DSCI CERTIFIED PRIVACY PROFESSIONAL (DCPP©)

TRAINING PROGRAM
 Schedule – Day 2
2

Time Topic Covered

Privacy Laws - Framework
9:30 - 11:30 Privacy Laws - GDPR, Singapore, US, Canada, Australia
Privacy Laws - India
11:30 - 11:45 Break
11:45 - 13:15 Trans-border Data Flows
13:15 - 14:00 Lunch
Beyond Information Privacy
14:00 - 15:30 Information Lifecycle
15:30 - 15:45 Tea Break
15:45 - 17:30 Privacy in Organizational Ecosystems
17:30 - 18:00 DCPP Exam : Structure & Tips

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
3 Privacy Laws
• Framework for Analyzing Privacy Laws
• Categories for Regulation
• Country Laws Analysis
• US Laws
• Australia
• Canada
• Singapore
• EU-GDPR
• India : Existing and Upcoming (PDPA)

Confidential (c) Arrka, 2020

 Basic Concepts
4

 Civil Law  Laws

 Criminal Law  Rules

 Civil & Criminal Penalties/  Regulations
Liabilities

 State vs Central (or ‘Federal’) Laws

 LEAs – Law Enforcement Agencies

 Judicial Systems
NOTE: Privacy Laws are always playing ‘catch-up’ with technology and other developments and trends

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Privacy - a ‘Fundamental Human Right’?
5

 India and EU have this approach

 Some Implications:
 governments and businesses restrict the Personal Data that is collected from individuals in the
first place
 Personal Data that is collected continues to be ‘owned’ by the individual and the entity collecting
the data is considered to have a ‘fiduciary relationship’ when it comes to the individual’s data

 NOT considering this as a fundamental right – for e.g.: In US

 Legislations do NOT strictly restrict what data can be collected in the first place.
 focus on
◼ limiting the means of collecting data,
◼ what can be done with the data once collected
◼ making information collectors accountable for the Personal Data they collect
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Privacy Laws - Governance
6

Should governance be left to markets & self-regulation – aided by law?

 Why this thought:
 Different approaches to legislation: EU’s horizontal to US’ sectoral

 Industry has adopted alternatives to formal regulations (like Codes of Practice, ISO standards,
Trust Seals)
 Many aspects of privacy have been introduced into other legislations or regulations (for e.g. – in
consumer protection laws)
 Therefore, should governance of privacy
 be an evolving ‘hybrid’ approach

 with participation from markets as they self-regulate,

 from industry-bodies as they develop best practices and codes of conduct for their members

 supported by laws and regulations

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Privacy Laws – Comprehensive vs. Sectoral
7

Comprehensive vs Sectoral laws

 Comprehensive legislation e.g.: EU GDPR, Singapore.
 The Indian IT act is also sector-agnostic

 Proposed Indian Personal Data Protection Act is also a comprehensive one

 Sectoral legislation e.g.: US

 has sectoral legislations for healthcare, financial services, video rental, etc

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Privacy Laws
8

Transborder data flows – should be restricted or governed?

 On one hand: Disparities in national legislations have the potential to actually hamper data flows in
some cases – giving rise to constraints in trade development.

 At the same time, countries have to protect the interests of its citizens and safeguard their right to
privacy
 particularly so where an average citizen does not comprehend what goes on ‘behind the scenes’
or its possible implications.

 how to achieve a balance between the two forces. Should such flows be governed at all in the first
place? If yes, in what manner?

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Privacy Laws
9

Should there be a strong regulatory infrastructure overall?

 Citizen groups and civil society often pitch for strong regulation to ensure that citizen’s privacy is
safeguarded.
 Strong regulations can prescribe specific measures for organizations to take – like appointing a
Data Protection Officer, requiring Data Controllers to register with a Data Protection Authority in
the country, getting approvals for specific actions, etc.

 Businesses, on the other hand, often complain that strong regulation

 stifles innovation and

 raises the costs of services which get passed on the same citizens.

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Data Protection Regime: Core components (1/2)
10

Components Explanation
Fines Multifold increase, per breach fine, even to an extent of % of
income
Criminal Penalties Fines, Imprisonment for willful neglect or violation as part of
pattern
Technical & Organizational Measures High level v/s Stringent requirements, prescriptive controls,
insists on CPO/DPO
Data transfer Specific legal requirements, technical means, overseeing
mechanism, BCR, Safe harbor
Legal Relationship Relationship- Data Subject, Exporter (Controller), Importer
(Processor) , Supervisory authority

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Data Protection Regime: Core components (2/2)
11

Components Explanation
Regulatory Infrastructure Infrastructure- Privacy/Information Commissioner, FTC,
EU, DPAs

Liability - Data Controller (Data Exporter) x Liability towards data subject

Data Processor (Data Importer)

Data Breach notification Notification requirements, Europe is following US here,

Responsibility of service providers

Contract Guidelines & Monitoring Model contract guidelines, monitoring & controls e.g.
SCCs

Components Explanation

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Framework for Analysing Privacy Laws
12

Scope and Regulatory Regulatory Definition of

Exceptions
Applicability Infrastructure Mechanisms Personal Data

Dispute
Data Transfer Data Breach
Privacy Principles Resolution Liabilities
Instruments Notification
Mechanisms

Definition of
Rights of Data Organizational
Legal
Subjects Measures
Relationships

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Categories of Regulations
13

Generic vs Prescriptive

State vs National Level

Functional vs Entity

Self Regulation vs Co-

Regulation

Privacy Codes

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
14 Structure of a Privacy Regulation

Confidential (c) Arrka, 2020

 Standard Elements of a Privacy Regulation
15

A. Privacy Principles are rules that help ensure that Personal

Information is processed lawfully, fairly and in a transparent
manner in relation to the data subject

C. A. Privacy Principles
Controller/Processor
Obligations B. Data Subject Rights – Rights are provided to data
subjects to help them have more control over their PI

C. Controller/Processor obligations comprise a mix of People,

Process and Technology measures to help organization manage
B. Data Subject Rights Privacy

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Elements of a Privacy Regulation: Details
Each element of Privacy Regulation comprises Sub Elements. Arrka Privacy Assessment Framework assesses an
Organization against each sub element and provides recommendations to help achieve compliance
16
A. Privacy Principles B. Data Subject Rights C. Controller/Processor
Obligations

Lawfulness of
Processing
Breach Data Privacy Records of
Management Impact Processing
Security Purpose Assessment
Safeguards Limitation

+ +
Privacy Data protection Data Protection Cross Border
Principles by design and Officer Transfer
by default Appointment
Data Quality Data
(Accuracy) Minimization
Processor
Contract
Storage Management
limitation

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
Confidential (c) Arrka, 2018
17 EU GDPR

Confidential (c) Arrka, 2020

 GDPR - INTRODUCTION
18

In 2016, the EU adopted the General Data Protection Regulation (GDPR), one of its greatest
achievements in recent years. It replaces the 1995 Data Protection Directive which was adopted at a
time when the internet was in its infancy.

Enforcement date: Applicable to all companies including

non-EU companies that process
25 May 2018 Personal Data of EU residents.
Non-compliance will lead to heavy fines
2-4% of annual global turnover
Or
€ 10-20 million whichever is
HIGHER
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Applicability
19

 Applies to • An Indian travels to France for a 2 month

project and gives his personal info to a hotel in
 Any Entity – anywhere in the France
world • Applicable? – YES

 Dealing with • An Indian travels to France for a 2 month

project and accesses his Indian Bank account
 Personal Data via the Bank’s Mobile App
• Applicable to this transaction for the
Indian Bank? – YES
 Of
 EU Residents – not just citizens • A German travels to Mumbai for a holiday and
gives his personal details to a hotel he is staying
at in Mumbai.
• Applicable to the hotel in Mumbai? - NO

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 GDPR Scope
20

 Material Scope  Territorial Scope

 Applies to the processing of  Applies to any Establishment in the
Personal Data wholly or partly by EU
automated means.  Applies to entities not established
 This also includes manual in the EU but “targeting” EU
processing of Personal Data individuals by:
contained or intended to be ◼ Offering of good/services to
contained in a filing system. individuals in the EU, even free of
charge.
◼ Monitoring the behaviour of
individuals located in the EU

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Key Definitions
21

'Personal data' means any information relating to an identified or identifiable natural person ('data subject'); an
identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an
identifier such as a name, an identification number, location data, an online identifier or to one or more factors
specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

'Controller' means the natural or legal person, public authority, agency

or other body which, alone or jointly with others, determines the 'Processor' means a natural or legal
purposes and means of the processing of Personal Data; where the person, public authority, agency or other
purposes and means of such processing are determined by Union or body which processes Personal Data on
Member State law, the controller or the specific criteria for its behalf of the controller
nomination may be provided for by Union or Member State law

'Processing' means any operation or set of operations which is performed on Personal Data or on sets of Personal
Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making
available, alignment or combination, restriction, erasure or destruction

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Key Definitions
22

“Any information relating to an identified or identifiable natural person ('data subject')”

Identifiable natural person: “one who can be identified, directly or indirectly, in particular by reference
to an identifier such as a name, an identification number, location data, an online identifier or to one or
more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity
of that natural person

Special Categories of Data defined:

Online Identifiers: those that could be
- Personal Data revealing racial or ethnic origin,
provided by ‘devices, applications, tools and
political opinions, religious or philosophical beliefs,
protocols, such as internet protocol addresses,
or trade-union membership, genetic data, biometric
cookie identifiers or other identifiers such as
data, data concerning health or data concerning a
radio frequency identification tags.’
natural person's sex life or sexual orientation

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Overall Layout of the GDPR
23
PART A: Of Direct Relevance to a Company
1.General Provisions (Scope, applicability, definitions)
2. Principles
3. Rights
4. Controller & Processor
5. Transfer (out of the EU)
PART B: Governance & Regulatory related
6. Independent Supervisory Authorities
7. Cooperation & Consistency (between Supervisory Authorities)
8. Remedies, Liabilities & Penalties
9. Provisions relating to specific processing situations
10. Delegated Acts and Implementing Acts
11. Final Provisions

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Key Privacy Principles
24

Lawfulness, fairness and transparency Purpose Limitation

Notice Personal data shall be collected for:
Choice - specified,
Consent - explicit and
- legitimate purposes

And not further processed in a manner that is

incompatible with those purposes.

