowledge about data privacy, yes, we will be having the conversation from those lines, and let's say somebody has brief knowledge, that okay, these are some of the things that I know, for them also it will be beneficial because we'll be seeing an in-depth analysis of how each phase has to be conducted. So this is based on my experience, my work experience, which I have been doing in my consulting firms and even in standalone organizations, so from that perspective I see it beneficial for both audiences.

Understood, no issues. So we can basically start with this aspect about what is GDPR, sorry, how GDPR is basically implemented in the organization and what is basically the
roadmap.

Yeah, sure. So for those who don't know, let's say GDPR: GDPR stands for General Data Protection Regulation. It is, you can say, kind of an advanced-level regulation in data privacy which was proposed in the European Union. The European Union consists of 28 countries. So during the last decade the proposal was made during 2012, then slowly it came into force in 2016, and in 2016 the organizations were given 2 years of timeline to comply with GDPR, that was in 2018, so by 2018 everybody had to be compliant. What makes GDPR stand out with respect to the earlier versions of data privacy regulation is that it contains more controls over how things are driven in today's technological world. The earlier regulations were more, what I can say, computerized but not that advanced, so it was more like for paper-based data also the same regulations were there, the same regulations were applicable. But in today's world, where the internet has given people closeness, globalization, the earlier regulations were more standalone to the European Union itself, but through GDPR now the control has expanded towards the entire globe. So that was kind of a major change which GDPR brought in.

Okay, so when we talk about GDPR, or let's say any data privacy program, we can keep GDPR as a reference; let's say any data privacy program in any jurisdiction, this workflow definitely will help you in achieving that. So let's say you are hired as an analyst, for example, okay, you are starting new. Now what would you do? Basically there can be two aspects to it: either an organization has a certain level of controls, or the organization is starting pretty new. So we'll take the second case, which is starting pretty new: they have nothing in place, they have just hired you as an analyst or consultant or a DPO, whatever you call it, and then it grows from there. So what will be the first thing that you will do? For me, when I go to an organization, my first question to them is: where is your business generally located and where are your customer bases? Because that becomes my starting point to do the entire analysis. Why is this important? Now when I say a certain jurisdiction, let's say if I'm working in India and my customer base and vendor base, let's say, are also in India itself, then I know that for me the prime jurisdiction I need to focus on is the data protection bill passed by India, the DPDP. Now similarly, if I am working in India but I have clients or customers in the European Union, that means I have to comply with Indian privacy law and I have to comply with European privacy law. So the first point for me would be knowing what regulations are going to come ahead, so that I can plan my entire program accordingly. That helps me to devise a perfect plan: okay, now there are two regulations, let's say in the European Union and in India, so what I would do as a first step, I'll do a gap analysis between the two regulations: what are the common items between both, and then what are the separate ones which I need to take care of only for the European Union and only for India. So that will be my first task.
I'll give an example. So when I was working here... currently I am working as the regional manager for four different countries, and the four different countries have different data privacy laws; some are sectoral laws, some are federal laws. When I say sectoral, it means a free-zone-based law, so only specific to that area, not to the entire country. So likewise, what I did: basically in an Excel, okay, in a normal Excel, I copy-pasted all the regulations. After that, you know, if you guys have seen the regulations, in a regulation there are articles; certain articles are just information-based and certain articles are ones on which you have to take certain actions. So once I have listed the entire regulation in one item, then I have selected the articles which are only actionable; obviously some ones are just definitions, right, just definitions, so those you kind of ignore. So after finding out that, okay, let's say out of 100 articles 75 are actionable and 25 are just definitions, then for these 75 articles what I do, I try to see that, okay, now if I take Oman for example, if there are 75 articles in Oman, then I will see in UAE what are the common ones, and try to club them together. So let's say 25 might be common between the two, 50 stand here, 50 stand out there; then I will try to see what are the individual gaps. So similarly, when I am working in a multi-jurisdiction kind of setup, this easily becomes my one or two months' task to identify all the articles, find out the gaps and so on. So this is my first step.

