Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

(SACON) Shivangi Nadkarni & Sandeep Rao - An introduction to Data Privacy


Published on

Data Privacy & Personal Data Protection has become a key driver today in dialogues involving data. India is at the cusp of getting its own law in place - one of the last few countries in the world to do so. However, the reality on the ground is that few people really understand what Data Privacy is all about. It is often confused with Data Security. This session seeks to de-mystify Data Privacy, giving an overview of the domain and how it is different from Data Security.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

(SACON) Shivangi Nadkarni & Sandeep Rao - An introduction to Data Privacy

  1. 1. SACONConfidential (c) Arrka, 2020 SACON International 2020 India | Bangalore | February 21 - 22 | Taj Yeshwantpur An Introduction to Data Privacy 1
  2. 2. SACON 2020 An Introduction to Data Privacy 2 • What is Personal Data? • An Overview of Privacy Principles & Rights • Relationship between Information Security and Privacy • How should an organization implement Privacy?
  3. 3. SACON 2020 When we talk Data Privacy, we talk Personal Data Any data that can – directly or indirectly - or in combination with other data – make a person ‘identifiable’ What is Personal Data? Device Identifiers Online Identifiers Social Media MarkersMetadata Data that has been processed using analytics that can identify a person Trackers & CookiesLocation Data Above – the – surface (ATS) Personal data Demographic/ Identity Data Health/ Biometric/Genetic/ Gender Data Political Affiliations/ Personal beliefs/ Criminal History/etc Financial Data Govt Ids Any compromise of this category of data can cause greater harm to the person as compared to other types of PD Sensitive Personal Data (SPD) Financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation* Further sub-categories Comprises: Personal Data (PD) Below – the – surface (BTS) Personal data
  4. 4. SACON 2020 Personal Data In Context Data Personal Data Sensitive Personal Data Data Privacy not Applicable Data Privacy Applicable
  5. 5. SACON 2020 Data Privacy Applies to Personal Data Processing Collection Recording Organisation Structuring Storage Alteration Transmission Dissemination Restriction Destruction Generation
  6. 6. SACON 2020 Roles in the Privacy Ecosystem Data Subject/ Principal She ‘OWNS’ her Personal Data Data Controller/ Fiduciary The entity that, alone or jointly with others, determines the Purposes for data processing (“Why”) & Means of data processing (“How”) 6 DATA PROCESSOR The entity that processes personal data: On behalf of the Fiduciary Under the instructions of the fiduciary
  7. 7. SACON 2020 What are the Principles that guide Personal Data Processing? 7
  8. 8. SACON 2020 Grounds for Processing Personal Data – The When Consent Function of State Public Interest Compliance with law or order of court/ tribunal Prompt action in case emergencies Purposes related to employment *Reasonable Purposes of Data Fiduciary • Processing for prevention & detection of any unlawful activity including fraud • Whistle blowing • M&A • Network and information security • Credit scoring • Recovery of debt • Processing of publicly available PD *Reasonable Purpose Examples
  9. 9. SACON 2020 Principles Guiding Personal Data Processing – The How Security Safeguards: Ensure Security Safeguards throughout the Lifecycle to protect against loss, unauthorised access, destruction, use, modification, disclosure or other reasonably foreseeable risks. User Rights: Provide Rights to user for Access, Correction, Processing Restrictions, etc. Data Collection Data Usage Data Destruction Consent: Obtain Informed, freely given and unambiguous consent where applicable Collection Limitation: Collect adequate, relevant based on Purpose Use Limitation: Use and disclose collected Personal Data only for pre- defined purposes. Limit Access to only relevant users. Storage Limitation: Retain Personal Data long enough to satisfy the purpose of Collection. Define Retention Periods Notice/ Transparency: Organization should publish a Public Statement on the Type of Personal Data collected, used, who it is shared with and how long it is retained Accountability: Organization needs to implement Accountability measures to manage Privacy. Examples of these measures include Breach Notification, Privacy By Design, inserting Privacy Clauses in 3rd Party Contracts, maintaining Records of Processing
  10. 10. SACON 2020 Is Data Privacy the same as Information Security? 10
  11. 11. SACON 2020 Information Security Data Privacy 11 Relationship: Infosec & Privacy Security of Personal Data Covers Security of non-Personal Data Covers non-Security related Privacy Principles (i.e. Notice, Collection Limitation)
  12. 12. SACON 2020 How should an Organization implement Privacy? 12
  13. 13. SACON 202013 The need for a Framework.. Organization Questions on Privacy Implementation Where should we start? What kind of Organization structure and capabilities do we need? What are the Policies and Processes that need to be implemented? What are the Technical, Administrative measures needed? How do we monitor Privacy on an ongoing basis? Privacy Implementation is a complex exercise impacting more than 80% of the organization Most Privacy Requirements need coordination between multiple functions Lack of Governance has seen failure of many Privacy Programs Lack of a structured Approach is a common cause for failure
  14. 14. SACON 2020 Some Privacy Program Frameworks DPF ISO 27701 BS 10012 14 Privacy Frameworks that provide a Structured Approach BS 10012:2017 is the British standard that sets out the requirements for a Personal Information Management System and aligns with the principles of the European General Data Protection Regulation (EU GDPR). ISO 27701 is a privacy extension to ISO 27001&02 and provides additional guidance for the protection of privacy, which is potentially affected by the processing of Personal Data. The DSCI Privacy Framework (DPF) has been developed to guide an organization on developing & implementing a Privacy Program
  15. 15. SACON 2020 9. PIS 7. IUA 3. PPP1. VPI 2. POR 4. RCI 5. PCM 6. MIM 8. PAT 15 A Sample Framework: DSCI Privacy Framework (DPF) # Practice Areas 1 Visibility over Personal Information (VPI) 2 Privacy Org & Responsibilities (POR) 3 Privacy Policy and Processes (PPP) 4 Regulatory Compliance and Intelligence (RCI) 5 Privacy Contract Management (PCM) 6 Privacy Monitoring and Incident Mgt (MIM) 7 Information Usage & Access (IUA) 8 Privacy Awareness and Training (PAT) 9 Personal Information Security (PIS) DSCI PRIVACY FRAMEWORK (DPF) Confidential (c) Arrka, 2018
  16. 16. SACON 2020 Thank You Q & A