Accuracy Data Minimisation

- Personal data Shall be kept Accurate & Up-to- Personal data collected shall be
date - adequate,
-Where it is found to be inaccurate, it should be: - relevant and
Rectified or Erased without delay - limited to
what is necessary in relation to the purposes for
which they are processed

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Privacy Principles
25
Storage Limitation
- Data would be kept in a form which permits identification of data subjects no longer necessary for the
purposes.
- Data may be stored for longer periods for only:
• archiving purposes in the public interest,
• scientific or historical research purposes or
• statistical purposes,
subject to implementation of the appropriate technical and organisational measures to safeguard the
rights and freedoms of the data subject.

Integrity and Confidentiality

Appropriate security of Personal Data using technical or organisational measures while processing.

Accountability
The controller shall be responsible for and be able to demonstrate compliance with all the privacy
principles.
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Data Subjects have the right to..
26

..know what is ..request

..have
going to be copies of all ..have data
incorrect data
done with data being erased
corrected
their data processed

..not be
..object to
..restrict ..data subject to
data being
processing portability automated
processed
processing

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Data Controller must..
27

..be ..adopt data

..if not in EU, ..take care when
accountable, protection by ..keep records of
appoint a using Processors
demonstrate design and by processing
representative for processing
compliance default

..communicate
to the
..communicate ..appoint a Data
supervisory ..provide ..cooperate with
to data subjects Protection
authority if they appropriate the supervisory
about data Officer where
have a breach security authority
breaches specified
(within 72
hours)
..carry out data protection impact
.. determine responsibilities of each controller,
assessments and consult supervisory
if two or more controllers are involved
authority

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Data Breach Notification
28

Notification to Data
Subject
If this risk is ‘high’, then
the same has to be
Notification to notified to the affected
Supervisory Authority individual(s) as well.
(Within 72 hrs.)
• If a breach is expected to result in a risk to the rights and the freedom of an individual, the same has to be
reported to the Supervisory Authority.
• The assessment of whether a particular breach falls under the risk vs high risk category will have to be done on
a case-by-case basis.
• Different threshold levels applicable for notification to each of the above.
• If the nature of the breach is serious enough to require notification to the public at large, then the same must be
done without undue delay.
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Obligations of Processors
29

May use code of

Shall not engage
Shall be governed by a conduct and Shall appoint a
another processor
contract or other legal certification mechanism representative, if not in
without authorisation of
act to demonstrate the union
controller
sufficient guarantee

Maintain a record of Shall provide sufficient Shall designate a Data

processing activity guarantee Protection Officer (DPO)
If processor determines
purpose and means of
processing then it shall be
Shall implement considered as controller
Shall notify controller
appropriate Shall cooperate with
without undue delay of
organisational and Supervisory Authority
a Personal Data breach
technical measures

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Administrative Fines
30

PRINCIPLES

Violation

RIGHTS of DATA SUBJECTS

Up to €20M or 4%
global turnover

DATA TRANSFER

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Administrative fines
31

Controller Processor

Up to
Violation €10M or Violation
2% global
turnover
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Supervisory Authority
32

 Every EU Member state is required to have one or more public independent

authority – ‘Supervisory Authority ’.
 The role of the Supervisory Authority is to
Monitor, guide and ensure the adequate implementation of the GDPR in the
geography under their scope.

Undertake Awareness activities

Ensure privacy during trans-border data flows,

Address complaints, investigate data breaches, levy fines/sanctions and all

such activities required for regulation implementation and enforcement.

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Statistics: Fines by Types of Violations
33

Violation Sum of Fines # of Fines % of Fines

4% Insufficient technical and organizational measures to ensure information
€ 332,717,927 51 72%
security
Insufficient legal basis for data processing € 110,015,147 86 24%
Non-compliance with general data processing principles € 16,131,370 31 4%
24% Insufficient fulfilment of data subjects rights € 792,787 20 0.2%
Insufficient fulfilment of information obligations € 554,065 14 0.1%
Insufficient fulfilment of data breach notification obligations € 158,425 6 0.03%
72%
Lack of appointment of data protection officer € 61,000 2 0.01%
Insufficient cooperation with supervisory authority € 18,511 6 0.004%
Insufficient data processing agreement € 14,380 2 0.003%
Total € 460,463,612 218

Source: C/M/S GDPR Enforcement Tracker

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 POP QUIZ #13 ?
34

Which one of these is not one of the privacy

principles as per GDPR?

1. Challenging compliance
2. Lawfulness, fair and transparency
3.Security
4. Accuracy

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 POP QUIZ #14 ?
35

Which one of these is not a right of Data Subject as

per GDPR?

1.Right to Anonymity
2.Right to be Informed
3.Right to Object
4.Right to Data Portability

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
36 US Laws

Confidential (c) Arrka, 2020

 US – Complex Regime
39

• Federal Trade Commission Financial Information Children's Privacy

Act • Gramm-Leach-Bliley Act (1999) • Children's Online Privacy
• Taxpayer Browsing Protection • Fair Credit Reporting Act (1970) Protection Act – 1998
Act (1997) (COPPA)
• Fair and Accurate Credit • Children's Internet
• Electronic Funds Privacy Act Transactions Act (2003) Protection Act of 2001
(EFTA) • Right to Financial Privacy Act (CIPA)
(1978) • Children's Online
Protection Act of 1998
(COPA)

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 HIPPA/HITECH
40

 Background:
 HIPAA (or the Health Insurance Portability and Accountability Act)
◼ passed in 1996
◼ to enable Electronic Healthcare Transactions.

 HITECH (The Health Information Technology for Economic and Clinical Health Act)
◼ enacted in Feb 2009
◼ to promote health information technology (HIT) and enable electronic exchange of health
information.
 Scope and Applicability
 Physicians, healthcare orgns and their business associates – including patient safety
organizations (PSOs), health information organizations (HIOs), subcontractors, e-
prescribing gateways, other persons that provide data transmission services or facilitate
access to health records, and vendors of personal health records
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 HIPPA/HITECH
41

 Definition of Personal Data (PD)

 PHI or Protected Health Information: an individual's medical record or payment history.

 Regulatory Infrastructure
 HIPAA is enforced by the US Dept of Health and Human Services (HHS).
 Rights of Data Subjects
 The various players in the healthcare system are not permitted to use or disclose PHI unless
specified by the individual.
 Liabilities
 HIPAA has both civil and criminal penalties including significant fines and imprisonment.
 HHS can proceed directly to imposition of civil monetary penalties.
 $100-500k per occurrence / Max annual penalty $1.5 Million

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 GLBA – Gramm Leach Bliley Act
42

 Background:
 Passed in 1999
 Official name is ‘The Financial Services Modernization Act’
 Scope and Applicability
 Applicable to Financial Institutions
 Three Rules Specific to Privacy:
◼ ‘Financial Privacy Rule’ - governs the collection and disclosure of customers’ personal financial
information by financial institutions as well as any other entity that receives this kind of
information
◼ ‘Safeguards Rule’ - requires the abovementioned entities to design, implement and maintain
safeguards for the protection of customer information
◼ ‘Pretexting Rule’ - ‘Pretexting’ = social engineering. Rule encourages organizations to
implement safeguards against pretexting
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 GLBA – Gramm Leach Bliley Act
43
 Definition of Personal Data (PD)
 ‘Non-public Personal Data’ – covers information provided by an individual, information gathered from
other sources and via transactions
 Privacy Principles
 Notice, Choice, Disclosure, Security
 Regulatory Infrastructure
 Under respective regulators for each type of entity.
 For e.g.: The US Securities & Exchange Commission (SEC), Commodities Futures Trading Commission,
Federal Banking Agencies, etc.
 Those entities that are not covered by any regulator come under the purview of the Federal Trade
Commission
 Liabilities
 Civil penalties -up to $100,000 per violation for an institution and up to $10,000 per violation for
individual directors & officers of the institution. Criminal penalties - imprisonment up to 5 years.

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 California Consumer Privacy Act - Introduction
44

On June 28, 2018, Governor Brown signed Assembly Bill 375, now known as the California Consumer
Privacy Act of 2018

Applicable to all businesses that

Effective from: a) collect California resident’ Personal Data or on the
01 January 2020 behalf of which such information is collected;
b) determine the purposes and means of the
processing of consumers’ Personal Data
Depending on the violation occurred the c) does business in the State of California,
civil penalty may be up to: d) satisfies one or more of the defined criteria

$2,500 for each violation;

$7,500 for each intentional violation

Any violation of the CCPA is assessed and recovered

Confidential (c) Arrka,in2020
a civil action brought by the Attorney General.
LicensedCivil
to Maya
penalties can be issued meaning that the penalty isuser
Misra <[email protected]> on 07-04-2020. Single license
issued by only, copying and networking prohibited.
a court.
 California Consumer Privacy Act
45
The right of Californians to
“Personal Data” means information that identifies,
know what Personal Data is being collected
relates to, describes, is capable of being associated with,
about them.
or could reasonably be linked, directly or indirectly, with
a particular Californian resident or household.
know whether their Personal Data is sold or
disclosed and to whom.

say no to the sale of Personal Data.

