Data Privacy & Personal Data Protection has become a key driver today in dialogues involving data. India is at the cusp of getting its own law in place - one of the last few countries in the world to do so. However, the reality on the ground is that few people really understand what Data Privacy is all about. It is often confused with Data Security. This session seeks to de-mystify Data Privacy, giving an overview of the domain and how it is different from Data Security.
(SACON) Shivangi Nadkarni & Sandeep Rao - An introduction to Data Privacy
1. SACONConfidential (c) Arrka, 2020
SACON International 2020
India | Bangalore | February 21 - 22 | Taj Yeshwantpur
An Introduction to Data Privacy
1
2. SACON 2020
An Introduction to Data Privacy
2
• What is Personal Data?
• An Overview of Privacy Principles & Rights
• Relationship between Information Security and Privacy
• How should an organization implement Privacy?
3. SACON 2020
When we talk Data Privacy, we talk Personal Data
Any data that can – directly or
indirectly - or in combination
with other data – make a person
‘identifiable’
What is Personal Data?
Device Identifiers
Online Identifiers
Social Media MarkersMetadata Data that has been
processed using
analytics that can
identify a person
Trackers & CookiesLocation Data
Above – the – surface (ATS) Personal data
Demographic/
Identity Data
Health/
Biometric/Genetic/
Gender Data
Political Affiliations/
Personal beliefs/
Criminal History/etc
Financial Data
Govt Ids
Any compromise of this category of
data can cause greater harm to the
person as compared to other types
of PD
Sensitive
Personal Data
(SPD)
Financial data, health data, official identifier,
sex life, sexual orientation, biometric data,
genetic data, transgender status, intersex
status, caste or tribe, religious or political
belief or affiliation*
Further sub-categories
Comprises:
Personal Data
(PD)
Below – the – surface (BTS) Personal data
4. SACON 2020
Personal Data In Context
Data
Personal Data
Sensitive
Personal Data
Data Privacy not
Applicable
Data Privacy
Applicable
5. SACON 2020
Data Privacy Applies to Personal Data Processing
Collection Recording Organisation Structuring
Storage Alteration Transmission Dissemination
Restriction Destruction Generation
6. SACON 2020
Roles in the Privacy Ecosystem
Data Subject/
Principal
She ‘OWNS’ her
Personal Data
Data Controller/
Fiduciary
The entity that, alone or jointly with others,
determines the Purposes for data processing (“Why”)
& Means of data processing
(“How”)
6
DATA PROCESSOR The entity that processes personal data:
On behalf of the Fiduciary
Under the instructions of the fiduciary
8. SACON 2020
Grounds for Processing Personal Data – The When
Consent
Function of State
Public Interest
Compliance with law or order of court/ tribunal
Prompt action in case emergencies
Purposes related to employment
*Reasonable Purposes of Data Fiduciary
• Processing for prevention &
detection of any unlawful activity
including fraud
• Whistle blowing
• M&A
• Network and information security
• Credit scoring
• Recovery of debt
• Processing of publicly available PD
*Reasonable Purpose Examples
9. SACON 2020
Principles Guiding Personal Data Processing – The How
Security Safeguards: Ensure Security Safeguards throughout the Lifecycle to protect against loss, unauthorised access, destruction, use,
modification, disclosure or other reasonably foreseeable risks.
User Rights: Provide Rights to user for Access, Correction, Processing Restrictions, etc.
Data Collection Data Usage Data Destruction
Consent: Obtain Informed, freely given
and unambiguous consent where
applicable
Collection Limitation: Collect adequate,
relevant based on Purpose
Use Limitation: Use and disclose
collected Personal Data only for pre-
defined purposes. Limit Access to only
relevant users.
Storage Limitation: Retain Personal
Data long enough to satisfy the
purpose of Collection. Define Retention
Periods
Notice/ Transparency: Organization should publish a Public Statement on the Type of Personal Data collected, used, who it is shared with and
how long it is retained
Accountability: Organization needs to implement Accountability measures to manage Privacy. Examples of these measures include Breach
Notification, Privacy By Design, inserting Privacy Clauses in 3rd Party Contracts, maintaining Records of Processing
13. SACON 202013
The need for a Framework..
Organization
Questions on
Privacy
Implementation
Where should
we start?
What kind of
Organization
structure and
capabilities do
we need?
What are the
Policies and
Processes that
need to be
implemented?
What are the
Technical,
Administrative
measures
needed?
How do we
monitor Privacy
on an ongoing
basis?
Privacy Implementation is a complex
exercise impacting more than 80% of
the organization
Most Privacy Requirements need
coordination between multiple
functions
Lack of Governance has seen failure of
many Privacy Programs
Lack of a structured Approach is a
common cause for failure
14. SACON 2020
Some
Privacy
Program
Frameworks
DPF
ISO
27701
BS
10012
14
Privacy Frameworks that provide a Structured Approach
BS 10012:2017 is the British
standard that sets out the
requirements for a Personal
Information Management
System and aligns with the
principles of the European
General Data Protection
Regulation (EU GDPR).
ISO 27701 is a privacy extension to
ISO 27001&02 and provides
additional guidance for the
protection of privacy, which is
potentially affected by the
processing of Personal Data.
The DSCI Privacy Framework (DPF) has
been developed to guide an
organization on developing &
implementing a Privacy Program
15. SACON 2020
9. PIS
7. IUA
3. PPP1. VPI
2. POR 4. RCI
5. PCM
6. MIM 8. PAT
15
A Sample Framework: DSCI Privacy Framework (DPF)
# Practice Areas
1 Visibility over Personal Information (VPI)
2 Privacy Org & Responsibilities (POR)
3 Privacy Policy and Processes (PPP)
4 Regulatory Compliance and Intelligence (RCI)
5 Privacy Contract Management (PCM)
6 Privacy Monitoring and Incident Mgt (MIM)
7 Information Usage & Access (IUA)
8 Privacy Awareness and Training (PAT)
9 Personal Information Security (PIS)
DSCI PRIVACY FRAMEWORK (DPF)
Confidential (c) Arrka, 2018