DPDP For CISO

The document outlines the Digital Personal Data Protection Act (DPDPA) 2023 in India, detailing its objectives, principles, and compliance requirements for organizations. It emphasizes the importance of data privacy, the rights of individuals, and the legal implications of non-compliance, including penalties. The DPDPA aims to protect personal data and establish a framework for responsible data handling by both private and government entities.

Uploaded by Shalini Tyagi
24-11-2023 1

Agenda

1. Introduction to Data Privacy
   - What is data privacy
   - Privacy laws around the globe
   - DPDPA journey
2. Understanding the new Indian DPDPA 2023
   - Objectives
   - Principles of DPDPA
   - Applicability
   - Rights & duties of individuals
   - Principals
   - Legal implications/penalties
3. A practical approach to DPDPA compliance
   - Personal data inventory
   - DPIA
   - Risk treatment
Privacy is the right to be let alone, or freedom from interference or intrusion. It can also mean the ability to seclude oneself or information about oneself.

What are the 3 types of privacy?

- Physical privacy (for instance, being frisked at airport security or giving a bodily sample for medical reasons)
- Surveillance (where your identity can't be proved or information isn't recorded)
- Information privacy (how your personal information is handled)
What is data privacy?

All organizations collect, process, store, and share customer, vendor, and employee data, and this data often contains sensitive information that must be protected from unauthorized access.

- The term Personal information (PI) encompasses any information about a living individual, regardless of whether it allows them to be distinguished from another individual. Examples: IP address, photographs.
- The term Personally identifiable information (PII) refers to information that can be used to identify a person, such as their name, social security number, and biometrics. This information is used to identify an individual, either alone or in combination with other identifying information linked to the individual, for example their date of birth or place of birth.
- In addition to PII, Sensitive personal information (SPI) must also be handled with greater care, as its exposure could result in considerable financial or personal harm to the individual involved.
- Protected health information (PHI) is PII that has been linked to a health record. This is one type of sensitive information that is governed by US regulation, the Health Insurance Portability and Accountability Act (HIPAA). Healthcare providers, health plans and insurers, healthcare clearinghouses, and businesses associated with health care organizations are required to comply with the law. Example: health plan beneficiary numbers.
Privacy laws around the globe
India ranked third worst for data privacy in a global surveillance index. Only Russia and China ranked worse than India in terms of privacy and online surveillance, according to a study conducted by UK-based research firm Comparitech.

Switzerland: Switzerland has guaranteed its citizens the right to privacy under its constitution and enacted regulations. The Swiss Federal Data Protection Act (DPA) prohibits processing personal data without the consent of the individual the data relates to.
GDPR and DPDPA: the similarities between data protection laws

DPDP Journey
The Bill is largely inspired by the European Union’s General Data Protection Regulation,

Understanding the new DPDPA 2023
The Digital Personal Data Protection Act

1. This law is creating a new regime.
2. The era of misuse, the era of exploitation, the era of believing that Indian citizens don't have rights comes to an end with this law.
3. It is an important marker to catalyze the innovation ecosystem because it removes any ambiguity about what an entity is supposed to do when privacy is declared as a fundamental right.
4. The legislation specifically addresses citizens' privacy and establishes guidelines on how individuals' data can be used by private or government entities.
5. In case of a citizen's data breach, they simply need to visit the website, provide the data protection board with details, and the board will initiate an inquiry, imposing penalties on the breaching platforms. We want the penalties to be punitive so that it incentivizes platforms to be responsible.

Objective of DPDP
Principle of DPDP
Seven Guiding Principles:

- Consent, Lawfulness, and Transparency: Personal data must be used with explicit consent, lawfully, and in a transparent manner.
- Purpose Limitation: Data can only be used for the specific purpose for which consent was obtained.
- Data Minimization: Collection of only necessary personal data to serve the designated purpose.
- Data Accuracy: Ensuring data correctness and updates.
- Storage Limitation: Storing data only for the required period.
- Reasonable Security Safeguards: Implementing measures for data security.
- Accountability: Holding entities responsible for data breaches through adjudication and penalties.
Structure of DPDP Act

Applicability
Applicability of the Bill

The Bill is intended to apply to processing of personal data within the territory of India by Indian data fiduciaries and data processors.

Further, the Draft Bill is also intended to apply to foreign data fiduciaries and data processors, where personal data is processed by them in connection with:

- any business carried on in India; or
- systematic activity of offering goods or services to data principals within the territory of India; or
- any activity which involves profiling of data principals within India.
Not Applicable / Exempted

The Bill introduces an interesting prospect for start-ups in India. The Central Government has the authority to identify and notify specific data fiduciaries, including start-ups, that may be exempted from the Bill based on the volume and nature of personal data they process. This opens up avenues for building a culture for new-age start-ups in India. However, the necessary safeguards and guidelines for applicability to a start-up need to be specified in further iterations of the Bill.
(i) non-digital data;
(ii) data processed for personal or domestic purposes; and
(iii) data made publicly available by a data principal or any other
person under a legal obligation.
Key Terms

Roles

Rights of Data Principals

Penalties for non-compliance
Source: https://www.cpomagazine.com/data-protection/tiktok-receives-e345-million-gdpr-fine-in-years-old-childrens-privacy-case/?utm_source=dlvr.it&utm_medium=linkedin
Compliance & Best Practices

8 Steps to DPDP Act Compliance

1. Appoint a DPO
2. Create a Privacy Management Program
3. Conduct a Privacy Impact Assessment
4. Implement Data Protection Policies and Procedures
5. Train Employees and Partners
6. Monitor and Review Compliance
7. Respond to Data Subject Requests
8. Report Data Breaches