NO Privacy/Data Processing
Principles access their Personal Data.

equal service and price, even if they exercise

their privacy rights.
However, the CCPA authorizes the California Attorney General toConfidential (c) Arrka,
issue guidance on 2020
the law. It would make sense for that guidance to describe
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
the CCPA data protection principles
 Annexure – [CCPA Scope]
46

Applicable to all businesses that

1) collect consumers’ Personal Data or on the behalf of which such information is collected
2) determine the purposes and means of the processing of consumers’ Personal Data
3) does business in the State of California,
4) satisfies one or more of the following thresholds:
a) with annual revenues of twenty-five million dollars or more

b) annually buys, receives sells, or shares the Personal Data of 50,000 or more consumers,
households, or devices, for commercial purposes
c) derives 50 percent or more of its annual revenues from selling consumers’ Personal Data

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
47 Australia

Confidential (c) Arrka, 2020

 Australia
48

 Background:
 Legislations both at the central (federal) and state level
 At the central level:
◼ the Privacy Amendment (Enhancing Privacy Protection) Act 2012
◼ passed in December 2012 and has been applicable from March 2014
◼ Contains the Australian Privacy Principles (APPs)

 Scope and Applicability

 Applicable to most government entities as well as some private sector organizations
 Small businesses with an annual turnover of less than A$ 3m are exempted, unless
◼ they provide any health related services or
◼ hold any health information (except that of employees), or
◼ disclose or collect any Personal Data in the course of a service they provide or
◼ is a contractor to the government Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Australia
49
 Definition of Personal Data (PD)
 Personal Data is information or opinion of an individual whose identity is apparent, or can reasonably
be ascertained, from the information or opinion
 Sensitive Personal Data is ‘information or opinion about an individual’s racial or ethnic origin, political
opinions, political association, religious beliefs, philosophical beliefs, professional or trade association,
trade union, sexual preferences or practices, health information or genetic information, biometric
information templates
 Privacy Principles
 Notice, Purpose, Access & Correction, Disclosure, Security & Accountability.
 Allowing the use of Pseudonyms: Where it is practical, an individual must be given the option of using a
pseudonym and thereby not disclose his or her real identity.
 Unsolicited Personal Data: If an entity receives any Personal Data via any unsolicited means, the Personal Data
needs to be destroyed.
 Direct Marketing: An individual must be given the option of opting out of any direct marketing from an entity
collecting her Personal Data. Further, the individual can also request that her Personal Data is not shared with third
parties who will use it for direct marketing.

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Australia
50

 Regulatory Infrastructure
 The Office of the Australian Information Commissioner (IC) is the entity vested with the powers to
oversee the Act.
 Regulatory Mechanism
 The Act supports co-regulation
◼ A formal mechanism has been instituted for recognition of external dispute resolution schemes
(EDRs) who can handle privacy-specific complaints and issues of individuals.
◼ Till date the Telecom Industry Ombudsman, the Credit Ombudsman service and the Financial
Ombudsman service have been recognized and others are in the pipeline.
 The Act also recognizes any industry codes of practice around privacy – and formally terms them as
‘APP Codes’.
 Liabilities
 Fines up to A $220,000 for an individual and
 A $1.1 million for organisations for serious or repeated interferences with the privacy of individuals.
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
51 Canada

Confidential (c) Arrka, 2020

 Canada
52

 Background & Scope:

 Canada has two ‘horizontal’ privacy laws at the federal (central) level:
◼ The Privacy Act – passed in 1983.
◼ Applicable to the public sector & government institutions
◼ The PIPEDA (Personal Information Protection and Electronic Documents Act) – passed in the
late 1990s and applicable to the private sector
◼ In addition to the above, there are some sectoral legislations that address privacy at the state
or federal level.
 Privacy Principles:
 Privacy principles covered by PIPEDA are: Consent, Purpose specification, Use Limitation,
Collection Limitation, Disclosure, Retention, Data Quality, Access & Correction, Openness, &
Accountability.
 Additionally, it defines a principles called ‘Challenging Compliance’ - that requires organizations
to investigate every complaint received
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Canada
53

 Regulatory Infrastructure
 Under the Privacy Act, the Office of the Privacy Commissioner of Canada was established.
 Data Breach Notification
 The amendment requires organizations to notify data subjects of any compromise to their
Personal Data resulting in a ‘real risk of significant harm’ to the individuals.
 Organizations are also required to maintain records of all data breaches and same have to be
reported to the Privacy Commissioner as well.
◼ However, this requirement will come into force only when the federal government passes
associated regulations which are expected to provide greater clarity.

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
54 Singapore

Confidential (c) Arrka, 2020

 Singapore
55

 Background & Scope:

 Singapore’s Personal Data Protection Act (PDPA) came into effect in January 2013.

 Definition of Personal Data:

 Personal data is defined as ‘data, whether true or not, about an individual who can be identified;
from that data; or from that data and other information to which the organisation has or is likely
to have access.’
 No separate definition for sensitive Personal Data

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Singapore
56

 Privacy Principles:
 The main principles covered in the PDPA are consent (express or deemed), purpose specification,
security, access & correction, etc
 Regulatory Infrastructure
 The Personal Data Protection Commission (PDPC) is established under the PDPA to oversee the
PDPA, and to investigate and enforce compliance with the PDPA.
 Liabilities:
 The PDPC, after investigation of a complaint, can take several measures like
◼ destroying any Personal Data collected in contravention to the PDPA
◼ levying a penalty up to S$ 1 Million.

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 POP QUIZ #15 ?
57

Which one of these is one of the privacy principles as

per Australia?

1.Challenging compliance
2. Anonymity
3. DPIA
4. Record Processing

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 POP QUIZ #16 ?
58

Which one of these is the supervisory authority

established under Singapore Privacy Act?

1.Personal Data Protection Commission

2.Personal Data Protection Authority
3.Personal Data Privacy Commission
4.Personal Data Privacy Authority

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 POP QUIZ #17 ?
59

Which one of these is the right provided under

California Consumer Privacy Act (CCPA)?

1.Data portability
2.Equal service and price
3.Opt-out of automated decision making
4.Anonymity

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
60 India

Confidential (c) Arrka, 2020

 India Privacy Timeline
61
2000

2008

2012

2017

2018

2019
IT Act 2000 - An IT The Justice A. P. The Indian The committee A draft bill -
Act to provide (Amendment) Shah panel government set headed by India PDPA -
legal Act, 2008 –IT recommended up a Justice BN introduced in
recognition for Act 2000 an over-arching Committee of Shrikrishna Parliament
transactions amended to law to protect experts headed submitted its Gone to a Joint
carried out by include Data privacy and by Justice report on Data Parliamentary
means of Protection personal data Shrikrishna. Protection Committee
electronic data Security and in the private Their task was framework and (JPC)
interchange Privacy and public to provide Personal Data
and other spheres Ministry of Protection Bill
means of Electronics and to the
electronic IT (MEITY) with Government.
communication a draft of
; India’s first data
protection law.
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Legal Framework in India – IT (Amendment) Act,
62
2008: Security, Privacy, Cyber crimes
❑ IT Act 2000 - An Act to provide legal recognition for transactions carried out by means of electronic data
interchange and other means of electronic communication; effective from October 17, 2000

❑ IT (Amendment) Act, 2008 –IT Act 2000 amended to include (not limited to):
▪ Data Protection – Security & Privacy
▪ Cyber Security –Role of CERT-In, Nodal Agency for Critical Information Infrastructure Protection
▪ National Security – information retention, interception & monitoring
▪ Computer related offences to include cyber terrorism, identity theft, pornography, violation of
privacy, etc.
▪ Role of Intermediaries
▪ Encryption Policy
▪ Increase in penalties

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Data Protection under IT (Amendment) Act, 2008
63

❑ Sec 43A
❑ “Where a body corporate possessing, dealing or handling any Sensitive Personal Data or
information in a computer resource which it owns, controls or operates, is negligent in
implementing and maintaining reasonable security practices and procedures and thereby
causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay
damages by way of compensation to the person so affected.”-Effective from October 27, 2009

❑ Definition of ‘Reasonable Security Practices

❑ means security practices and procedures designed to protect such information from
unauthorized access, damage, use, modification, disclosure or impairment, as may be
specified in an agreement between the parties or as may be specified in any law for the time
being in force and in absence of such agreement or any law, such reasonable security practices
and procedures, as may be prescribed by the Central Government in consultation with such
professional bodies or associations as it may deem fit.”

