THE GLOBAL ISSUE
OF
GDPR
PRESENTED BY
MR. BIVAS CHATTERJEE
DATA IS THE
‘AIR’ OF THE MODERN LIFESTYLE
: DATA AND THE MODERN ERA :
The different types of Personally Identifiable Information,
i.e. a person’s name, picture, contact details, location data,
race, sexual orientation, Social Security number,
online identifiers, genetic information and face
orientation, are all being collected by invisible data brokers.
There are invisible data brokers who, without our
knowledge, are collecting, packaging and selling our personal
Today, with the ever-growing use of various
algorithms, the strained relationship between law and data
analytics or Artificial Intelligence is becoming
prominent.
The intention of privacy legislation is to put
a check on the unauthorized collection, sharing,
management and use of one’s personal data.
: EXAMPLE :
Recently, a family in the USA alleged that private conversations in their
house were recorded by the smart speaker of an AI-enabled IoT
device, which sent the conversations to persons in the contact list.
GDPR
G - GENERAL
D - DATA
P - PROTECTION
R - REGULATIONS
Europe has had its PRIVACY LAW or DIRECTIVES since
1990 and 1994, long before the GDPR came into effect.
It was placed in April, 2016 by the EU Parliament.
It came into effect on May 25th, 2018.
It has 99 articles and over 200 pages of long and complex
regulations.
Companies that have no physical existence in Europe but collect and
process the personal data of Europe are governed by these
regulations.
GDPR IS THE BIGGEST REVOLUTION IN THE DATA PROTECTION LAW
OF THE WORLD
GDPR
GDPR is concerned with the transfer of personal data outside Europe.
The data subject’s consent must be clear, freely given, informed and specific,
and can be withdrawn without any consequence.
The main function of GDPR is to protect the personal data of an individual,
assuring its proper security, governance and management, and helping to prevent
the personal data of the individual from being misused.
For GDPR compliance, companies have to implement solutions and
processes that enable them to protect, discover, classify and monitor data.
: TEXT WITH EEA RELEVANCE :
173) This Regulation should apply to all matters concerning the protection of fundamental
rights and freedoms vis-à-vis the processing of personal data which are not subject to
specific obligations with the same objective set out in Directive 2002/58/EC of the European
Parliament and of the Council, including the obligations on the controller and the rights of
natural persons.
: GDPR ARTICLES :
ARTICLE 1 : Subject-matter and objectives :
1. This Regulation lays down rules relating to the protection of
natural persons with regard to the processing of personal data and
rules relating to the free movement of personal data.
2. This Regulation protects fundamental rights and freedoms of
natural persons and in particular their right to the protection of
personal data.
3. The free movement of personal data within the Union shall be
neither restricted nor prohibited for reasons connected with the
protection of natural persons with regard to the processing of
personal data.
ARTICLE 2 : GDPR
2. This Regulation does not apply to the processing of personal data:
(a) in the course of an activity which falls outside the scope of Union law
(b) by the Member States when carrying out activities which fall within the
scope of Chapter 2 of Title V of the TEU
(c) by a natural person in the course of a purely personal or household
activity
(d) by competent authorities for the purposes of the prevention, investigation,
detection or prosecution of criminal offences or the execution of criminal
penalties, including the safeguarding against and the prevention of threats
to public security.
ARTICLE 3 : TERRITORIAL SCOPE
1. This Regulation applies to the processing of
personal data in the context of the activities of an
establishment of a controller or a processor in the
Union, regardless of whether the processing takes
place in the Union or not.
ARTICLE 4 : DEFINITIONS
For the purposes of this Regulation :
1) ‘personal data’ means any information relating to an identified or identifiable
natural person (‘data subject’); an identifiable natural person is one who can be
identified, directly or indirectly, in particular by reference to an identifier such as
a name, an identification number, location data, an online identifier or to one or
more factors specific to the physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person.
7) ‘controller’ means the natural or legal person, public authority, agency or other
body which, alone or jointly with others, determines the purposes and means of
the processing of personal data; where the purposes and means of such processing
are determined by Union or Member State law, the controller or the specific
criteria for its nomination may be provided for by Union or Member State law
12) ‘personal data breach’ means a breach of security leading to the accidental or
unlawful destruction, loss, alteration, unauthorised disclosure of, or access to,
personal data transmitted, stored or otherwise processed.
ARTICLE 5 :
PRINCIPLES RELATING TO PROCESSING OF
PERSONAL DATA
1. Personal data shall be :
a) processed lawfully, fairly and in a transparent manner in relation to the data
subject (‘lawfulness, fairness and transparency’)
c) adequate, relevant and limited to what is necessary in relation to the purposes for
which they are processed (‘data minimisation’)
d) accurate and, where necessary, kept up to date; every reasonable step must be taken
to ensure that personal data that are inaccurate, having regard to the purposes for
which they are processed, are erased or rectified without delay (‘accuracy’)
f) accurate and, where necessary, kept up to date; every reasonable step must be taken
to ensure that personal data that are inaccurate, having regard to the purposes for
which they are processed, are erased or rectified without delay (‘accuracy’)
ARTICLE 6 :
LAWFULNESS OF PROCESSING
1. Processing shall be lawful only if and to the extent that at least one of the
following applies:
(a) the data subject has given consent to the processing of his or her personal
data for one or more specific purposes.
ARTICLE 7 :
CONDITIONS FOR CONSENT
1. Where processing is based on consent, the
controller shall be able to demonstrate that the
data subject has consented to processing of his or
her personal data.
ARTICLE 9 :
PROCESSING OF SPECIAL CATEGORIES OF
PERSONAL DATA
1. Processing of personal data revealing racial or ethnic
origin, political opinions, religious or philosophical
beliefs, or trade union membership, and the processing of
genetic data, biometric data for the purpose of uniquely
identifying a natural person, data concerning health or
data concerning a natural person's sex life or sexual
orientation shall be prohibited.
ARTICLE 21 :
RIGHT TO OBJECT
2. Where personal data are processed for direct
marketing purposes, the data subject shall have the
right to object at any time to processing of personal
data concerning him or her for such marketing,
which includes profiling to the extent that it is
related to such direct marketing.
