CyberQ Personal Data Protection Hand-out V6.0.pdf

MathewPVarghese1 29 views 28 slides Mar 10, 2025

About This Presentation

Adoption of Data Protection


Slide Content

GoI DPDP Act - 2023
Does it concern me?
What is it anyway!
How do I take care!
Answers from: CyberQ Consulting Pvt. Ltd; New Delhi

ACT 2023
The Digital Personal Data Protection Act, 2023
Published on 11 Aug 2023
To become applicable when so notified by the Government, allowing for preparation and transition.

Topics of Conversation
➢ DPDP : Digital Personal Data Protection
➢ PIMS : Privacy Information Management System
Discussion Points:
• What is Personal Data?
• How is it related to Privacy?
• Are we processing Personal Data?
• What is the Protection needed for Personal Data?
• What are we expected to do for Personal Data Protection?
• How can I get an Assurance that I am compliant to DPDPA-2023?

Personal Data*
t) “Personal Data” means any data about an individual who is identifiable by or in relation to such data;
✓ Identifiable : The individual can be identified from the Data.
✓ Attributable : Any Data about the identified individual.
n) “Digital Personal Data” means Personal Data in digital form;
Scanned ‘Paper Records’ also become Digital Personal Data.
h) “Data” means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means;
* As defined at Section 2 (t) in DPDPA-2023;
** Also called PII in industry.

Data Principal*
j) “Data Principal” means the individual to whom the personal data relates and where such individual is—
(i) a child, includes the parents or lawful guardian of such a child;
(ii) a person with disability, includes her lawful guardian, acting on her behalf.
* As defined at Section 2 (j) in DPDPA-2023;
** Also called PII Principal in industry.
Examples : An existing User / Buyer (Person, not the Company), or a prospective / potential User / Buyer (Person, not the Company) of the Property is a Data Principal.

Data Fiduciary *
i) “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;
* As defined at Section 2 (i) in DPDPA-2023;
** Also called Data Controller in industry.
*** Significant Data Fiduciary will be notified by the Government in due course.
Examples : The Property Developer (Person, or Company), or a Re-Seller (Person, or Company), positioning the Property to the Data Principal.

Data Processor *
i) “Data Processor” means any person who processes personal data on behalf of a Data Fiduciary;
* As defined at Section 2 (j) in DPDPA-2023;
** Also called PII Processor in industry.
Examples : The Channel Partners (Person, or Company), or a Property Agent (Person, or Company), promoting the Property to the Data Principal.
There could be Data Processors at the back-end also, like a Managed Services Team for IT, Accounting, HR etc.

Privacy *
* Not defined in DPDPA-2023;
** Often confused with Secrecy, Confidentiality, etc.

Principles of Information Security vs Privacy
Personal Data / PII Protection is about protecting the Data Principal from the fall-out of any unauthorised, unaccounted, unethical, unlawful, unclear, illegal, irresponsible, irrelevant, incompetent, or immaterial use of Personal Data.
Information Security, i.e. protection of Confidentiality, Integrity, and Availability (CIA) of Personal Data, is just one of the requirements of Personal Data Protection.

Obligations* of the Data Fiduciary
4. (1) A person# may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,—
(a) for which the Data Principal has given her consent; or
(b) for certain legitimate uses
* As defined at Chapter II of DPDPA-2023;
# Includes an Artificial (Legal) Person, i.e. a Company, Trust, Society, etc.
# Also includes a Natural Person, i.e. a Living Human Being.

Processing * of PII / Personal Data
Life-cycle (figure): Collection, Storage, Use, Transfer, Disposal; by the Data Fiduciary or the Data Processor.
* (x) “Processing” in relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction;
* As defined at Section 2 (x) in DPDPA-2023;

Liability in Data Processing
Data Fiduciaries are responsible and accountable for protection of Personal Data collected / created by them, or shared with them.

Data Processors are also responsible and liable for protection of Personal Data captured by them, or shared with them, in relation to the business agreement with the Data Fiduciary.

Compliance to PII / Data Protection
▪ Identify Personal Data in the System
▪ Identify the Business Purpose of Processing Personal Data
▪ Identify role as Data Fiduciary / Data Processor / 3rd Party
▪ Identify Flow of Personal Data within the System
▪ Identify Access Points of Personal Data in the System
▪ Identify Share Points of Personal Data outside the System
▪ Identify Life-cycle of the Data in the System
▪ Institute a Management System for Personal Data Management

Other important compliances
▪Categorisation of PII / Personal Data
▪Rights of the Data Principal / Data Subject / PII Principal
▪Responsibilities of the Data Fiduciary / PII Controller
▪Data Processing by a Data Processor / PII Processor
▪Data Flow / PII Flow Description and Data / PII Inventory
▪Records of Data / PII processing activities
▪Data / PII Protection roles and responsibilities
▪Data / PII breach notification and investigation
▪Privacy Impact Assessment (PIA)
▪International Data / PII Transfers

Rights of Data Principal *
▪ Right to Be Informed
▪ Right to Erasure of Personal Data
▪ Right to Information on Personal Data
▪ Right to Rectification of Personal Data
▪ Right to Restrict Processing
* As defined at Chapter III of DPDPA-2023;