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Data Protection under IT (Amendment) Act, 2008
64

Sensitive Personal Data Privacy Principles Reasonable Security Practices

Password, Financial info, Privacy Policy, Choice & • Security Program having
Physical, Physiological & Mental Consent, Collection & Use managerial, technical,
Reasonable Security
health condition, Medical Limitation, Retention, operational & physical controls
Practices
records & history, Biometric Access & Correction, commensurate with assets
Security, Disclosure and being protected
Address Discrepancies & • ISO 27001 or Codes of Practices
Grievances by industry associations
approved by the Government
(self-regulation)
Support & help to Adjudicating Officer: Power to direct compensation • Audit once a year by
citizens of up to Rs 5 Crore, Civil Court for more
independent auditor approved
compensation
Redress of by Government
Body corporate has responsibility to appoint a
grievances grievance officer

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Data Protection under IT (Amendment) Act, 2008
65

 Sec 72 - Breach of confidentiality and privacy.- Save as otherwise provided in this Act or
any other law for the time being in force, any person who, in pursuant of any of the powers
conferred under this Act, rules or regulations made there under, has secured access to any
electronic record, book, register, correspondence, information, document or other material
without the consent of the person concerned discloses such electronic record, book,
register, correspondence, information, document or other material to any other person
shall be punished with imprisonment for a term which may extend to two years, or with
fine which may extend to one lakh rupees, or with both

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Data Protection under IT (Amendment) Act, 2008
66

 Sec 72A – “Save as otherwise provided in this Act or any other law for the time being in
force, any person including an intermediary who, while providing services under the terms
of lawful contract, has secured access to any material containing Personal Data about
another person, with the intent to cause or knowing that he is likely to cause wrongful loss
or wrongful gain discloses, without the consent of the person concerned, or in breach of a
lawful contract, such material to any other person, shall be punished with imprisonment
for a term which may extend to three years, or with fine which may extend to five lakhs
rupees, or with both.”

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 POP QUIZ #18 ?
67

Which panel recommended an over-arching law to

protect privacy and personal data in the private and
public spheres?

1. Ajay Prakash Sawhney

2.Justice A. P. Shah
3.Justice BN Shrikrishna
4.Ravi Shankar Prasad

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 POP QUIZ #19 ?
68

Which of the following data element is not part of the

sensitive data as per IT Amendment Act (2008)?

1. Password
2. Caste & Tribe Details
3. Financial Information
4. Biometric Data

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
69 Personal Data Protection Bill 2019

Confidential (c) Arrka, 2020

 Personal Data: At the Core
70

Further sub-categories
Any data that can – directly
or indirectly - or in What is
combination with other Personal Data Sensitive
data – make a person (PD)? Critical Personal
‘identifiable’
Personal Data
Data (CPD)
(SPD)

What does this mean?

Any compromise of this category of That is critical to
Above – the – surface (ATS) Personal data data can cause greater harm to the Indian National
person as compared to other types Interest**
Demographic/ Financial Data Health/ Political Affiliations/ of PD
Identity Data Biometric/Genetic/ Personal beliefs/
Govt Ids Gender Data Criminal History/etc Can be processed
Comprises:
only in India
Financial data, health data, official
identifier, sex life, sexual orientation,
Device Identifiers Metadata Social Media Markers Data that has been
biometric data, genetic data, transgender
processed using
status, intersex status, caste or tribe,
analytics that can
Online Identifiers Location Data Trackers & Cookies religious or political belief or affiliation*
identify a person

Below – the – surface (BTS) Personal data

Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 PDP Bill 2019 - New Terminology Introduced
71
71

DATA SUBJECT Is now DATA PRINCIPAL

DATA CONTROLLER Is now DATA FIDUCIARY

DPA to decide who fits in here – which Two special categories constituted
would be based on volume & sensitivity - Who operates commercial
of PD processed, turnover of the data Who has the websites or online services
fiduciary, risk of harm resulting from Guardian
potential to Significant directed at children
processing undertaken, use of new cause greater
Data - Who processes large volumes
technologies, and any other factor that Data Fiduciary
harm Fiduciary of Personal Data of children
may cause harm
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Applicability
72

Territorial
• Processing of Personal Data
• collected, disclosed, shared within India Processing of Personal Data for
• by State, Company, Indian citizen or body of persons incorporated under Indian law
Extra-Territorial
• Processing of Personal Data for
• Systematic activity of offering goods or services to data principals within the territory of
India;
• in connection any business carried on in India
• any activity which involves profiling of data principals within the territory of India

Central Government may exempt from the applicability of this law the processing of personal data of data
principals who are not within the territory of India, pursuant to any contract
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Grounds for Processing Personal Data
73
Data Principal’s
Consent

Function of State

Compliance with law

or order of court/ tribunal
Grounds for Processing Personal Data
Prompt action in
case emergencies

Purposes related
to employment

Reasonable
Purpose of data
fiduciary
Confidential (c) Arrka, 2020
Sensitive
Licensed Personal
to Maya Misra Data can
<[email protected]> only be
on 07-04-2020. processed
Single using
user license only, copying and explicit consent.
networking prohibited.
 Data Principal Rights
74

Confirmation and Access Right to be Forgotten

Data Portability Correction and erasure

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Transparency and Accountability

75

Significant Data Fiduciaries

Guardian Data Fiduciaries

Data Protection officer

Data Protection Impact Assessment

Record Keeping

Grievance Redressal

Data Audits

Privacy by Design
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
75
Restrictions and Conditions Transfer of Personal Data Outside India

Personal Data
Processed
outside India

Sensitive Personal Data

(a) Explicit consent + Subject to standard
Must also
contractual clauses or intra-group continue to be
schemes; or stored in India
(b) Explicit consent + Central Govt in
consultation with DPA has permitted to a
particular country; or Passwords
excluded
(c) Explicit consent + DPA has allowed
transfer

Critical Personal Data

Exceptions
• Health Services
• Emergency Services
• Central Govt in consultation with DPA has permitted transfer to
approved country
Personal Data Protection Bill, 2019
Confidential (c) Arrka, 2020
77

Data Protection Authority of India

77

The bill establishes an

independent authority empowered
to oversee the enforcement of the
bill.

The adjudication process will be

looked after by the adjudication wing
of the Authority.
DPA
The authority is to performs wide
variety of functions and powers
including: issuing codes of practices,
setting criteria for data audits, issuing
directions, creating awareness, etc.
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Why should this law be taken Seriously?
78

STIFF Penalties Criminal Liabilities

5 yrs imprisonment 3 yrs imprisonment

15 Cr/ 4% of 5 Cr/ 2% of
/ 3 L Fine / 2 L Fine
Global Turnover Global Turnover

• Processing of PD/SPD/ • Not taking prompt & Intentional or - Intentional/ reckless

Children’s PD in violation appropriate action on a reckless collection collection /transfer/selling
of principles data breach /transfer/selling of of Personal Data
• No security safeguards • DPIA not done Sensitive Personal - Re-identification of de-
• Violation of cross border • Data Audit not done Data identified data
Data Transfer rules • DPO not appointed
• Did not register withConfidential
DPA (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
79 The Aadhaar Act

Confidential (c) Arrka, 2020

 The Aadhaar Act
80

 The Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016
 was published and gazetted on 25th March 2016

 Regulations under the Act

 came into force in Sept 2016

 The Act puts a legal framework around Aadhaar – the 12-digit unique identification number issued
to residents of India, and captures their biometric and demographic data.

 This can then be used by various entities – both from the government and private sector – to
identify residents and verify their credentials.

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 The Aadhaar Ecosystem
81
Three categories of entities:
 The UIDAI (Unique Identification Authority of India)
 Responsible for carrying out the processes in relation to enrolment and authentication of Aadhaar
 The database of the identity & biometric information is known as the CIDR (Central Identities Data Repository)
 The ‘Requesting Entity’
 This is the entity that connects to the CIDR, for authentication and/or verification purposes.
 Two types of requesting entities
◼ The Authentication User Agency (AUA) – that uses the ‘Yes/No” facility provided by UIDAI
◼ The e-KYC User Agency (KUA) that in addition to being an AUA also uses the e-KYC authentication facility provided by
UIDAI.
 A user agency can be a government or a private sector entity.
 A user agency connects to the database via an entity known as the “Service Agency”
◼ whose primary purpose is to provide UIDAI-compliant network connectivity
 The individuals whose data resides on the CIDR

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Privacy Principles
82
 Notice
 The requesting entity as well as any other entity than the requesting entity is expected to
inform the individual, at the time of e-KYC authentication details about purpose of processing
 Consent
 A requesting entity is required to obtain the consent of an individual
◼ before collecting his identity information for the purposes of authentication
◼ A record or log of the consent is also required to be maintained in the format specified by
UIDAI.
 Disclosure
 No core biometric information, collected or created under this Act, shall be shared with
anyone for any reason whatsoever
 No identity information available with a requesting entity shall be disclosed further
◼ except with the prior consent of the individual to whom such information relates

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Privacy Principles
83

 Access & Correction

 The Authority may require Aadhaar number holders to update their demographic information
and biometric information, from time to time, to ensure continued accuracy of their information
in the CIDR
 The Authority shall maintain authentication records in such manner and for such period as may
be specified by regulations.
 Security & Safeguards
 The requesting entity has to implement strict restrictions & controls in their organization to
manage the security and confidentiality of the identity information they have access to or keep a
record of.
 No entity shall retain Aadhaar numbers or any document/ database containing Aadhaar numbers
beyond the time limit required to for meeting the purpose consented to by the individual.