ARTICLE 33 :
NOTIFICATION OF A PERSONAL DATA BREACH TO THE
SUPERVISORY AUTHORITY
1. In the case of a personal data breach, the controller shall without undue
delay and, where feasible, not later than 72 hours after having become
aware of it, notify the personal data breach to the supervisory authority
competent in accordance with Article 55, unless the personal data breach
is unlikely to result in a risk to the rights and freedoms of natural persons.
Where the notification to the supervisory authority is not made within
72 hours, it shall be accompanied by reasons for the delay.
2. The processor shall notify the controller without undue delay after
becoming aware of a personal data breach.
ARTICLE 34 :
COMMUNICATION OF A PERSONAL DATA BREACH
TO THE DATA SUBJECT
1. When the personal data breach is likely to result
in a high risk to the rights and freedoms of natural
persons, the controller shall communicate the
personal data breach to the data subject without
undue delay.
ARTICLE 52 :
INDEPENDENCE :
1. Each supervisory authority shall act with
complete independence in performing its tasks and
exercising its powers in accordance with this
Regulation.
ARTICLE 82 :
RIGHT TO COMPENSATION AND LIABILITY
1. Any person who has suffered material or non-
material damage as a result of an infringement of
this Regulation shall have the right to receive
compensation from the controller or processor for
the damage suffered.
ARTICLE 83 :
GENERAL CONDITIONS FOR IMPOSING
ADMINISTRATIVE FINES
6. Non-compliance with an order by the supervisory
authority as referred to in Article 58(2) shall, in
accordance with paragraph 2 of this Article, be subject to
administrative fines up to 20,000,000 EUR, or in the case
of an undertaking, up to 4% of the total worldwide
annual turnover of the preceding financial year,
whichever is higher.
GDPR HAS TWO SIGNIFICANT PLAYERS
GDPR
CONTROLLER
Who asks for personal
data and is duty bound
to inform and take
informed consent as to
how they use one’s
personal data.
PROCESSOR
Who cannot mine the
personal data in violation of
the regulations.
Both the Controller and the Processor are responsible for data
breaches in organizations.
The Processor only processes the data as per the direction of the
Controller.
: IMPACT :
• GDPR already has a global impact on consumers in respect of Personally Identifiable
Information.
• The GDPR has expanded the very definition of personal data.
• The companies dealing with personal data have to notify any breach of data or
hacking of the data of the organization concerning the personal data of the citizens
of all the countries within 72 hours.
• People also say that GDPR is a de facto world regulation.
• The penalty in GDPR is severe. Non-compliance with the regulations will result in a fine
from 10 Million to 20 Million Euro or 2% to 4% of annual global turnover,
BRIGHTER SIDE OF THE GDPR
• Companies will get a chance to reorganise their digital infrastructure and may
earn the confidence of global citizens.
• The personal data of the citizens will be protected.
• GDPR is a preparation ground for the legislatures of the entire world for
drafting and getting their data privacy laws.
: EFFECTS :
• GDPR is a journey and not a destination, as in fact it is an ongoing, continuous
compliance. After full compliance with GDPR, organisations have to show reasons
to hold data and keep it safe. The companies have to obtain your consent if they
want to keep your information.
• Every country other than the European countries is closely watching and
following the aftermath of the GDPR coming into effect.
• The cost of GDPR compliance is very high for companies, and it is not a one-time
investment but a journey with an ongoing process, and hence continuous expenditure
has to be incurred.
• Given the existing corporate structure of India, the big question is whether the
: COMPLIANCE :
The compliance cost of GDPR is very high for companies, as they have to make a huge initial
investment in GDPR-compliant infrastructure within the company.
For compliance with GDPR, a company should put stress on the following issues:
• The type of personal data collected, stored and used.
• Whether the workings of the company come within the scope of GDPR.
• The scope and definition of Data Processor and Data Controller in the company.
• The company’s Data Breach Response Plan.
• The company’s high-level responsibility for data security.
As per a 2018 report from a reliable source, 60% of the companies of the world have to spend
one million dollars on GDPR compliance.
: OBLIGATIONS :
In compliance with GDPR, corporates have the following
obligations.
Obligations to -
• implement privacy by design (relevant to Articles 25 and 32 of
GDPR)
• perform data protection impact assessments (relevant to Article
35 of GDPR)
• report data breaches (relevant to Articles 33 and 34 of GDPR)
• appoint a Data Protection Officer (relevant to Article 37 of GDPR)
• ask for consent for direct marketing
• explain the purpose of data collection to the consumer
: SECTORS TO COMPLY :
• Companies which collect huge amounts of data, for example telecom, insurance, health
and personal data, banking or financial data.
• Companies working on data analytics and artificial intelligence.
• Companies having online web, app and mobile data services.
• Blogs and websites having a log-in page.
• Companies dealing with the personal data of an individual like email, phone
number, date of birth, national identifiers.
• Organizations dealing with online identification like cookies, IP address,
GPS data, religious and political views, sexual orientation.
• Companies dealing with children’s information.
• Online service providers who are processing the data of customers who deal
with EU citizens’ data.
: HOW TO FACE THE CHALLENGE :
• Every organization should care about GDPR
to face and prepare for the Indian data
privacy legislation (i.e. Personal Data Privacy
Bill, if converted into an ACT) about to come
shortly.
• Finding out whether the company or
organization is a data controller or data
processor.
• Scan the data transfer process between the
company and the third party.
• Need to detail the personal data which is
collected in the system and determine
whether the data can be automatically deleted
and can be ported.
• Keeping details of the consent obtained
from the person whose personal data is
used.
• To have a periodical review policy to see
• Having a good information security
practice/standard to protect the personal
data of an individual.
• Good planning to cover the various GDPR
compliances.
• The company’s data controller and data
processor have to frame a policy and
philosophy to minimize the exposure of
the personal data they are using and to
stick to using it only for the consented/approved
purpose.
• Companies should frame a design for a
cyber security policy to minimize any data
breach.
• Make or assign a dedicated individual or
group of individuals who will focus on
compliance with GDPR.
