GDPR Awareness
Confidential
Agenda
• Introduction to GDPR
• GDPR Applicability
• Benefits of Data Privacy Framework
• Key terms of GDPR / Privacy
• Personal Data breaches samples
• What is PII & Key areas where PII may be present
• International Data Protection & Privacy Legislation
• Data Privacy Committee - Roles and Responsibility
• Key Areas to Address
• GDPR Policies, Procedures & Templates
• Privacy Breaches Notification
• Do’s and Don’ts for protecting PII
• Protection of PII Data
• ISMS Policies to Remember for PII Protection
Introduction to GDPR
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation
adopted by the European Parliament.
The intent is to strengthen and unify data protection for all individuals within the European
Union (EU).
It also addresses the export of personal data outside the EU.
The primary objectives of the GDPR are to give citizens and residents back control of their
personal data and to simplify the regulatory environment for international business by unifying
the regulation within the EU.
From 25th May 2018 onwards, organizations need to be in full compliance with the new rules
of the GDPR.
GDPR Applicability
Context:
• Operating inside the EU and having access to personal data of EU citizens and entities worldwide
• Offering offshore services to EU companies as a service provider or captive unit and, in the process, accessing personal information of EU citizens and entities
Impact of Non-Compliance:
• Penalty of maximum 4% of annual turnover or €20 million - for GDPR
• Up to Rs. 5 Cr - Indian IT Act Section 43
Key terms of GDPR / Privacy
Terms as used in GDPR : Alternative term
Personal information management system / Data Protection Framework : Privacy information management system (PIMS)
Personal data : Personally identifiable information (PII)
Data Subject : PII principal / Data Principal
Data protection by design : Privacy by design
Data protection by default : Privacy by default
Data controller : PII Controller / Data fiduciary
Data processor : PII Processor
Definitions of Key terms
Data Subject : Natural person to whom the personally identifiable information (PII) relates
Data Controller : Privacy stakeholder (or privacy stakeholders) that determines the purposes
and means for processing personally identifiable information (PII) other than natural persons who
use data for personal purposes
Data Processor : Privacy stakeholder that processes personally identifiable information (PII) on
behalf of and in accordance with the instructions of a PII controller
Privacy Risk : Effect of uncertainty on privacy
Data Privacy Impact Assessment (DPIA) : An overall process of identifying, analyzing, evaluating,
consulting, communicating and planning the treatment of potential privacy impacts with regard to the
processing of personally identifiable information, framed within an organization's broader risk
management framework
Illustrations of Personal Data Breach
• Access by an unauthorized third party;
• Deliberate or accidental action (or inaction) by a Data controller or processor;
Top Data Loss Breaches Reported
Yahoo - In August 2013 with Impact on 3 billion accounts
Alibaba - In November 2019 with Impact on 1.1 billion pieces of user
data
LinkedIn- In June 2021 with Impact on 700 million users
Sina Weibo- In March 2020 with Impact on 538 million accounts
Facebook- In April 2019 with Impact on 533 million users
Marriott International (Starwood)- In September 2018 with Impact
on 500 million customers
Adult Friend Finder- In October 2016 with Impact on 412.2 million
accounts
Court Ventures (Experian)- In October 2013 with Impact on 200
million personal records
Reference: www.csoonline.com
Cost of Non-Compliance
Chart (bar values as labelled on the slide; units not stated): Amazon 764, WhatsApp 225, Google 50, H&M 35, TIM 27.8, British Airways 22, Marriott 20.4
What is PII and where does it reside?
Personally identifiable information (PII) : Any information that
(a) can be used to establish a link between the information and
the natural person to whom such information relates, or
(b) is or can be directly or indirectly linked to a natural person
Few PII Examples
Human Resource
• Human resources files
• Any information collected during health services
• Biometric Info
• Date of birth
• Education details
• Employment history
• Photograph
• Reference details
• Employee ID and details
• Mobile Number
Corp. Functions
• Visitor Data
• CCTV footages
• Company and personal mail id
• Designation of the personnel
Customer\Vendor
• Financial profile information
• Vendor Details
• Tax Reports
• Social ID number / Aadhaar / PAN
• Personal Email address
• Health records
• Phone number
• Address
• Photo
• Social Networking profile
International Data Protection & Privacy Legislation
North America
• PIPEDA (Canada)
• CCPA (California)
• CalOPPA (California)
Europe
• BDSG (Germany)
• GDPR (EU region)
South America
• PDPA (Argentina)
• LGPD (Brazil)
Asia-Pacific
• PDP Bill (upcoming - India)
• Cyber Security Law (Myanmar)
• Data Privacy Act 2012 (China)
• Privacy Act 1988 (Australia)
Africa
• DPA (Kenya)
• POPI (South Africa)
Current Privacy Governance Structure
Data Protection Officer - Prashanth Adiyodi
Roles and Responsibility
Data Privacy Committee
Role:
◦ Acts as a central representative body for Business and support functions to jointly discuss and resolve data
privacy issues.
