How to Implement GDPR Part 2 :Roadmap for Implementation

00:01

[Music]

00:13

[Music]

00:15

um let me come to the next part then

00:18

I'll also again discuss in detail the

00:20

transfer impact assessment BC part so

00:23

it'll come in the next slide so that

00:25

time I'll give more brief about it

00:28

okay okay so now that you have done the

00:31

vendor side so let's now focus on the

00:33

training side okay so training so my

00:37

idea of training is to do it two ways

00:40

okay so one if you let's say take gdpr

00:44

what gdpr says that everybody in the

00:46

organization should be trained at least

00:48

once okay okay now what I will do I will

00:52

either make a if let's say I have a LMS

00:55

portal I will make a training video post

00:57

it people see it I capture the

01:00

recordings of the like who how many

01:03

people attended and so on so that I have

01:05

attendance because this is also one of

01:07

the artifact which we need to maintain

01:09

as a part of accountability standard

01:11

okay so this is one way let's say you

01:13

don't have a LMS portal so how we'll do

01:16

so at least you will have something like

01:18

teams or Zoom or something on that teams

01:20

also you can nowadays take attendance so

01:24

also I used to take it from the back end

01:25

team but now it's pretty straightforward

01:28

you can just take the so you try to

01:30

maintain this so you run two three

01:32

sessions in like one once a week twice a

01:35

week whatever and then those who are

01:37

free can Jo join in and make sure that

01:39

they have attended these are two way so

01:42

the idea here is to give them a basic

01:44

Insight that yes what is data privacy

01:46

what is a data controller processor what

01:49

are the what is records of processing

01:51

activity what is dpia and all those

01:53

things so that because the idea is that

01:56

these are the things which will be

01:58

coming towards them in some way or the

02:01

other probably in the near future when

02:04

the data privacy office thinks about

02:05

doing certain assessment or thinks about

02:07

doing certain analysis then these are

02:10

the activities so it's good that they

02:12

have knowledge about this and also for

02:14

us as a regulatory requirement it is

02:16

very necessary that everybody's trained

02:18

at least once so this is how

02:20

we okay now the next part which is in

02:24

the next slide is role Based training

02:26

okay so this is a general training then

02:28

second is a role Based training

02:30

how I approach rule-based training is I

02:32

conduct a let's say 1 hour or two hour

02:35

Workshop in which I make sure uh the

02:38

relevant business team sits let's take

02:40

the same example of HR okay so the HR

02:43

will HR team will come so there will be

02:45

two our Workshop where I'll tell them

02:47

that as a part of records of processing

02:49

activity what is uh the requirement I

02:52

have from you guys then what is a dpia

02:55

I'll try to give them a insight about

02:58

you know what is the process and how we

03:01

will help you to identify risk at the

03:03

same time we just want certain inputs

03:05

from you so the idea here is to make

03:07

people understand the concept who are

03:10

facing the business who or who are

03:13

facing the sensitive part of the

03:14

business so those who are handling lot

03:16

of personal data so HR being the one

03:19

sales team customer uh relationship team

03:22

so these are the people who generally

03:24

are face of the know data subject right

03:27

so for them we take these kind of

03:29

departments on priority and train them

03:31

in a role Based training so that they

03:33

they know that okay these are the kind

03:35

of Concepts uh we need to understand and

03:39

let me give you an example in

03:40

recruitment for

03:41

example what I had identified earlier in

03:44

recruitment um the company in one of the

03:48

company where I was working they were

03:50

keeping the resume for one year under

03:53

the pretext that um they will it might

03:56

be of help to them no it was not one

03:59

year it was around two two to 3 years

04:02

okay now what we argued that okay

04:08

even even certain person's uh you know

04:11

qualification or at least work

04:13

experience changes in two to three years

04:15

so at least try to keep it 6 months or

04:17

one year because the purpose the

04:19

underlying purpose only you are missing

04:21

out and whenever we also found out that

04:24

whenever they had a opening in the

04:26

organization they always used to post it

04:28

on LinkedIn nobody bothered visiting

04:30

that and so far because resume has lot

04:33

of personal information

04:36

we it's nightmare for us to manage kind

04:39

of data so that is where then you know

04:42

you in that um role Based training

04:45

session you try to identify that these