• Scan within the organizations all the
CONSEQUENCES OF NON-COMPLIANCE
Companies may lose –
• their customers,
• trust in the broader market
• May bear the cost of getting new customers
• Bear the cost of a huge fine
• Will face cyber security issues and frequent data
breaches
• May not avail the competitive advantage
: RELATIONSHIP :
BETWEEN GDPR AND AI & DATA ANALYTICS
The GDPR and its requirements have greatly challenged the operation and use of
Artificial Intelligence and Data Analytics in the following ways :
As per GDPR there has to be clear and unambiguous consent from the person
whose personal data are being used.
The algorithms of AI and Data Analytics have to be fair and should not result in bias and
discrimination.
The personal data should be used for the consented purpose.
Clarity as to who will be Controllers and who will be Processors.
Every individual whose personal data are used must be allowed to access their personal
data.
Data are to be used and held for the consented specific purpose, not other than that.
There cannot be any lack of accuracy resulting in discrimination.
There cannot be any lack of security measures, or any risk and accountability issues.
: EFFECTS OF GDPR IN INDIA :
Laws are grounded in territory, but this territoriality of law no longer
applies strictly, since the GDPR is applied in countries other than the
European countries as well.
• Europe is a large market for IT as well as IT-enabled industries,
specially the BPO and Pharma sectors.
• Large numbers of employees are engaged in providing out-sourced work to
different entities of various European countries.
• A company sitting outside Europe collecting and processing data has to
comply with the stringent GDPR.
• In complying with the GDPR the Indian companies will gear up and prepare
: EQUIVALENT PRIVACY LAW IN INDIA :
Section 43A. COMPENSATION
FOR FAILURE TO PROTECT
DATA
Where a body corporate,
possessing, dealing or handling
any sensitive personal data or
information in a computer
resource which it owns, controls
or operates, is negligent in
implementing and maintaining
reasonable security practices
and procedures and thereby
causes wrongful loss or wrongful
gain to any person, such body
corporate shall be liable to pay
damages by way of
compensation to the person so
affected.
Section 72. PENALTY FOR
BREACH OF CONFIDENTIALITY
AND PRIVACY
Save as otherwise provided in this
Act or any other law for the time
being in force, if any person who,
in pursuance of any of the powers
conferred under this Act, rules or
regulations made thereunder, has
secured access to any electronic
record, book, register,
correspondence, information,
document or other material
without the consent of the person
concerned discloses such
electronic record, book, register,
correspondence, information,
document or other material to any
other person shall be punished
with imprisonment for a term
which may extend to two years, or
with fine which may extend to one
lakh rupees, or with both.
Section 72A. PUNISHMENT FOR
DISCLOSURE OF INFORMATION
IN BREACH OF LAWFUL
CONTRACT
Save as otherwise provided in this
Act or any other law for the time
being in force, any person
including an intermediary who,
while providing services under the
terms of lawful contract, has
secured access to any material
containing personal information
about another person, with the
intent to cause or knowing that he
is likely to cause wrongful loss or
wrongful gain discloses, without
the consent of the person
concerned, or in breach of a lawful
contract, such material to any
other person, shall be punished
with imprisonment for a term
which may extend to three years,
or with fine which may extend to
five lakh rupees, or with both.
THE INFORMATION TECHNOLOGY ACT, 2008 as AMENDED
BUT THE ABOVE PROVISIONS ARE NOT ADEQUATE IN LIGHT OF
THIS COMPLEX SITUATION ESPECIALLY IN LIGHT OF USE OF
PERSONALLY IDENTIFIABLE DATA OF THE CONSUMER BY THE
CORPORATES PROCESSED THROUGH VARIOUS ALGORITHM OF
ARTIFICIAL INTELLIGENCE AND DATA ANALYTICS.
INFORMATION TECHNOLOGY (REASONABLE SECURITY PRACTICES AND
PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION) RULES,
2011
Section 2.(1)(i) "Personal information" means any information that relates to a
natural person, which, either directly or indirectly, in combination with other
information available or likely to be available with a body corporate, is capable of
identifying such person.
Section 3. Sensitive personal data or information.— Sensitive personal data or
information of a person means such personal information which consists of
information relating to;—
(i) password;
(ii) financial information such as Bank account or credit card or debit card or other payment instrument details
(iii) physical, physiological and mental health condition
(iv) sexual orientation
(v) medical records and history;
(vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for providing service; and
(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.
OTHER RULES ARE :
Section 4. Body corporate to provide policy for privacy and
disclosure of information
Section 5. Collection of information
Section 6. Disclosure of information
Section 7. Transfer of information
Section 8. Reasonable Security Practices and Procedures
THE RIGHT TO PRIVACY IS A FUNDAMENTAL RIGHT
AS WELL AS
THE PRIVACY PROTECTION IS NOTHING
BUT DATA PROTECTION IN TODAY’S WORLD
THE RENOWNED JUDGEMENT OF THE HON’BLE SUPREME
COURT OF INDIA IN RESPECT TO THE RIGHT TO PRIVACY IS
DETAILED BELOW -
(2017) 10 SCC 1
JUSTICE K S PUTTASWAMY (RETD.), AND ANR. - VS – UNION OF INDIA AND ORS.
• “ 77. The right of privacy is a fundamental right. It is a right which protects the inner sphere of the
individual from interference from both State, and non-State actors and allows the individuals to make
autonomous life choices.
• 78. It was rightly expressed on behalf of the petitioners that the technology has made it possible to enter a
citizen’s house without knocking at his/her door and this is equally possible both by the State and non-State
actors. It is an individual’s choice as to who enters his house, how he lives and in what relationship. The
privacy of the home must protect the family, marriage, procreation and sexual orientation which are all
important aspects of dignity.
• 79. If the individual permits someone to enter the house it does not mean that others can enter the house.
The only check and balance is that it should not harm the other individual or affect his or her rights. This
applies both to the physical form and to technology. In an era where there are wide, varied, social and
cultural norms and more so in a country like ours which prides itself on its diversity, privacy is one of the
most important rights to be protected both against State and non-State actors and be recognized as a
fundamental right. How it thereafter works out in its inter-play with other fundamental rights and when
such restrictions would become necessary would depend on the factual matrix of each case. That it may give
rise to more litigation can hardly be the reason not to recognize this important, natural, primordial right as
a fundamental right. ”
“ 83. Let the right of privacy, an inherent right, be unequivocally a fundamental right embedded in part-III
of the Constitution of India, but subject to the restrictions specified, relatable to that part. This is the call of
today. ……………………….. ”
“ 2. The reference is disposed of in the following terms:
………………….. (iii) The right to privacy is protected as an intrinsic part of the right to life and personal
liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution. ”
“ SRIKRISHNA COMMITTEE ”
The committee was entrusted to come up with a solution, and we
got the recent Personal Data Protection Bill, 2018, which has
not been converted into an Act till date.
