
Awareness on

Privacy Framework & GDPR

UnboxRobotics Labs Private Limited
Presidio Information Risk Management LLP

Confidential
Agenda
• Introduction to GDPR
• GDPR Applicability
• Benefits of Data Privacy Framework
• Key terms of GDPR / Privacy
• Personal Data breach samples
• What is PII & key areas where PII may be present
• International Data Protection & Privacy Legislation
• Data Privacy Committee - Roles and Responsibilities
• Key Areas to Address
• GDPR Policies, Procedures & Templates
• Privacy Breach Notification
• Do’s and Don’ts for protecting PII
• Protection of PII Data
• ISMS Policies to Remember again for PII Protection

Introduction to GDPR
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation adopted by the European Parliament.
The intent is to strengthen and unify data protection for all individuals within the European Union (EU).
It also addresses the export of personal data outside the EU.
The primary objectives of the GDPR are to give citizens and residents back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
From 25th May 2018 onwards, organizations need to be in full compliance with the new rules of the GDPR.

GDPR Applicability

Context:
• Operating inside the EU and having access to personal data of EU citizens and entities worldwide
• Offering offshore services to EU companies as a service provider or captive unit and, in the process, accessing personal information of EU citizens and entities
• Storing, processing or accessing personal information of EU citizens or entities from your premises

Impact of Non-Compliance:
• Penalty of maximum 4% of annual turnover or €20 million - for GDPR
• Up to Rs. 5 Cr - Indian IT Act Section 43
• Legal Risk

Data Subject, Data Controller, Data Processor.
Benefits of Data Privacy Framework
 Builds trust in your company’s ability to manage personal information, both for customers and employees.
 Supports compliance with GDPR and other applicable privacy regulations.
 Covering privacy legislation worldwide, the standard is useful to companies operating internationally.
 Clarifies the roles and responsibilities within your organization.
 Improves internal competence and processes to avoid breaches.
 Provides transparency on established controls for the management of privacy.
 Facilitates agreements with business partners where the processing of Personally Identifiable Information (PII) is mutually relevant.
 Integrates easily with the leading information security standard ISO/IEC 27001.

Key terms of GDPR / Privacy
Terms as used in GDPR                                               | Alternative term
Personal information management system / Data Protection Framework | Privacy information management system (PIMS)
Personal data                                                       | Personally identifiable information (PII)
Data Subject                                                        | PII principal / Data Principal
Data protection by design                                           | Privacy by design
Data protection by default                                          | Privacy by default
Data controller                                                     | PII Controller / Data fiduciary
Data processor                                                      | PII Processor

Definitions of Key terms
 Data Subject: Natural person to whom the personally identifiable information (PII) relates
 Data Controller: Privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing personally identifiable information (PII), other than natural persons who use data for personal purposes
 Data Processor: Privacy stakeholder that processes personally identifiable information (PII) on behalf of and in accordance with the instructions of a PII controller
 Privacy Risk: Effect of uncertainty on privacy
 Data Privacy Impact Assessment (DPIA): An overall process of identifying, analyzing, evaluating, consulting, communicating and planning the treatment of potential privacy impacts with regard to the processing of personally identifiable information, framed within an organization's broader risk management framework

Illustrations of Personal Data Breach
• Access by an unauthorized third party;
• Deliberate or accidental action (or inaction) by a data controller or processor;
• Sending personal data to an incorrect recipient;
• Computing devices containing personal data being lost or stolen;
• Alteration of personal data without permission; and
• Loss of availability of personal data.

Top Data Loss Breaches Reported
 Yahoo - In August 2013 with impact on 3 billion accounts
 Alibaba - In November 2019 with impact on 1.1 billion pieces of user data
 LinkedIn - In June 2021 with impact on 700 million users
 Sina Weibo - In March 2020 with impact on 538 million accounts
 Facebook - In April 2019 with impact on 533 million users
 Marriott International (Starwood) - In September 2018 with impact on 500 million customers
 Adult Friend Finder - In October 2016 with impact on 412.2 million accounts
 Court Ventures (Experian) - In October 2013 with impact on 200 million personal records

Reference: www.csoonline.com

Cost of Non-Compliance
Fines reported (figures in million euros):

Company         | Fine (€ million)
Amazon          | 764
WhatsApp        | 225
Google          | 50
H&M             | 35
TIM             | 27.8
British Airways | 22
Marriott        | 20.4

Reference: www.tessian.com

What is PII and where does it reside?
Personally identifiable information (PII) : Any information that
(a) can be used to establish a link between the information and
the natural person to whom such information relates, or
(b) is or can be directly or indirectly linked to a natural person

Few PII Examples

Human Resource:
• Employees’ salaries and human resources files
• Any information collected during health services
• Biometric info
• Date of birth
• Education details
• Employment history
• Photograph
• Reference details
• Employee ID and details
• Mobile number

Corp. Functions:
• Bank account
• Financial profile
• Vendor details
• Tax reports
• Visitor data
• CCTV footage
• Company and personal mail id
• Designation of the personnel

Customer\Vendor:
• Customer contact information
• Social ID number / Aadhaar / PAN
• Personal email address
• Health records
• Phone number
• Address
• Photo
• Social networking profile

International Data Protection & Privacy Legislation
North America
 PIPEDA (Canada)
 CCPA (California)
 CalOPPA (California)
Europe
 BDSG (Germany)
 GDPR (EU region)
South America
 PDPA (Argentina)
 LGPD (Brazil)
Asia-Pacific
 PDP Bill (upcoming - India)
 Cyber Security Law (Myanmar)
 Data Privacy Act 2012 (China)
 Privacy Act 1988 (Australia)
Africa
 DPA (Kenya)
 POPI (South Africa)

Current Privacy Governance Structure
Data Protection Officer - Prashanth Adiyodi

Data Privacy Committee             | Data Protection Champion
HR Head - Prayag Lele              | HR
Operation Head - Rohit Pitale      | OPS
Finance Head - Rati Oke            | Finance
Marketing Head - Pranav Iyer       | Marketing
Sales Head - Pramod Ghadge         | Sales
Product & Tech Head - Shahid Memon | Product & Tech

Roles and Responsibilities
Data Privacy Committee
Role:
◦ Acts as a central representative body for business and support functions to jointly discuss and resolve data privacy issues.

Responsibilities:
◦ Review and approve data privacy policies and procedures.
◦ Approve significant changes in the exposure of information assets to major threats.
◦ Review, monitor and resolve data privacy breaches.
◦ Review and approve all changes and exceptions to the data privacy policy.
◦ Review proposals for major changes to augment data privacy.
◦ Ensure continued compliance with data privacy objectives and local laws.

Roles and Responsibilities
Data Protection Officer (DPO)
Role:
◦ The DPO plays a key role in implementing data protection policies and maintaining the privacy of personal information.

Responsibilities:
◦ Ensure the implementation of the data privacy regulations in an independent manner.
◦ Keep an inventory of all processing operations involving personal data carried out by the institution.
◦ Delegate executive responsibility for ensuring privacy of information to Data Protection Champions.
◦ Ensure the organization’s and its customers’ privacy is always maintained.
◦ Handle and report incidents related to breach of privacy.

Roles and Responsibilities
Data Protection Champions (DPC)
Role:
◦ Acts as a representative who guides and handles the data processing activities within their unit (project or function) and ensures compliance with data protection policies.
Responsibilities:
◦ Ensure the implementation of the data privacy policies and processes.
◦ Inform and guide associates within their function/project on the organization’s data privacy requirements.
◦ Provide the DPO with an up-to-date inventory of all processing operations involving personal data.
◦ Monitor and enforce data protection compliance.
◦ Serve as the point of contact between the project/function and the DPO.
◦ Report performance and compliance status to the DPO.
◦ Highlight or escalate any suspicious activity related to a privacy or data security breach.
◦ Report incidents related to data breaches to the DPO.

Key Areas to Address
 Awareness
 Personal Data Registers
 Privacy Policies to explain Organization’s Privacy Protection Framework & Practices
 Privacy by Design and Privacy by Default
 Privacy Notices (nature, purpose, use and sharing of any PII collected)
 Individuals’ rights on Privacy of PII
 Legality of processing PII
 Access Request
 Consent from Users (PII Principals/Data Subject)
 Data Privacy Impact assessment
 PII protection measures
 Data Protection Officer and Governance Structure
 Breach Notification Process
 Ongoing maintenance

GDPR Policies & Procedures
 Consent Management Policy
 Personal Data Breach Handling Policy
 Personal Data Protection Policy
 Personal Data Retention Policy
 Data Privacy Impact Assessment Procedure
 Personal Data Handling Procedure
 Privacy Consent and Revocation Procedure

Templates
 Data Privacy Notices
 Personal Data Access Request Form
 Data Processing Addendum
 Intercompany Data Transfer Agreement
 Privacy Consent Revocation Form

Breach Notification
 Report any known or suspected breach of personal data to the Data Protection Officer or email DPO@unboxrobotics.com
 The Data Protection Officer shall investigate any reported privacy breach
 As a data controller, the Data Protection Officer shall notify:
    ◦ the relevant legal and regulatory authorities of the respective region*
    ◦ the affected data subject(s) without unreasonable delay.
 As a data processor, the Data Protection Officer shall notify the client’s representative*
 Follow the Security Incident Management process for reporting and investigating the breach as an internal investigation.
 Track and close the reported breach.

* For timelines refer to UnboxRobotics-specific policies and procedures

Do’s and Don’ts for protecting PII
 Educate each person on what PII is, how it can be identified and why it should be protected.
 Classify PII in terms of sensitivity. Refer to the organization’s Information Classification Policy.
 Use the principle of least privilege when granting access.
 Ensure use of mobile devices does not lead to a compromise of PII.
 Be aware and knowledgeable of phishing scams.
 Avoid uploading sensitive documents to the cloud.
 Manage and clear cookies in your web browser.
 Use strong passwords and multi-factor authentication.
 Encrypt data at rest, in use and in motion, because data can be intercepted by threat actors at any stage.
 Safely dispose of or destroy old media containing personal data.
 Restrict the creation of hard-copy material containing PII to the minimum.
 If physical media is used for PII transfer, ensure that the data can only be accessed at the point of destination and not in transit.

Protection of PII Data
Secure and privacy by design in the development of applications processing PII:
 Guidance on PII protection and the implementation of the privacy principles.
 Privacy and PII protection requirements in the design phase.
 PII protection checkpoints within project milestones.
 By default, minimize processing of PII. Maintain a PII inventory for each application.
 The system that processes the PII should be designed in a way that facilitates the deletion of PII.
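The "identify PII", "classify PII in terms of sensitivity" and "minimize processing of PII by default / maintain a PII inventory" points from this slide and the Do’s and Don’ts slide, worked through in code. This is an added Python example, not material from the UnboxRobotics or Presidio deck: it classifies the fields of a constructed employee record by sensitivity, tokenises the most sensitive ones with a keyed hash, masks the rest, redacts identifiers that leak into free text, and derives the per-field PII inventory an application should keep. Field names, sensitivity tiers, the sample record and the key are constructed for illustration; the PAN (AAAAA9999A) and Aadhaar (12 digits) shapes are the public formats of the identifiers the deck lists.

```python
"""Identify, classify and minimise PII in application records (added example)."""
import hashlib
import hmac
import re

# Sensitivity tiers (constructed): RESTRICTED values are tokenised,
# CONFIDENTIAL values are masked, INTERNAL values pass through unchanged.
RESTRICTED, CONFIDENTIAL, INTERNAL = "RESTRICTED", "CONFIDENTIAL", "INTERNAL"

# Classification by field name (constructed schema): structured fields are the
# easy case because the application already knows what each one holds.
FIELD_RULES = {
    "aadhaar": ("national_id", RESTRICTED),
    "pan": ("tax_id", RESTRICTED),
    "bank_account": ("financial", RESTRICTED),
    "name": ("name", CONFIDENTIAL),
    "dob": ("date_of_birth", CONFIDENTIAL),
    "email": ("email", CONFIDENTIAL),
    "phone": ("phone", CONFIDENTIAL),
    "designation": ("job_title", INTERNAL),
}

# Detectors for PII that leaks into free text (comments, tickets, logs).
# Order matters: the specific PAN and Aadhaar shapes run before the generic
# phone shape; a "+" prefix keeps an international number out of the Aadhaar rule.
TEXT_PATTERNS = [
    ("tax_id", RESTRICTED, re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b")),
    ("national_id", RESTRICTED, re.compile(r"(?<![\d+])\b\d{4}[ -]?\d{4}[ -]?\d{4}\b")),
    ("email", CONFIDENTIAL, re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("phone", CONFIDENTIAL, re.compile(r"(?<![\w@.+])\+?\d{10,13}\b")),
]


def classify_field(name, value):
    """Return (pii_type, tier) for one field, or None when it holds no PII."""
    if name in FIELD_RULES:
        return FIELD_RULES[name]
    if isinstance(value, str):
        for pii_type, tier, pattern in TEXT_PATTERNS:
            if pattern.search(value):
                return (pii_type, tier)
    return None


def pseudonymise(value, key):
    """Stable keyed token (HMAC-SHA256): equal inputs give equal tokens, so
    records can still be joined, but the value is not recoverable without the key."""
    return "tok_" + hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()[:16]


def mask(value, keep=4):
    """Hide all but the last `keep` characters, e.g. for support screens."""
    text = str(value)
    if len(text) <= keep:
        return "*" * len(text)
    return "*" * (len(text) - keep) + text[-keep:]


def redact_text(text):
    """Replace PII in free text with typed placeholders; return (text, types found)."""
    found = []
    for pii_type, _tier, pattern in TEXT_PATTERNS:
        text, count = pattern.subn(f"[{pii_type.upper()}]", text)
        if count:
            found.append(pii_type)
    return text, found


def minimise_record(record, key):
    """Copy of `record` fit for logs/analytics: RESTRICTED fields tokenised,
    CONFIDENTIAL fields masked, INTERNAL kept, unknown text fields redacted."""
    out = {}
    for name, value in record.items():
        if name in FIELD_RULES:
            tier = FIELD_RULES[name][1]
            out[name] = (pseudonymise(value, key) if tier == RESTRICTED
                         else mask(value) if tier == CONFIDENTIAL else value)
        elif isinstance(value, str):
            out[name], _ = redact_text(value)
        else:
            out[name] = value
    return out


def pii_inventory(records):
    """Per-field PII register for an application: field -> (type, tier)."""
    inventory = {}
    for record in records:
        for name, value in record.items():
            classified = classify_field(name, value)
            if classified and name not in inventory:
                inventory[name] = classified
    return inventory


# Constructed sample record; not a real person. Note the PII hiding in "notes".
SAMPLE_RECORDS = [{
    "employee_id": "E-1042", "name": "A. Sample", "dob": "1990-04-12",
    "pan": "ABCDE1234F", "aadhaar": "1234 5678 9012",
    "email": "a.sample@example.com", "phone": "+919876543210",
    "designation": "Engineer",
    "notes": "Called back on 9876543210, sent form to a.sample@example.com",
}]
DEMO_KEY = b"constructed-demo-key-not-for-production"

if __name__ == "__main__":
    for field, (pii_type, tier) in pii_inventory(SAMPLE_RECORDS).items():
        print(f"{field:12} {pii_type:14} {tier}")
    print(minimise_record(SAMPLE_RECORDS[0], DEMO_KEY))
```

The inventory is the interesting output: `notes` shows up as carrying an email address even though the schema never declared it, which is how free-text fields defeat a register built only from column names. The HMAC key must live outside the data store (a secrets manager or HSM), otherwise the tokens are reversible by anyone who can read the database.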

Key Information Security Policies to Remember again for Privacy protection
• Password Policy
• Information Classification
• Clear Screen & Desk Policy
• Incident Response Process
• Internet Policy
• Antivirus Policy
• Information Security Do’s and Don’ts

Questions and Answers

Your Extended Office for Cyber Security!
Presidio Information Risk Management