04:47

kind of processes which are happening

04:49

which probably I'm not saying that you

04:51

at the same time give the U know outcome

04:53

to them but at least you write it down

04:56

and do your thorough analysis and then

04:58

you can come come up with the outcome so

05:00

that is the idea of role Based training

05:02

so that you can even deliver and at the

05:04

same time take it from them that how

05:06

things are working around so that is the

05:08

logic so that was one example I wanted

05:10

to give real time so the way we have

05:13

isms trainings like you know mandatory

05:15

to have a security awareness and all

05:17

that same like when GDP requirement is

05:19

there to conduct the Privacy awareness

05:21

training right yes yes so yes it's a

05:24

non-compliance if you don't do that like

05:25

it's like it's a non-compliance so

05:29

depends on which jurisdiction you fall

05:30

into if you fall into the these

05:33

stringent ones like gdpr then yes it's a

05:36

non- compliance but if you are into

05:38

Middle East and probably it's not that

05:40

much of a know intensity right now but

05:44

in some places like Saudi Arabia

05:45

definitely in UAE it's still upcoming so

05:48

UA will grow as as soon as possible so

05:52

that is the case but my idea would be

05:54

that yes make sure that at least one

05:56

basic round of training happens so that

05:58

nobody question questions the data

06:00

privacy office

06:02

understood

06:04

okay after that uh the records of

06:07

processing activity that you make on the

06:09

basis of that you make a pi inventory

06:11

list now what is the idea of this

06:14

list

06:16

so when your organization is there there

06:20

will be certain personal information it

06:23

will be using say 20 50 100 when I was

06:27

working with TCS they had more than um

06:29

120 attributes personal attributes they

06:32

were using okay so they were taking

06:34

really good care of it because they had

06:36

an idea of how these things were

06:39

structured okay now this Pi inventory

06:42

list how it helps because you have this

06:45

Pi inventory list you can categorize

06:48

what is a personal data what is a

06:49

sensitive personal data now why these

06:52

two distinction is important so when it

06:55

comes to regulation in regulation there

06:59

is a

07:00

specific distinction between these two

07:04

processing of the data so what the

07:06

regulation tells is that if there is

07:08

some data identified as sensitive data

07:10

then you need to take extra care of it

07:13

like there should have they should have

07:15

a good Technical and organizational

07:17

measures when we say Technical and

07:18

organizational measures basically these

07:20

are all isms standards only so you have

07:23

no good encryptions uh you have data

07:26

masking in place then you have good

07:29

access control privilege access

07:30

management all these things comes under

07:32

that so why it is important because the

07:35

idea of sensitive data is um the

07:38

regulation says that it's that data that

07:41

if it gets exposed let's say

07:43

accidentally then it might cause a

07:45

considerable harm to a person so for

07:48

example if my um let's say criminal

07:52

record gets you know release out in

07:55

public I might not be very comfortable

07:57

with people will frown upon me because

07:59

of the mistakes that I have might have

08:01

done earlier or whatever it can be

08:02

whatever or it can be a false case but

08:05

it's still a criminal record because

08:07

generally in HR uh when you are joining

08:10

they do the background check and in that

08:12

we have submit the police verification

08:14

report to in some organizations for

08:16

example in that cases we need to be very

08:18

careful so for such cases so for such

08:21

places what I'll do I'll make sure that

08:24

the data either it's deleted once the

08:26

background check is done for example or

08:28

if there is a positive background check

08:31

in it let's say there was some criminal

08:33

record if you are storing it only one or

08:36

two person will have access to it and if

08:38

you have to open that account probably

08:40

you'll have to take approval from infos

08:42

team and ID team and then only you get

08:45

to accept so these kind of controls I

08:47

put in place so this is where the

08:50

identification of sensitive

08:52

and personal data comes into play where

08:56

out of 100 it can be a possibility that

08:58

10 are sensitive data then how which

09:02

first of all your um idea will be that

09:04

which all the processes let's say in my

09:06

200 processes I have so in the 200

09:09

process it can happen that 20 process

09:11

are using sensitive personal data then

09:14

my

09:15

uh program plan I will device in such a

09:19

way that when I am doing a privacy

09:21