In the judgement of
JUSTICE K S PUTTASWAMY (RETD.), AND ANR. - vs – UNION OF INDIA AND ORS. (2017) 10 SCC 1
we got a new term in our legal parlance, and that is information privacy.
PERSONAL DATA PROTECTION BILL, 2018
WHEREAS the right to privacy is a fundamental right and it is necessary to protect personal data as an essential
facet of informational privacy;
WHEREAS the growth of the digital economy has meant the use of data as a critical means of communication
between persons;
WHEREAS it is necessary to create a collective culture that fosters a free and fair digital economy, respecting the
informational privacy of individuals, and ensuring empowerment, progress and innovation;
AND WHEREAS it is expedient to make provision: to protect the autonomy of individuals in relation with their
personal data, to specify where the flow and usage of personal data is appropriate, to create a relationship of trust
between persons and entities processing their personal data, to specify the rights of individuals whose personal data
are processed, to create a framework for implementing organisational and technical measures in processing personal
data, to lay down norms for cross-border transfer of personal data, to ensure the accountability of entities processing
personal data, to provide remedies for unauthorised and harmful processing, and to establish a Data Protection
Authority for overseeing processing activities.
As per Section 69. Penalties.—
(1) Where the data fiduciary contravenes ……………….., it shall be liable to a penalty which may extend up to five crore
rupees or two per cent of its total worldwide turnover of the preceding financial year, whichever is higher, as applicable.
(2) Where a data fiduciary contravenes …………………, it shall be liable to a penalty which may extend up to fifteen crore
rupees or four per cent of its total worldwide turnover of the preceding financial year, whichever is higher, as applicable.
As per Section 70. Penalty for failure to comply with data principal requests under Chapter
VI.—
Where, any data fiduciary, without any reasonable explanation, fails to comply with any request made by a data principal
under Chapter VI of this Act, such data fiduciary shall be liable to a penalty of five thousand rupees for each day during which
such default continues, subject to a maximum of ten lakh rupees in case of significant data fiduciaries and five lakh rupees in
other cases.
the compliance of Section 27 (Right to Be Forgotten) or connected sections will not be
easy.
• Relating to Section 40 (Restrictions on Cross-Border Transfer of Personal Data), not
every data fiduciary has a server or data centre located in India.
• In the wake of large-scale use of cloud and other virtual servers or data centres, it will be
difficult to comply with the provision of Section 41 (Conditions for Cross-Border Transfer of
Personal Data).
• The provision of Section 65 (Action to be taken by Authority pursuant to an inquiry) is
welcome, as we need a base work or basic infrastructure before embracing the stringent part
of it.
• The monetary punishment as per Section 69 (Penalties) may be harsher for small
Indian entities.
• For proper implementation of Chapter XI (PENALTIES AND REMEDIES), proper
training, sensitization and orientation are a must. There is a need for mass awareness of data privacy
culture, otherwise whatever progressive provisions it has will not be of any use to the
society.
• As regards Section 94 (Power to investigate offences), the investigating power may be
given even to a sub-inspector, but he should have the necessary technical knowledge...to be
DATA PORTABILITY AND RIGHT TO BE FORGOTTEN AND INTELLECTUAL PROPERTY
RIGHT
The important question is whether, in case of data portability, handing over the data
or erasing the data, the raw file will be used or the processed data of the
customer will be used. In the case of processed data there is always a
question of intellectual property right as to who has processed the data.
ROLE OF DATA PROTECTION OFFICER (D.P.O.)
The Data Protection Officer has a very crucial role in an organization in
compliance with GDPR. The D.P.O. is liable for supervising the company’s data protection
strategy and its implementation, to see that the GDPR is fully complied with. GDPR
provides for the mandatory appointment of a DPO at every organization which deals
with processing and storing the personal data of the citizens of Europe.
SECTION 43A OF I.T. ACT
“ THE FIRST SCHEDULE (See Section 111) AMENDMENT TO THE
INFORMATION TECHNOLOGY ACT, 2000 (21 of 2000)
Deletion of section 43A. — Section 43A of the Information Technology Act, 2000
(hereinafter referred to as the principal Act) shall be omitted. ”
With the Personal Data Protection Bill, 2018 coming into effect as an Act, as
per the First Schedule, Section 43A of the Information Technology Act, 2000
will be omitted. Hence this rule will lose its effect from then.
In India the biggest issue is not the LAW or the
efficient LEGISLATION but the IMPLEMENTATION
OF THE SAME.
Had the spirit of Sections 43, 43A and 72A and the
Rules, 2011 been followed in implementing policies in
corporates dealing with personal data,
THE ALARMING SITUATION IN COMPLYING WITH
GDPR AS IN EXISTENCE TODAY WOULD NOT HAVE ARISEN.
: GDPR AND BLOCKCHAIN :
• Blockchain can help to make data secure, but blockchain is immutable,
i.e. information in the blockchain cannot be changed, and it is
decentralised, WHILE GDPR is designed for centralised organisations with
a controller and a processor.
• Again, GDPR wants a right to be forgotten WHILE in blockchain the
information and data cannot be changed.
• Again, a person participating in a blockchain is, in the strict sense of GDPR, a
controller, and the blockchain itself a processor.
Hence, there is a big question as to whether the GDPR is applicable to
blockchain and, if not, whether the regulation is going to change or the
very concept of the blockchain is going to change.
: GDPR & INTERNET OF THINGS (I.O.T) :
I.O.T. has witnessed growth and it is estimated that by the year 2020 there will be 50 billion
I.O.T. devices connecting to the internet. Among the various legal challenges the I.O.T. is going to
face, data protection and security and information privacy are the most prominent
ones. In the case of I.O.T. using connected devices there is a lack of control over the data and
information, and in many cases the users are not aware of the use of their data
without their consent.
