PowerPoint Presentation

The document provides an overview of the General Data Protection Regulation (GDPR) including key definitions, principles, rights and obligations. It outlines why privacy matters, defines personal data and its processing. It also summarizes GDPR requirements around consent, data breaches, accountability and the lawful processing of personal data.

Uploaded by

Vinay Kumar G

General Data Protection Regulation (GDPR) Orientation

ACCELERATE WHAT MATTERS. NOW. BRILLIO INFOSEC
AGENDA
WHY PRIVACY MATTERS !!!

GDPR AT A GLANCE

GDPR DEFINITION AND PRINCIPLES

GDPR DO’S & DON’TS

BREACH REPORTING
WHY PRIVACY MATTERS !!!

Definition of Privacy: Right to be let alone, or freedom from interference or intrusion

Information Privacy: Right to have some control over how your personal information is collected and used

PERSONAL DATA (few examples)
• Name
• Phone number
• Email id
• Biometric
• IP address
• Location
• Cookie
• Health Data
• Political opinion
• Sexual orientation

IMPACTS TO DATA SUBJECT
• Disturbance by Telecalls/mails
• Financial Losses
• Lawsuits/Criminal Investigations
• Mental Harassment/Stress
• Violence
• Others

EXPLOITATION PURPOSE
• Direct Marketing
• Financial Fraud
• Identity Theft
• Crimes
• Abuse/Blackmailing
• Espionage
• Cyber Bullying
• Many more….

IMPACT TO ORGANIZATION
• Financial Fines/Implications
• Loss of Revenue/Business
• Loss of Customers’ Trust
• Loss of Reputation & Brand Value
• Competitive Disadvantage
• Threat to Safety & Security
GDPR – WHAT, WHY, WHEN ?

What?
▪ The General Data Protection Regulation (GDPR) is a European law which replaces the Data Protection Act.
Why?
▪ The aim is to strengthen and unify personal data protection for all individuals living in the European Union.
▪ The Regulation lays down rules relating to the free movement of Personal Data across the EU.
When?
▪ Enforced since 25 May 2018
GDPR AT A GLANCE

GDPR UNIFIES data protection laws across EU

• Unified Data Regulation across EU: the General Data Protection Regulation lays down rules for Personal Data protection and its free movement within the EU
• Accountability and Compliance: sets accountability and obligations to comply with GDPR and to demonstrate compliance
• Hefty Fines for Personal Data Breach: € 20M or 4% of revenue; huge penalty for noncompliance
• 7 Privacy Principles
• 72 hour Data Breach notification SLA: obligation to notify Data Breach
• Enhanced Individual’s Rights: protects the ‘fundamental rights and freedoms of natural persons’ and the rights to the “protection of Personal Data”
GDPR DEFINITIONS & TERMS

Data subject: a natural person whose personal data is processed by a data controller or processor.

Personal data: any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified directly or indirectly by reference to an identifier such as a name, an identification number, location data, an online identifier etc.

Principles: the fundamental principles embedded within the GDPR which set out the main responsibilities for organisations.

Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Special categories of personal data: personal data revealing a data subject's racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, or the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
GDPR DEFINITIONS & TERMS

Consent: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Pseudonymisation: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.

Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Privacy impact assessment: a process designed to help organisations identify and mitigate privacy risks associated with proposed data processing activities. For further information, see the University's Privacy Impact Assessment guidance.
KEY TENETS

GDPR key principles
• Lawfulness, fairness, transparency
• Data minimization
• Purpose limitation
• Storage limitation
• Accuracy
• Integrity and confidentiality (security)
• Accountability

Data Subject Rights
• Right to Be Informed
• Right to Access
• Right to Rectification
• Right to Erasure
• Right to Restrict Processing
• Right to Data Portability
• Right to Object
• Right to Automated Decision Making / Profiling
LAWFULNESS OF PROCESSING PERSONAL DATA

Processing shall be lawful only if at least one of the following applies:
• Data subject has given consent to the processing
• Processing is necessary for the performance of a contract
• Processing is necessary for compliance with a legal obligation
• Processing is necessary in order to protect the vital interests of the data subject
• Processing is necessary for the performance of a task carried out in the public interest
DATA PROTECTION TECHNIQUES

• Pseudonymisation - Separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately.
• Encryption - Conversion of electronic data into another form, called cipher text, which cannot be easily understood by anyone except authorized parties.
• Minimisation - Reducing the data collection to the minimum required to deliver the service agreed by the data subject.
• Privacy by design and by default - Data privacy shall be part of the design consideration.
• Vulnerability Assessment & Penetration Testing - Regularly testing, assessing and evaluating the effectiveness of security measures.
• Ensuring ongoing application of confidentiality, integrity and availability controls.
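The pseudonymisation and minimisation bullets above describe what should happen to a record but not how the "additional information held separately" is kept apart from the working data. The following is an added example written for this page, not code from the deck or from Brillio: direct identifiers are replaced by a keyed HMAC token, the token-to-identity mapping lives in a separate vault object (standing in for a separately secured system), and only an explicitly allowed set of non-identifying fields survives into the working dataset. The field names, the records and the key are constructed for the example.

```python
"""Pseudonymisation with a separately held re-identification store.

Added example for this page (not from the slide deck). Direct identifiers are
replaced by keyed tokens (HMAC-SHA256); the token -> identity mapping and the
HMAC key stay in a separate vault, so the working dataset alone cannot be
linked back to a person. Records, field names and key are all constructed.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Fields treated as direct identifiers (assumed set for this example).
DIRECT_IDENTIFIERS = ("name", "email", "phone")


class IdentityVault:
    """Separately held store: HMAC key plus token -> original identifiers.

    In a real deployment this would sit in a different system with stricter
    access control than the pseudonymised working dataset.
    """

    def __init__(self, key: Optional[bytes] = None):
        self._key = key or secrets.token_bytes(32)
        self._lookup = {}  # token -> dict of original identifiers

    def token_for(self, identifiers: dict) -> str:
        # Deterministic keyed hash: the same person always gets the same token,
        # so records can still be joined, but without the key the token alone
        # reveals nothing about the identifiers behind it.
        canonical = "|".join(f"{k}={identifiers[k]}" for k in sorted(identifiers))
        digest = hmac.new(self._key, canonical.encode("utf-8"), hashlib.sha256)
        token = digest.hexdigest()[:16]
        self._lookup.setdefault(token, dict(identifiers))
        return token

    def reidentify(self, token: str) -> Optional[dict]:
        """Reverse a token; only possible with access to this vault."""
        return self._lookup.get(token)


def pseudonymise(record: dict, vault: IdentityVault, keep_fields: tuple) -> dict:
    """Return a copy of `record` with direct identifiers replaced by one token.

    `keep_fields` applies minimisation: only the listed non-identifying fields
    survive into the working dataset; every other field (e.g. an IP address)
    is dropped rather than carried along "just in case".
    """
    identifiers = {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}
    out = {"subject_token": vault.token_for(identifiers)}
    for field in keep_fields:
        if field in record and field not in DIRECT_IDENTIFIERS:
            out[field] = record[field]
    return out


# Constructed sample records (fictional people, documentation-range IPs).
SAMPLE_RECORDS = [
    {"name": "A. Example", "email": "a.example@example.org", "phone": "+00 0000 0001",
     "country": "DE", "plan": "basic", "ip": "198.51.100.7"},
    {"name": "B. Sample", "email": "b.sample@example.org", "phone": "+00 0000 0002",
     "country": "FR", "plan": "pro", "ip": "203.0.113.9"},
    {"name": "A. Example", "email": "a.example@example.org", "phone": "+00 0000 0001",
     "country": "DE", "plan": "pro", "ip": "198.51.100.7"},
]


def build_working_dataset(records, vault, keep_fields=("country", "plan")):
    """Pseudonymise and minimise a batch of records."""
    return [pseudonymise(r, vault, keep_fields) for r in records]


def leaks_direct_identifier(dataset, records) -> bool:
    """Check: no original direct-identifier value appears anywhere in the output."""
    values = {r[k] for r in records for k in DIRECT_IDENTIFIERS if k in r}
    return any(v in values for row in dataset for v in row.values())


if __name__ == "__main__":
    vault = IdentityVault()
    dataset = build_working_dataset(SAMPLE_RECORDS, vault)
    for row in dataset:
        print(row)
    # Same person -> same token, so per-subject analysis still works.
    print("joinable:", dataset[0]["subject_token"] == dataset[2]["subject_token"])
    print("leaks identifiers:", leaks_direct_identifier(dataset, SAMPLE_RECORDS))
    # Only the vault can reverse a token.
    print("reidentified:", vault.reidentify(dataset[1]["subject_token"]))
```

The design point is the separation: the working dataset plus an unrelated vault (a different key) cannot re-identify anyone, which is exactly the "additional information held separately" property the bullet describes. Tokens are deterministic per person so the data remains useful for joins and counts; if that linkability is not needed, a random token per record would be the stronger choice.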
GDPR DO’S & DON’TS

Do’s
• Brillio is contractually committed to protecting personal data (NDA/MSA/DPA)
• Familiarize yourself with the client data privacy policy and requirements
• Strictly adhere to client data handling instructions
• Utmost care should be taken while handling Personal data
• Follow the data minimization and privacy by design and by default principles
• Implement technical and organizational measures to safeguard personal data
• Always process and store personal data in approved locations only (within EU/UK)
• Promptly notify in case of Breach within the agreed SLA
• Adhere to Brillio Security policies (refer to Appendix A for links)
Don’ts
• Don't copy/transfer client Personal data to the Brillio environment/laptop
• Do not use personal devices (PC/mobile) to access/process personal data
• Do not use unauthorized third-party Cloud services, like Dropbox or Google Drive, when processing personal data
• Never post personal data on social networking sites
BREACH REPORTING

• Brillio is contractually obligated to notify the client of a Privacy breach as per the agreed SLA in the DPA
• Any Privacy or Security breach must be reported internally to the Brillio Security team
• All Data breach communication shall be interfaced through the client account manager

How to report Privacy Breach

Brillio

[email protected]
[email protected]
Raise ticket on BRISC tool
Phone : 91-80- 40136111 Extn 6111

Client

Please follow client incident reporting process as defined in MSA/DPA


Appendix A

Please refer to below policy links

Brillio Information Security Policy

Brillio Personal Data Protection Policy

Brillio Personal Data Protection Guidelines


THANK YOU
LET’S BUILD SOMETHING
AMAZING TOGETHER…

© 2020 BRILLIO TECHNOLOGIES