impact assessment let's say then I will

09:23

make sure that this 20 comes first

09:26

rather than the rest because these are

09:28

more high risk kind of environment so

09:30

this is where a pi inventory list comes

09:32

handy and it's not like it's a separate

09:35

thing probably when you are doing a

09:37

records of processing activity itself

09:39

during that time only you can side by

09:40

side maintain the inventory list so that

09:43

is the idea

09:44

okay okay so this was on the first um

09:49

going ahead

09:50

then we have maintaining data inventory

09:54

basically yes maintaining is nothing but

09:56

whatever you have you have to you know

09:58

keep it updated every year so it's not

10:00

like a onetime kind of an activity so

10:02

you'll realize that most of the

10:04

activities that we do here are more

10:08

repetitive so every year or every two

10:11

years you have to uh see because for

10:13

example risk analysis you have to do it

10:16

every year uh records of processing

10:18

activity probably you will have to

10:20

update it but in order to update you

10:22

need to reach out to everyone right

10:24

because you don't reach out you will not

10:26

know what is new in the business true

10:29

so similarly uh this also you need to

10:32

maintain at a regular interval to see

10:35

maybe you can have it every two years

10:36

also that's fine but make a habit that

10:40

do it in a cyclic way after that we come

10:44

to the uh cons

10:47

policy so consent management okay so

10:50

consent

10:51

management again a very difficult um I

10:56

would say process to implement like the

10:59

name suggest people are very you know

11:02

Keen that oh consent is yeah we will

11:03

take consent from the data subject then

11:05

that's it but that is not how it works

11:08

because you see the you understand the

11:10

background of it you are taking consent

11:14

and uh you are processing the data so

11:17

the idea is that you are so well wored

11:19

with your business process that you know

11:22

each thing in and out of the business

11:24

process why because if tomorrow a

11:27

business or the data subject revokes the

11:30

consent removes their consent then that

11:33

flow should happen within your business

11:36

process so majorly that is the challenge

11:38

that how that should flow within the

11:40

business process one good way to do it

11:43

that you H have a uh consent management

11:46

tool in place which will solve most of

11:49

your queries here but uh like I said

11:53

data privacy is a very new thing so not

11:56

people don't have budget for these kind

11:58

of project but is

12:00

mandatory uh yeah in India it's

12:03

mandatory now so let's see how that will

12:05

roll out because we haven't seen yet the

12:08

implications so people will have to I

12:11

think start now the consent management

12:13

tool guys will have a good time I

12:15

believe with you know selling this

12:18

particular product so the idea is to

12:22

manage consent so tool is one part but

12:24

let's say you doing it manually now how

12:27

would you do it manually so

12:29

consider if you don't have our records

12:32

of processing activity or the data flow

12:34

thing it will be very difficult for you

12:36

right managing con because my it can

12:39

happen that HR HR is collecting all the

12:42

personal information from HR it is going

12:44

to finance department it can happen that

12:46

from finance department it is going to

12:48

operations department and not directly

12:50

from HR this is like on the sub level so

12:54

in that case it becomes very important

12:56

for me to know what is the source

12:59

and if I have this understanding of data

13:02

flow between uh within the organization

13:05

then I can even manually say that okay

13:08

that particular person has revoked the

13:10

consent so either within s days you stop

13:13

processing the data but again I

13:16

personally find it very difficult and

13:19

even I have realized that not many

13:21

organization the legal based concept

13:23

that we were discussing earlier not many

13:25

organization you use this consent as a

13:30

legal basis probably they will rely on

13:32

legitimate interest or they will rely on

13:33

performance of contract so these are the

13:35

two major ones which are used followed

13:37

by legal

13:39

obligation okay so um that is where

13:42

consent becomes very very difficult so

13:45

policy making is still easy but this

13:48

process set up the consent creation

13:50

process this is very very difficult

13:52

process so probably that is why people

13:55

keep it as a phase two or a phase three

13:57

because first phase it's always about

13:59

making sure that you have policies in

14:01

place and you have records of processing

14:03

activity if these two align with each

14:05

other then the rest things follow