• With the inception of GDPR the growth of I.O.T. is being challenged. With the
implementation of the GDPR concerning privacy on the internet, the applications and
growth of I.O.T. require a thorough information assessment as to the use of the personal
data of the user.
• The GDPR is going to greatly affect the way smart devices are manufactured and
used, and change the business model behind them.
• The requirements of data portability and the right to be forgotten are hard to comply with in the case
of smart devices.
• Smart device builders need to be more concerned about the personal data of the user.
• From design to manufacture and final disposal, in the whole life cycle of a smart device the
data privacy policy should be taken care of in order to comply with the GDPR, which will be more
ethical also.
• As per a 2016 survey about 2/3rd of IoT devices do not meet the proper standard.
: CLOUDS & GDPR :
In GDPR both the CONTROLLER and the PROCESSOR of personal data are liable, hence Clouds are not
exempted from GDPR enforcement.
Cloud service companies, even those located outside the European Union,
need to comply with GDPR if they deal with the data of EU citizens.
Data collected from customers should not be more than is mentioned in
the pre-defined purpose.
All data in the Cloud should be managed in line with GDPR.
Even companies who receive the Cloud service are responsible
for violation or infringement of data in the same way as the Cloud
service provider, and thus the clients of the Cloud service provider
are also required to safeguard their data and see that the cloud
provider complies with the GDPR.
If the data is not further required it should be removed from the
Cloud.
: GDPR AND BIG DATA ANALYSIS :
Since May, 2018, when GDPR came into being, people started to apprehend
that the progress of big data analytics would be slowed down, but experts say
that big data will survive any impact of data protection laws. On the other
side, GDPR and similar data privacy laws will create trust in the data analytics
process, but in that case a thorough privacy impact assessment of the existing
data model is required for compliance with the GDPR.
The process of big data analytics has to comply with the GDPR when
processing the personal data of the people of the European Union.
The people of the European Union have to be told specifically and
unambiguously the purpose of use of personal data when the consent is
Europe has more than 30 years’ exposure to the Privacy Law framework, but India has only
drafted the bill, barring a few sections in the Information Technology Act.
We are just making our trial through GDPR compliance for the personal data of the
EU. We need to be GDPR-ready to save our business as well as to build a culture of good data privacy and
information practice, which will in return help our corporates in the
long run. There is a debate as to whether our Personal Data Protection Bill is a copy of the
GDPR, but that is not the real issue. The issue is whether we are ready to comply with the
regulation, or whether our corporates who earn their livelihood processing or dealing with EU citizens’ data
will collapse.
Whether India is ready ?
THANKS FOR PAYING
ATTENTION
TO
MR. BIVAS CHATTERJEE
SPECIAL P.P.
CYBER CRIME AND ELECTRONICS EVIDENCE
RELATED CASES
GOVERNMENT OF WEST BENGAL
BLOG : CYBER CHATTERJEE:
CYBERCHATTERJEE.BLOGSPOT.COM
Contact No. –
9830158159
E-mail ID –
bivas.chatterjee@gmail.com
Blog:
https://cyberchatterjee.blogspot.com/

General Data Protection Regulation (GDPR) | Privacy Law in India |

  • 1. THE GLOBAL ISSUE OF GDPR PRESENTED BY MR. BIVAS CHATTERJEE
  • 2. DATA IS THE ‘AIR’OF THE MODERNLIFESTYLE
  • 3. : DATA AND THE MODERN ERA : The different types of Personally Identifiable Information i.e. person’s name, picture, contact details, location data, race, sexual orientation, Social security number, location, online identifiers and genetic information and face orientation are all been collected by invisible data broker. There are invisible data brokers, who, without our knowledge collecting, packaging and selling our personal
  • 4. Today with the more and more use of various algorithm the strain relationship of law and data analytics or Artificial Intelligence are becoming prominent. The intention of the privacy legislation is to put a tap on unauthorized collection, share management and use of one’s personal data.
  • 5. : EXAMPLE : Recently, a family in USA alleged that their private conversations in their house was collected and spied by smart speakers of a AI enabled IOT devise and sent the conversations to the persons in the contact list.
  • 6. GDPR G - GENERAL D - DATA P - PROTECTION R - REGULATIONS
  • 7. Europe has its PRIVACY LAW or DIRECTIVES since 1990 and 1994 long before the GDPR came into effect. It was placed in April, 2016 by EU Parliament It came into effect on May 25th, 2018 It has 99 articles and over 200 Pages of long and complex regulations Companies who have no physical existence but collecting and processing the personal data of Europe are governed by these regulations. GDPR IS THE BIGGEST REVOLUTION IN THE DATA PROTECTION LAW OF THE WORLD
  • 8. GDPR GDPR concerns on transfer of personal data outside Europe. Data subject’s consent must be clear, freely given, informed and specific and can be withdrawn without any consequence. The main function of GDPR is to protect the personal data of an individual assuring its proper security, governance, management and help in preventing personal data of the individual not being misused. In GDPR compliance, companies have to implement solutions and processes that enable it to protect, discover, classify and monitor data.
  • 9. : TEXT WITH EEA RELEVANCE : 173) This Regulation should apply to all matters concerning the protection of fundamental rights and freedoms vis-à-vis the processing of personal data which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC of the European Parliament and of the Council, including the obligations on the controller and the rights of natural persons.
  • 10. : GDPR ARTICLES : ARTICLE 1 : Subject-matter and objectives : 1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. 2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. 3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
  • 11. ARTICLE 2 : GDPR 2. This Regulation does not apply to the processing of personal data: (a) in the course of an activity which falls outside the scope of Union law (b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU (c) by a natural person in the course of a purely personal or household activity (d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
  • 12. ARTICLE 3 : TERRITORIAL SCOPE 1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
  • 13. ARTICLE 4 : DEFINITIONS For the purposes of this Regulation : 1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law 12) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  • 14. ARTICLE 5 : PRINCIPLES RELATING TO PROCESSING OF PERSONAL DATA 1. Personal data shall be : a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’) c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’) d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’) f) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
  • 15. ARTICLE 6 : LAWFULNESS OF PROCESSING 1. Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  • 16. ARTICLE 7 : CONDITIONS FOR CONSENT 1.Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data’
  • 17. ARTICLE 9 : PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA 1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
  • 18. ARTICLE 21 : RIGHT TO OBJECT 2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
  • 19. ARTICLE 33 : NOTIFICATION OF A PERSONAL DATA BREACH TO THE SUPERVISORY AUTHORITY 1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. 2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
  • 20. ARTICLE 34 : COMMUNICATION OF A PERSONAL DATA BREACH TO THE DATA SUBJECT 1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
  • 21. ARTICLE 52 : INDEPENDENCE : 1. Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation.