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
84 Trans-Border Data Flows
• History
• Common Themes and Approach
• European Union and Transborder Flows
• Instruments: Binding Corporate Rules and Standard Contractual Clauses
• EU-US Privacy Shield
• Transborder Data Flows : APEC
• Indian Perspective
• Transborder Data Flow and Cloud
Confidential (c) Arrka, 2020
 History of Trans Border Data Flow
85

1980(OECD)
In close with Council of
Europe, but guidelines
1981(Council of Europe
were not binding
Convention for
Protection of
Late 1970(Council of Individuals)
Europe and European
Included regulations on
Parliament)
transborder data flows
Early 1970(Expert
Discussing on how to and allowed some
Group in Council of
remove these trade restrictions on
Europe)
barriers while transborder, where data
Identified transnational preserving data needs to be transferred
character of protection to lower protection
computerization and country
need for international
regulatory
harmonization
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 History of Trans Border Data Flow contd..
86

2007(APEC)
Come out with its own
Framework Pathfinder, to
1990(UN General Assembly) enable transborder data flow

Adopted guidelines concerning

computerized data files ,
1985(OECD) however this was voluntary, no
real impact found
Another declaration on
transborder data flows (dealt
with data flows within
transnational corporations,
trade barriers)

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Common Underlying Theme
87

 The need of the hour is supporting and enabling global movement of

data

Privacy Principles are

Figuring out ways and not eroded, especially Considering the
means to ensure that principles pertaining to Consent of the data
rules and frameworks security, fair usage, subject in a trans-
are not perceived to be accountability and the border data flow
restrictive rights of the data scenario
subject

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Approaches to Trans Border Data Flows
88

#2 Trans-border Data flows

#1 Trans border data flows
with limited rules and
that are regulated
regulations

#3 Special International / #4 Un-regulated trans-border

Multilateral & Bilateral data data flows
transfer arrangements

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 European Union & Transborder Data Flows
89

Any transfer of Personal Data to a third country or to an international organisation

shall take place only on the basis of
 Adequacy decision

 Appropriate Safeguards

 Binding Corporate Rules

 Standard Contractual Clauses

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Exceptions
90

Consent

Performance of a Contract

Fulfilling a Contract where third party is involved

Public Interest

Vital Interests

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 European Union & Transborder Data Flows
91

 EU: Concept of ‘Adequacy’

 A country that meets certain criteria is considered adequate from a privacy point of view

◼ With such countries, there are no specific restrictions on transfer of PD data of EU

Citizens
 Currently, countries considered ‘adequate) are: Andorra, Argentina, Australia, Canada
(commercial organisations), Switzerland, Faeroe Islands, Guernsey, Israel, Isle of Man,
Jersey, New Zealand, and Uruguay.
◼ Japan has recently been added to this list
 For transfer to other countries, other specific mechanisms available
◼ Special mechanism for transfer to the US: Privacy Shield

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Data Transfer to regions that are not ‘Adequate’
92

 Binding Corporate Rules-

 Applicability: For data transfer outside the EU between different entities from the same
group of companies.

 Standard Contractual Clauses-

 Applicability: For an organization in the EU that transfers data to an organization that is
not part of EEA, US or deemed adequate by EU.
 There are specific clauses that need to be included in the contract between the data
controller and the data processor before data processing can be initiated.

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Binding Corporate Rules
93

BCR’s are expected to contain:

BCRs are internal rules in
-Privacy principles applicable
organizations and ensure:
-Tools used to ensure effectiveness –
-That protection of the Personal
for e.g.: training programs, audit
Data outside of the EEA is at the
mechanisms & timetables, systems
same level as it is within the EEA
instituted for handling complaints etc.
-That obligations of the organization
-An element proving that the BCR are
are clearly spelt out
binding

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Standard Contractual Clauses
94

Model Clauses’/ Standard Contractual

Clauses (or SCCs) are clauses that a Data
Controller is required to incorporate into
its contracts with a recipient organization
when sending out Personal Data of its data
subjects
The EU has issued SCCs for two categories
of transfers:
-For transfer of Personal Data to other
Data Controllers outside the EEA
-For transfer of Personal Data to Data
Processors outside the EEA
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 EU-US Privacy Shield
95

 The EU-U.S. Privacy Shield Framework: designed by the U.S. Department of

Commerce and the European Commission
 Objective: To provide companies on both sides of the Atlantic with a mechanism to
comply with data protection requirements when transferring Personal Data from
the European Union in support of transatlantic commerce.
 On July 12, 2016, the European Commission deemed the EU-U.S. Privacy Shield
Framework adequate to enable data transfers under EU law.
 Enforcement of Privacy Shield: By the US Federal Trade Commission (FTC) & Dept of
Transportation (DOT) – for organizations that fall under their respective purviews
 A similar independent Privacy Shield framework exists between for Swiss-U.S.
Personal Data transfer.
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 How does Privacy Shield Work?
96

 Organizations have to comply with the seven privacy principles and the eleven
supplemental principles outlined in the framework

 Process of Self-Certification by the organization to the Dept of Commerce (DOC).

 Self-certification has to be done annually

 DOC maintains a list of organizations that have self-certified + those that were previously
certified but no longer are

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Privacy Principles under Privacy Shield
97

 Notice
 Choice & Consent
 Express affirmative consent required for Sensitive PD

 Accountability for onward transfer (to 3Ps)

 3P’s categorised into those acting as controllers and as agents

 Security
 Data Integrity & Purpose Limitation
 Data Integrity is defined as data being reliable for its intended use by being accurate,
complete and current
 Access & correction
 Recourse, enforcement & liability
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 The APEC Cross Border Privacy Rules System (CBPR)
98

APEC Data Privacy Pathfinder The result of the Pathfinder project was the
initiative was launched in 2007. APEC Cross Border Privacy Rules (CBPR) system.
The CBPR system was endorsed by APEC member
Objectives of the Pathfinder economies in November 2011 and consequently
initiative: were to develop a simple became a reality.
and transparent system that could The CBPR system has a defined set of baseline
be used by organizations for program requirements pertaining to PD that
protection of Personal Data (PD) needs to cross borders based on the nine APEC
moving across APEC countries. privacy principles.

The resultant framework was to be applicable to only organizations to transfer PD across APEC
borders – it was not meant for governments or individuals
Domestic laws & regulations would continue to govern PD collection and management within
individual APEC countries
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 CBPR: The Ecosystem
99

 To facilitate cross border PD movement and its management & oversight, the CBPR system
has instituted the following concepts & entities:

CBPR Joint Oversight

Accountability Agents Panel (JOP)

Cross Border Privacy

Enforcement
Arrangement (CPEA)

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 CBPR Elements
100

 At its core, the CBPR system has the following elements:

SELF ASSESSMENT ENFORCEMENT

COMPLIANCE REVIEW RECOGNITION

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Progress So Far
101

 As of September 2018, 23 Organisations have been certified under the CBPR

 Incidentally, India is not a member of APEC.

 APEC currently has 21 members most of which have a coastline along the Pacific Ocean.

 India has what is known as an ‘observer’ status which allows India to participate in key
proceedings at the APEC.

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 POP QUIZ #20 ?
102

Which of the below country is not a member of APEC?

1. Japan

2. United States of America

3. India

4. Hong Kong

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
103 Beyond Information Privacy
• Other Types of Privacy
• Communication Privacy – Surveillance
• Ongoing Discussions on Privacy
• Metadata and Surveillance

• Privacy and Human Body

Confidential (c) Arrka, 2020

 Introduction
104

 Privacy Is not just Information Privacy.

 It can be:

Privacy in
Bodily Privacy Territorial Privacy
Communication

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Communication Privacy
105

 Refers to Privacy of communication between individuals or groups of

individuals.
 The violation of this is when
 some uninvited individuals snoop on the conversation or the communication.
 When there is mass surveillance under the pretext of national security, criminal
investigation, law enforcement, public safety etc.

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 When Surveillance is carried out without Privacy
106
Safeguards
Role of
Private

? Sector Concerns
about
Potential
Without Abuse
Privacy
Safeguard
Fear of a
Scale of
Totalitarian
Data
Lack of State
Clarity in
Objectiv
es
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Forms of Surveillance
107

Wiretapp
ing Compute
Social r or
Media Network
Analysis Surveillan
ce

Malicious Tracking
Surveillance
Software via Wi-Fi

Location
Data
Web
based
Tracking Tracking Surveillan
by ce
Compani
es

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Ongoing Discussions on Privacy
108

Metadata and
Privacy and Anonymity
Surveillance

Privacy and Security

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Metadata and Surveillance
109

 Surveillance, interception or information access looks at two things:

 Content: This is the actual content of a communication
 Meta-Data: Metadata if data about the communication.

▪ It is the information that is generated by the devices and the service providers
used by individuals for communication.
▪ For e.g., in case of telephone or mobile calls, this would be information like the
number called, time and duration of call, location information etc.

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Metadata and Surveillance-scenario
110

 Consider this scenario:

 An individual’s mobile phone is constantly with him/ her.
 The phone, at the minimal, gives out its location data.

 So during the course of a day, with just the location data, it is possible to track all
the geographical locations the individual has been to.
 If some of these locations come up on a routine basis (for eg, the individual’s
home & office), by analysing the time of the day, it would be easy to figure out
where exactly the individual lives and works.

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Privacy and Anonymity
111

 Anonymity is when one or one’s actions are visible but may not be necessarily
identified with the person.
 For eg:
 When you walk on the road and no one recognises you, you are anonymous.

 If you make a posting on a public website –if you have masked your IP address –
the posting is public but you can remain anonymous.
 However, when you post a photograph with a friend on a social networking site and
tag the friend, in effect, the friend loses her anonymity.
 Anonymity nurtures freedom on one hand
 On the other hand, it is a tool for criminals and perpetrators as well.

