GDPR - Group

An Overview of the General Data Protection Regulation (GDPR)

GROUP-3
BOYA LOKESH - MS21A010
SAYAN BHOWMICK - MS21A060
VIJAY KUMAR - MS21A073
Why is a data privacy law like GDPR essential?

- Rapid growth of internet users across the world.
- Large-scale processing of sensitive personal data by digital media.
- Globalization enabling constant collection, processing and sharing of personal data across nation states.
- Social media data analytics has found increased usage in laying the foundation of digital marketing campaigns.
- Digital marketers are eager to spend money on acquiring personal data.
What is GDPR?

GDPR stands for General Data Protection Regulation. It is a comprehensive data privacy law which was adopted on 27th April 2016 and became enforceable on 25th May 2018, replacing the earlier 1995 EU Data Protection Directive.

More stringent rules, more empowerment of individuals using digital media.

Where does GDPR apply?

GDPR applies to all establishments in the EU, whether data controller or processor, in the context of personal data processing, regardless of whether the processing takes place in the Union or not.

It applies to all organizations outside the EU when they are dealing with personal data of individuals residing in the EU.
Which data is GDPR concerned with?

The GDPR regulates the collection, storage, use, and sharing of "personal data."

"Personal data" includes any data that relates to an identified or identifiable individual, such as online identifiers (e.g., IP addresses, geolocation data), employee information, sales databases, biometric data, CCTV footage, health and financial information and much more.

Does GDPR apply to organizations indirectly processing data?

GDPR applies not only to "controllers", i.e. organizations that collect and process data for their own purposes, but also to "processors", the organizations that process data on behalf of the controllers.
Key principles of GDPR

Lawfulness, fairness and transparency: Individuals must be clear on how their data is being used.

Purpose limitation: Process personal data only for specified, explicit and legitimate purposes.

Minimize collection of personal data: Store only data adequate and relevant for the process.
Key principles of GDPR (continued)

Ensure data accuracy: Individual data stored by the organization has to be accurate. Data subjects have the right to get their data corrected or erased.

Limit data storage: If the purpose is served and the personal data is no longer required, then do not retain it anymore.

Ensure confidentiality, security and integrity: Data storage and processing should comply with the CIA triad.
RISK: NON-COMPLIANCE WITH GDPR

Civil litigation against organizations that breach the GDPR.

The maximum fine for serious infringements will be the greater of €20 million or 4% of an organization's annual global revenue.

AMAZON: Amazon was fined $780.9 mn for tracking user data without acquiring appropriate consent from users or providing the means to opt out from this tracking.

WHATSAPP: WhatsApp was fined $247 mn for unclear privacy policies and a lack of transparency in how it was using user data.

GOOGLE: Google was fined $66 mn for failing to give users an easy way to refuse cookies under both the GDPR and the ePrivacy Directive.

BRITISH AIRWAYS: The airline was fined $26 mn for failing to prevent a massive data breach that exposed the personal data of 400,000 customers and failing to spot and respond to the breach in a timely fashion.
TRANSPARENCY: GDPR

RULE: Organizations must tell individuals about the processing of personal data:
- Why is the personal data being processed?
- How long will the data be stored?
- With whom will the personal data be shared?

RULE: This information must be presented in a way that is clear and easily accessible.
LEGAL BASIS: GDPR

Organizations can't process personal data simply because they want it. Organizations must point to a "legal basis" for processing.

Six legal bases for processing personal data:

Consent: If the person to whom the personal data belongs has agreed to the processing for one or more clearly defined purposes, the data processing is lawful.

Public interest: If the data processing is necessary for carrying out a task in the public interest or in the exercise of official authority, the data processing is legal.

Vital interests: This applies when someone's life is in danger, and the processing is necessary in order to save it.

Legal obligations: If a company has to process personal data in order to meet its legal obligations, the data processing is lawful.

Contract: When an organization enters into a contract with the data subject and needs to process their personal data in order to fulfil that contract, the data processing is lawful.

Legitimate interest: It applies when an organization has a legitimate interest in processing the data, and the person's interests, rights, and freedoms do not override this legitimate interest.
KEY TERMS

Controller: Natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processor: Natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Personal data: Any information relating to an identified or identifiable natural person ("data subject") such as a name, an identification number, location data, an online identifier.

Processing: Any operation or set of operations which is performed on personal data or on sets of personal data.

Pseudonymisation: Processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.
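Worked illustration of the pseudonymisation definition above, added here and not part of the slides: direct identifiers are replaced by a keyed HMAC token, and the secret key plus a lookup table are the "additional information" that must be stored separately from the released dataset. All names, e-mail addresses and the key are constructed for the demonstration.

```python
# Added example, not from the slides: pseudonymisation as defined there, i.e.
# personal data that can no longer be attributed to a data subject "without the
# use of additional information". The additional information is a secret key
# plus a lookup table, both kept apart from the pseudonymised dataset.
# All records and the key below are constructed for the demonstration.
import hashlib
import hmac
import secrets

DIRECT_IDENTIFIERS = ("name", "email")


def pseudonym(value: str, key: bytes, domain: str = "analytics") -> str:
    """Keyed, deterministic token for one identifier.

    Same key + same identifier -> same token, so per-subject analysis still
    works. Mixing a domain label into the MAC input means tokens issued for
    one purpose cannot be matched against tokens issued for another."""
    msg = f"{domain}\0{value.strip().lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymise(records, key: bytes, domain: str = "analytics"):
    """Replace direct identifiers with a token; return (dataset, lookup).

    `lookup` maps token -> original identifiers and is the "additional
    information" the controller must store separately from `dataset`."""
    dataset, lookup = [], {}
    for rec in records:
        token = pseudonym(rec["email"], key, domain)
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        kept = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        dataset.append({"subject": token, **kept})
    return dataset, lookup


def reidentify(token: str, lookup: dict):
    """Only a holder of the lookup table can attribute a token to a person."""
    return lookup.get(token)


def leaks_identifiers(dataset) -> bool:
    """Release check: no direct-identifier field may remain in the dataset."""
    return any(k in rec for rec in dataset for k in DIRECT_IDENTIFIERS)


# Constructed sample: Alice appears twice with different e-mail casing.
SAMPLE = [
    {"name": "Alice Example", "email": "alice@example.org", "country": "FR", "orders": 3},
    {"name": "Bob Example", "email": "Bob@Example.org", "country": "DE", "orders": 1},
    {"name": "Alice Example", "email": "ALICE@example.org", "country": "FR", "orders": 2},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: a KMS/HSM-held key, never stored with the data
    dataset, lookup = pseudonymise(SAMPLE, key)
    assert not leaks_identifiers(dataset)
    print(dataset)                                    # tokens instead of names and e-mails
    print(reidentify(dataset[0]["subject"], lookup))  # possible only with the lookup table
```

Holding the key or lookup table in the same store as the dataset turns this back into directly identifying data, which is why the slides' definition hinges on the additional information being kept apart.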
SECURITY: GDPR

GDPR doesn't mandate the exact security measures organizations must take. It requires organizations to determine security measures themselves, depending on factors like the nature of the personal data, its sensitivity, and the risks involved in the processing.

Security Controls

Identity and Access Management (IDAM): Ensure that employees have access only to information or systems applicable to their job function.

Data Loss Prevention (DLP): According to GDPR, organizations, whether they are the controller or processor of personal information, are held liable for the loss of any personal data they collect. Incorporating DLP controls adds a layer of protection by restricting the transmission of personal data outside the network.

Incident Response Plan (IRP): A step-by-step process for reporting and mitigating data breaches.

Secure Access Service Edge (SASE): It recognizes the challenges presented by remote work and operations. SASE differs from traditional models in that it uses cloud services to deploy security protocols to remote locations.
REQUIREMENTS

01 Data subject rights: Individuals have the right to ask the company what information it has about them, and what the company does with this information. Right to ask for correction, object to processing, lodge a complaint, or even ask for the deletion or transfer of his or her personal data.

02 Limitation of purpose, data and storage: Forbid processing of personal data outside the legitimate purpose for which the personal data was collected. Ask that personal data should be deleted once the legitimate purpose for which it was collected is fulfilled.

03 Consent: As and when the company has the intent to process personal data beyond the legitimate purpose for which that data was collected, a clear and explicit consent must be asked from the data subject. Once collected, this consent must be documented, and the data subject is allowed to withdraw his consent at any moment.

04 Data Protection Officer: When there is significant processing of personal data in an organization, the organization should assign a Data Protection Officer. The DPO advises the company about compliance with EU GDPR requirements.

05 Awareness and training: Organizations must create awareness among employees about key GDPR requirements, and conduct regular trainings to ensure that employees remain aware of their responsibilities with regard to the protection of personal data.
INDIVIDUAL RIGHTS

RIGHT-1: Right to access the personal data organizations hold about individuals. Personal data corrected or deleted (the "right to be forgotten").

RIGHT-2: Ask organizations to stop processing their personal data. Revoke consent for certain uses of personal data.

RIGHT-3: Right to data portability means organizations must provide individuals their personal data in a way that makes it easy for them to move their personal data elsewhere.
GDPR VS. DATA PROTECTION DIRECTIVE (1995): WHAT ARE THE KEY CHANGES?

Personal data redefined

GDPR broadens the scope of personal data. It defines personal data as any information that could be used, either on its own or in association with other data, to identify an individual.

Personal data now includes IP addresses, mobile device identifiers, fingerprints or retinal scans, geolocation, medical records and socio-cultural information, besides names, physical address, phone number, email address etc.
KEY CHANGES IN GDPR - A COMPARATIVE ANALYSIS

Individual Rights: Opt-in and Consent

Under GDPR, organizations are required to secure opt-in and consent for the processing of any personal data of individuals by providing a short but sufficient explanation of its usage through specific GDPR-compliant privacy agreements.

Right to access and right to be forgotten

GDPR empowers individuals by providing them the right to obtain from data controllers information on how their data is being used, where, and for what purpose.

Individuals also hold the right to have their data erased or restricted from further processing.
KEY CHANGES IN GDPR - A COMPARATIVE ANALYSIS

Accountability of data processors and appointment of a data protection officer

Earlier, under the DPD, only data controllers were held accountable for any mishandling of personal data. Under GDPR, both data controllers and data processors are jointly responsible.

Data processors must enter into a contract with data controllers defining responsibility for data security during the processing of personal data.

GDPR mandates the appointment of a data protection officer who will serve as the central point of contact for inquiries about how personal data are collected and processed.
KEY CHANGES IN GDPR - A COMPARATIVE ANALYSIS

Mandatory Data Protection Impact Assessment for high-risk projects

GDPR makes it mandatory to conduct a Data Protection Impact Assessment for high-risk projects, i.e. working with sensitive personal data on a large scale or profiling vulnerable persons or sections of society. A DPIA helps identify probable risks associated with the processing of personal data and the corresponding mitigation plan.

A DPIA is a project-specific assessment and not an organizational operation evaluation. It ensures GDPR compliance by enabling the organization to incorporate "data protection by design" into new projects.
KEY CHANGES IN GDPR - A COMPARATIVE ANALYSIS

Stringent and uniform protocols for data breaches and heftier penalties

The DPD allowed EU member countries to adopt different protocols for data breaches, particularly the processes for notifying data subjects. GDPR requires any data breach to be notified to the data subjects and the supervisory authority within a span of 72 hours, and this applies to all member states.

The fines can be up to 20 million euros or 4% of global turnover of the previous fiscal year, whichever is higher.
"Privacy knows no borders: we have to protect privacy globally or we protect it nowhere!"
Ann Cavoukian (former Information and Privacy Commissioner for the Canadian province of Ontario)

The seven principles of Privacy by Design:

1 Full Functionality: Positive-Sum, not Zero-Sum
2 End-to-End Security: Full Lifecycle Protection
3 Visibility and Transparency: Keep it Open
4 Respect for User Privacy: Keep it User-Centric
5 Proactive not Reactive; Preventative not Remedial
6 Privacy Embedded into Design
7 Privacy as the Default Setting
Privacy by Design and Default

- Applies to every stage of development and design of products, services, and processes.
- Compliant systems use privacy-enhancing measures like encryption.
- Encompasses applications:
1) IT systems
2) Accountable business practices
3) Physical design and networked infrastructure
- Strength of privacy measures is commensurate with the sensitivity of the data.
- Objectives: privacy and personal control over one's information.
Record-keeping Requirements

01 Organizations to maintain accurate and up-to-date records of their processing activities.

02 Records to give the purposes of the processing, categories of data processed, and details of 3rd parties involved.

03 Organizations to keep records of data breaches and response measures.
Need and Practice of Data Protection Impact Assessments (DPIA)

Any new processing activity is a new risk to the rights and freedoms of individuals.

A DPIA covers:
1 Nature, scope, context, and purposes of the processing.
2 Likelihood and severity of any potential harm to individuals.
WHAT AFTER A DATA BREACH?

- Inform the affected individuals.
- Notify authorities within 72 hrs.
- Adequate technical and organizational measures to detect, report, and investigate personal data breaches.
DATA TRANSFER PREREQUISITES OUTSIDE THE EU

Countries outside of the EU: the recipient country provides protection in accordance with GDPR.

Transfer of data to countries that do not provide adequate protection: implement appropriate safeguards such as standard contractual clauses, binding corporate rules, or Privacy Shield.
THINGS TO KNOW IF A BUSINESS VENDOR PROCESSES PERSONAL DATA

1 Personal data
2 Owner is "controller", vendor is "processor"
3 Written agreement
4 The agreement sets out obligations & responsibilities, requires processing to comply with GDPR, and specifies data protection measures.
MICROSOFT PERFECT FOR GDPR

Microsoft offers a range of services and tools to organizations to meet obligations under the GDPR.

KEY TAKEAWAY: tools for data protection impact assessments, data mapping, data protection by design and by default.

SERVICES: data encryption, access control, cloud data services.
What impact will the GDPR have on organizations?

Six major areas that companies will have to consider:

Data protection through technology - Art. 25 GDPR: Data protection through technology (by design) and as a standard approach (by default), like minimizing and pseudonymizing the processing of personal data.

Heightened accountability - Art. 5 GDPR: Ensure and demonstrate adherence to data protection regulations, like through certification.

Immediate notification requirements - Art. 33 GDPR: Report data breaches within 72 hours. Failure results in fines of up to 20 million euros or 4% of the company's global annual turnover.

Data protection officer - Art. 37–39 GDPR: Responsible for informing and advising employees who carry out processing; monitoring compliance with the GDPR and national data protection provisions; awareness raising and training; advising on DPIA monitoring.

Data Protection Impact Assessment (DPIA) - Art. 35 GDPR: DPIA required for using new technologies. The data protection officer submits a declaration after analysing the process, the technology and the legality of the data processing.

Penalties and fines - Art. 83–84 GDPR: More severe fines and penalties designed to deter companies. Other penalties, such as seizure of profits, injunctions to end infringements, and permanent prohibition of data processing, may also be imposed.
GDPR and the Pandemic

- As per IT Governance's figures, the median GDPR penalty was €2,000.
- 306 fines in 2020 totalling €182,546,779.
- 429 GDPR fines issued in 2021, totalling €1,098,942,386.84: a sevenfold increase.
- Rise in regulatory penalties linked to data protection due to COVID-19, as organizations shifted to fully remote or hybrid working solutions with little or no existing infrastructure to support homeworkers.
- Organisations struggled in a hostile work environment as countries again locked down due to the second wave.
- Significant increase in cyber attacks by criminals seeking to exploit the pandemic by targeting people's uncertainty and their inability to rely on robust in-house security defences.
The Conclusions And Way Forward

Privacy Is Here To Stay - Two years ago, privacy was not the norm, but going forward privacy is going to be the new normal. Consumers will expect it, authorities will check it and corporates will do it.

There Will Be More Automation - Till now the focus was on becoming compliant by setting and operationalizing the policies, governance, and processes. With more automation and usage of Artificial Intelligence, the challenges shall grow.

The Maturity Will Only Increase - For most organizations, these are the early stages of privacy compliance. In the coming years, there is likely to be an increase in maturity.

There Will Be Different Privacy Laws - Many countries have already passed privacy laws, and the coming years will see more. Compliance across the different privacy laws around the globe will remain a big challenge for most companies operating in multiple countries.

Privacy Will Become A Brand Differentiator - Privacy compliance will become a brand differentiator in terms of winning more clients. A study by Cisco shows that 82% of organizations view privacy certifications such as ISO 27701 and Privacy Shield as a buying factor when selecting a product or vendor in their supply chain. And this is only going to increase and become a mandatory requirement.

In short, like it or not, GDPR and privacy laws are here to stay. We can always debate that this is not there and that is not fair, but the law is there. And we are better off taking a practical approach to complying, with a longer-term perspective.
Australia – The Privacy Amendment (Notifiable Data Breaches) to Australia's Privacy Act came into effect in February 2018.

Brazil – Brazil's Lei Geral de Proteçao de Dados (LGPD) is modeled on GDPR, but with less harsh financial penalties for non-compliance.

Canada – Has implemented the Digital Charter Implementation Act, amending its digital data privacy policies. The Personal Information Protection and Electronic Documents Act (PIPEDA) of 2000 was most recently amended in November 2018 to include mandatory data breach notification. Data privacy is governed by the Privacy Act 1983.

China – The People's Republic of China passed the Personal Information Protection Law (PIPL), which came into effect in November 2021. Companies that do business in China, regardless of any physical presence in the country, have to comply or be subject to fines of up to 6 million EUR or 5% of global annual turnover.

India – India's Personal Data Protection Bill (PDPB) was introduced in December 2019 and is likely to pass this year. Companies all over India are already beginning to prepare. PDPB is modeled after GDPR, with heavy fines for noncompliance that may be as high as 4% of global annual turnover.

Israel – In addition to Israel's Protection of Privacy Law of 1981, which deals with privacy in general, handling of digitized personal data is also covered by other data privacy regulations that deal with data security (2017) and international transfer of data (2001).

Japan – Japan's Act on Protection of Personal Information, 個人情報保護法, was amended in May 2017 and now applies to both foreign and domestic companies that process the data of Japanese citizens. Companies located outside of Japan will now be subject to the strict guidelines laid down in the Act.

South Africa – South Africa's Protection of Personal Information Act (POPIA) came into effect on July 1, 2020 with an exactly one year grace period.

South Korea – South Korea's Personal Information Protection Act has been in effect since September 2011 and from the outset has included many GDPR-like provisions.

Ref: https://www.i-sight.com/resources/a-practical-guide-to-data-privacy-laws-by-country/#India