  • 22. ARTICLE 82 : RIGHT TO COMPENSATION AND LIABILITY 1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
  • 23. ARTICLE 83 : GENERAL CONDITIONS FOR IMPOSING ADMINISTRATIVE FINES 6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
  • 24. GDPR HAS TWO SIGNIFICANT PLAYERS CONTROLLER: Who asks for personal data and is duty bound to inform and take informed consent as to how they use one’s personal data. PROCESSOR: Who cannot mine the personal data in violation of the regulations. Both the Controller and Processors are responsible for data breaches in organizations. The Processor only processes the data as per the direction of the Controller.
  • 25. : IMPACT : • GDPR already has a global impact on consumers in the case of Personally Identifiable Information. • The GDPR has expanded the very definition of personal data. • Companies dealing with personal data have to notify any breach or hacking of the organization's data concerning the personal data of the citizens of all the countries within 72 hours. • People also say that GDPR is a de facto world regulation. • The penalty in GDPR is severe. Non-compliance with the regulations will result in a fine from 10 million to 20 million Euro or 2% to 4% of annual global turnover,
  • 26. BRIGHTER SIDE OF THE GDPR • Companies will get a chance to reorganise their digital infrastructure and may earn the confidence of global citizens. • The personal data of the citizens will be protected. • GDPR is a preparation ground for the legislatures of the entire world for drafting and getting their data privacy law
  • 27. : EFFECTS : • GDPR is a journey and not a destination; in fact, it is ongoing, continuous compliance. After full compliance with GDPR, organisations have to show reasons to hold data and keep it safe. Companies have to obtain your consent if they want to keep your information. • Every country other than the European countries is closely watching and following the aftermath of GDPR coming into effect. • The cost of GDPR compliance is very high for companies, and it is not a one-time investment but a journey with an ongoing process, and hence continuous expenditure has to be incurred. • Given the existing corporate structure of India, the big question is whether the
  • 28. : COMPLIANCE : The compliance cost of GDPR is very high for companies, as they have to make a huge initial investment in a GDPR-compliant infrastructure within the company. In complying with GDPR, a company should put stress on the following issues: • The type of personal data collected, stored and used. • Whether the workings of the company come within the scope of GDPR. • The scope and definition of Data Processor and Data Controller in the company. • The company’s Data Breach Response Plan. • The company’s high-level responsibility for data security. As per a reliable 2018 report, 60% of the companies of the world have to spend one million dollars on GDPR compliance.
  • 29. : OBLIGATIONS : In complying with GDPR, corporates have the following obligations. Obligations to: • implement privacy by design (relevant to Articles 25 and 32 of GDPR) • perform data protection impact assessments (relevant to Article 35 of GDPR) • report data breaches (relevant to Articles 33 and 34 of GDPR) • appoint a Data Protection Officer (relevant to Article 37 of GDPR) • ask for consent for direct marketing • explain the purpose of data collection to the consumer
  • 30. : SECTORS TO COMPLY : • Companies which collect huge amounts of data, for example telecom, insurance, health and personal data, banking or financial data. • Companies working on data analytics and artificial intelligence. • Companies having online web, app and mobile data services. • Blogs and websites having a login page. • Companies dealing with the personal data of an individual, like email, phone number, date of birth and national identifiers. • Organizations dealing with online identifiers such as cookies, IP address and GPS data, and with religious and political views and sexual orientation. • Companies dealing with children's information. • Online service providers processing the data of customers who deal with EU citizens' data.
  • 31. : HOW TO FACE THE CHALLENGE : • Every organization should care about GDPR to face and prepare for the Indian data privacy legislation (i.e. the Personal Data Privacy Bill, if converted into an Act) about to come shortly. • Find out whether the company or organization is a data controller or a data processor. • Scan the data transfer process between the company and third parties. • Detail the personal data which is collected in the system and determine whether the data can be automatically deleted and can be ported. • Keep details of the consent obtained from the person whose personal data is used. • Have a periodical review policy to see • Have a good information security practice/standard to protect the personal data of an individual • Plan well to cover the various GDPR compliances • A company's data controller and data processor have to frame a policy and philosophy to minimize the exposure of the personal data they are using and to stick to using it only for the consented/approved purpose • Companies should design a cyber security policy to minimize any data breach • Assign a dedicated individual or group of individuals who will focus on compliance with GDPR • Scan within the organizations all the
  • 32. CONSEQUENCES OF NON-COMPLIANCE Companies may: • lose their customers • lose trust in the broader market • bear the cost of getting new customers • bear the cost of a huge fine • face cyber security issues and frequent data breaches • not avail the competitive advantage
  • 33. : RELATIONSHIP : BETWEEN GDPR AND AI & DATA ANALYTICS The GDPR and its requirements have greatly challenged the operation and use of Artificial Intelligence and Data Analytics in the following ways: As per GDPR there has to be clear and unambiguous consent from the person whose personal data are being used. The algorithms of AI and Data Analytics have to be fair and should not result in bias and discrimination. Personal data should be used for the consented purpose. There must be clarity as to who will be Controllers and who will be Processors. Every individual whose personal data are used must be allowed to access their personal data. Data are to be used and held for the specific consented purpose and no other. There cannot be any lack of accuracy resulting in discrimination. There cannot be any lack of security measures, nor any risk and accountability issues.
