How to Implement GDPR Part 2: Roadmap for Implementation
Summary
TLDR: In this informative session, the speaker discusses key aspects of a data privacy program, including training strategies for GDPR compliance, role-based training, and the importance of maintaining records of processing activities. The talk covers the necessity of privacy impact assessments for both internal processes and third-party vendors, as well as the challenges of consent management and data subject requests. The speaker emphasizes the significance of data retention policies, privacy by design, and the role of the Data Protection Officer (DPO) in ensuring compliance, concluding with insights on conducting audits and the importance of continuous review and improvement.
Takeaways
- 😀 Training is crucial for data privacy awareness and should be conducted at least once for everyone in the organization, as per GDPR requirements.
- 🎓 Utilizing a Learning Management System (LMS) portal or video conferencing tools like Teams or Zoom can facilitate training and attendance tracking for compliance.
- 👥 Role-Based training is essential for specific departments handling sensitive data, such as HR, sales, and customer relationship teams, to ensure they understand data privacy concepts and processes.
- 📝 Maintaining records of processing activities and a Personal Information (PI) inventory list helps categorize data and identify sensitive information, which is critical for compliance and risk management.
- 🔒 Technical and organizational measures should be in place for sensitive data protection, including encryption, data masking, and access control to prevent data exposure and harm to individuals.
- 🗂️ Regular updates and maintenance of data inventories and policies are necessary to adapt to changes in business processes and regulatory requirements.
- 🤝 Consent management is complex and requires a deep understanding of data flows within an organization to handle consent revocation effectively, possibly aided by a consent management tool.
- 📧 Data subject requests must be managed through a clear policy that outlines the process for handling requests such as data access, rectification, and erasure.
- 🗑️ Data retention policies should be established to determine how long data should be kept and ensure its deletion when no longer necessary, aligning with data minimization principles.
- 🛡️ Privacy Impact Assessments (PIAs) are necessary for both internal processes and vendor management to evaluate and mitigate risks associated with data processing activities.
- 🚨 Breach management policies should outline clear procedures for responding to data breaches, including notification timelines and breach response teams.
Q & A
What is the purpose of a Transfer Impact Assessment (TIA) in the context of data privacy?
- A Transfer Impact Assessment (TIA) is used to evaluate the risks associated with transferring personal data across borders, ensuring compliance with data protection regulations and assessing the adequacy of privacy protections in the recipient country or organization.
Why is training important in the context of GDPR and data privacy?
- Training is crucial because GDPR mandates that everyone in an organization should be trained at least once to ensure they understand data privacy principles, roles of data controllers and processors, and concepts like records of processing activities and Data Protection Impact Assessments (DPIAs).
What is the significance of maintaining an attendance record during training sessions for data privacy?
- Maintaining an attendance record is important as it serves as an artifact to demonstrate compliance with the accountability principle of GDPR, showing that the organization has taken steps to train its employees on data privacy.
How can organizations without an LMS portal conduct effective data privacy training?
- Organizations without an LMS portal can use platforms like Microsoft Teams or Zoom to conduct training sessions, taking advantage of their attendance tracking features to ensure that employees participate and are trained on data privacy matters.
What is the difference between general training and role-based training in data privacy?
- General training provides a basic understanding of data privacy concepts to all employees, while role-based training is tailored to the specific needs and responsibilities of different roles within the organization, such as HR or sales teams, who handle sensitive personal data.
Why is it necessary to identify and categorize personal data and sensitive personal data?
- Identifying and categorizing data is essential because regulations often distinguish between the processing of personal data and sensitive personal data, requiring additional safeguards and measures for sensitive data due to the higher risk of harm if it is compromised.
What is the role of a Data Protection Officer (DPO) in an organization?
- A DPO is responsible for overseeing the organization's data protection strategy and ensuring compliance with data privacy regulations. They report to the highest level of management and are tasked with monitoring the implementation of data privacy measures and conducting audits.
How does an organization maintain a data inventory list?
- An organization maintains a data inventory list by regularly updating it to reflect the personal data it processes, categorizing it as personal or sensitive, and ensuring it aligns with the records of processing activities. This list helps prioritize data protection efforts, especially for sensitive data.
What are the challenges in implementing a consent management process?
- Challenges in implementing consent management include understanding the data flow within the organization, preparing for situations where consent is revoked, and ensuring that the business process can adapt quickly to such changes. Additionally, creating a user-friendly and effective consent management tool can be resource-intensive.
Why is it important to have a data subject request policy?
- A data subject request policy is important because it outlines the process for handling requests from individuals about their personal data, such as accessing, modifying, or deleting it. This policy helps organizations comply with data subject rights under GDPR and other regulations.
What is the role of a privacy impact assessment for vendors?
- A privacy impact assessment for vendors evaluates the data privacy practices and controls of third-party vendors to ensure they meet the organization's standards and regulatory requirements. This assessment helps mitigate risks associated with sharing personal data with external parties.
What is the concept of Privacy by Design and why is it significant?
- Privacy by Design is a concept that emphasizes considering data privacy at the early stages of product or service development, rather than as an afterthought. It is significant because it ensures that privacy protections are embedded into the design and architecture of systems, reducing the risk of privacy breaches.
How often should an organization review its data privacy controls?
- An organization should review its data privacy controls regularly, ideally during internal audits or risk assessments, to ensure they remain effective and compliant with current regulations and best practices.
What is the role of a breach response team in managing data breaches?
- A breach response team is responsible for managing the process following a data breach, including assessing the impact, containing the breach, notifying relevant stakeholders and regulators, and implementing measures to prevent future breaches.
What is the importance of data retention policies in data privacy?
- Data retention policies are important as they define how long an organization should keep personal data, ensuring that data is not retained longer than necessary. This helps organizations comply with data minimization principles and reduces the risk of unauthorized access or breaches.
Outlines
📚 Data Privacy Training Strategies
The speaker discusses the importance of training in a data privacy context, emphasizing the need for organization-wide training at least once, as mandated by regulations like GDPR. They suggest using an LMS portal for training videos and tracking attendance, or utilizing platforms like Teams or Zoom for those without an LMS. The goal is to provide basic insights into data privacy concepts such as data controllers, processors, records of processing activities, and DPIA. The speaker also introduces the idea of role-based training for specific departments handling sensitive data, using HR as an example to explain the process and importance of understanding data privacy in their specific roles.
📋 Role-Based Training and PI Inventory List
Continuing the discussion on training, the speaker elaborates on role-based training, using a workshop format to educate relevant business teams about their specific data privacy responsibilities. They highlight the importance of understanding the processing of personal data and the identification of sensitive data. The speaker then introduces the concept of a PI (Personal Information) inventory list, which helps categorize personal and sensitive personal data, and explains its significance in aligning with regulatory requirements and risk management.
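As an added illustration (not code from the talk or the speaker) of how a PI inventory derived from the records of processing activity can drive the prioritization described above, the following Python models a handful of constructed processing records, labels each attribute as personal or sensitive, lists the processes that touch sensitive data, and orders the privacy impact assessment queue so that those processes come first. The attribute names, process names, the sensitive-attribute set and the measure lists are all assumptions made for the example, not an exhaustive legal mapping.

```python
from dataclasses import dataclass

# Attributes treated as sensitive personal data (special-category data plus
# criminal-record data, which the HR background-check example concerns).
# Constructed list for this example only.
SENSITIVE_ATTRIBUTES = {
    "health_record", "criminal_record", "police_verification_report",
    "religion", "biometric_template", "trade_union_membership",
    "ethnic_origin", "sexual_orientation", "political_opinion", "genetic_data",
}

# Baseline measures for any process handling personal data; the extras are the
# stricter controls the talk describes for sensitive data (assumed wording).
BASELINE_MEASURES = ["encryption at rest and in transit", "role-based access control"]
SENSITIVE_EXTRA_MEASURES = [
    "data masking outside production",
    "privileged access limited to named individuals, with approval to open",
    "deletion as soon as the processing purpose is fulfilled",
]


@dataclass(frozen=True)
class Process:
    name: str
    department: str
    attributes: frozenset  # personal-data attributes this process uses


def classify(attribute: str) -> str:
    """Label one attribute as 'sensitive' or 'personal'."""
    return "sensitive" if attribute in SENSITIVE_ATTRIBUTES else "personal"


def build_pi_inventory(processes):
    """Derive the PI inventory from the processing records: every attribute,
    its category, and the processes that use it."""
    inventory = {}
    for proc in processes:
        for attr in sorted(proc.attributes):
            entry = inventory.setdefault(attr, {"category": classify(attr), "processes": []})
            entry["processes"].append(proc.name)
    return inventory


def sensitive_attributes_of(proc):
    return proc.attributes & SENSITIVE_ATTRIBUTES


def sensitive_processes(processes):
    """Names of processes touching at least one sensitive attribute."""
    return [p.name for p in processes if sensitive_attributes_of(p)]


def pia_schedule(processes):
    """Order for privacy impact assessments: processes using sensitive data
    first (most sensitive attributes first), then the rest alphabetically."""
    def sort_key(p):
        n = len(sensitive_attributes_of(p))
        return (0 if n else 1, -n, p.name)
    return [p.name for p in sorted(processes, key=sort_key)]


def required_measures(proc):
    """Technical and organizational measures expected for one process."""
    measures = list(BASELINE_MEASURES)
    if sensitive_attributes_of(proc):
        measures += SENSITIVE_EXTRA_MEASURES
    return measures


def sample_processes():
    # Constructed sample processing records; not from any real organization.
    return [
        Process("Recruitment resume handling", "HR",
                frozenset({"name", "email", "phone", "work_history"})),
        Process("HR background check", "HR",
                frozenset({"name", "email", "criminal_record", "police_verification_report"})),
        Process("Payroll", "Finance", frozenset({"name", "bank_account", "salary"})),
        Process("Health insurance enrollment", "HR",
                frozenset({"name", "email", "health_record"})),
        Process("Marketing newsletter", "Marketing", frozenset({"email"})),
    ]


if __name__ == "__main__":
    procs = sample_processes()
    for attr, entry in build_pi_inventory(procs).items():
        print(f"{attr:28} {entry['category']:9} {', '.join(entry['processes'])}")
    print("PIA order:", pia_schedule(procs))
```

Because the inventory is computed from the same process records used for the records of processing activity, it stays in step with them when the records are refreshed in the yearly cycle; the sensitivity set is the one place that has to be kept aligned with the jurisdiction's definition.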
🔒 Technical and Organizational Measures for Data Protection
The speaker explains the necessity of technical and organizational measures for protecting sensitive data, as dictated by regulations. They provide examples of such measures, including good encryption practices, data masking, access control, and privilege access management. The discussion also touches on the consequences of a data breach involving sensitive data and the importance of having strict controls in place, especially in departments like HR that handle sensitive information.
🗓 Regular Updates and Maintenance in Data Privacy
The speaker stresses the importance of regularly updating and maintaining data privacy-related activities, such as risk analysis and records of processing activities. They suggest reaching out to all relevant parties to ensure that the organization is aware of any new developments in the business that may affect data privacy. The speaker also discusses the challenges of consent management and the need for a consent management tool to handle it effectively, noting that organizations often lack the budget for such projects.
🛡️ Implementing Data Subject Request Policies
The speaker outlines the process of handling data subject requests, which are rights given to individuals by data protection regulations. They discuss the creation of a data subject request policy, which includes setting up an interface for receiving requests and validating the identity of the requester. The policy should also detail the steps to be taken when a request is received, such as locating where the data subject's data is being used within the organization and ensuring compliance with the request.
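The data subject request steps above, and the consent-revocation scenario from the previous section (data collected by HR reaching Operations only via Finance), both hinge on knowing where a subject's data flows. The following Python is an added example, not the speaker's or any organization's code, that runs one request end to end: it checks the intake channel, validates the requester against the records held (using the email address as the unique identifier, as the talk suggests), walks a data-flow map derived from the records of processing activity so that indirect recipients are found, and drafts the internal notices and the reply to the subject. The departments, subject records, supported rights and the seven-day figure are constructed assumptions for the example.

```python
from collections import deque

# Constructed data-flow map: department -> departments that receive the same
# personal data from it. HR passes data to Finance, which passes it on to
# Operations, so Operations never receives it from HR directly.
DATA_FLOWS = {
    "HR": {"Finance", "Marketing"},
    "Finance": {"Operations"},
    "Marketing": {"Sales"},
    "Operations": set(),
    "Sales": set(),
}

# Constructed subject records keyed by email (the unique identifier).
# "entry_points" are the departments that originally collected the data.
SUBJECTS = {
    "a.khan@example.com": {"name": "A. Khan", "entry_points": {"HR"}},
    "b.lee@example.com": {"name": "B. Lee", "entry_points": {"Marketing"}},
}

# Rights the policy covers, intake channels, and the response window the talk's
# example uses (assumed value for this example).
SUPPORTED_RIGHTS = {"access", "rectification", "erasure", "portability", "stop_marketing"}
CHANNELS = {"web", "call_center", "email", "phone"}
RESPONSE_DAYS = 7


def validate_requester(email: str, claimed_name: str) -> bool:
    """Confirm the requester matches a record we actually hold. Placeholder
    check for the example: a real intake would verify identity more strongly
    than a name match against the email record."""
    record = SUBJECTS.get(email.strip().lower())
    return record is not None and record["name"].casefold() == claimed_name.strip().casefold()


def affected_departments(entry_points):
    """Breadth-first walk of the data-flow map so indirect recipients are found."""
    seen = set()
    queue = deque(entry_points)
    while queue:
        dept = queue.popleft()
        if dept in seen:
            continue
        seen.add(dept)
        queue.extend(DATA_FLOWS.get(dept, set()))
    return sorted(seen)


def handle_request(email, claimed_name, right, channel):
    """Run one DSR: intake channel, identity validation, locate every department
    holding the subject's data, then draft internal notices and the reply."""
    if channel not in CHANNELS:
        raise ValueError(f"unknown intake channel: {channel}")
    if right not in SUPPORTED_RIGHTS:
        raise ValueError(f"right not covered by policy: {right}")
    if not validate_requester(email, claimed_name):
        return {"status": "rejected", "reason": "requester identity not validated"}
    key = email.strip().lower()
    departments = affected_departments(SUBJECTS[key]["entry_points"])
    notices = [f"To {dept}: apply '{right}' for subject {key} (received via {channel})"
               for dept in departments]
    reply = (f"Your {right} request has been validated and passed to the teams "
             f"holding your data; it takes effect within {RESPONSE_DAYS} days.")
    return {"status": "accepted", "departments": departments,
            "notices": notices, "reply": reply}


if __name__ == "__main__":
    result = handle_request("a.khan@example.com", "A. Khan", "erasure", "email")
    for line in result["notices"]:
        print(line)
    print(result["reply"])
```

The same `affected_departments` walk serves a manual consent revocation: given the department that collected the data, it yields every team that must stop processing, which is exactly the piece that is missing when an organization has no records of processing activity or data-flow map to start from.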
🗑️ Data Retention and Deletion Challenges
The speaker addresses the challenges of data retention and deletion, emphasizing that organizations often struggle with data deletion due to long-standing data retention policies. They discuss the importance of having a data retention policy that aligns with regulatory principles of data minimization and necessity. The speaker also shares personal experiences and insights on how to approach data retention and deletion effectively.
🔄 Continuous Improvement in Data Privacy Practices
The speaker talks about the iterative nature of data privacy practices, suggesting that organizations should regularly review their policies and processes. They mention the importance of having a privacy risk register to track incidents and assess whether they constitute a breach. The speaker also highlights the role of the data privacy officer in deciding the severity of incidents and the necessity of reporting them to regulators.
🛡️ Privacy by Design and Its Integration in Business Processes
The speaker discusses the concept of 'Privacy by Design,' which involves considering data privacy from the earliest stages of business process development. They argue against treating privacy as an afterthought and instead advocate for integrating privacy considerations into every phase of processes like the software development life cycle. The speaker provides examples of how this can be implemented and the benefits of doing so.
🏢 The Role of DPO and the Importance of Non-Biased Audits
The speaker explores the role of the Data Protection Officer (DPO) and the potential conflicts of interest that can arise when the DPO also holds a decision-making role, such as a C-level position. They emphasize the DPO's responsibility to report to the highest authority in the organization to ensure unbiased oversight of data privacy practices. The speaker also discusses the importance of regular audits, suggesting that these should be conducted by parties other than the DPO to maintain objectivity.
📊 Yearly DPO Reporting and Continuous Learning
The speaker concludes by discussing the annual DPO report, which summarizes the activities and achievements of the data privacy team over the year. They mention the importance of this report for demonstrating compliance and providing a clear overview of the organization's data privacy efforts. The speaker also encourages continuous learning and adaptation in the field of data privacy, emphasizing the need for regular reviews and updates to stay current with regulatory requirements.
Keywords
💡Data Privacy
💡GDPR
💡Training
💡LMS Portal
💡Data Controller
💡Data Processor
💡Records of Processing Activity
💡DPIA
💡Consent Management
💡Data Subject Request
💡Privacy by Design
Highlights
Importance of training for data privacy, emphasizing GDPR's requirement for organization-wide training.
Utilization of LMS portals for training and maintaining attendance records for accountability.
Adapting training methods for organizations without LMS, using platforms like Teams or Zoom for attendance tracking.
Conducting role-based training to provide insights into data privacy roles and responsibilities.
The necessity of understanding data privacy concepts like data controllers, processors, and DPIA for business teams.
Identifying and addressing data handling issues in recruitment processes as an example of role-based training.
The significance of Privacy Awareness Training as a regulatory requirement and its importance in avoiding non-compliance.
Creating a PI (Personal Information) inventory list to categorize personal and sensitive data for better management.
Differentiating between personal and sensitive data to ensure appropriate technical and organizational measures are in place.
The challenge of maintaining updated data inventories and the importance of regular cyclic reviews.
The complexities of implementing consent management and the need for a thorough understanding of business processes.
The preference for legal bases like legitimate interest and performance of a contract over consent due to its difficulty.
Establishing a Data Subject Request (DSR) policy to manage rights like access, erasure, and rectification.
The importance of data retention policies and the challenge of data deletion in organizations.
The role of Privacy Impact Assessments (PIA) for vendors to ensure data protection standards are met.
The concept of breach management policy, detailing procedures for response and communication in case of a breach.
Privacy by Design as a core aspect of data privacy, emphasizing the integration of privacy considerations from the early stages of business processes.
The role of a Data Protection Officer (DPO) in ensuring unbiased oversight and reporting to the highest authority within an organization.
The annual DPO report as a comprehensive overview of an organization's data privacy activities and compliance status.
Transcripts
Let me come to the next part. I'll also again discuss the transfer impact assessment part in detail; it'll come in the next slide, so at that time I'll give more of a brief about it.

Okay, so now that you have done the vendor side, let's now focus on the training side. My idea of training is to do it two ways. One, if you take GDPR, what GDPR says is that everybody in the organization should be trained at least once. Now, what I will do: if, let's say, I have an LMS portal, I will make a training video, post it, people see it, and I capture the recordings of who and how many people attended and so on, so that I have attendance, because this is also one of the artifacts which we need to maintain as a part of the accountability standard. So this is one way.

Let's say you don't have an LMS portal, so how will we do it? At least you will have something like Teams or Zoom, and on Teams also you can nowadays take attendance. Earlier I used to take it from the back-end team, but now it's pretty straightforward, you can just take it. So you try to maintain this: you run two or three sessions, once a week, twice a week, whatever, and then those who are free can join in, and you make sure that they have attended. These are the two ways.

The idea here is to give them a basic insight: what is data privacy, what is a data controller and processor, what is records of processing activity, what is a DPIA, and all those things, because these are the things which will be coming towards them in some way or the other, probably in the near future, when the data privacy office thinks about doing certain assessments or certain analysis. So it's good that they have knowledge about this, and also for us, as a regulatory requirement, it is very necessary that everybody's trained at least once. So this is how
we do it.

Okay, now the next part, which is in the next slide, is role-based training. So that was a general training; the second is role-based training. How I approach role-based training is that I conduct, let's say, a one-hour or two-hour workshop in which I make sure the relevant business team sits. Let's take the same example of HR. So the HR team will come, and there will be a two-hour workshop where I'll tell them, as a part of records of processing activity, what the requirement is that I have from you guys; then what a DPIA is. I'll try to give them an insight about what the process is and how we will help you to identify risk, and at the same time we just want certain inputs from you. So the idea here is to make people understand the concepts, the people who are facing the business, or who are facing the sensitive part of the business, those who are handling a lot of personal data: HR being one, the sales team, the customer relationship team. These are the people who generally are the face towards the data subject, right? So we take these kinds of departments on priority and train them in a role-based training, so that they know, okay, these are the kinds of concepts we need to understand.

Let me give you an example in recruitment. What I had identified earlier in recruitment: in one of the companies where I was working, they were keeping the resumes for one year under the pretext that it might be of help to them. No, it was not one year, it was around two to three years. Now what we argued was that even a certain person's qualification, or at least work experience, changes in two to three years, so at least try to keep it for six months or one year, because you are missing out on the underlying purpose. And we also found out that whenever they had an opening in the organization they always used to post it on LinkedIn; nobody bothered visiting that. And because a resume has a lot of personal information, it's a nightmare for us to manage that kind of data. So that is where, in that role-based training session, you try to identify these kinds of processes which are happening. I'm not saying that you give the outcome to them at the same time, but at least you write it down, do your thorough analysis, and then you can come up with the outcome. So that is the idea of role-based training: you can deliver, and at the same time take it from them how things are working around. So that is the logic. That was one example I wanted to give, real time.

So the way we have ISMS trainings, like it's mandatory to have security awareness and all that, the same way, when the GDPR requirement is there to conduct the privacy awareness training, right?

Yes, yes. So yes, it's a non-compliance if you don't do that. It depends on which jurisdiction you fall into. If you fall into the stringent ones like GDPR, then yes, it's a non-compliance, but if you are in the Middle East, probably it's not that much of an intensity right now, but in some places like Saudi Arabia, definitely, and in the UAE it's still upcoming, so the UAE will grow as soon as possible. So that is the case, but my idea would be that, yes, make sure that at least one basic round of training happens so that nobody questions the data privacy office.

Understood.
Okay, after that, on the basis of the records of processing activity that you make, you make a PI inventory list. Now what is the idea of this list? When your organization is there, there will be certain personal information it will be using, say 20, 50, 100. When I was working with TCS they had more than 120 personal attributes they were using, and they were taking really good care of it because they had an idea of how these things were structured.

Now this PI inventory list, how does it help? Because you have this PI inventory list, you can categorize what is personal data and what is sensitive personal data. Now why is this distinction between the two important? When it comes to regulation, in regulation there is a specific distinction between the processing of these two kinds of data. What the regulation tells us is that if there is some data identified as sensitive data, then you need to take extra care of it; there should be good technical and organizational measures. When we say technical and organizational measures, basically these are all ISMS standards only: you have good encryption, you have data masking in place, then you have good access control, privileged access management, all these things come under that.

So why is it important? Because the idea of sensitive data, as the regulation says, is that it's data that, if it gets exposed, let's say accidentally, might cause considerable harm to a person. For example, if my criminal record gets released out in public I might not be very comfortable with it; people will frown upon me because of the mistakes that I might have made earlier, or whatever it can be, or it can be a false case, but it's still a criminal record. Generally in HR, when you are joining, they do the background check, and in that we have to submit the police verification report in some organizations, for example. In those cases we need to be very careful. So for such places, what I'll do is I'll make sure that the data is either deleted once the background check is done, for example, or if there is a positive background check, let's say there was some criminal record, if you are storing it only one or two persons will have access to it, and if you have to open that account, probably you'll have to take approval from the infosec team and the IT team, and then only you get access. So these kinds of controls I put in place.

So this is where the identification of sensitive and personal data comes into play: out of 100, it can be a possibility that 10 are sensitive data. Then first of all your idea will be, which are all the processes? Let's say I have 200 processes. In the 200 processes it can happen that 20 processes are using sensitive personal data. Then I will devise my program plan in such a way that when I am doing a privacy impact assessment, let's say, I will make sure that these 20 come first rather than the rest, because these are more of a high-risk kind of environment. So this is where a PI inventory list comes in handy. And it's not like it's a separate thing; probably when you are doing the records of processing activity itself, during that time only you can side by side maintain the inventory list. So that is the idea.

Okay, so this was on the first part. Going ahead,
then we have maintaining the data inventory. Basically, maintaining is nothing but whatever you have, you have to keep it updated every year, so it's not like a one-time kind of activity. You'll realize that most of the activities that we do here are more repetitive, so every year or every two years you have to see, because for example risk analysis you have to do every year; records of processing activity probably you will have to update, but in order to update you need to reach out to everyone, right? Because if you don't reach out you will not know what is new in the business.

True.

So similarly, this also you need to maintain at a regular interval. Maybe you can have it every two years also, that's fine, but make it a habit to do it in a cyclic way.

After that we come to the consent policy, so consent management. Consent management is again a very difficult process to implement, I would say. Like the name suggests, people are very keen: "oh, consent, yeah, we will take consent from the data subject, then that's it." But that is not how it works, because you see, you understand the background of it: you are taking consent and you are processing the data. So the idea is that you are so well versed with your business process that you know each thing in and out of the business process. Why? Because if tomorrow the data subject revokes the consent, removes their consent, then that flow should happen within your business process. So majorly that is the challenge: how that should flow within the business process. One good way to do it is that you have a consent management tool in place, which will solve most of your queries here. But, like I said, data privacy is a very new thing, so people don't have budget for these kinds of projects, but it is mandatory. Yeah, in India it's mandatory now, so let's see how that will roll out, because we haven't seen the implications yet. So people will have to, I think, start now; the consent management tool guys will have a good time, I believe, selling this particular product.

So the idea is to manage consent. A tool is one part, but let's say you are doing it manually; now how would you do it manually? Consider: if you don't have your records of processing activity or the data flow thing, it will be very difficult for you, right, managing consent, because it can happen that HR is collecting all the personal information, from HR it is going to the finance department, and it can happen that from the finance department it is going to the operations department, and not directly from HR; this is like on the sub-level. So in that case it becomes very important for me to know what the source is, and if I have this understanding of the data flow within the organization, then I can even manually say that, okay, that particular person has revoked the consent, so within seven days you stop processing the data. But again, I personally find it very difficult, and I have realized that not many organizations use consent as a legal basis (the legal basis concept that we were discussing earlier); probably they will rely on legitimate interest or they will rely on performance of a contract. So these are the two major ones which are used, followed by legal obligation. So that is where consent becomes very, very difficult. Policy making is still easy, but this process setup, the consent creation process, is a very, very difficult process, so probably that is why people keep it as a phase two or a phase three, because the first phase is always about making sure that you have policies in place and you have records of processing activity. If these two align with each other then the rest of the things follow
easily.

Okay, then we have the data subject request policy. Now data subject request is also one of the technical terms, you can say. So what is a data subject request? Each regulation across the globe has given certain rights to the data subject. So for example: right to be informed, right to have access to that data, right to delete my data, right to erasure, right to rectification, and there are many more. So there are these seven or eight rights which are common in, let's say, all the regulations, like right to be informed, right to access, right to erasure; these are the common ones. Basically there are some different ones; for example, GDPR has the right to data portability. In the right to data portability things will be pretty different: it means that you have to port the data from my organization. So for example, if I'm an insurance company and a data subject comes tomorrow and says kindly share my data with that particular insurance company, it's my obligation to do that. So that is in GDPR. I think in India there is nothing mentioned on the right to data portability as of now.

Okay, so yeah, we were discussing data subject requests. A lot of jurisdictions have a lot of these rights, so you identify, based on your jurisdiction, that okay, these are my jurisdictions, what are the rights, and then based on the rights you make a data subject request policy. So what is this policy? A DSR policy is nothing but how you will be managing the entire process of data subject requests. Now once a data subject comes to you, what will be your steps? You should know, right? You should have a clear background idea about how you would do it.

So the first thing: let's say you set up an interface through which the data subject request will come to you. Either it can be via web, via a call center, via email, or through a direct phone call. So you identify, as per your business, what your key requirement is. After that, let's say a data subject raises a request; then your step should be to validate whether the person who's calling me is really present in my system, or whether they are calling on someone's behalf. So for that particular setup, probably you might have to take a certain unique identifier from them for your system. It can be possible that the email address is your unique identifier, because a name can be common but an email address cannot be. So likewise, you ask them, okay, for so-and-so request we need your so-and-so. So you validate. Once you validate, there should be a setup in your business process so that you know where to go. For example, if I was asked to revoke my consent on marketing, or I don't want to receive marketing emails, for example, then I should know internally which departments that particular data subject's data is flowing in. So it can either be the marketing team or it can be the sales team. So I inform them both that kindly remove it, and then I can go back to the data subject and tell them that okay, from seven days onwards you will not receive that; that confirmation. So this entire data subject request is a big process, and that is why a policy is required, so that these kinds of processes can be built around it. Now it becomes difficult again to manually make it work, but it's not as difficult as consent management. I have built it, in one of the organizations, from the ground up, the entire DSR process, and it worked well because we had a very comprehensive records of processing activity. So that is why it worked well. Okay, so that is on the DSR side.

Then again, data retention.
um I have kept it separately why
because you'll realize that in a once
you start this program data deletion is
a major challenge not many organization
uh delet know data they if you ask them
they said that we have data from
inception okay so that is the case so
that is why this data retention policy
uh is important important now many
people in data retention policy also
argues that data retention is the
maximum time I need to keep or minimum
time I need to keep the data but the
regulation doesn't say that you delete
the data after retention okay what they
say that kindly retain the data for 10
years but the
idea in some regulation the explicity is
not there the exclusiveness is not there
that delete the data but at the same
time if you refer so my argument to that
is if you refer the principles of those
any uh jurisdiction or any regulation
they will say that only use the data as
long as necessary so if your retention
is done and if the principle is saying
then how can you argue that it has to be
kept you know for the latest stage so
that is generally how I try to know see
it so this was this was with when I was
working with one of the Consulting for I
had this um experience so that is why
I'm sharing it and and and you know
there is always a um documentation
process which is common across them but
they use a different names for the for
the sake of their interal business
process so how you handle that
particular issue then because see if you
take example of having this policies or
you having the setup consent forms and
all that different different companies
basically using their different
different terms MH so how you overcome
that in that case so uh
standardize see either you decide as a
privacy office that these are the
nomenclatures I'll be using or you go
ISO standard which is 27701 so probably
in that in the iso toolkit there are lot
of toolkits available these days so
whatever the documentation so you go
with that so my idea is that I keep it
simple whatever is the content is the
name basically if it's a retention it's
a retention so I don't know think about
that what should come first and last I
try to keep it as minimalistic as
possible and that is how all my
documents are well structured well
documented everything so that is one way
to look at it and I think I don't know
toolkit if infos train gives the toolkit
or not but uh there are contents which
are available online which you can refer
okay that is the case the personally I I
like one was I think it was from it
governance. I think it was a good
toolkit at least the names I'm not
saying I have used the togit but the
naming wise it was very good so the
names of the policy that you want it's
there you can refer that if you
want
Okay, all right. So then, role-based training we discussed, setting up consent collection we discussed, then comes privacy impact assessment for vendors. Earlier, privacy impact assessment we did for internal business processes where, let's say, sensitive data was used, or where we realized that there was high risk to the data subject. Now similarly we also do a vendor impact assessment. So when, let's say, you're onboarding, you do a basic information security check; at the same time you even do the privacy check. You can either align with both teams or you can have it separate, but my suggestion would be to align, because nobody likes to fill in two assessments; it's boring, because I get so many assessments myself to fill in as a vendor. And secondly, there will be a lot of existing vendors, so probably if you are starting this program as a new program, then you have to do one round of checks on those people as well. So that is where you will do the impact assessment. The idea is pretty simple: you see what kind of controls they have agreed to in the contracts, and try to see whether they are able to prove that via artifacts. For example, whether they are able to present the data privacy policy, whether they are able to present the confidentiality agreement signed between them and those who will be using the personal data, and so on and so forth. So there are these seven or eight ways or artifacts which, if you even see them, will be good enough to make a judgment that okay, this particular vendor is good enough and we can share the data without any... So that is where the internal data protection comes into play. Then we have breach management
policy. Breach management is again a very big concept in itself. The idea here is that we shouldn't run around when there is a breach; there should be a proper idea in place, a proper setup which you have already devised, for example like a fire drill. Yeah, exactly. What kind of template you will be using for the regulations; then you should know, if a breach happens, the intensity of the breach. So you decide, for example: if let's say 0 to 100 records are breached, then only inform the regulators, don't inform the data subject; if more than a thousand are breached, inform the data subject as well, and so on. So this will again depend upon your organization, business and jurisdiction, and that way there is no standard one way to go with this. The standard one way is just: report in 72 hours. The breach should be reported to the regulators in 72 hours, and 72 calendar days, not working days; that is very important. So this is where the idea of having a setup comes in: you should have a breach response team in place. For example, information security will be contacted first, the senior management will be notified about it, then, let's say it happened in a certain business process, let's say HR or marketing, so the marketing head. We should know that these are the key people who will be involved in this. Then we also decide what kind of procedure it will be; probably it will be to cut off the system from the rest of the organization till the time we identify whether this breach is internal, external, or whatever it is. So I think from an information security perspective also this is very important, so infosec and the data privacy team generally work together in this particular thing.

One key thing to note here is that you maintain a privacy risk register, just to make sure that you know what kind of breaches are happening. It doesn't necessarily have to be that if, for example, somebody has put in the wrong password, the SOC team will still give you an alert, but that doesn't mean a breach. So it's upon the data privacy officer to decide, after looking at an incident, whether it's a breach, and if it's a breach, whether it needs to be reported to the regulators or not. If one unauthorized access is there, we will not report this to the regulator, of course, because that's a waste of time. Similarly, if there are more than 1,000 records getting exposed out in the public, then we need to...

That's the case. The reason why I say this is because in one of the services where I was involved in breach management and all that, there was no policy, there was just a process, and this origin is also... So initially, when you're talking about information security incidents and all, there was no established process we had. So from that perspective I believe this is a very good point that you have raised.

Yeah, that's what people generally miss out, but this is very important, because I also learned from experience that we need to be pretty much ready before it happens; otherwise it's very difficult. Okay, then coming to the last
part of it: privacy by design. Many also like to call it good to have rather than must have, but if you work in regulations like GDPR and all, data privacy by design is also one of the key aspects. So what is the idea here? The idea is that when you are starting a business process or anything related to personal data, you have to think about protection of personal data as a first phase and not as a last phase. So let's say you are doing SDLC, software development life cycle. You know, first is the requirement phase, then the design phase, then implement, then deploy and production. They are saying: don't think about privacy in the production phase when everything is done; think about privacy in the requirement phase itself, as early as possible, as early as possible. That is the idea. If you know as early as possible that these are the things which I need to have, then you will also think on those lines when, let's say, collecting, or while writing code. For example, when I was working in TCS we observed this: what the application team who used to develop would do is select star and take all the data from the table, under the assumption that this data might be usable in the future. But if you see our principle of data minimization, what it asks is: collect only what is necessary. So this is where privacy by design comes in very handy and we can evaluate these kinds of incidents which are happening within the business process. So this is where you design the template accordingly: for the application team it will be different, for businesses it will be different, for management it will be different, and so on. I mean, it's a lecture in itself, so I'll not go into detail here, but the idea is that privacy by design is very important and we have to think about data privacy from the beginning phase.

Okay, so these are the core modules which are there as a part of any data privacy program you pick up or any regulation you pick up; these are the things that they will ask you to do, and that is what we do generally in the privacy program. After that, you just make sure that every month or every quarter you have a dashboard or report stating that, let's say, you reviewed 100 contracts in this quarter, or you trained 500 people, and so on. That dashboard you make based on your organization's needs, requirements and jurisdiction, and have it. Then probably it is good that you get an internal audit done, either by yourself or... I wouldn't say hire; hiring would be an external audit. But still, make sure that if you are a DPO you ask somebody from the infosec team to do that particular assessment, so that there is a non-biased audit and you'll get a better result from it.

One point I want to add here: there is a lot of buzz right now that the DPO and CISO work together, that DPO and CISO is a single role. I was surprised: is it possible? Because I've seen a lot of LinkedIn profiles mention DPO and Global Data Privacy Officer and CISO, so I was wondering, isn't it a conflict of interest, the way we have it in audit activity? I thought I would ask you this.
Yes. So see, the idea of the DPO, if you take GDPR, is that it reports to the highest authority in the organization, like the board of directors or the CXOs. Why is this the idea? It was the idea because they didn't want any influence at a mid-manager level. Why was this mid-manager-level influence not required? Because while choosing, let's say, a particular vendor, they will choose someone who will have, let's say, influence on pricing, or probably they might have a certain outcome out of it because it is less on their budget, though they are not taking care of privacy. That's why the role has been designed in such a way that the DPO will be reporting only to the highest authority. So if you take, for example, the CISO is basically responsible, let's say, for making sure what vendor they take for XDR, MDR, whatever you call it; then if they have to hire for penetration testing or vulnerability assessment, they will have their say in selecting the vendor. Now that same particular person cannot think in a non-biased way from the data privacy angle, because they are the decision makers. So that is why the decision makers, be it any role, not just CISO, are not generally taken into this dual role. There are many arguments over it that the CISO does the same thing and all, but the decision-making power is what people generally miss. If some role has decision-making power... because the DPO doesn't have decision-making power. Exactly. The DPO only has the role to see whether all the things are happening as they should be. Even if you have to hire or have a data privacy tool, it's the procurement team who decides what tool will come; you give your proposal to them, it's not you who will decide that, oh, this comes to me. So that is the idea, and that is why CISO and DPO, for me at least, I don't see as a thing or a role which goes hand in hand. That's the case. That's
great. So when you are done with this audit and all that, what is the final report? Do we have such a kind of final report which says, okay, we are GDPR compliant, or something like that?

Yes, yes. So we call it a DPO report generally. Now what does that DPO report consist of? First of all, the framework: it will consist of your framework, it will consist of the obligations which were part of the jurisdiction. So let's say out of all the four regulations, maybe 15 were my major obligations, big chunks; against that I'll specify my status, that this is my status, good, bad, or whatever it is, with a green number or a yellow number. So that is one thing I'll have. After that I will then go into details: I trained so many employees, I managed so-and-so, let's say 100 data subject requests, I managed more than 100 vendors, I reviewed more than 500 contracts, I eliminated, or at least erased... the data subject breach, sorry, the breaches. So basically I worked around the breaches, 10 breaches I worked on in a year. So this is the kind of report which gets generated on a yearly basis, and this report then goes to the management, saying what the privacy team has been doing so far in the year. That is the idea.

That was a very good point, because I was wondering what the holistic report we have can be, and that's a great point you have covered. Thank you, thank you so much. So on this live session, you know, guys, do let us know: shall I disturb Mr Pankaj again for another privacy session? And I'm sure Pankaj will be available; the best thing about this guy is he is always available for the community and giving back to the community with the topics, drills and all that. And before we wrap this up, you know, do we have a review of GDPR, like do we have any provision for review of these controls and everything? Review as in you need to see what controls are there; for example we have a PCI DSS review, we have ISMS reviews and all that, right? So do we have any kind of a session timeline to review whether the GDPR controls are actively working or not, or something?

So that review part, probably when you do the internal audit, or internal review, call it, during that time only we check whether these controls, whether these RoPAs are working, these DSRs are working.

Understood, understood. Any last pointer, Pankaj, before we wind up this session? Any last pointer you want to convey to the people who are looking at it from a GDPR perspective?

Yes. So don't worry even if you are not from a legal background, because it's not a legal background which is required. Just make sure that you have a good understanding of the regulation. My suggestion would be to just go online, read certain articles and know the regulation, and based on that try to devise a program plan. And like I said, try to have the points as measurable as possible, because the more fine-grained articulation of points you will have, the better your program will look. So that's the last thing I would like to say.

Thanks, thanks, thanks, thank you so much, bye. And can I share your LinkedIn profile in the YouTube description box, if someone wants to reach out to you for any kind of activities? Yeah, sure. So team, do let us know what the next topic is we can discuss on data privacy with Mr Pankaj. Now, from this particular session I got one topic to be discussed in the next series, if Pankaj is available: myths and facts about data privacy. Okay, let's cover that. See, people say, like, at gunpoint we convince the people; so for me the gunpoint is this recorded session, definitely you will not say no to that. Yeah, yeah, definitely. But thanks, Pankaj, thank you so much. So this is all from our team, and if you're new to the channel, do subscribe to the channel and click on the bell icon to make sure you do not miss the future videos on similar topics. And Pankaj, thank you so much for this detailed, insightful session. There were some pointers which I found very useful, so I'm making a point of that, because for me also, getting such insight, because I'm also in VC services sometimes, so there were some questions which I asked you that were asked by my customers, so I thought, let me use this opportunity. It's great learning. Yeah, yeah, definitely, definitely. But thanks, Pankaj, thank you so much.