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Privacy and Security
112

 The general impression often created is that privacy and security cannot co-
exist
 and privacy should be sacrificed to ensure national security.
 However, in reality, the two have to be balanced and remain in tandem.
 Discussions today:
 State surveillance programs that are designed to protect citizens and ensure their
security should be launched with adequate controls and checks & balances.
 The checks and balances are required to ensure that innocent citizens are not targeted
by these programs and their privacy thereby violated.
 Further, if such violation does take place, the citizen can avail of proper recourse
measures.
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Privacy and Human Body
113

 Two major developments over the last couple of decades that affect privacy of an
individual concern the human body –
 DNA
 Biometric Identifiers

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Privacy and Human Body
114

 DNA profiles are built based on bodily samples. The associated ecosystem to support and
enable this involves collection, use, analysis and storage of bodily samples.
 Used widely in tracking and identifying offenders and criminals.
 In order to enable this, many countries have built up large centralised databases
containing DNA profiles of individuals .
 DNA

 Biometric Identifiers

 Healthcare sector also uses this for treatment of abnormalities, disorders, research etc.

 CrPC amendment in 2005- Allowed collection of medical details of accused on arrest if it

was required to provide evidence.

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Privacy and Biometrics
115

Collecting a citizen’s biometric information takes place at a number of instances:

-When one applies for a passport
-When one registers on the UIDAI Database for an Aadhaar card (in India)
-When one visits a foreign country – at the time of entry into the country
-Even in attendance management systems in private sector organizations

If an individual’s biometric data is Regulations:

compromised, the individual is left with -UIDAI
virtually no recourse (one cannot get a - Rules Under Section 43A of Information
fresh set of fingerprints!) Technology (Amended)Act,2008

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
116 Information Lifecycle
• Phases
• Aspects of Information Lifecycle Management
• Policy
• Operation and Infrastructure

• Value of Data
• Lifecycle Data Protection Management

Confidential (c) Arrka, 2020

 Phases of an Information Lifecycle
117
Handling info that • Available in the public domain
• Is less frequently accessed ‘Creation’ mechanisms
Creation • Created in-house
• Has met its assigned usage &
retention periods
and • Collected on behalf of the Orgn.
Collection • Received from an outside source
Entails
• Ensuring others cannot obtain Collection’ mechanisms
access • Manually filling paper forms
• Collected Online
• Protecting privacy & Use and
confidentiality Disposition
Distribution Distribution:
• Within the organization
Techniques for Disposition of
• To 3Ps
‘digital’ data: Data Clearing or
• Govt agencies, Statutory Bodies
erasure, Data Purging, Data
and Law Enforcement
Destruction, Encryption
Maintenance Usage:
Includes Filing, Retention, Retrieval, • Info is: Categorised, Refined,
Updates, Transformation to other Processed, Converted to other
formats formats
• Can be used for: Small periods OR
Extended periods

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Aspects of Information Lifecycle Management: Policy
118

 ILM policy consists of

 direction and
 guidelines

for different phase of the information lifecycle.

 Policies
 directed by business goals and objectives.
 generally tie into the framework of overall IT governance and management.

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Aspects of Information Lifecycle Management:
Operation and Infrastructure
119

 Operational Aspects
 address issues
 develop processes and procedures

related to data backup, data retention & disaster recovery

 Infrastructure aspects
 overall architecture of data processing and storage.

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Value of Information
120

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Lifecycle Data Protection Management
121

Who is using the information? When and how are they accessing the
Information?

What are they doing with that

information?

What is the security of its storage and

How is the information being used? archival?

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Operations likely to present risks - Examples
122

Processing of Personal Data

Processing of special categories of Processing of Personal Data for
relating to a large number of
Personal Data, location data or data the provision of health care or
data subjects during any
on children or employees medical research
significant consecutive period

Where a Personal Data breach

Core activities of the controller/ Where Personal Data are made
would likely adversely affect
processor consisting of processing accessible to a number of
the protection of the Personal
operations which require regular persons which cannot
Data, the privacy, the rights or
and systematic monitoring of data reasonably be expected to be
the legitimate interests of the
subjects limited
data subject

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 POP QUIZ #21 ?
123

The different phases of information life cycle are:

1. Creation, Usage and Distribution, Retention and Disposal

2. Creation and Collection, Maintenance, Deletion and Retention

3. Creation and Collection, Use and Distribution, Maintenance, Disposition

4. Generate, Use, Dispose

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
124 Privacy in Organizational Ecosystems
A. Privacy Frameworks: Need and Requirements from a
Framework
B. Study of Privacy Frameworks: DPF, BS 10012, ISO 29100

Confidential (c) Arrka, 2020

 Privacy Compliance
A Structured Framework is needed to meet regulatory requirements and ensure compliance
125

 The drivers for ensuring compliance:

 Legal and Regulatory requirements in all the geographies in which the
organization operates in
 Standards and frameworks related to privacy and data protection that the
organization may decide to comply with
 Specific client requirements

 Specific mechanisms need to be instituted to ensure compliance and address non-

compliance in a timely manner
 E.g.: KPI’s, internal and external privacy audits, end customer feedback

 E.g.: Incident management and breach reporting

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Why is a Privacy Framework Needed?
A Structured Framework helps in translating philosophical & legal discussions into organizational practices
126

Where should an organization start What is privacy governance? What

for privacy? should it deliver?

How should an organization judge How would an organization ensure it

where it stands for privacy? invests proportionately for privacy?

What should qualify to be part How would an organization drive its

of privacy initiative? Privacy units & functions for privacy?
Framework
What are the components of What it entails to ensure privacy in
privacy program? complex business realities?

What key capabilities an organization What it takes to make transactions

should acquire for privacy? sensitive to privacy?

How would an organization bring What kind of technical, tactical &

predictability in privacy affairs? operational measures required for privacy?
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 A Robust Privacy Framework needs to address the aspect
of Privacy Governance & Accountability
127

 Privacy Governance mechanism of an organisation needs to ensure that an appropriate

framework is used to build and deploy a privacy program in an organization.
 Organisations having access to PD need to take on the responsibility of protecting
individuals from the risks of the usage of their data. Hence Accountability as a principle has
become critical and has evolved into an accepted approach towards privacy.
Organisation commitment to
Mechanisms to put privacy policies into effect,
accountability and adoption of internal
including tools, training and education
policies consistent with external criteria

Systems for internal, ongoing oversight and assurance

reviews and external verification

Transparency and mechanisms for Means of remediation and external

individual participation enforcement

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
128 Privacy in Organizational Ecosystems
A. Privacy Frameworks: Need and Requirements from a Framework
B. Study of Privacy Frameworks: DPF, BS 10012, ISO 27701,NIST
Privacy Framework

Confidential (c) Arrka, 2020

 Privacy Program Frameworks
129

DPF

ISO27701 APEC

Some
Privacy
BS 10012
Program GAPP
Frameworks
NIST
Privacy OECD
Framework

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 1. DSCI Privacy Framework (DPF)
130

DSCI PRIVACY FRAMEWORK (DPF)

Personal # Practice Areas

Information 1 Visibility over Personal Information (VPI)
Security
9. PIS 2 Privacy Org & Responsibilities (POR)
3 Privacy Policy and Processes (PPP)

Information Usage 4 Regulatory Compliance and Intelligence (RCI)

7. IUA & Access, 5 Privacy Contract Management (PCM)
6. MIM 8. PAT Monitoring &
6 Privacy Monitoring and Incident Mgt (MIM)
Training
7 Information Usage & Access (IUA)

Privacy 8 Privacy Awareness and Training (PAT)

2. POR 4. RCI
Strategy & 9 Personal Information Security (PIS)
1. VPI 3. PPP 5. PCM Process
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.

Confidential (c) Arrka, 2018

 1. DSCI Privacy Framework (DPF)
131
DSCI PRIVACY FRAMEWORK (DPF)

Personal This layer derives strength from an organization’s

Information security initiatives. However, it demands a focus on
Security data security.
9. PIS
This layer ensures that adequate level of awareness exists
in an organization. A significant level of measures is
Information deployed to limit the information usage and access.
7. IUA Usage & Access, Moreover, a mechanism is deployed for privacy
6. MIM 8. PAT Monitoring & monitoring and managing incidents that may compromise
Training privacy.

Privacy Strategy and Processes: This layer aids in

2. POR 4. RCI Privacy establishing the strategic and tactical elements for
Strategy & privacy. Strategic elements involve defining Policy and
1. VPI 3. PPP 5. PCM Process setting up intelligence on global Privacy changes.
Tactical pieces involve setting up a Privacy org and
defining a Personal Data Inventory
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.

Confidential (c) Arrka, 2018

 VPI-Objectives
1.1 Visibility Over Personal Information (VPI)
132

01 Check the Awareness & Understanding to Enable the organization to become aware of
the Personal Data Elements, Categories, Storage, Formats , Access levels and usage

02 Assess the Current State Assessment to Enable the organization to map this against
its privacy program objectives.

03 Enables an organization to get a complete map of its business & operating

environment from privacy perspective.