  • 34. : EFFECTS OF GDPR IN INDIA : Laws are grounded in territory, but this territoriality of law no longer strictly holds, given the application of GDPR in countries outside Europe. • Europe is a large market for IT as well as IT-enabled industries, especially the BPO and Pharma sectors. • Large numbers of employees are engaged in providing outsourced work for different entities of various European countries. • A company sitting outside Europe collecting and processing data has to comply with the stringent GDPR. • In complying with the GDPR, Indian companies will gear up and prepare
  • 35. : EQUIVALENT PRIVACY LAW IN INDIA : Section 43A. COMPENSATION FOR FAILURE TO PROTECT DATA Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected. Section 72. PENALTY FOR BREACH OF CONFIDENTIALITY AND PRIVACY Save as otherwise provided in this Act or any other law for the time being in force, if any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both. Section 72A. PUNISHMENT FOR DISCLOSURE OF INFORMATION IN BREACH OF LAWFUL CONTRACT Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both. THE INFORMATION TECHNOLOGY ACT, 2008 as AMENDED
  • 36. BUT THE ABOVE PROVISIONS ARE NOT ADEQUATE IN LIGHT OF THIS COMPLEX SITUATION ESPECIALLY IN LIGHT OF USE OF PERSONALLY IDENTIFIABLE DATA OF THE CONSUMER BY THE CORPORATES PROCESSED THROUGH VARIOUS ALGORITHM OF ARTIFICIAL INTELLIGENCE AND DATA ANALYTICS.
  • 37. INFORMATION TECHNOLOGY (REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION) RULES, 2011 Section 2.(1)(i) "Personal information" means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person. Section 3. Sensitive personal data or information.— Sensitive personal data or information of a person means such personal information which consists of information relating to;— (i) password; (ii) financial information such as Bank account or credit card or debit card or other payment instrument details (iii)physical, physiological and mental health condition (iv)sexual orientation (v) medical records and history; (vi) Biometric information; (vii) any detail relating to the above clauses as provided to body corporate for providing service; and (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.
  • 38. OTHER RULES ARE : Section 4. Body corporate to provide policy for privacy and disclosure of information Section 5. Collection of information Section 6. Disclosure of information Section 7. Transfer of information Section 8. Reasonable Security Practices and Procedures
  • 39. THE RIGHT TO PRIVACY IS A FUNDAMENTAL RIGHT AS WELL AS THE PRIVACY PROTECTION IS NOTHING BUT DATA PROTECTION IN TODAY’S WORLD THE RENOWNED JUDGEMENT OF THE HON’BLE SUPREME COURT OF INDIA IN RESPECT TO THE RIGHT TO PRIVACY IS DETAILED BELOW -
  • 40. (2017) 10 SCC 1 JUSTICE K S PUTTASWAMY (RETD.), AND ANR. - VS – UNION OF INDIA AND ORS. • “ 77. The right of privacy is a fundamental right. It is a right which protects the inner sphere of the individual from interference from both State, and non-State actors and allows the individuals to make autonomous life choices. • 78. It was rightly expressed on behalf of the petitioners that the technology has made it possible to enter a citizen’s house without knocking at his/her door and this is equally possible both by the State and non-State actors. It is an individual’s choice as to who enters his house, how he lives and in what relationship. The privacy of the home must protect the family, marriage, procreation and sexual orientation which are all important aspects of dignity. • 79. If the individual permits someone to enter the house it does not mean that others can enter the house. The only check and balance is that it should not harm the other individual or affect his or her rights. This applies both to the physical form and to technology. In an era where there are wide, varied, social and cultural norms and more so in a country like ours which prides itself on its diversity, privacy is one of the most important rights to be protected both against State and non-State actors and be recognized as a fundamental right. How it thereafter works out in its inter-play with other fundamental rights and when such restrictions would become necessary would depend on the factual matrix of each case. That it may give rise to more litigation can hardly be the reason not to recognize this important, natural, primordial right as a fundamental right. ”
  • 41. “ 83. Let the right of privacy, an inherent right, be unequivocally a fundamental right embedded in part-III of the Constitution of India, but subject to the restrictions specified, relatable to that part. This is the call of today. ……………………….. ” “ 2. The reference is disposed of in the following terms: ………………….. (iii) The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution. ”
  • 42. “ SRIKRISHNA COMMITTEE ” The committee was entrusted to come up with a solution, and we got the recent Personal Data Protection Bill, 2018, which has not been converted into an Act till date. In the judgement of JUSTICE K S PUTTASWAMY (RETD.), AND ANR. - vs – UNION OF INDIA AND ORS. (2017) 10 SCC 1 we got a new term in our legal parlance, and that is information privacy.
  • 43. PERSONAL DATA PROTECTION BILL, 2018 WHEREAS the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy; WHEREAS the growth of the digital economy has meant the use of data as a critical means of communication between persons; WHEREAS it is necessary to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation; AND WHEREAS it is expedient to make provision: to protect the autonomy of individuals in relation with their personal data, to specify where the flow and usage of personal data is appropriate, to create a relationship of trust between persons and entities processing their personal data, to specify the rights of individuals whose personal data are processed, to create a framework for implementing organisational and technical measures in processing personal data, to lay down norms for cross-border transfer of personal data, to ensure the accountability of entities processing personal data, to provide remedies for unauthorised and harmful processing, and to establish a Data Protection Authority for overseeing processing activities.
  • 44. As per Section 69. Penalties.— (1) Where the data fiduciary contravenes ……………….., it shall be liable to a penalty which may extend up to five crore rupees or two per cent of its total worldwide turnover of the preceding financial year, whichever is higher, as applicable. (2) Where a data fiduciary contravenes …………………, it shall be liable to a penalty which may extend up to fifteen crore rupees or four per cent of its total worldwide turnover of the preceding financial year, whichever is higher, as applicable. As per Section 70. Penalty for failure to comply with data principal requests under Chapter VI.— Where, any data fiduciary, without any reasonable explanation, fails to comply with any request made by a data principal under Chapter VI of this Act, such data fiduciary shall be liable to a penalty of five thousand rupees for each day during which such default continues, subject to a maximum of ten lakh rupees in case of significant data fiduciaries and five lakh rupees in other cases.