14:09

easily okay then we have data subject

14:12

request policy now data subject request

14:14

is also one of a technical term you can

14:17

say so what is a data subject request so

14:21

each regulation across the globe they

14:24

have given

14:25

certain uh rights to the data subject

14:28

okay so for example right to be informed

14:31

right to have access to that data right

14:33

to delete my data right to Erasure right

14:36

to rectification and there are many

14:39

more so there are these seven eight

14:41

rights which are common which are common

14:44

in let's say all the regulation like

14:45

right to inform right to access right to

14:49

eraser these are common ones basically

14:51

there are some different on for example

14:53

gdpr has right to data

14:55

portability sorry so in right to data

15:00

portability so things will be pretty

15:03

different so it will be it means that

15:06

you have to Port the data from my

15:08

organization so for example if I'm an

15:10

insurance company if a data subject

15:12

comes tomorrow that kindly share my data

15:14

to that particular insurance company

15:16

it's my obligation to do that so that is

15:19

in gdpr so I think in India it's not

15:21

there is nowhere nothing mentioned on

15:23

right to data portability as of now okay

15:26

so yeah we were discussing on data

15:28

subject

15:29

request so lot of jurisdiction have lot

15:32

of these rights so you identify then if

15:36

basis on your jurisdiction you identify

15:38

that okay these are the my policies uh

15:41

so no so these are my jurisdiction so

15:43

what are the rights and then basis on

15:44

the rights you make a data subject

15:46

request policy so what is this policy

15:48

DSR policy is nothing but how you will

15:52

be managing the entire process of data

15:55

subject request now once data subject

15:58

comes to you what will you what will be

16:00

your step so you should know right you

16:02

should have a clear background idea

16:05

about it how would you do

16:08

it so first thing let's say you set up a

16:13

interface through which the data subject

16:15

request will come to you either it can

16:17

be via web either it can be via call

16:20

center it can be via email or it can be

16:23

through direct phone call so that um

16:26

this is so you identify as per your

16:29

business what is your key requirement

16:31

after that uh they let's say raise data

16:35

subject raises a request then your step

16:38

should be to validate whether the person

16:42

who's calling me is really my you know

16:46

is really present in my system or they

16:48

are calling on someone's behalf so that

16:50

particular setup so for that probably

16:52

you might have to take certain unique

16:54

identifier from them your system it can

16:56

be possible that email address is your

16:58

unique identifier because name can be

17:00

common but email address cannot be so

17:02

email so likewise you ask them that what

17:05

is okay then for that so and so for uh

17:07

request we need your so you valid

17:10

validate once you

17:12

validate there should be a setup in your

17:14

business process so that you know where

17:17

to go for example if I was asked to

17:20

remove um know my roke my consent on

17:24

marketing or I don't want to receive

17:26

marketing emails for example then I

17:28

should know internally that which are

17:30

the departments in which the my

17:34

particular data subjects data is Flowing

17:36

so it can either be marketing team and

17:38

it can be sales team so once I remove it

17:41

from I informed them both that kindly

17:44

remove

17:46

then I can go back to the data subject

17:48

and tell that okay from 7even Days

17:50

onwards you will not receive that

17:51

confirmation so this entire data subject

17:54

request is a big process so that is why

17:57

a policy is requ required so that these

17:59

kind of processes can be built around it

18:03

now it becomes difficult again to

18:07

manually make it work but it's not as

18:09

difficult as consent

18:11

management I have built it like in one

18:15

of the organizations from ground up the

18:17

entire DSR process and it worked well

18:19

because we had a very comprehensive

18:20

records of processing activity so that

18:23

is why it worked well okay so that is on

18:27

the DSL side then again data retention

18:31

um I have kept it separately why

18:36

because you'll realize that in a once

18:39

you start this program data deletion is

18:42

a major challenge not many organization

18:46

uh delet know data they if you ask them

18:49

they said that we have data from

18:52

inception okay so that is the case so

18:55

that is why this data retention policy

18:57

uh is important important now many

18:59

people in data retention policy also

19:01

argues that data retention is the

19:05