Responsibilities:
◦ Review and approve data privacy policies and procedures.
◦ Approve significant changes in exposure of information assets to major threats.
◦ Review, monitor and resolve data privacy breaches.
◦ Review and approve all changes and exceptions to data privacy policy.
◦ Review proposal for major changes to augment data privacy.
◦ Continued compliance with data privacy objectives and local law compliances.
Roles and Responsibility
Data Protection Officer (DPO)
Role:
◦ The DPO plays a key role in implementing data protection policies and maintaining the privacy of personal
information.
Responsibilities:
◦ The DPO is responsible for ensuring the implementation of the data privacy regulations in an independent
manner.
◦ Keep an inventory of all processing operations involving personal data carried out by the institution.
◦ Delegate executive responsibility for ensuring privacy of information to Data Protection Champions.
◦ Ensure the organization’s and its customers’ privacy is always maintained.
◦ Handle and report incidents related to breach of privacy.
Roles and Responsibility
Data Protection Champions (DPC)
Role:
◦ Acts as a representative to guide and handle data processing activities of data processed within their units
(projects or functions) and comply with data protection policies.
Responsibilities:
◦ The DPC is responsible for ensuring the implementation of the data privacy policies and processes.
◦ Inform and guide associates within their functions/ projects on the organization’s data privacy
requirements.
◦ Provide an up-to-date inventory of all processing operations involving personal data carried out to the DPO.
◦ Monitor and enforce data protection compliance.
◦ Serve as the point of contact between the project/ function and the DPO.
◦ Report performance and compliance status to the DPO.
◦ Highlight or escalate any suspicious activities related to a privacy or data security breach.
◦ Report incidents related to data breach to the DPO.
Key Areas to Address
Awareness
Personal Data Registers
Privacy Policies to explain Organization’s Privacy Protection Framework & Practices
Privacy by Design and Privacy by Default
Privacy Notices (nature, purpose, use and sharing of any PII collected)
Individuals’ rights on Privacy of PII
Legality of processing PII
Access Request
Consent from Users (PII Principals/Data Subject)
Data Privacy Impact assessment
PII protection measures
Data Protection Officer and Governance Structure
Breach Notification Process
Ongoing maintenance
GDPR Policies & Procedures
Consent Management Policy
Personal Data Breach Handling Policy
Personal Data Protection Policy
Personal Data Retention Policy
Templates
Data Privacy Notices
Personal Data Access Request Form
Data Processing Addendum
Intercompany Data Transfer Agreement
Privacy Consent Revocation Form
Breaches Notification
• Report any known or suspected breach of personal data to the Data Protection Officer or email to
[email protected]
• The Data Protection Officer shall investigate any reported privacy breach.
• As a data controller, the Data Protection Officer shall notify:
◦ the relevant legal and regulatory authorities of the respective region*
◦ the affected data subject(s) without unreasonable delay.
• As a data processor, the Data Protection Officer shall notify the client’s representative*
• Follow the Security Incident Management process for reporting and investigating the breach as an internal
investigation.
• Track and close the breach reported.
Do’s and Don’ts for protecting PII
Educate each person on what PII is, how it can be identified, and why it should be protected.
Classify PII in terms of sensitivity. Refer to the Organization Information Classification Policy.
Use the principle of least privilege while granting access.
Ensure use of mobile devices does not lead to a compromise of PII.
Be aware and knowledgeable of phishing scams.
Avoid uploading sensitive documents to the cloud.
Manage and clear cookies in your web browser.
Use strong passwords and multi-factor authentication.
Encrypt data at rest, in use and in motion, because data can be intercepted by threat actors at any stage.
Safely dispose of or destroy old media containing personal data.
Restrict the creation of hardcopy material containing PII to the minimum.
If physical media is used for PII transfer, ensure that the data can only be accessed at the point of
destination and not in transit.
Protection of PII Data
Security and privacy by design in the development of applications processing PII.
Guidance on PII protection and the implementation of the privacy principles.
Privacy and PII protection requirements in the design phase.
PII protection checkpoints within project milestones.
By default, minimize processing of PII. Maintain a PII inventory for each application.
The system that processes that PII should be designed in a way that facilitates the deletion of that PII (the deletion requirement).
Questions and Answers
Your Extended Office for Cyber Security!
Presidio Information Risk Management