  • 45. the compliance of Section 27 (Right to Be Forgotten) or connected sections will not be easy. • Relating to Section 40 (Restrictions on Cross-Border Transfer of Personal Data), not every data fiduciary has a server or data centre located in India. • In the wake of large-scale use of cloud and other virtual servers or data centres, it will be difficult to comply with the provision of Section 41 (Conditions for Cross-Border Transfer of Personal Data). • The provision of Section 65 (Action to be taken by Authority pursuant to an inquiry) is welcome, as we need a base work or basic infrastructure before embracing the stringent part of it. • The monetary punishment as per Section 69 (Penalties) may be harsher for small Indian entities. • For proper implementation of Chapter XI (PENALTIES AND REMEDIES), proper training, sensitization and orientation is a must; there is a need for mass awareness of data privacy culture, otherwise whatever progressive provisions it has will not be of any use to society. • As regards Section 94 (Power to investigate offences), the investigating power may be given even to a sub-inspector, but he should have the necessary technical knowledge...to be
  • 46. DATA PORTABILITY AND RIGHT TO BE FORGOTTEN AND INTELLECTUAL PROPERTY RIGHT The important question in the case of data portability, handing over the data or erasing the data is whether the raw file or the processed data of the customer will be used. In the case of processed data there is always a question of intellectual property rights, as to who has processed the data. ROLE OF DATA PROTECTION OFFICER (D.P.O.) The data protection officer has a very crucial role in an organization in the case of compliance with GDPR. The D.P.O. is liable for supervising the company’s data protection strategy and its implementation, to see that the GDPR is fully complied with. GDPR provides for mandatory appointment of a DPO at every organization which deals with processing and storing the personal data of the citizens of Europe.
  • 47. SECTION 43A OF I.T. ACT “ THE FIRST SCHEDULE (See Section 111) AMENDMENT TO THE INFORMATION TECHNOLOGY ACT, 2000 (21 of 2000) Deletion of section 43A. — Section 43A of the Information Technology Act, 2000 (hereinafter referred to as the principal Act) shall be omitted. ” When the Personal Data Protection Bill, 2018 comes into effect as an Act, Section 43A of the Information Technology Act, 2000 will be omitted as per the First Schedule. Hence this rule will lose its effect from then.
  • 48. In India the biggest issue is not the LAW or the efficient LEGISLATION but the IMPLEMENTATION OF THE SAME. Had the spirit of Sections 43, 43A and 72A and the Rules, 2011 been followed in implementing policies in corporates when dealing with personal data, THE ALARMING SITUATION IN COMPLYING WITH GDPR AS IN EXISTENCE TODAY WOULD NOT HAVE ARISEN.
  • 49. : GDPR AND BLOCKCHAIN : • Blockchain can help to make data secure, but blockchain is immutable, i.e. information in the blockchain cannot be changed, and it is decentralised, WHILE GDPR is designed for centralised organisations with a controller and a processor. • Again, GDPR wants a right to be forgotten WHILE in blockchain the information and data cannot be changed. • Again, a person participating in a blockchain is, in the strict sense of GDPR, a controller, and the blockchain itself a processor. Hence, there is a big question as to whether the GDPR is applicable to blockchain and, if not, whether the regulation is going to change or the very concept of the blockchain is going to change.
  • 50. : GDPR & INTERNET OF THINGS (I.O.T) : I.O.T. has witnessed growth, and it is estimated that by the year 2020 there will be 50 billion I.O.T. devices connected to the internet. Among the various legal challenges the I.O.T. is going to face, data protection and security and information privacy are the most prominent. With connected I.O.T. devices there is a lack of control over data and information, and in many cases the users are not aware that their data is being used without their consent. • With the inception of GDPR the growth of I.O.T. is getting challenged. With the implementation of the GDPR concerning privacy on the internet, the application and growth of I.O.T. require a thorough information assessment as to the use of the personal data of the user. • The GDPR is going to greatly affect the way smart devices are manufactured and used, and change the business model behind them. • The requirements of data portability and the right to be forgotten are hard to comply with in the case of smart devices. • Smart device builders need to be more concerned about the personal data of the user. • From design to manufacture and final disposal, in the whole life cycle of a smart device, the data privacy policy should be taken care of in order to comply with the GDPR, which will also be more ethical. • As per a 2016 survey, about 2/3rd of IOT devices do not meet the proper standard.
  • 51. : CLOUDS & GDPR : In GDPR both the CONTROLLER and the PROCESSOR of personal data are liable, hence Clouds are not exempted from GDPR enforcement. Cloud service companies, even those located outside the European Union, need to comply with GDPR if they deal with the data of EU citizens. Data collected from customers should not be more than is mentioned in the pre-defined purpose. All data in the Cloud should be managed in line with GDPR. Companies who receive the Cloud service are also responsible for violation or infringement of data in the same way as the Cloud service provider, and thus the clients of the Cloud service provider are also required to safeguard their data and see that the cloud provider complies with the GDPR. If the data is no longer required it should be removed from the Cloud.
  • 52. : GDPR AND BIG DATA ANALYSIS : Since May, 2018, when GDPR came into being, people started to apprehend that the progress of big data analytics would be slowed down, but experts say that big data will survive any impact of data protection laws. On the other side, GDPR and similar data privacy laws will create trust in the data analytics process, but in that case a thorough privacy impact assessment of the existing data model is required for compliance with the GDPR. The process of big data analytics has to comply with the GDPR when it is processing the personal data of the people of the European Union. The purpose of use of personal data has to be explained specifically and unambiguously to the people of the European Union when the consent is
  • 53. Europe has more than 30 years’ exposure to the privacy law framework, but India has only drafted the bill, barring a few sections in the Information Technology Act. We are just making our trial through GDPR compliance for personal data compliance of the EU. We need to be GDPR ready to save our business as well as to make data privacy or information good practice a culture, which will in return help our corporates in the long run. There is a debate as to whether our Personal Data Protection Bill is a copy of the GDPR, but that is not the real issue. The issue is whether we are ready to comply with the regulation, or whether our corporates who earn their livelihood processing or dealing with EU citizens’ data will collapse. Is India ready?
  • 54. THANKS FOR PAYING ATTENTION TO MR. BIVAS CHATTERJEE SPECIAL P.P. CYBER CRIME AND ELECTRONICS EVIDENCE RELATED CASES GOVERNMENT OF WEST BENGAL BLOG : CYBER CHATTERJEE: CYBERCHATTERJEE.BLOGSPOT.COM Contact No. – 9830158159 E-mail ID – bivas.chatterjee@gmail.com Blog: https://cyberchatterjee.blogspot.com/