maximum time I need to keep or minimum

19:08

time I need to keep the data but the

19:10

regulation doesn't say that you delete

19:12

the data after retention okay what they

19:16

say that kindly retain the data for 10

19:18

years but the

19:21

idea in some regulation the explicity is

19:24

not there the exclusiveness is not there

19:26

that delete the data but at the same

19:28

time if you refer so my argument to that

19:31

is if you refer the principles of those

19:34

any uh jurisdiction or any regulation

19:37

they will say that only use the data as

19:39

long as necessary so if your retention

19:41

is done and if the principle is saying

19:44

then how can you argue that it has to be

19:46

kept you know for the latest stage so

19:49

that is generally how I try to know see

19:52

it so this was this was with when I was

19:56

working with one of the Consulting for I

19:58

had this um experience so that is why

20:01

I'm sharing it and and and you know

20:04

there is always a um documentation

20:07

process which is common across them but

20:10

they use a different names for the for

20:12

the sake of their interal business

20:13

process so how you handle that

20:15

particular issue then because see if you

20:17

take example of having this policies or

20:20

you having the setup consent forms and

20:22

all that different different companies

20:23

basically using their different

20:24

different terms MH so how you overcome

20:27

that in that case so uh

20:31

standardize see either you decide as a

20:33

privacy office that these are the

20:35

nomenclatures I'll be using or you go

20:38

ISO standard which is 27701 so probably

20:42

in that in the iso toolkit there are lot

20:45

of toolkits available these days so

20:47

whatever the documentation so you go

20:49

with that so my idea is that I keep it

20:52

simple whatever is the content is the

20:54

name basically if it's a retention it's

20:56

a retention so I don't know think about

20:59

that what should come first and last I

21:01

try to keep it as minimalistic as

21:03

possible and that is how all my

21:06

documents are well structured well

21:08

documented everything so that is one way

21:11

to look at it and I think I don't know

21:14

toolkit if infos train gives the toolkit

21:17

or not but uh there are contents which

21:21

are available online which you can refer

21:23

okay that is the case the personally I I

21:27

like one was I think it was from it

21:30

governance. I think it was a good

21:34

toolkit at least the names I'm not

21:35

saying I have used the togit but the

21:37

naming wise it was very good so the

21:40

names of the policy that you want it's

21:42

there you can refer that if you

21:45

want

21:47

okay all right so then training of role

21:50

based we discuss setting up of consent

21:53

collection we discuss then comes privacy

21:56

impact assessment for vendors so earlier

21:58

privacy impact assessment we did for

22:00

internal business processes where let's

22:03

say sensitive data was used or where we

22:05

realized that there was high risk to the

22:07

data subject now similarly we also do

22:09

wender impact assessment so when let's

22:12

say when you're on boarding uh you do a

22:15

basic information security check so at

22:17

the same time you even do the Privacy

22:18

check you either align with the both the

22:20

team or you can have it separate but my

22:22

suggestion would be align because nobody

22:25

likes to fill a two assessment it's the

22:28

boring because I get so many assessment

22:30

myself to fill as a vendor so that's why

22:35

and uh secondly U there will be lot of

22:38

existing vendors which will be there so

22:40

probably if you are starting something

22:42

program this program as a new program

22:44

then you have to do one round of check

22:47

on those people as well so that is where

22:49

you will do impact assessment so the

22:52

idea is pretty simple that you see what

22:55

kind of controls what they have agreed

22:57

in the contracts try to see whether they

23:01

are able to prove that via either

23:03

artifact so for example if they are able

23:05

to present the data privacy policy they

23:08

are able to present the confidentiality

23:10

agreement signed between them or those

23:13

who will be using the personal data so

23:15

on and so forth so there are these seven

23:17

eight ways or artifacts which you even

23:19

see it will be good enough to make a

23:23

judgment that okay particular vendor is

23:25

good enough and we can share the data

23:27

without any

23:28

so that is where the internal data

23:30

protection comes into

23:32

play then we have reach management

23:34

policy reach management again a very big

23:38

Concept in itself uh the idea here is um

23:43

we shouldn't run around when there is a

23:45

bridge there should be a proper idea in

23:47

place there should be a proper setup

