A quick guide on the concept: Privacy by Design

Introduction

The concept of data privacy appeared in scholarship long before the digital era, and so did the concept of Privacy by Design, which was introduced in the 1990s by Ann Cavoukian, former Information and Privacy Commissioner for the Province of Ontario.

Privacy by Design (“PbD”) defines the nature of privacy and how we must approach it. It means that, from the very beginning of an organization’s or a project’s existence, privacy must be planted, enabled and implemented in its foundations, rather than being viewed only through a compliance lens and merely as a remedy against breaches and risks. Moreover, it should be adopted as a culture, not as one more item on a shopping list.

Let’s dive into how to implement PbD within an organization through its seven foundational principles:

  1. Privacy measures should be “Proactive not Reactive”; “Preventive not Remedial”

Taking this viewpoint can make your team’s life easier and save your organization from heavy penalties. Here is why: this principle concerns the very nature of privacy, and how it benefits and adds value to an organization when it is applied proactively. Privacy measures should be implemented to detect and minimize or eliminate potential threats, not deferred until a threat has already caused harm and security measures are bolted on afterwards. That is not how privacy should work. Examples include conducting a Data Protection Impact Assessment before processing, or a Transfer Impact Assessment before cross-border transfers.

  2. You must enable “Privacy as the Default setting”

This simply means that privacy must be built into systems and processes as the default, with privacy at the forefront. Although this looks like the toughest principle to implement, it only reduces potential cyber risks. An organization achieves privacy by default by limiting the collection of data, not retaining data once its purpose has been served, and ensuring that no user is required to act separately to protect their personal data. For example, personalised ads or precise location access should be turned off by default.

  3. “Privacy embedded into Design”

Privacy must be built into the skin of the products and services you offer from their initial stage, and treated as an integral part of your business practice. It should not be considered an add-on or a countermeasure adopted only in response to risks. In simple terms, this principle states that an organization must strive to provide privacy at every stage of offering its products and services to users. For example, providing an end-to-end encrypted platform, giving users the choice of whether to receive targeted ads, etc.

  4. Full Functionality – Positive-sum, Not Zero-sum

The fourth principle states that privacy by design seeks to accommodate all legitimate interests, dismisses unnecessary trade-offs, and avoids false dichotomies such as privacy versus security, so that by implementing privacy by design an organization can achieve a win-win outcome. For example, if an organization limits and minimizes data collection and data sharing, and destroys data according to its retention policy, it reduces its security exposure and puts users’ privacy at the forefront without making any unnecessary trade-offs.

  5. End-to-End Security – Full Lifecycle Protection

This principle states that data privacy and data protection go hand in hand, and must be delivered across the entire lifecycle of the data. An organization must ensure that all reasonable, industry-recognized security measures are taken from data collection through to deletion. For example, before a cross-border transfer of personal data, an organization must conduct a transfer impact assessment to identify and analyse the potential risks, and only then proceed with the transfer.

  6. Visibility and Transparency – Keep It Open

This principle holds that users’ privacy means complete visibility and transparency about what happens with their data. To ensure this, every organization must strive to publish easy-to-read privacy and cookie policies, which help users understand exactly what happens with their data. Always remember that privacy is a trust-building initiative and has a direct impact on every organization.

  7. Respect for User Privacy – Keep It User-centric

Lastly, privacy only comes from putting consumers and users first. Organizations must keep in mind that it is their users’ data they are processing, and must keep their practices consumer-centric by granting users control and visibility over their data. Data privacy should go hand in hand with respecting the user’s experience throughout. For example, a user must have the right to seek correction and erasure of his or her data from any platform.

Discussion on: The Criminal Procedure (Identification) Bill, 2022 & the Right to Privacy

Join us tonight at 9 PM (Instagram Live), in conversation with R H A Sikander, practicing Advocate at the Supreme Court of India, where we discuss two important Bills: The Criminal Procedure (Identification) Bill, 2022 & The Data Protection Bill, 2021.

Instagram live link: https://www.instagram.com/lawyerstrange/

#CriminalProcedureIdentificationBill2022

#PrivacyMatters

Your Guide to Managing Data Subject Access Requests

DSAR stands for Data Subject Access Request, and it is one of the rights that a data subject (an individual) enjoys under the General Data Protection Regulation (GDPR).

  1. A data subject is anyone whose data is collected, shared and processed by a data controller.
  2. A data controller is a company, organization or anyone else who handles the personal data/information of data subjects.

As per the GDPR, the data subject should be a resident living in the European Union.

Recital 63 of the GDPR states:

“A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”

  1. Reasons to have a DSAR process

A data subject may submit a DSAR for any of the following reasons:

  1. To confirm whether your organization/business processes the personal data of an individual (referred to as a data subject).
  2. To access the personal data/information held about the data subject.
  3. To determine whether the processing of the data subject’s data rests on a lawful basis.
  4. To learn the period for which such data has been stored by your organization/business.
  5. To enquire how the data subject’s personal information/data was obtained by your organization/business.
  6. To obtain information about automated decision-making and profiling based on the data subject’s personal information.
  7. To obtain the names and further details of the third parties with whom your organization/business shares the data subject’s personal information.

This isn’t an exhaustive list; a data subject has this right under the GDPR and can submit a DSAR to the data controller at any time, without giving any reason. The data controller may only ask questions in order to verify the data subject’s identity.

  2. Principles for DSAR

The GDPR in its entirety is based on the following principles, and it is the data controller’s responsibility and obligation to process data in accordance with them.

Article 5 of the GDPR lays down the following principles:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

The DSAR, in turn, is based on the rights granted to data subjects under the GDPR:

  • Art. 15 grants the data subject the right to access his/her personal data held by the data controller.
  • Art. 16 grants the data subject the right to have his/her inaccurate personal data rectified by the data controller without undue delay.
  • Art. 17 grants the data subject the right to be forgotten, to be honoured by the data controller without undue delay.
  • Art. 18 grants the data subject the right to restrict the processing of his/her personal data.
  • Art. 20 grants the data subject the right to obtain his/her personal data in a machine-readable format and to transmit it to any other controller.
  • Art. 21 grants the data subject the right to object to the processing of his/her personal data.
  • Art. 22 grants the data subject the right not to be subjected to automated decision-making and profiling.
  3. Steps to perform as a Data Controller

  1. The first step is to verify the data subject’s identity and record the DSAR in your system.
  2. Next, collect and categorize the personal data that you have stored about the data subject.
  3. Review the data subject’s request in order to understand what the DSAR requires. The GDPR mandates that the reply be sent within 30 days and without undue delay.
  4. Before sending the response, gather all of the data subject’s personal data into it, as the GDPR also encourages providing remote access to such data.
  5. Ensure that delivery of the data to the data subject is secure: data leaks and breaches are expensive, and they damage users’ trust and the organization’s reputation and goodwill.
  6. Once you have followed all the required steps, you are ready to send the response to the data subject.
  7. It is essential to remind data subjects of their privacy rights; you may do so by adding a few lines at the end of your response.
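The steps above as a minimal DSAR handling record, written here as an added example (not code from the original guide): it records the request, computes the 30-day reply deadline, refuses to disclose anything until identity has been verified, gathers the subject’s data from every store, and appends the rights reminder. The data stores, subject identifiers and identity token are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed in-memory stores standing in for the systems that hold
# personal data (CRM, billing, support ...); each keyed by subject e-mail.
STORES = {
    "crm": {"alice@example.com": {"name": "Alice", "city": "Lyon"}},
    "billing": {"alice@example.com": {"open_invoices": 1}},
    "support": {"bob@example.com": {"tickets": 2}},
}

RESPONSE_WINDOW_DAYS = 30   # the 30-day reply window the guide refers to

RIGHTS_REMINDER = (
    "You also have the right to rectification (Art. 16), erasure (Art. 17), "
    "restriction (Art. 18), portability (Art. 20) and to object (Art. 21)."
)


@dataclass
class DSAR:
    subject: str                 # identifier the data subject used in the request
    received: str                # ISO date on which the request was recorded (step 1)
    identity_verified: bool = False
    log: list = field(default_factory=list)

    @property
    def deadline(self) -> str:
        # Step 3: the reply is due 30 days after receipt.
        due = date.fromisoformat(self.received) + timedelta(days=RESPONSE_WINDOW_DAYS)
        return due.isoformat()

    def verify_identity(self, supplied_token: str, expected_token: str) -> bool:
        # Step 1: identity is the only thing the controller may question;
        # a constant-time compare avoids leaking the token through timing.
        self.identity_verified = secrets.compare_digest(supplied_token, expected_token)
        self.log.append(("identity_verified", self.identity_verified))
        return self.identity_verified

    def gather(self) -> dict:
        # Steps 2 and 4: collect personal data from every store, labelled by
        # source, so the response covers everything held about this subject.
        return {name: store[self.subject] for name, store in STORES.items()
                if self.subject in store}

    def respond(self, today: str) -> dict:
        # Steps 5-7: never disclose before identity is verified, flag an
        # overdue reply, and append the reminder of the subject's other rights.
        if not self.identity_verified:
            raise PermissionError("identity not verified: personal data must not be disclosed")
        self.log.append(("responded", today))
        overdue = date.fromisoformat(today) > date.fromisoformat(self.deadline)
        return {"subject": self.subject, "data": self.gather(),
                "overdue": overdue, "reminder": RIGHTS_REMINDER}
```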

Comparing the stance on Protection of Non-Personal Data in India and EU

First published on Tsaaro

Introduction & timeline of data protection in India

It is true that soon every business will become a tech business, as “data” becomes the new source of income. Managing the data of so many people is not as easy as it may seem for businesses and organisations, large or small. Leaving this area unregulated could lead to a global crisis, from human rights violations to economic domination of the market, and to endless privacy violations and cyber-crimes. Hence, regulating this area should be the prime focus of our nation’s government, and of the government of any other country that has no privacy regulation. India recognised “privacy” as a fundamental right in 2017, in the landmark decision of the Supreme Court in Justice K S Puttaswamy v. Union of India.

Right after the declaration of the “right to privacy” as a fundamental right, in July 2017, a Committee of Experts was constituted under the leadership of…continue reading