24-11-2023 1
Agenda
1. Introduction to Data Privacy
- What is data privacy
- Privacy laws around the globe
- DPDPA Journey
2. Understanding the New Indian DPDPA 2023
- Objectives
- Principles of DPDPA
- Applicability
- Rights & Duties of Individuals
- Principals
- Legal implications/penalties
3. A practical approach to DPDPA compliance
- Personal data Inventory
- DPIA
- Risk treatment
What are the 3 types of privacy?
- Physical privacy (for instance, being frisked at airport security or giving a bodily sample for medical reasons)
- Surveillance (where your identity can't be proved or information isn't recorded)
- Information privacy (how your personal information is handled)
Privacy is the right to be let alone, or freedom from interference or intrusion. It can also mean the ability to seclude oneself or information about oneself.
What is data privacy?
All organizations collect, process, store, and share customer, vendor, and employee data, and this data often contains sensitive information that must be protected from unauthorized access.
- The term Personal Information (PI) encompasses any information about a living individual, regardless of whether it allows them to be distinguished from another individual. Examples: IP address, photographs.
- The term Personally Identifiable Information (PII) refers to information that can be used to identify a person, such as their name, social security number, and biometrics. It identifies an individual either alone or in combination with other identifying information linked to the individual, for example their date of birth or place of birth.
- In addition to PII, Sensitive Personal Information (SPI) must be handled with greater care, as its exposure could result in considerable financial or personal harm to the individual involved.
- Protected Health Information (PHI) is PII that has been linked to a health record. It is one type of sensitive information governed by US regulation, the Health Insurance Portability and Accountability Act (HIPAA). Healthcare providers, health plans and insurers, healthcare clearinghouses, and businesses associated with health care organizations are required to comply with the law. Example: health plan beneficiary numbers.
Privacy laws around the globe
India ranked third worst for data privacy in a global surveillance index. Only Russia and China ranked worse than India in terms of privacy and online surveillance, according to a study conducted by the UK-based research firm Comparitech.
Switzerland. Switzerland has guaranteed its citizens the right to privacy under its constitution and enacted regulations. The Swiss Federal Data Protection Act (DPA) prohibits processing of personal data without the consent of the individual the data relates to.
GDPR and DPDPA - the similarities between Data Protection Laws
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
DPDP Journey
The Bill is largely inspired by the European Union’s General Data Protection Regulation,
Understanding the new DPDPA 2023
The Digital Personal Data Protection Act
1. This law is creating a new regime.
2. The era of misuse, the era of exploitation, the era of believing
that Indian citizens don’t have rights comes to an end with
this law.
3. It is an important marker to catalyze the innovation
ecosystem because it removes any ambiguity about what an
entity is supposed to do when privacy is declared as a
fundamental right.
4. The legislation specifically addresses citizens' privacy and
establishes guidelines on how individuals' data can be used
by private or government entities.
5. In case of a citizen's data breach, they simply need to visit
the website, provide the data protection board with details, and
the board will initiate an inquiry, imposing penalties on the
breaching platforms. We want the penalties to be punitive so that
it incentivizes platforms to be responsible.
Objective of DPDP
Principle of DPDP
Seven Guiding Principles:
- Consent, Lawfulness, and Transparency: Personal data must be used with explicit consent, lawfully, and in a transparent manner.
- Purpose Limitation: Data can only be used for the specific purpose for which consent was obtained.
- Data Minimization: Collection of only the personal data necessary to serve the designated purpose.
- Data Accuracy: Ensuring data correctness and updates.
- Storage Limitation: Storing data only for the required period.
- Reasonable Security Safeguards: Implementing measures for data security.
- Accountability: Holding entities responsible for data breaches through adjudication and penalties.
Structure of DPDP ACT
Applicability
Applicability of the Bill
The Bill is intended to apply to the processing of personal data within the territory of India by Indian data fiduciaries and data processors.
Further, the Draft Bill is also intended to apply to foreign data fiduciaries and data processors where personal data is processed by them in connection with:
• any business carried on in India; or
• any systematic activity of offering goods or services to data principals within the territory of India; or
• any activity which involves profiling of data principals within India.
Not Applicable / Exempted
The Bill introduces an interesting prospect for start-ups in India. The Central Government has the authority to identify and notify specific data fiduciaries, including start-ups, that may be exempted from the Bill based on the volume and nature of personal data they process. This opens up avenues for building a culture for new-age start-ups in India. However, the necessary safeguards and guidelines for determining which start-ups qualify need to be specified in further iterations of the Bill.
(i) non-digital data;
(ii) data processed for personal or domestic purposes; and
(iii) data made publicly available by a data principal or any other person under a legal obligation.
Key Terms
Roles
Rights of Data Principals
Penalties for non-compliance
Source: https://www.cpomagazine.com/data-protection/tiktok-receives-e345-million-gdpr-fine-in-years-old-childrens-privacy-case/?utm_source=dlvr.it&utm_medium=linkedin
Compliance & Best Practices
8 Steps to DPDP Act Compliance
1. Appoint a DPO
2. Create a Privacy Management Program
3. Conduct a Privacy Impact Assessment
4. Implement Data Protection Policies and Procedures
5. Train Employees and Partners
6. Monitor and Review Compliance
7. Respond to Data Subject Requests
8. Report Data Breaches
5 Best Practices for Data Protection
• Practice Data Minimization
• Securely Dispose of Data
• Encrypt Sensitive Data
• Implement Access Controls
• Regularly Update Security Measures
Way forward for organizations
Data Privacy: 1-Pager self-audit checklist
(The "Findings and Remarks" column is left blank for the auditor to fill in.)

