
Know All About Data Privacy

Tanin Chakraborty

Fellow of Information Privacy (FIP)

History

Introduction

Milestones

Universal Declaration of Human Rights

Trivia

- GDPR is broad legislation that applies to any organization processing the personal data of individuals in the EU, regardless of where the organization is located (in force since 2018)

- HIPAA is focused on healthcare organizations and business associates, and on how protected health information (PHI) is used and disclosed in the US (enacted 1996)

Privacy Laws Across the Globe

India Journey

- The Supreme Court recognized the "Right to Privacy" as a fundamental right (Justice K.S. Puttaswamy v. Union of India, 2017)

- A Personal Data Protection Bill was first introduced in Parliament in 2019 and withdrawn in 2022; a redrafted Bill was then released for public review after many debates, postponements and negotiations

- In the monsoon session of 2023, the Bill was finally passed by both Houses

- On 11 Aug 2023 the Digital Personal Data Protection Act (DPDP Act) received Presidential assent

- It took almost 6 years from the Supreme Court judgment to an enacted privacy law

- India is among the latest countries to enact a privacy law (around 137 out of 194 countries have legislation in place to protect data and privacy)

Examples

Example 1

- Tanin, as an employee

- Yubi and its subsidiaries, as a company

- ICICI, as the bank that processes Yubi's salary payments

- LIC, as a third-party insurance vendor

Example 2

- Yubi, as a company

- HDFC, as a bank that is a client of Yubi

- Mr. X, a customer of HDFC

- Amazon, as a service provider to Yubi

DPDP Act 2023

Digital Personal Data Protection Act: a dawn of a new era for data protection in India

Applicability

- Applies to the processing of digital personal data within India, whether collected online, or collected offline and digitized later

- Also extends to processing outside India if it is in connection with offering goods or services to Data Principals within India

- Does not apply to:

  - Personal data that is never digitized (offline data)

  - Personal data processed by an individual for any personal or domestic purpose

  - Personal data that is made, or caused to be made, publicly available, either by the Data Principal voluntarily (for example, opinions posted on social media) or by any person under an obligation under applicable law

Jargons

  • Data Principal
  • Data Fiduciary (DF)
  • Data Processor (DP)
  • Significant Data Fiduciary (SDF)
  • Data Subject Rights (DSR), called Data Principal rights in the Act
  • Data Protection Board of India
  • Parental Consent (anyone under 18 years is a child)
  • Deemed Consent (called "certain legitimate uses" in the Act)
  • Consent Manager

Salient points

  • Consent must be free, specific, informed, unconditional and unambiguous, and is limited to the personal data necessary for the specified purpose
  • The controller (DF) is obligated to maintain the accuracy and completeness of data, implement reasonable security safeguards, notify breaches, and erase data once the purpose is served
  • The DF is responsible for obtaining verifiable consent (including verifiable parental consent for children)
  • Data Principal rights: (1) the right to obtain information about processing, (2) the right to correction and updating, (3) the right to erasure, and (4) the right to grievance redressal
  • Personal data may be processed only for a lawful purpose, after obtaining consent or for certain legitimate uses
  • Every personal data breach must be reported to the Data Protection Board of India and to each affected Data Principal
  • A DP should evaluate the adequacy and relevance of its existing processing lifecycle, deployed security technologies, breach notification process to the DF, and mitigation measures, including business continuity plans, cyber and breach incident insurance coverage, the validity of existing standards and certifications, and a contract governing the processing (NDA/DPA)

Key Differences

  • Removes the "sensitive" and "critical" personal data classifications of the earlier drafts
  • Exemptions for processing by the State/GOI on grounds such as national security may lead to collection, processing and retention beyond what is necessary (a possible conflict with the right to privacy)
  • Does not grant the Data Principal a right to data portability
  • Data Principals have duties under the Act and are punishable with a penalty for violating them
  • In case of conflict with other laws, the DPDP Act prevails
  • An SDF must appoint a Data Protection Officer who reports to the board of the company, appoint an independent data auditor to audit compliance with the Act, and conduct periodic Data Protection Impact Assessments

Cross Border Data Transfer

- Unlike GDPR, the Act has no adequacy or whitelist mechanism; instead the Central Government may notify countries to which transfers are restricted, and no such list has been notified yet

- In practice an equivalent level of protection for personal data should be ensured before transferring it outside India*

- RBI recognizes adoption of international standards such as the ISO 27001 control set

- RBI also emphasizes regular audits of the implemented controls/standards

*RBI's data localisation directive requires payment system data to be stored only in India, so sector-specific rules can be stricter than the Act

Exemptions in DPDP Act

- The Central Government may exempt certain Data Fiduciaries, or a class of Data Fiduciaries (such as startups), from certain provisions of the Act based on the volume and nature of the personal data they process

- Processing of personal data in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law

- Processing of personal data that is necessary for enforcing any legal right or claim

The Central Government will establish the Data Protection Board of India to adjudicate on non-compliance with the provisions of the Act

Implementations

- Phase-wise roll-out (expected within 10 months from the time of this presentation)

- Even if an organization is already compliant with another privacy law, the Act adds responsibilities it will have to fulfil: obtaining consent, data security, Data Principal rights, and reporting breaches to the Board

- Until the Act is in force, the existing framework applies:

  - IT Act 2000

  - SPDI Rules 2011

  - RTI Act

  - Telecom Regulatory Authority of India Act

Fines under DPDP Act

Maximum penalties under the Schedule to the Act:

| Breach | Maximum penalty |
| --- | --- |
| Failure to take reasonable security safeguards to prevent a personal data breach | Rs 250 crore |
| Failure to notify the Board and affected Data Principals of a personal data breach | Rs 200 crore |
| Non-fulfilment of obligations in relation to children's data | Rs 200 crore |
| Non-fulfilment of additional obligations of a Significant Data Fiduciary (DPO, data audit, assessment) | Rs 150 crore |
| Breach of duties by a Data Principal | Rs 10,000 |

Importance of Data Privacy

1. Regulatory

2. Financial and Criminal

3. Reputational

4. Operational

Key Challenges for FinTech

  • Data Standardization
  • Data Classification
  • Data Sanitization
  • Data Ownership
  • Consumer Consent
  • Addressing Local Compliance Requirements
  • Implementation of Data Security

What Next

Learnings

- Know your rights

- Check and enquire whether your data has been processed for any reason other than the one you subscribed for

- Keep yourself updated and know how to report such issues

- Ask why you are being asked to provide certain personal data

- Ask for deletion of your personal data once processing is complete (unless the organization is legally obliged to retain it)

- If you are a parent, make sure your child's data is not processed without your consent

- Make sure none of your personal data is processed without your consent

"Better to be vigilant than sorry"