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
POR-Assessment Guidance
1.2 Privacy Org & Responsibilities (POR)
133

01 Define Privacy Related Tasks, Activities & Operations and identify

the efforts and skills needed to execute the Tasks

02 Establish the Privacy Function, Structure, Roles and governance

mechanisms

03 Define engagement and outreach with the larger organization and

outside and inter-function collaboration

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 1.3 Privacy Policy and Processes (PPP)
134

01 Articulate Privacy Objectives, Develop Privacy Policy, defining Personal Data and
Organizational role and Provide Direction to implementing Privacy Initiatives

02 Build supporting processes to ensure policy objectives are achieved effectively and
consistently

03
Keep track of organization specific business and technology developments to ensure
policy is updated and remains relevant and new privacy risks are effectively addressed

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 PIS-Objectives
1.4 Regulatory Compliance and Intelligence (RCI)
135

Tracking of Legislations to ensure that the organization has a mechanism and

related capabilities to keep track of laws and regulations around privacy.

02 Determination of applicability, clarity in the Interpretation &

comprehension of Implications.

03 Management and integration of regulatory compliance intelligence for the

purpose of privacy

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 PCM-Objectives
1.5 Privacy Contract Management (PCM)
136

01
Establishing a process for incorporating privacy requirements into
contracts.

02
Understanding obligations, impacts & compliance requirements
arising out of contracts signed.
03
Management and execution of contracts for the purpose of privacy
and addressing privacy related issues

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 1.6 Privacy Monitoring & Incident Management (MIM)
137

Preparedness in setting up privacy monitoring and incident

management

Ensure capabilities, processes business rules and technology to:

Detect, Contain, Remediate & Communicate privacy incidents.

Execution of devised MIM plan and high level of cooperation and

collaboration within internal and with external stakeholders.

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 1.7 Information Usage & Access (IUA)
138

01
Establish organizational understanding of Personal Data access and
usage across different functions, processes or relationships

02
To establish necessary policies to limit the Access, and Usage of
Personal Data; and to ensure their lawful & fair handling
03
To establish technical and tactical measures to limit access and usage
of PD and monitor it on a regular basis to identify non-compliances.

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 1.8 Privacy Awareness and Training (PAT)
139

01 To create awareness & understanding amongst employees, stakeholders and external third
parties about privacy.

02 Communicate relevant organizational business context and explain the privacy policies,
principles, processes and other measures adopted by the organization as part of its privacy
program.

03
To train employees on how to ensure compliance and handle data breaches.

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 PIS-Objectives
1.9 Personal Information Security (PIS)
140

01 To build the organization’s sensitivity towards security of Personal

Data

02
To establish components of a data security program and integrate
them with organization’s security & risk management processes

03
To help define the scope and coverage of data security program to
ensure security of Personal Data

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 2. BS 10012
141
Overview
• British standard that sets out the requirements for a Personal Information Management System
• aligns with the principles of the European General Data Protection Regulation (EU GDPR).
Contents
• outlines the core requirements organizations need to consider when collecting, storing, processing, retaining
or disposing of personal records related to individuals.
Alignment to GDPR
• Comprises of Key Privacy Principles , Data Subject Rights and Organizational Accountability Measures
• It also details out Privacy specific processes like Personal Data Inventory Mapping and details the
responsibilities of various Privacy Related roles
• GDPR and BS 10012 controls have a direct mapping and the mapping is part of the BS 10012 documentation
Structural Similarity to ISO 27K Family
• Overlaying the Privacy specific requirements that are covered, are the Management related components
which talk about how to go about setting up a Personal Information Management System
• BS 10012 follows a similar structure to ISO 27K when it comes to Management Related Controls around
Understanding Organization Context, Leadership, Support Requirements, Performance Monitoring and
Improvement.
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 4. ISO 27701 Overview: Privacy Extension for ISO 27001
142

Context Applicability Benefits Mapping Certifiability

• ISO 27701 is a privacy • Applicable to all types • Provides Best Practice • ISO 27701 is the first • ISO 27701 is intended
extension to ISO and sizes of and effective ways of ISO standard to to be a certifiable
27001&02 and organizations, managing Privacy reference to external extension to ISO27001
provides additional including public and processes written in a frameworks or certification.
guidance for the private companies, practical and usable publications not Organizations planning
protection of privacy, government entities manner. actually developed by to seek an ISO 27701
which is potentially and not-for-profit • As the overlap of ISO. This standard certification will also
affected by the organizations Privacy and Security provides mapping to need to have an ISO
processing of Personal processing Personal regulations increases, GDPR 27001 certification.
Data. Data there is a clear benefit • It provides mapping to • Despite the GDPR
• The standard outlines • Applies to for these two teams to other ISO Standards being in effect for
a framework for organizations playing collaborate, related to Privacy : ISO more than a year, to
organizations to different roles in the communicate more 29100 (Privacy date, there has been
manage privacy Personal Data effectively, and use Framework), ISO no certification
controls so that risk to Processing Ecosystem: common tools. ISO 27018(Cloud Privacy), standard for it. This
individual privacy Controllers, Joint 27701 provides this ISO 29151(Code of standard can be a
rights is reduced . Controllers, Processors platform practice for Personal viable option to
and Sub-Processors Protection) demonstrate
compliance to GDPR
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 ISO 27701 Structure: The Core Content is spread across 4
Clauses
143
143

PIMS specific requirement as related to ISO 27001 PIMS specific guidance as related to ISO 27002
• The clauses and sub-clauses in this section are the same as the mandatory • The clauses and sub-clauses in this section are the same as the mandatory
controls under ISO 27001. controls under ISO 27002 (and Annexure Controls under ISO 27001)
• PIMS-specific requirements have been added wherever applicable at a Clause • PIMS-specific control statements and guidance have been added wherever
& Sub-Clause level applicable at a Clause & Sub-Clause level
• As the Mandatory controls are mainly generic & “management” related, • This section is highly insightful as it provides answers to what Privacy
most areas do not have any additional PIMS specific requirement. related extensions need to be made to specific Security Controls.
• E.g. Risk Management clause recommends addition of the privacy risk • E.g. The Information Classification clause now recommends addition of Personal
assessment process to identify risks related to the processing of Personal Data, Data as part of the Classification Schema as an organization needs to track
within the scope of the PIMS. where PD is stored and where it flows

Additional Guidance for PD Controllers Additional Guidance for PD Processors

• This section covers Privacy specific Controls and Implementation Guidance for • This section covers Privacy specific Controls and Implementation Guidance for
organizations who qualify as Personal Data Controllers or Joint Controllers. organizations who qualify as Personal Data Processors or Sub-Processors
• Section covers the areas which would be part of any Privacy Regulation • This area is very helpful, especially from an Indian context, as a large part
• Privacy Principles for processing Personal Data (E.g. Notice, Accuracy) of our IT/ITES industry falls into the Processor bucket
• Lawful basis of Personal Data Processing (e.g. Consent, Legitimate Interest) • This section covers Privacy processes from the perspective of a Processor
• Individual Rights (e.g. Right of Rectification) • Lawful Basis of processing Personal Data (e.g. Client Agreements)
• Privacy specific processes (e.g. Privacy by Design & Impact Assessment) • Privacy Principles (e.g. Purpose Limitation as per Client instructions)
• Personal Data Sharing & Transfers (e.g. Cross Border Transfer of Data) • Privacy specific processes to help Controllers (E.g. Breach notification)
• Privacy By Design has been covered in detail and in a practical manner • Personal Data Sharing & Transfers (e.g. Sub-Processor appointment)
• This section is User Friendly as it segregates Processor specific controls
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
Confidential (c) Arrka, 2019
 What makes ISO 27701 such an Attractive Standard?
144

Completeness in Structural Similarity to Privacy Enhancements to

coverage of ISO 27001 provides Security Controls have
requirements wrt. familiarity and will aid been listed in detail
Privacy Regulations Adoption

Certifiable Standard to Structural Uniqueness in Concept of Privacy By

demonstrate compliance separating Privacy Design has been
and assurance to requirements based on covered in a detailed
customers on regulations Organization Type and practical manner
like the GDPR (Controller/Processor)

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 NIST Privacy Framework
145
 The NIST Privacy Framework is designed to function as an Enterprise Risk Management Tool (Privacy Framework) and to help organizations consider
 How their systems, products, and services affect individuals; and
 How to integrate privacy practices into their organizational processes that result in effective solutions to mitigate these impacts and protect
individuals’ privacy
 It is structurally aligned to the NIST Cybersecurity Framework and the taxonomy that it provides is not country, region or sector specific
 Structural Difference with Privacy Regulations/Standards: Unlike a typical Privacy regulation or standard which structures itself along the lines of
Principles, Rights and Obligations, the NIST Framework follows a Risk Management Framework structure

NIST comprises 3 key sections

1. Core: The Core is the most important section and is a set of privacy protection
activities and desired outcomes. It can be considered a mix of Privacy Principles
and organizational obligations.
1. It is structured along the lines of a Risk Mgt framework and consists of five
concurrent and continuous functions—Identify, Protect, Control, Inform, and
Respond.
2. Together these functions provide a high-level, strategic view of the life cycle
of an organization’s management of privacy risk.
2. Profile: A Profile represents the privacy outcomes the organization aims to achieve.
Org can assess all functions using the activities in CORE to define Current Profile
and also develop a Target Privacy Posture / Profile and identify activities needed
to achieve target
3. Implementation Tiers: This section provides a Privacy Maturity Framework which
an organization see where it stands and where it wants to reach depending on its
circumstances. The 4 maturity tiers are: Partial, Risk Informed, Repeatable Confidential
& (c) Arrka, 2020
Adaptable Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
Source: NIST Privacy Framework_V1.0
 NIST Privacy Framework – Core Structure
146
• Functions organize basic privacy activities at their highest level.