After that, what I generally have... since I have been working in this field for long, I know what my program plan will look like, but for you guys, you are starting new, so it will also be a question that, okay, now you have identified the regulation, now what is the next step? So the next step, probably, as a suggestion, I would say yes, you can make use of this PPT which we'll be showing you today; it's just two slides, nothing else. You can definitely use this, or else there are a lot of online versions available on how to do a basic data privacy program, and I'm sure you'll find similar steps in this, but this is more on the detailed side. So, framework: then what you do, let's say there are 50 control items in the framework. Even the data privacy policy, let's say a data privacy policy looks very easy, but then identification of jurisdiction is one part of that, then after that review, and first is making a privacy policy, then getting it signed either by the audit committee or relevant committees within your organization; so all these functions form a part of your framework. It is your responsibility as a DPO or analyst to see how I can drill down one particular item into multiple small items so that it becomes measurable for them. This is how, when you say, let's say, only privacy, but I have to do privacy by design, it's a very vast topic and I don't know, so I want to make it measurable. That's why I'll try to make a policy first, then I'll try to do the gap analysis, that this is the thing which we are currently doing but this is missing, then I'll try to make an assessment template on the basis of which I'll do the privacy by design assessment, and so on. So as long as you have that granularity in your framework, it will be very easy for you to map that granularity to the regulation. Okay, that is the idea. So then now we can start with the workflow, if...

Please, please, yeah, okay.
Fine. All right, so then to start, let's look at the workflow one by one. So the first part I have put as a global privacy handbook. Now obviously this will not be like a start-to-finish kind of thing; this global privacy handbook, when we say it, will be a continuous document, but let's assume, let's say, you start with this, because this privacy handbook is something like a manual for you. It's like a manual on what are the things you'll be doing, so it will incorporate your applicable regulations, it will incorporate your data privacy framework, it will incorporate your procedural documents, it will include even policies to some extent. I remember when I was working with KH Times, it was a newspaper company, I had made a 135-page global privacy handbook; it was so comprehensive, and it was very good actually, I was also very proud of myself for making it because it had very intricate details about what needs to be done and how it needs to be handled and so on. That is why, after that experience only, I have started making this a habit, to have a global privacy handbook. So the idea here is, like I said, in the first phase you identify the regulation, keep a track in the handbook, and then you identify the framework that you are going to follow. It can be anything: it can be a NIST framework, it can be the ISO 27000, 27701 framework, it can be this framework which we'll be discussing, any framework. Once you have identified it, just have it in the manual and then you try to map it. Okay, so this global privacy handbook gives you a picture that, okay, now I know what the jurisdictions are that I need to follow ahead.

After that, the first thing you will do is try to devise a policy, because now you know the jurisdiction, because you have a good idea about what the specific factors are. For example, in the European Union, international data transfer is a big question, because if you want to do it there are certain ways in which only you can do it: for example, you need to have standard contractual clauses, or there should be binding corporate rules, or there should be an approved code of conduct, and so on. There are multiple ways to do it. So your privacy policy: as long as you don't know the regulation, devising a privacy policy will be very difficult, correct? That is why that becomes our first step, and next, after identifying the jurisdiction, we devise a privacy policy. Now if you ask me whether I do a privacy policy from scratch, obviously not; I use my industry, you know. For example, currently I'm working in insurance; I'll see many insurance privacy policies, I'll see how those are developed, and then I'll try to tweak it to my needs and requirements. That is how I do it. Obviously if somebody wants to make it from scratch, that's your call, you can definitely do it, but if you want help that is fine; just please don't copy the policy as is. Make sure that you have your own agenda in it, make sure your organization's needs are catered for in that, your data subjects are catered for in that, and so on. That is how I make the policy, okay.
Now, after making this particular policy... In policies also there are multiple ways to do it. One is the data privacy policy, let's say it's sitting at the apex, okay. Either you can have a single data privacy policy, or you can have multiple short, separate policies: for example, data retention is one, privacy by design is one, how to conduct a DPIA is one, and so on. That is completely your call. I like to go with a single privacy policy where it's a smaller organization, let's say not more than 100 or 200 people. If it's a big organization, then I would like to go with the smaller ones, because it's easier to communicate the smaller ones rather than a bigger one. In a smaller organization, in one or two trainings you can let people know that, okay, these are the conditions and these are the things which we'll be following, but in a larger organization this becomes a challenge. That is why I have this habit of having a chunk of policies, and then I'll keep them on an intranet somewhere so that everybody has access, okay. So after policy-making,
the next step would be to create, to design, certain templates. So what are these templates? These templates generally will help you to know more about the business. There can be many templates: there can be a records of processing activity template, there can be a privacy impact assessment template, there can be a transfer impact assessment template if you have to transfer data from one jurisdiction to another. So this is a kind of template making, template building. Till now, if you realize, you are not depending on any other departments within your organization to create this; this you are doing wholly and solely by yourself. Because as you delve into this role, you will understand that our dependency on people is more than us doing our own task. If it was up to me, I would have finished a lot of things pretty fast, but obviously it's a group thing, it's an organization-wide thing, so we have to depend on people, and we have to respect their time as well, because not all people will be free when we want them, right? So from that aspect, whatever is possible from my end I try to create as soon as possible, and then it gives me buffer time, so that if someone is free then I can immediately start with the assessment for them, to see whether there are any risks and so on and so forth. That's why this template building is one key aspect.