Impact of Non Compliance : Penalties *
Heavy Penalties
01 The Data Protection Board has the power to issue penalties up to INR 250 crore.
02 Data fiduciaries are liable to pay a penalty up to 250 crores for breach in observing the obligation of Data fiduciary to take reasonable security safeguards to prevent personal data breach.
▪ Breach in observing the obligation to give the board or affected data principal notice of a personal data breach: non-compliance in this case shall lead to a penalty of INR 200 crore.
▪ Breach in observance of additional obligations of significant data fiduciary: non-compliance shall lead to a penalty of INR 150 crore.
▪ Breach in observance of additional obligations in relation to children: non-compliance shall lead to a penalty of INR 200 crore.
▪ Breach of any other provision of this Act or the rules made thereunder: non-compliance shall lead to a penalty of INR 50 crore.
Minor Penalties
▪ Penalty on data principal: breach in observance of the duties of data principal; non-compliance shall lead to a penalty of INR 10000.
* As defined at Chapter VIII of DPDPA-2023;

But Penalties Are Insignificant
▪Negative Publicity
▪Loss of Customer Trust
▪Brand Disrepute
▪Customer Dissonance
▪Termination of Business Permit
▪Solidarity expression by other Agencies / Authorities
▪Cascading effect on Global Business

Compliance is a Business Requirement
Shift from One-time Sale to Continuous Engagement
Brand Image and Customer Trust very important
Privacy Protection is the new USP
Personal Data Management is a Business Commitment

Privacy Information Management System
PIMS - ISO 27701:2019
▪ PIMS ensures continued compliance
▪ Principles of Data Protection
▪ Legal Basis
▪ Rights of Data Subject
▪ Data Controller/Processor responsibilities
▪ Data Flow Diagram and Data Inventory
▪ Data Protection Impact Assessment
▪ International Data Transfers
▪ Data Breach Management
▪ Ensure Due Diligence in Data Sharing

Privacy Information Management System (PIMS) - ISO 27701:2019
PDCA cycle (figure): Establish (PLAN), Implement & Operate (DO), Monitor & Review (CHECK), Maintain & Improve (ACT).
Input: Interested Parties' Requirements for PIMS. Output: Managed PIMS for Interested Parties. Continual Improvement of PIMS.

Compliance Roadblocks
Why : Should we protect PII
What : PII Needs to be protected
Where : Does PII exist in my Organisation
When : Should we begin PII Protection
Who : Should be leading the PII Protection
How : To be compliant to PII Legislations

Extend Your ISMS to include PIMS

CyberQ Consulting Pvt Ltd.
Quality in Security
ISO 27701:2019
- It's not just a Certificate!
- You can refine the Culture!!
[email protected]
We can meet On-line or In-Office; To Privacy Compliance.
Complimentary Webinar on PDP Management

Topics of Conversation
➢ DPDP : Digital Personal Data Protection
➢ PIMS : Privacy Information Management System
➢ DPMS : Data Protection Management System
Discussion Points:
• What is Personal Data?
• How is it related to Privacy?
• Are we processing Personal Data?
• What is the Protection needed for Personal Data?
• What are we expected to do for Personal Data Protection?
• How can I get an Assurance that I am compliant to DPDPA-2023?
Complimentary Webinar on Personal Data Protection (Privacy) Management
Please send your request to: [email protected]

Agenda
Time (In Hours) : Topic (Questions to be Answered)
Line-up : What is Personal Data and Privacy?
1st Quarter : What is to be protected in Personal Data?
2nd Quarter : How do I comply with the Legal requirements?
3rd Quarter : What if something goes wrong?
4th Quarter : How do I assure myself that it's ‘Right Every time’?
Zero Hour : I have a Question …

PIMS : Privacy As an Extension of Information Security
Build Your PIMS First Floor, Over Your ISMS Ground Floor !
We can help Architect, Even from Ground onwards !

Privacy Independent of Information Security
Build Your DPMS as an Independent Management System!
We can help Architect the Framework!
Data Protection Management System (DPMS)
Also referred to as: Personal Information Management System
Scope (figure): Confidentiality, Integrity, Availability of Personal Data

Gp Capt Mathew P Varghese (Retd), Assessor & Tutor - Management Systems
Chief Architect and Principal Consultant
✓ Has around 35 Years of work experience, with initial 26 Years in IAF.
✓ Served as Director Information Security at IAF-CERT.
✓ B.E from NIT Raipur and MBA (Technology Management) from IIT Delhi.
✓ Fellow of IETE, and Member of the India Management Association.
✓ Certified Information Systems Auditor (CISA) & Lead Auditor for :
• ISO 27001:2022 (ISMS), and ISO 27701:2019 (PIMS)
• ISO 22301:2019 (BCMS), ISO 20000-1:2018 (SMS), ISO 9001:2015 (QMS)
Certified Trainer for Privacy Management, Information Security Management, Business Continuity Management, Cloud Security Audit, Cyber Security Framework.
Auditing Experience: More than 10000 Hours of Audit experience in various Management Systems, like ISMS, BCMS, IT SMS, PIMS.
Training Experience: More than 7000 Hours of Training experience in various Standards and Frameworks, like Information Security, Business Continuity, IT Service Management, Privacy or Personal Information Management, Cybersecurity Management, NIST.
9953570078
[email protected]