• Categories are the subdivisions of a function into groups of privacy outcomes closely tied to programmatic needs and
particular activities. Examples include “Protected Processing,” “Inventory and Mapping,” and “Risk Assessment.

• Subcategories (Controls) further divide a category into specific outcomes of technical and/or management activities.
They provide a set of results that, while not exhaustive, help support achievement of the outcomes in each category.
Examples include
• “Systems/products/services that process data, or with which individuals are interacting, are inventoried”.
Data are processed to limit the identification of individuals
Function Description
Identify Develop the organizational understanding to manage privacy risk for individuals arising from data processing. Foundational for effective
implementation of Privacy Framework
Govern Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities
that are informed by privacy risk. Foundation from an organization level
Control Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy
risks. Function considers data processing management from the standpoint of both organizations and individuals.
Communicate Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how
data are processed and associated privacy risks. Function recognizes that both organizations and individuals may need to know how data are processed in
order to manage privacy risk effectively.
Protect Develop and implement appropriate data processing safeguards. Function covers data protection to prevent cybersecurity-related privacy events

Source: NIST Privacy Framework Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 NIST Privacy Framework – Core Structure
147

Function Categories Function Categories

Identify Inventory and Mapping
Communicate Communication Policies, Processes, and Procedures
Business Environment
Risk Assessment Data Processing Awareness

Data Processing Ecosystem Risk Management Protect Data Protection Policies, Processes, and Procedures
Govern Governance Policies, Processes, and Procedures
Identity Management, Authentication, and Access
Risk Management Strategy Control
Awareness and Training
Monitoring and Review Data Security
Control Data Processing Policies, Processes, and Procedures Maintenance
Data Processing Management
Protective Technology
Disassociated Processing

Source: NIST Privacy Framework Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 NIST Privacy Framework – Profile & Tiers
148
Profile • Organizations may not need to achieve every outcome or activity reflected in the Core.
• Profiles are a selection of specific Functions, Categories, and Subcategories from the Core that an
organization has prioritized to help it manage privacy risk. These may be org or sector dependent
and based on the business requirements, risk tolerance, privacy values, and resources of the
organization.
• Profiles can be used to describe the current & desired target state of specific privacy activities.
• Current State Profile and Future State Profile could be maintained and the gaps between current
and future could be filled by various activities defined in the core.

• Tiers support organizational decision-making about how to manage privacy risk by considering the
Implementation Tiers nature of the privacy risks engendered by an organization’s systems, products, or services and the
sufficiency of the processes and resources an organization has in place to manage such risks.
• The 4 maturity tiers are: Partial, Risk Informed, Repeatable & Adaptable. Tiers represent
progression, however, need not always want to be at the highest Tier
• When selecting Tiers, an organization should consider its Target Profile(s) and how achievement
may be supported or hampered by
• A. Current Privacy risk management practices
• B. Degree of integration of privacy risk into its enterprise risk management portfolio
C. Data processing ecosystem relationships
•
Confidential (c) Arrka, 2020
• D. Workforce
Licensed to Maya Misra <[email protected]> composition
on 07-04-2020. anduser
Single training program.
license only, copying and networking prohibited.
Source: NIST Privacy Framework_V1.0
 Some Other Relevant Standards
149
ISO 27018: 2014
 Published on Aug 1st 2014, builds on the ISO 27002 standard.
 Applicable where public cloud computing service providers (for e.g.: Amazon Web Services (AWS)) act as
processors of PD. However, the standard does not cover the data controllers themselves.
 The standard addresses PD protection controls as a part of the implementation of an ISMS (Information Security
Management System) for cloud computing.
ISO 29101:2013
 This is a standard for developing a privacy architecture framework. Specifically, it deals with systems that process
PD with a focus on ICT systems that interact with Data Subjects.
ISO 29190: 2015
 This is a privacy capability assessment model. It gives a guidance to organizations on how to assess their
capabilities in managing privacy-specific processes.
ISO 29134
 This standard is currently under development. This is being designed specifically for privacy impact assessments.
ISO 27701
 A privacy extension to ISO 27001&02 and provides additional guidance for the protection of privacy, which is
potentially affected by the processing of Personal Data.

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
150 Key Privacy Trends Globally

Confidential (c) Arrka, 2020

 Privacy Program Governance
151
 GDPR Compliance: Still a Struggle After All These Years

Confidential (c) Arrka, 2020

Source: IAPP – EY Governance Report Annual Governance Report 2019
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Difficulty Level of GDPR Provisions
152
Fulfilling core GDPR obligations is perceived as easier for companies over the past year. Right to be Forgotten is the
most difficult GDPR Obligation

Confidential (c) Arrka, 2020

Source: IAPP – EY Governance Report Annual Governance Report 2019
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Privacy Organization
153

Half of privacy teams are located in the legal

department

Roughly 3 out of 4 firms have a data

protection officer

Confidential (c) Arrka, 2020

Source: IAPP – EY Governance Report Annual Governance Report 2019
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Privacy Team: Roles & Responsibilities
For nearly 4 out of 10 privacy pros, 100% of their job is doing privacy-related work.
154

The privacy team’s main duties include dealing When asked to choose the team’s most critical
with privacy policies and companywide training responsibilities, most pros say it is compliance

Confidential (c) Arrka, 2020

Source: IAPP – EY Governance Report Annual Governance Report 2019
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Privacy Incidents
155

Twice as many firms subject to GDPR have Only 2% of firms that have reported a breach
reported a data breach in 2019 as compared to last to a supervisory authority have been fined
year
38%

16%

% Orgs reporting Data Breach

2018 2019

Confidential (c) Arrka, 2020

Source: IAPP – EY Governance Report Annual Governance Report 2019
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
156 DCPP Exam: Tips

Confidential (c) Arrka, 2020

 DCPP Exam Tips – Overall Exam Structure
157

 DCPP© examinations are conducted online, in Pearson Vue test centers.

 Exam only has objective questions.
 There are a total of 75 questions distributed in 3 sections as mentioned below:
 Section 1 – Privacy Fundamentals: 22 questions

 Section 2 – Privacy Principles and Regulations: 32 questions

 Section 3 – Privacy Technologies and Organization Ecosystem: 21 questions

 Total exam time for answering all the questions is 150 minutes.
 There is no separate sectional time limit. Candidates are advised to distribute time accordingly.
 There are both single choice as well multiple choice questions in the exam.
 Please note that in case of multiple choice questions, only two options would be correct.

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 DCPP Exam Tips – Overall Exam Structure
158

 You can determine whether the question is single choice or multiple choice by the language of the
question and answer box (Radio button for single choice and Check Box for multiple choice).
 There are some case study based questions, which are also objective type questions with one or two
options as correct answers.
 Exam is a mix of questions with varied difficulty levels – easy, medium and difficult.
 Differential marking scheme is used, which means that different questions with varied difficulty
levels have been allocated different marks.
 Candidates will not be informed about the difficulty level of any question in the exam, hence
candidates would not know which question will fetch them how many marks.
 No negative marks - Neither answering a question wrongly nor skipping any question will fetch
negative marks.

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 DCPP Exam Tips – Overall Exam Structure
159

 Candidate can traverse back and forth all the questions in a section.
 Once a section gets over, candidates cannot jump from current section to answer questions of the
previous sections in the middle of the exam.
 But, a review screen is provided at the end of the exam after the last question of last section has
been attempted. From the review screen, candidate can jump to any question in any of the sections.
 Kindly note that ending the review screen ends the examination – candidates will not be able to
answer any more questions and all responses will be recorded.
 Candidates can decide the ordering of the section. Before candidates begin answering the
questions, a screen will be shown and candidates would be required to select the desired sequence
of sections
 Candidates will be given 3 minutes to provide their choice of sequence selection. In case, no choice
is provided in the given time limit, the exam will start with default sequence of sections (1-2-3) .
Once order is selected at the starting, it cannot be changed during the course of examination.
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
160 Training Feedback
Did the training meet the expectations stated at the start of the
training?

Confidential (c) Arrka, 2020

 Pop Quiz – Answer Key
161
POP QUIZ! # Answer Key

1 4. Both the folders (Folder 1 & 2) have Personal Data

2 2. Insta Pharma is the data controller that uses Phoenix Tec as data processor to collect and process data of data subjects

3 1. Legal Obligation
2. Vital Interest
3. Performance of a Contract
4. Consent of the Data Subject
4 1. The customer was not given the choice to opt-in for insurance
2. The customer was not notified that the travel insurance was from ABC’s partner company
5 2. Only 2

6 3. Religion
5. Make of the Car Owned
7 1. RM should have informed the husband and taken his consent prior to sharing the account statement with wife.

8 2. Send the requested information to customer’s registered e-mail and inform the customer of the channel

9 2. Cookies

10 1. A form of cookies
2. Stored in different location than browser cookies
Confidential (c) Arrka, 2020
Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.
 Pop Quiz – Answer Key
162
POP QUIZ! # Answer Key

11 4. Encryption

12 2. Offline Privacy Enhancing Tools

13 1. Challenging compliance

14 1.Right to Anonymity

15 2. Anonymity

16 1.Personal Data Protection Commission

17 2.Equal service and price

18 2.Justice A. P. Shah

19 2. Caste & Tribe Details

20 3. India

21 3. Creation and Collection, Use and Distribution, Maintenance, Disposition

Confidential (c) Arrka, 2020

Licensed to Maya Misra <[email protected]> on 07-04-2020. Single user license only, copying and networking prohibited.