5 Best Practices for Data Protection

- Practice Data Minimization
- Securely Dispose of Data
- Encrypt Sensitive Data
- Implement Access Controls
- Regularly Update Security Measures

Way forward for organizations
DATA PRIVACY: 1-Pager self-audit checklist

| # | Privacy control | Focus area | Example check | Findings and remarks |
|---|---|---|---|---|
| 1 | Data Inventory | Ensure all data is identified and categorized. | List all PII data types, like customer records and employee information. | |
| 2 | Consent Management | Confirm consent is obtained for data processing. | Review consent forms and tally records for accuracy. | |
| 3 | Data Access Control | Verify who has access to sensitive data. | Check user access permissions to personal data of data subjects. | |
| 4 | Data Encryption | Ensure data is encrypted when transmitted and stored. | Confirm encryption of all PII in transit, at rest and on backups. | |
| 5 | Data Retention & Erasure Policy | Review policies for data retention and deletion. | Ensure DSR handling and data erasure solutions exist. | |
| 6 | Data Breach Response Plan | Check if a plan exists to respond to data breaches. | Review the steps to notify affected individuals per compliance requirements. | |
| 7 | Third-Party Vendor Privacy Compliance | Assess third-party PII handling agreements. | Confirm vendors comply with privacy requirements. | |
| 8 | Employee Awareness & Training | Ensure staff are trained on data privacy. | Verify completion of annual privacy training. | |
| 9 | Privacy Policy and Notices | Check if privacy notices are provided to data subjects. | Review website privacy policy and notice. | |
| 10 | Data Subject Rights | Confirm processes for data subject rights requests. | Track response time and completeness for access requests. | |
| 11 | Cross-Border Data Transfers | Verify compliance with cross-border data transfer rules. | Ensure EU data is transferred in line with GDPR. | |
| 12 | Data Privacy Impact Assessments (DPIAs) | Ensure DPIAs are conducted for high-risk processing. | Review DPIAs for new product launches and business processes. | |
| 13 | Incident Reporting | Confirm procedures for reporting privacy incidents. | Track and review incident report plans and procedures. | |
| 14 | Data Minimization | Ensure data collected is minimal and necessary. | Eliminate unnecessary data fields in forms. | |
| 15 | Data Accuracy | Verify accuracy and update processes for data. | Confirm customer contact details are up to date. | |
| 16 | Data Security Audits | Check for regular data security audits. | Review results of the latest security audit. | |
| 17 | Privacy by Design | Ensure privacy is considered in product development. | Confirm privacy impact assessments for new features. | |
| 18 | Records of Processing Activities | Maintain records of data processing activities. | Keep a log of PII data processing for audit purposes. | |
| 19 | Children's Data Protection | Verify compliance with child data protection laws. | Ensure parental or guardian consent for children. | |
| 20 | Privacy Compliance Dashboard | Create a dashboard to monitor privacy compliance. | Use a dashboard to track data subject requests. | |
| 21 | Privacy Training Logs | Maintain logs of privacy training sessions. | Document dates and attendees of training sessions. | |
| 22 | Vendor Privacy Audit Schedule | Schedule regular audits of third-party vendors. | Set annual vendor audit dates and maintain records. | |
| 23 | Privacy Impact Assessment Register | Keep a register of all Privacy Impact Assessments. | Maintain a log with PIA details signed off by management. | |
| 24 | Data Breach Response Exercises | Conduct data breach response drills / tabletop exercises. | Simulate a data breach scenario and evaluate the response. | |
Organization Responsibility:

1. Consent: Organizations must obtain consent from individuals before processing their personal data. Consent must be freely given, specific, informed, and unambiguous. Organizations must also provide individuals with clear and concise information about how their personal data will be processed.
2. Lawful Purposes: Organizations may only process personal data for lawful purposes. These purposes include:
   - Providing goods or services to individuals
   - Complying with a legal obligation
   - Protecting the vital interests of an individual
   - Pursuing legitimate interests of the organization
3. Security: Organizations must take appropriate technical and organizational measures to protect personal data from unauthorized access, use, disclosure, alteration, or destruction.
4. Deletion: Organizations must delete personal data when it is no longer needed for the purpose for which it was collected. Organizations may also delete personal data if an individual requests it.
5. Minor/Child Personal Data: The Act takes a proactive stance in protecting children's personal data. It allows the processing of children's data only with parental consent and restricts harmful data practices like tracking, behavioural monitoring, and targeted advertising that could jeopardize their well-being.
6. Data Breaches: Organizations must report data breaches to the DPA within 72 hours of becoming aware of the breach. Data breaches must also be reported to individuals whose personal data has been compromised.
Why Do Businesses Need To Comply With The Digital Personal Data Protection (DPDP) Law?

- Data Privacy Protection:
- Legal Obligation:
- Avoiding Fines and Penalties:

How Can Businesses Comply With The Digital Personal Data Protection (DPDP) Law?

Some of the key steps that businesses need to take to comply with the Digital Personal Data Protection Law are:

1. Identify the personal data that they collect and process.
2. Obtain consent from individuals before collecting or processing their personal data.
3. Keep personal data secure.
4. Delete personal data when it is no longer needed.
5. Respond to individual requests for access, correction, or erasure of their personal data.
Conclusion

Protect Your Privacy

The DPDP Act is a powerful tool to safeguard your personal data and defend your privacy. It requires organizations to be transparent, accountable, and respectful of your rights. Stay informed, stay vigilant, and stay in control of your data.

Build Trust

The DPDP Act is also an opportunity for organizations to build trust, credibility, and competitive advantage by demonstrating their commitment to data protection and privacy. By following best practices and going beyond compliance, they can gain the trust and loyalty of their customers and partners.
GFL Internal document