| # | Privacy Control | Focus area | Example check | Findings and Remarks |
|---|---|---|---|---|
| 1 | Data Inventory | Ensure all data is identified and categorized. | List all PII data types, like customer records and employee information. | |
| 2 | Consent Management | Confirm consent is obtained for data processing. | Review consent forms and tally records for accuracy. | |
| 3 | Data Access Control | Verify who has access to sensitive data. | Check user access permissions to personal data of data subjects. | |
| 4 | Data Encryption | Ensure data is encrypted when transmitted and stored. | Confirm encryption of all PII in transit, at rest and on backups. | |
| 5 | Data Retention & Erasure Policy | Review policies for data retention and deletion. | Ensure DSR handling and data erasure solutions exist. | |
| 6 | Data Breach Response Plan | Check if a plan exists to respond to data breaches. | Review the steps to notify affected individuals per compliance requirements. | |
| 7 | Third-Party Vendor Privacy Compliance | Assess third-party PII handling agreements. | Confirm vendors comply with privacy requirements. | |
| 8 | Employee Awareness & Training | Ensure staff is trained on data privacy. | Verify completion of annual privacy training. | |
| 9 | Privacy Policy and Notices | Check if privacy notices are provided to data subjects. | Review website privacy policy and notice. | |
| 10 | Data Subject Rights | Confirm processes for data subject rights requests. | Track response time and completeness for access requests. | |
| 11 | Cross-Border Data Transfers | Verify compliance with cross-border data transfer rules. | Ensure EU data is transferred in line with GDPR. | |
| 12 | Data Privacy Impact Assessments (DPIAs) | Ensure DPIAs are conducted for high-risk processing. | Review DPIAs for new product launches and business processes. | |
| 13 | Incident Reporting | Confirm procedures for reporting privacy incidents. | Track and review incident report plans and procedures. | |
| 14 | Data Minimization | Ensure data collected is minimal and necessary. | Eliminate unnecessary data fields in forms. | |
| 15 | Data Accuracy | Verify accuracy and update processes for data. | Confirm customer contact details are up to date. | |
| 16 | Data Security Audits | Check for regular data security audits. | Review results of the latest security audit. | |
| 17 | Privacy by Design | Ensure privacy is considered in product development. | Confirm privacy impact assessments for new features. | |
| 18 | Records of Processing Activities | Maintain records of data processing activities. | Keep a log of PII data processing for audit purposes. | |
| 19 | Children's Data Protection | Verify compliance with child data protection laws. | Ensure parental or guardian consent for children. | |
| 20 | Privacy Compliance Dashboard | Create a dashboard to monitor privacy compliance. | Use a dashboard to track data subject requests. | |
| 21 | Privacy Training Logs | Maintain logs of privacy training sessions. | Document dates and attendees of training sessions. | |
| 22 | Vendor Privacy Audit Schedule | Schedule regular audits of third-party vendors. | Set annual vendor audit dates and maintain records. | |
| 23 | Privacy Impact Assessment Register | Keep a register of all Privacy Impact Assessments. | Maintain a log with PIA details signed off by management. | |
| 24 | Data Breach Response Exercises | Conduct data breach response drills / tabletop exercises. | Simulate a data breach scenario and evaluate the response. | |
Organization Responsibility:
1. Consent: Organizations must obtain consent from individuals before processing their personal data. Consent must be freely given, specific, informed, and unambiguous. Organizations must also provide individuals with clear and concise information about how their personal data will be processed.
2. Lawful Purposes: Organizations may only process personal data for lawful purposes. These purposes include:
   - Providing goods or services to individuals
   - Complying with a legal obligation
   - Protecting the vital interests of an individual
   - Pursuing legitimate interests of the organization
3. Security: Organizations must take appropriate technical and organizational measures to protect personal data from unauthorized access, use, disclosure, alteration, or destruction.
4. Deletion: Organizations must delete personal data when it is no longer needed for the purpose for which it was collected. Organizations may also delete personal data if an individual requests it.
5. Minor/Child Personal Data: The Act takes a proactive stance in protecting children's personal data. It allows the processing of children's data only with parental consent and restricts harmful data practices like tracking, behavioural monitoring, and targeted advertising that could jeopardize their well-being.
6. Data Breaches: Organizations must report data breaches to the DPA within 72 hours of becoming aware of the breach. Data breaches must also be reported to individuals whose personal data has been compromised.
How Can Businesses Comply With The Digital Personal Data Protection (DPDP) Law?
Some of the key steps that businesses need to take to comply with the Digital Personal Data Protection Law are:
1. Identify the personal data that they collect and process.
2. Obtain consent from individuals before collecting or processing their personal data.
3. Keep personal data secure.
4. Delete personal data when it is no longer needed.
5. Respond to individual requests for access, correction, or erasure of their personal data.
Why Do Businesses Need To Comply With The Digital Personal Data Protection (DPDP) Law?
- Data Privacy Protection
- Legal Obligation
- Avoiding Fines and Penalties
Conclusion
Protect Your Privacy
The DPDP Act is a powerful tool to safeguard your personal data and defend your privacy. It requires organizations to be transparent, accountable, and respectful of your rights. Stay informed, stay vigilant, and stay in control of your data.
Build Trust
The DPDP Act is also an opportunity for organizations to build trust, credibility, and competitive advantage by demonstrating their commitment to data protection and privacy. By following best practices and going beyond compliance, they can gain the trust and loyalty of their customers and partners.
GFL Internal document