Okay, after that: you have
created certain policies, you have created certain templates. Now what? Now maybe you try to see what already exists within the organization, the privacy policy being one of them, because generally people have a privacy policy. Now, why have I not focused on it before, like making it the fourth step instead of the first step? Because when you see any existing policy, your thought process becomes very streamlined to that angle, which I generally avoid. That's why what I do is I make my own privacy policy first. It doesn't take a lot of time, maybe a week or so; if I am very good with the regulations, a week or so would be good enough for me to create one. So once I have that knowledge that, okay, these are the kinds of things that should be there in my policy, then I go and see what the existing policy is, so that I can see the difference and make the changes.

So at the fourth step, what you do is you see what the existing policies are. Probably there can be a retention policy as well, there can be a training policy, there can be any number of policies. So you check, and you map them to the ones that you have created, so that if there is any gap you try to fill it. That is the idea, basically.

Once you are in this role, you'll realize that you start with small wins first, so that you also feel motivated, and at the same time the organization also feels that, yes, there is certain progress happening. Why am I saying this? Because many people see data privacy as a, what you can say, compliance department; they call it a complicated department, generally, in our world. So you don't want to showcase that we are just blocking their work, because for us data privacy is a full-time role, but for them data privacy is somewhat over and above what they do, because the controls that we need to put in, obviously that comes under organization policy and all that stuff. But you will realize that change management is one of the very key aspects of this role: making people understand certain things, making them learn, making them change the way they were doing things earlier. That is more challenging than, I think, any of the other cases. So if you are very good at communication skills, at personal development, then I think this role will be pretty easy that way, because once you have the technical knowledge this part becomes easy. But even if you have the technical knowledge and this part is challenging, then it becomes a pretty messy thing. This is what I have learned. Okay, so
once you have reviewed everything, then you move to the easy wins. For me, cookie compliance is the basic easy win. Cookie compliance obviously you can't do by yourself; you need to have certain tools for it, because cookies are generated automatically, so you can't manually manage the cookies which are going out, right? So there is software for it which is not very expensive, I could say. Probably your company might be using many of the, what do you call, software packages which generally come with the cookie-related things, so you can either enable that, or you can ask for that cookie implementation, which is better. Now, a few people might say that cookie policy and implementation can be taken up as phase two or phase three, which is also fine. Why I have kept it here is because, like I said, it's an easy win, and if you want to demonstrate something on a quicker scale this is an easy way.

A cookie policy is nothing but, as you know, whatever cookies are getting stored on the browser: certain regulations have given the idea that, yes, you can do that, but only and only if the data subject has given consent to it. That's why after GDPR you might have recognized, since the last four or five years, there are a lot of cookie banners which come up on every website, right? A lot of cookie banners where you have to allow or reject the cookies before you can even see the site. So data privacy is the reason this has come up. Okay, so that's the case. Now, once
I have done this, the next step would be that I try to either see records of processing activity, or I see privacy impact assessment. Now let's understand both of these processes in detail.

When I say records of processing activity, this activity you can call the main document, the Bible of the entire privacy program that you are running. Now, why am I saying this? What are the contents? Let's understand what the contents of records of processing activity are. The idea behind this particular document or activity is that you have comprehensive knowledge of all the business processes which are within your organization, irrespective of whether they have personal data or not. So it is a prime responsibility of a Data Protection Officer, or those who are working in the data privacy office, that this particular document is maintained. Now, in certain jurisdictions, like GDPR, this is a pretty much mandatory document, where if the regulator asks you have to present it; in certain cases it's a good-to-have kind of environment. But we will go with the idea that, yes, we have to have this document, because you will see that if you have this particular document, all the privacy modules which you are about to follow next will become very, very easy.