23:49

which you have already deviced for

23:50

example fire fire fire yeah exactly what

23:54

kind of template you will be using to

23:56

the regulations then you should know

23:59

that if a breach happens

24:01

then the intensity of the breach so you

24:05

decide so for example 0 to 100 if let's

24:07

say 0 to 100 records of bre uh then only

24:11

inform The Regulators don't inform the

24:14

data subject if more than thousand are

24:17

B inform the data subject as well so so

24:20

on so this will be again depending upon

24:23

your organization business with

24:25

jurisdiction and that that way there is

24:27

no standard one way to go with this the

24:30

standard one way is just report in 72

24:32

hours the brid should be reported to

24:34

Regulators in 72 hours and 72 calendar

24:38

days not working days that is very

24:40

important and so this is where um the

24:46

idea of having a setup so you should

24:48

have a breach response team in place so

24:51

for example information security will be

24:53

contacted first uh the Senior Management

24:56

will be contacted will be notified about

24:58

it then the let's say it happened in

25:02

certain business process let's say HR or

25:04

marketing so marketing head or market so

25:07

we should know that these are the people

25:09

key people who will be uh involved in

25:11

this then we also decide that what will

25:13

be the kind of procedure probably it

25:15

will be cut off the system from the

25:17

entire rest of the know organization

25:21

till the time we identify whether this

25:23

bre is internal external or what it is

25:25

so um I think from information security

25:28

perspective also this is very important

25:30

that breach so infosec and data privacy

25:33

team generally work together in this

25:36

particular thing one key thing to note

25:39

here is you maintain a privacy risk

25:42

register just to make sure that you know

25:45

that what kind of breaches are happening

25:48

it doesn't necessarily have to be that

25:50

if something for example somebody have

25:53

put in the wrong password so the so sock

25:55

team will still give you an alert so

25:57

that does doesn't mean a breach so it

25:59

means gen genu so it's upon data privacy

26:03

officer to decide after looking at an

26:06

incident whether it's a breach and if

26:08

it's a breach whether it needs to be

26:10

informed to The Regulators or not okay

26:12

if record if one unauthorized access is

26:15

there we will not record this to the

26:16

regulator of course because that's

26:19

because that's waste of time similarly

26:21

if there are more than 1,000 records

26:23

getting you know exposed out in the

26:25

public so on then we need to in

26:28

that's the case the reason why I space

26:31

because in in one of the services where

26:33

I was involved in breach management and

26:36

all that so there is no policy there's

26:37

just a process and this origin is also

26:40

so initially what happened when you're

26:42

talking about uh information security

26:45

incidents and all there was no

26:46

established process we had so so from

26:50

that perspective I believe this is a

26:52

very good point that you have

26:54

raised yeah that's that's what people

26:56

you know generally Miss

26:58

out but this is very important because I

27:00

also learned from

27:02

experience that we need to be pretty

27:04

much ready before it happens it's very

27:09

difficult H okay then coming to the last

27:13

part of it privacy by Design as many

27:16

also like to call it good to have rather

27:19

than have but in if you go work in

27:22

regulations like gdpr and all data

27:25

privacy by Design is also one of the key

27:27

aspect so what is the idea here so idea

27:30

here is that when you are starting a

27:34

business process or anything related to

27:37

personal data you have to think about

27:41

protection of personal data as a first

27:44

phase and not as a last phase so let's

27:46

say you are doing

27:47

sdlc okay software development life

27:50

cycle so you know right then first is

27:52

requirement phase then design phase then

27:55

Implement then deploy and production so

27:59

they are saying that don't think about

28:00

privacy in the production phase when you

28:02

everything so think about privacy in the

28:04

requirement phase itself as early as

28:07

possible as early as possible that is

28:09

the idea so if you know as early as

28:11

possible that okay these are the things

28:14

which I need to have

28:16

then you will also think on those lines

28:20

that okay when let's say while

28:23

collecting while writing a code for

28:26

example you you will say what like when

28:28

I was working in TCS we have observed

28:30

this what people used to do the

28:32

application team who used to develop

28:34

select star and take all the data from

28:37

the table under the context that these

28:41

data might be usable in the

28:43

future but if you see our principle of

28:46

data minimization what it asks it asks

28:49

that collect only what is necessary so

28:51

this is where privacy by Design comes

28:53

very handy and we can evaluate these

28:56

kind of incidences which is happening

28:59

within the business process so this is

29:01

where then you design the template

29:03

accordingly so for application team it

29:05

will be different for businesses it will

29:06

be different for management it will be

29:08

different and so on so I mean it's a

29:10

lecture in itself so I'll not go into

29:12

detail here but just the idea is that

29:16

privacy by Design is very important and

29:18

we have to think about data privacy from

29:20

the beginning pH okay so these are the

29:24

core models which are there as a part of

29:27

uh any data privacy program you pick up

29:30

or any regulation you pick up these are

29:32

the things that that they will ask you

29:34

to do and that is what we do generally

29:37

in the Privacy program and after that

29:39

you just make sure that every month or

29:42

every quarter you have a a dashboard of

29:44

report stating that you let's say

29:47

reviewed 100 contracts in this quarter

29:49

or you did or you trained 500 people

29:53

this s so that dashboard basis on your

29:55

organization needs requirement Juris you

29:57

make and have it and then probably it is

30:01

good that you make that internal audit

30:05

done by yourself or either you hire uh I

30:09

wouldn't say hire hiring would be an

30:11

external audit but still make sure that

30:14

if you are a DPO either ask somebody

30:17

from infos team to do that particular

30:19

assessment so that there is a non-biased

30:22

audit and you'll get a better result for

30:25

it one one point I want to add here is

30:27

there is a right there is a lot of BS

30:29

word right now DP and ceso is working

30:32

together DP and ceso has a single role I

30:35

was surprised is it possible because we

30:38

need because I've seen lot of Link

30:40

profile mention de and global data

30:43

privacy officer and ciso so I was

30:45

wondering it's it's not a conflict of

30:47

interest the way we have audit audit

30:49

audit

30:50

activity I thought I will ask you this

30:53

yes so see the idea of DPO now if you

30:56

take GDP the idea of DPO is it reports

31:00

to the highest Authority in the

31:02

organization like same like inter board

31:06

of directors or C cxos that is the idea

31:10

why this is the idea it was the idea

31:13

because they didn't want any influence

31:15

at a mid manager level okay why this mid

31:19

manager level influence was not required

31:23

because while choosing let's say a

31:26

particular vendor

31:27

they will choose someone who will have

31:30

let's say influence of pricing or

31:32

probably they might have certain outcome

31:35

out of it because it it is less on their

31:37

budget though they are not taking care

31:39

of privacy it is less on that's why the

31:42

role had been designed in such a way

31:44

that the highest Authority the DP will

31:48

be reporting to only them so if you take

31:51

for example now

31:54

ciso is basically responsible let's say

31:58

in making sure what vendor they take for

32:02

let's say xdr MDR whatever you call it

32:05

uh then if they have to even hire for

32:08

penetration

32:10

testing vulnerability assessment they

32:12

will they will have their say in

32:14

selecting the vendor now that same

32:17

particular uh person cannot think on a

32:22

nonbiased way from data privacy angle

32:25

because they are the uh decision makers

32:28

so that is why the decision makers be it

32:31

any role not just C so are not generally

32:35

um taken into this dual role there are

32:39

many arguments over it that c does the

32:41

same thing and all but the decision

32:43

making power is what people generally

32:45

Miss if some role has a decision Mak

32:47

because DPO doesn't have a decision

32:49

making power exactly D only has the role

32:52

to see whether all the things are

32:55

happening as it should be okay even if

32:58

you have to hire or have a data privacy

33:02

tool it's the procurement team who

33:04

decides that what tool will come you you

33:07

give your proposal to them it's not you

33:09

who will decide that oh come to me so

33:11

that is the idea and that is why ceso

33:14

and DPO for me at least I don't see as a

33:17

thing or a role which is you know goes

33:19

hand in hand that's the case that's

33:23

great so when you done with this audit

33:25

and all that so what what is a final

33:27

report what do we have such kind of a

33:29

final report which say okay we are gdpr

33:30

compliance or we are so something like

33:32

that we call yes yes so we call it as a

33:35