Okay, now let's understand what the contents of this document are. Like I said, all the business processes. For example, let's take HR. Now, HR has payroll as a process, HR has recruitment as a process, HR has performance management as a process, correct? So let's take these three processes. We will try to have these documented in the records of processing activity. Now, against each process there will be a purpose. Obviously for payroll the purpose of processing is to process the payroll of the employees; similarly, recruitment; and performance management is evaluation of employees, and so on. So we will take the purpose for each. After that, it will be like, from where is the data coming? We will try to find out the source. For the payroll data, let's say it is coming from an HRMS system, for example. So we are trying to find out the source of the data, or it can also happen that in recruitment the recruitment process itself is the source of the data. So why is this important? This is important because if we know where the data is coming from, or what the source is, it will be very easy for us to build a data flow diagram. Why a data flow diagram is important we will see further. That is where these records of processing activity come in handy: we will know the source of the data, the destination of the data, and we will know a lot of technical aspects, such as whether the data is travelling to any third country, so that gets captured in this, and whether the data has a relevant legal basis.

Now, for those who don't know what a legal basis is: in order for an organization to process personal data, there are certain legal bases which are defined in the regulation. This terminology of legal basis is common across all the jurisdictions; probably the number of legal bases might be six somewhere, and somewhere it might be only four, that is the difference. So you need to understand that for you as an organization to process personal data, it has to fall under one of the legal bases. Now, what are these legal bases? Consent is one legal basis, then legitimate interest is one legal basis, performance of a contract is one legal basis, then legal obligation is one legal basis, and so on. So, do you want me to go into the technical terms?

No, no, that's okay. We can have a next session on that, better.

Yeah, yeah, okay. So these legal bases get captured, and once the legal bases get captured, once you know the incoming and outgoing source, it also captures what kind of personal information is used. For example, in payroll it can happen that bank details are used, employee ID is used, employee email is used, and let's say their home address is used, for example. So these get captured. So now this particular document is my repository of all the business processes. For example, in my previous organization we had identified more than 230 business processes which were there; it was a big firm, so we had 230-plus processes in it, and in those 230-plus processes we tried to identify which were using personal data and which were not. So that was the first case, and then after that we tried to find the source and the destination. So once you have an idea about how and where the personal data is lying within the organization, then obviously the next steps become easy, for example
privacy impact assessment. Now, privacy impact assessment again is a technical term. In a privacy impact assessment the idea is to identify what the risks involved are if you are using personal data of a data subject: the risk involved to the data subject, not to the company, to the data subject. So for example, if you use my name and date of birth, probably the risk is pretty minimal, but if you are processing my credit card details, if you're processing my bank account, then the risk is high. Then the evaluation you are doing here is to see whether I should be processing this in the first place, and if yes, then what controls are in place, what kind of information security controls do I have at my end in order to make sure that this particular data doesn't get exposed to any unauthorized entity. So this is the type of risk you try to identify. So that is the phase.

After that you come to making a data privacy addendum, or let's say this is a kind of document which... First of all, when there are vendors involved there will be contracts, and in contracts there will be certain terms and conditions, clauses involved. Our role here is to check the existing contracts, whether data privacy clauses were accepted or not. This is a pretty easy step: you just need to see, and if it is not there, obviously you will either update that existing contract or put an addendum on top of it. The idea here is that you get contractually protected on the basis of this, so that if tomorrow something happens, let's say a breach happens at a vendor's place, then at least you had made sure that all the liability was transferred to that particular vendor. This is where the contract makes the life of a data privacy officer easy, because liability-wise it balances out both sides, okay. So again this becomes an easy win, because for managing contracts you just have to... let's say it can happen that you have a central portal where all the contracts are managed, or you have to take a list from, let's say, your vendor team, or so on. Decentralized, yeah. Okay, yeah, so that's where, that is why; and just see the context, don't go into much detail. So there are two ways to even look at it.
In one case you are the owner of the data, like you are collecting data. There are two concepts in it: one is called data controller and one is called data processor. A data controller is someone who makes decisions about the data, and a data processor you can think of as someone who doesn't have its own mind; it just acts on behalf of the data controller. Whatever the data controller says, only that way will the data processor act and give back the data. That is the idea. So when you are working as a data processor, at that time you can make a data processing agreement: that yes, if you give us the data, and if we are a vendor for you, then these are the contracts, or these are the obligations, which we will be following, and so on. We will not go into detail, but there are two kinds of documents: the data processing agreement, which will go on the processor side, and the other will be a general MSA, which is a master service agreement. So that is how it is done.

That is one of the important insights I find, because when it comes to people, they always get confused with these two types of agreement, and thanks for bringing that particular topic into the session, because that gave very good clarity. And the second important part: you talked about SCC or BCR and all that. That's also an important part which people used to, you know, not give attention to, and I have seen a lot of people get confused in that area. Thanks, thanks for bringing that point into this session.

Yes, yes, no worries.