DPO report generally now that DPO report

33:38

what it consists of it consists of um

33:41

the thing that first of all the

33:43

framework it will consist of your

33:44

framework it will consist of the um

33:49

obligations which were part of the

33:52

jurisdiction so let's say out of all the

33:54

four regulations might 15 were my major

33:58

obligations big chunks I that against

34:01

that I'll SP my status that okay this

34:03

are this is my status good bad or what

34:07

is that green number yellow green number

34:10

and so that one that I'll have after

34:13

that um I will then go into details that

34:16

I trained so so employees I uh managed

34:20

so and so like let's say 100 data

34:22

subject request I managed more than 100

34:25

vendors I review more than 500 contracts

34:28

I um you know eliminated or at least uh

34:34

erased or the data subject Bridge sorry

34:38

the bridge bridge so basically I worked

34:41

around the bridge 10 Bridges I worked in

34:43

a year so this is a kind of report which

34:45

gets generated on a yearly basis so this

34:49

report then goes to the management that

34:51

what the Privacy team has been doing so

34:54

far in the year that is the idea that

34:57

was a very good point because I was I

34:59

was wondering you know uh what can be

35:01

the holistic report we have and that and

35:04

that's a great point you have covered

35:05

thank you thank you so much so so on on

35:08

on this live session you know guys do

35:10

let us know shall I disturb again Mr

35:13

panach for the another privacy session

35:15

and I'm sure Pang B will be

35:17

available the best thing about this guys

35:19

is always available for the community

35:21

and giving back to the community with

35:23

the topics drills and all that and and

35:26

before we up this you know so we do we

35:28

have a review of gdpr like do we do do

35:31

we have any provision of review of these

35:32

controls and

35:34

everything review as in you need to see

35:37

what controls are there example like we

35:39

have a pcss review we have isms reviews

35:41

and all that right so do we have any

35:43

kind of a session timeline to review the

35:44

gdpr controls if actively working or not

35:47

something

35:48

or um so that review part probably when

35:52

you do the internal audit or internal

35:54

Rie is call it during that time only we

35:56

check that okay whether these control

35:58

whether these roas are working these DSS

36:00

are working understood

36:03

understood any last poter uh Pang before

36:06

we wind up this session any last pointer

36:07

you want to convey to the people who are

36:09

looking at gdpr

36:11

perspective yes uh so don't worry if

36:14

even if you are not from a legal

36:16

background because it's not a legal

36:18

background which is required just make

36:20

sure that you have a good understanding

36:22

of the regulation my suggestion be to

36:25

just go online read certain articles and

36:29

know the regulation and basis on that

36:31

try to device a program plan and like I

36:34

said try to have the spots as measurable

36:37

as possible because the the more tiny uh

36:42

you know articulation of points you will

36:45

have the more better your program will

36:46

look like so the last one I would like

36:49

to say so thanks thanks thanks FAS thank

36:52

you so much by and uh can I can I share

36:55

your LinkedIn profile in the YouTube

36:56

description box if someone want to reach

36:58

out to you for any kind of activities

37:01

yeah sure so team do let us know what is

37:04

the next topic we can discuss on data

37:05

privacy with Mr pankaj uh now I I from

37:09

this particular session I got one one

37:10

topic to be discussed in the next series

37:12

if page is available uh myth and fact

37:15

about data

37:17

privacy okay let's cover that see people

37:20

say know like on on a gunpoint you know

37:22

the we convince the people so for me the

37:24

guno is this record session definitely

37:25

you will not say no

37:27

that yeah yeah definitely but thanks

37:30

thanks M thank you so much so this is

37:32

all from ouri team and uh um if you're

37:36

new to the channel do subscribe to the

37:37

channel and click on the Bell icon to

37:39

make sure you should not miss the future

37:40

videos with the similar topics and Pang

37:43

by thank you so much for this detail

37:44

inside session I you know there were

37:46

some pointers you know which I found

37:48

very useful so I'm making a point for

37:50

that because for me also you know

37:52

getting so inside because I'm also in VC

37:54

Services sometimes so there some

37:57

question which I asked you it was asked

37:58

by my customer so I thought you know let

38:00

me ask I will use this

38:01

opportunity for it's a great

38:04

learning yeah yeah definitely definitely

38:07

but thanks M by thank you so much