The Institute was established in 2016 and we are among the finest security and technology training and consulting companies, with a wide range of professional training programs, certifications and consulting services in the IT and cyber security domain: high quality technical services, certifications and customized training programs curated by professionals with over 15 years of combined experience in the domain. We are one of the best in terms of certification training, which is well known in the market, and we are the official training partner for IAPP certifications, which you can see: CIPP/E, CIPP/US, CIPM, CIPT, CIPP/C and CIPP/A. So we are very happy to introduce ourselves as an official training partner; it has partnered with the world-leading information and data privacy organization IAPP, and this gives the opportunity to provide the following certification courses. These are our endorsements for your view: we have four plus years of service, a 70 plus pool of trainers, 200 plus courses, 30,000 professionals trained, 10 plus value partners, 150 corporate deliveries and 20 plus countries served currently, and these are some of our trusted clients.

So the agenda for today is a review of important topics in CIPP/E and CIPM. Today's slot is only for CIPP/E, and please do join us tomorrow at the same time for the CIPM exam prep discussion, data privacy interview questions and a plan for preparing to clear the exam inside two months. This is how we will be discussing the topics today, so let's get started.

Day one is your CIPP/E, Certified Information Privacy Professional/Europe. This is one of the most sought after certifications in the data privacy market, and if you want to build your career in data privacy I would say this is the first and most important foundation block for anyone who is starting a data privacy career, because this gives you a clear understanding of GDPR, which is one of the regulations in the world but is still considered the gold standard. Once you have a clear grasp of all the data privacy concepts, it is only a matter of application to all other jurisdictions, including the US, Canada, Asia and other regions as well. So this we consider one of the building blocks or foundations of a successful data privacy career.

Coming to the slides, just focusing again on the available certifications for data privacy: these are the top four certifications and accreditation which are renowned in the market right now. Anyone who wants to build a career should ideally focus on these four. The first three are certifications and the final one is an accreditation, in the sense that once you complete either of the first two and showcase the relevant experience along with certain referrals, then you will be entitled to the Fellow of Information Privacy title from IAPP. So these are the best certifications that are available in the market for data privacy currently. Anyone who wants to switch career, anyone who is planning to take up data privacy, should ideally have, depending on the skill set and focus area, either two of them, which is CIPP/E and CIPM, or CIPP/E plus another CIPP; then you are ideally set in terms of reaching a much quicker and faster growth in this particular domain.

So the plan for today is to discuss the overview of the different chapters which are there in the CIPP/E curriculum. I'll be running the exact blueprint replica of how the course will be structured and how we actually run it in our actual course, which will follow soon next month. This will give you a complete overview of how the course will be taken up and what the different topics are which are there to discuss during the course. So this is just an overview or outline session which we are having right now, and we'll be discussing what the actual contents will be that are discussed during our full-fledged course, which is going to follow next month.

The first topic in the CIPP/E curriculum is the origins and historical context of data protection law. This chapter is completely important in terms of understanding the origins of how data privacy and data protection as concepts evolved in Europe, what the important landmark decisions were that happened in terms of the laws and the regulations, what the subsequent consequences were that they had, and what the drivers are for such
requirements. These are some of the important historical elements that one should be completely aware of, especially if you're going to work in Europe: without understanding the elements of why data privacy as a concept evolved, what the important drivers were, what the key landmark decisions were and what the different treaties are, currently it's going to be slightly difficult, because without knowing the purpose, without understanding the drivers of why this was required, you will not be able to appreciate the data privacy concept. So in this particular chapter we'll be looking into all these elements.

This is just a summary. In this particular chapter I'll be providing you the entire details of each and every section of the events that started after the Second World War, especially the event of passing the ECHR. There are different milestone events starting from 1946. 1948 is the first important decision, which is the Universal Declaration of Human Rights, which we call the UDHR, and in 1950 it was followed by the ECHR, which is the EU convention. These are the first two important pillars or milestones of data privacy in Europe. Following that we have 1980, which is the OECD guidelines on transferring data across different borders, and this guideline was the third important milestone. Following that we have the first official binding instrument, in 1981, which is the treaty 108, called the EU data protection convention or Convention 108. This is the first legally binding instrument that came into the data privacy domain. Following that we had some events like, in the UK, the treaty that became a Data Protection Act, and then later on we had the 1993 important case which had a lot of significance, and then finally we had the most important piece of legislation, which is the 1995 Directive. The 1995 Directive is the predecessor of GDPR, and almost 60 to 70 percent of the same content of what we see in GDPR was already part of the 1995 Directive. So anyone who thinks GDPR was the first official data privacy related regulation which has all these elements: it was not the case. In the 1995 Directive we already had very strong data privacy requirements; just that the nature of the bill was not a regulation but a directive. Following that we had in 2003 the PECR, which is the Privacy and Electronic Communications Regulation, and then we also had some other important elements. I'm not going into each and every detail, since we have to cover around 18 chapters today; I'll give you the overview. Finally we had the GDPR, which came in 2016 and was first built then, and in 2018 it was enforced. So the idea of this first particular chapter is to understand what the key important laws and regulations are that were enacted in Europe, what the drivers are for such laws and regulations, and what the impact of the same was on Europe. We'll be covering all these elements in detail during our course.

In Chapter 2 we are going to study the European Union institutions
so European Union institutions are, for example, like in every country you have powerful controlling bodies and institutions which are responsible for governance, isn't it? The same goes for the European Union: the European Union has institutions that govern the laws and the regulations of the land, and for that we have different institutions within. We have the Council of Europe, the European Parliament, the European Commission, the European Council, the European Court of Human Rights and the European Court of Justice. Why we need to learn this chapter for data privacy is that all these institutions had some very important role in terms of the data privacy laws and regulations that we witnessed in the previous slide, so we will study the nature and the powers of such institutions and what role they played in terms of data privacy. A sample of that is this slide, about how the power is generally there and which institution is responsible for what. A quick overview is that the European Parliament and the European Council of Ministers are the key institutions within the European Union. The European Parliament is similar, from an Indian perspective, to the Indian Parliament, directly elected by the people, and the Council of Ministers represent each member state and are elected by the government. So these institutions are primarily responsible for most of the important decisions taken, and the European Commission is the executive body; the executive body implements the decisions taken by the Parliament and the Council of Ministers together, and along with that they also play an important role in terms of taking decisions. There is a European Court of Human Rights, and they also play an important role in terms of handling the data privacy related judgments, and we also have a Court of Auditors and a Court of Justice. So in a nutshell, it's important for you to understand how these institutions have played a role in terms of data privacy, what powers they share and what impact it had on the European Union as a region. This is all about chapter two, and we will be studying all these elements in complete detail in terms of what the roles and responsibilities of each of these institutions are, what powers they have and, in correlation with data privacy, what role they have played so far. All these things will be studied in detail during our actual course.

With that we jump into chapter four. There is one more chapter, which is chapter three, which is almost the same replica: what we study in chapter one and two will be covered in chapter three in detail, which is the legislative part, the actual legislations, starting from the 108 convention, and then we have multiple other laws related to it, and finally we will be covering the GDPR in detail. So in correlation to the time we are jumping to the other chapters.

This entire curriculum of the GDPR, sorry, not the GDPR, the CIPP/E exam, is divided into three parts. The first three chapters are called the foundation and the origins of data protection in Europe, and the second is the actual building block of GDPR, chapter 4 to chapter 14; correct, chapter 4 to chapter 14 are about the building block of the actual GDPR. What I generally do as part of the course is that we start with chapter four, because this essentially is the GDPR which you need to know. Section one and section three are two different elements: section one is about the history of GDPR and section three is about the application of GDPR, but section two is the actual crux of the GDPR itself. So starting from chapter 4 we will understand some very foundational and important building blocks of data privacy, and they are: what is personal data, what is sensitive personal data, what is pseudonymous data and anonymous data, what is meant by processing, who are controllers, who are processors, who are joint controllers, who are sub-processors and who is called a data subject. We will study all these elements in detail with a lot of examples, and to make the concepts very clear we will have a lot of practical discussions in terms of giving you examples from your day-to-day work and understanding the different elements of all these important requirements
of the data protection concept. I'll just run you through some of the very important elements here. For example, the definition of personal data within GDPR is: any information relating to an identified or identifiable natural person. The statement looks very simple, but each and every word of such a statement has so much essence to it. For example, when I say "any information", there are subsets to any information. What do you mean by subset here? There is the nature of the information itself: the information can be objective information, it can be subjective information. Many people think subjective information may not be part of the data which we need to protect, but it's not so; we need to also protect the subjective information. For example, I work in a company and there is an appraisal, and during the appraisal someone gives feedback about me that "Jay is a very hard working person", XYZ, blah blah blah, and there are multiple statements and characteristic traits defined about me. It's a very subjective statement, but these subjective statements are also clearly personal information, and this information will be required to be protected under the GDPR. Going forward we have content: the content can be professional data and can be personal, and there is tech data. A good example of tech data is cookies. Cookies are what we use from a web browser; for example, whenever you log into any website you tend to see cookies getting placed on your browser, and these browser cookies essentially try to capture elements of your browsing patterns, your likes and dislikes and what you generally do as part of your browsing habit. So these elements also fall under the GDPR realm. It is important for you to understand all these concepts in depth, because when you look at the articles of the GDPR in general they look very simple, but all these words which are described within the GDPR articles have a lot of depth, and if you don't understand their depth, their application will have a lot of problems, okay?

The format of the personal data includes paper and electronic formats. When we say paper, not every paper which is there will fall under GDPR; there are certain nuances about what categories of paper assets will be applicable in the GDPR, so all these things we will be studying in detail with a lot of practical examples. "Relating to" is a very important factor, because the data should be able to relate to a particular person, and it's about the content, the information. So "relating to" here is about the content information on the individuals, the purpose (evaluation and analysis) and the result. Basically, any information that speaks about a particular individual and is used for a purpose, for example evaluation or analysis. A good example is any activity that you do involving certain analysis; for example, I'm trying to evaluate a person's CIBIL score, I'm trying to do an HR assessment on a candidate or an employee in an organization, right, a candidate being assessed during an interview. All these things are examples of the purpose of evaluation and analysis, and the result, which is also an important factor, of impact. So all these terminologies come with a lot of examples; we'll be looking into these examples in detail. These harmless keywords, "any information relating to an identified or identifiable natural person": all these harmless keywords have so much depth, right? For example, what do you mean by identifiable person? Identifiable person is like, where do you stop the boundary, right? This you will not be able to understand when you read on your own, so here there are a lot of factors that you need to look at: the combining factor, where there could be multiple personal data combined to become personally identifiable information. A good example is a name plus, if I say, certain other unique parameters: those personal data on a standalone basis will not be able to identify a person, but when we combine these personal data they can become personally identifiable information, right? So this is important in terms of having a clear scope of boundary of what is an identified or identifiable natural person. Natural person here means a living person; any dead people and organizational data will not be part of GDPR. Many people will not have that clarity, right: organizational data is not called personal data, because organizational data is not related to any human being, so it is not covered under GDPR, and also the people who have passed away, their data is also not covered under GDPR. So these nuances, with a lot of depth, we'll be covering in detail during our courses.

What is sensitive personal data? Sensitive personal data is a category within the GDPR personal data, and here we will be looking into the definitions already given under GDPR, which are trade union membership, health data, genetic data, religious beliefs, political beliefs, biometric data, race or ethnic origin, sex life or sexual orientation. These data sets are already classified as sensitive personal data, and these data sets while processing need separate attention and care. So there are a lot of nuances again about it; for example, photographs are definitely biometric data, right, and so, will all photographs be considered sensitive personal data? That is one of the very important practical aspects that you need to understand.

What do you mean by anonymous data and pseudonymous data? Anonymous data is when you remove all the personal identifiers from data and it becomes completely unidentifiable data; then you call it anonymous data. Pseudonymous data is only partial removal, which means you remove it and keep it: you isolate the key identifiers and keep them in a separate place, and you can link it back. That is pseudonymization. So these are some of the techniques which are used for data protection.
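Anonymous versus pseudonymous data, as an added Python example that is not part of the webinar or the institute's course material. It keeps the isolated identifiers in a separate key table so the record can be linked back (pseudonymous), and contrasts that with dropping identifiers and coarsening the combinable attributes (anonymous). The records, field names and secret are constructed for the demonstration.

```python
import hmac
import hashlib

# Constructed sample records (fictional people) for the demonstration.
# "name" and "email" identify a person directly; "age" and "postcode" do
# not on their own, but combined they can single someone out (the
# "combining factor" described above).
RECORDS = [
    {"name": "Jay Kumar", "email": "jay@example.com", "age": 34,
     "postcode": "560001", "feedback": "Very hard working, meets every deadline."},
    {"name": "Anita Rao", "email": "anita@example.com", "age": 41,
     "postcode": "560034", "feedback": "Leads the team well under pressure."},
]
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonym(secret: bytes, email: str) -> str:
    """Keyed hash (HMAC-SHA256) of the email: the same person always gets the
    same token, but nobody without the secret can recompute or reverse it."""
    return hmac.new(secret, email.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, secret: bytes):
    """Split each record in two: a working copy with the direct identifiers
    replaced by a token, and a key table (to be stored separately and
    access-controlled) that maps each token back to the person. Keeping that
    key table is what makes the data pseudonymous rather than anonymous."""
    working, key_table = [], {}
    for rec in records:
        token = pseudonym(secret, rec["email"])
        key_table[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        working.append({"token": token,
                        **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return working, key_table


def reidentify(working_record, key_table):
    """Link a pseudonymised record back to the person. Only possible for
    whoever holds the key table; without it the token is meaningless."""
    identity = key_table.get(working_record["token"])
    if identity is None:
        raise KeyError("token not in key table: record cannot be linked back")
    return {**identity, **{k: v for k, v in working_record.items() if k != "token"}}


def anonymise(records):
    """Remove the direct identifiers outright and coarsen the quasi-identifiers
    (age -> decade band, postcode -> area prefix) so the remaining combination
    no longer points to one person. No key table is kept, so there is nothing
    to link back, which is what anonymous data means here."""
    return [
        {"age_band": f"{(rec['age'] // 10) * 10}s",
         "area": rec["postcode"][:3],
         # free text must itself be checked for names before it is released
         "feedback": rec["feedback"]}
        for rec in records
    ]
```

The working copy alone lets an analyst study feedback by age band and area, while only the holder of the key table (for example HR) can put a name back on a record.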
Masking and pseudonymization are some of the technological concepts which are even appreciated by the GDPR itself, so we'll be studying all these elements in detail during our courses.

The next important topic is the controller, and the controller is a very, very important topic, because if you are going to work for any organization you need to understand what the role of that organization will be, whether the organization is a controller or a processor or a joint controller, and on that basis the roles and responsibilities will definitely vary, and that is where you need to understand this concept clearly. Controller: again, what do you mean by controller? Controllers are the people who define why this data is collected and what the ways and means are by which this data is going to get processed. With this we decide who, whoever takes up those responsibilities, will be identified as a controller. Once you know you are a controller, then you have those responsibilities attached with it, which are your compliance requirements: you need to notify and communicate the breach to the supervisory authority as well as the data subject, conduct data privacy impact assessments, handle the records of processing activity, appoint a data protection officer, adopt the technical and organizational measures that need to be adopted, and cooperate with the data protection authority. So this is a very, very important topic, and we'll be studying their roles and responsibilities in detail and their obligations under GDPR. The processor, again, is an element defined within GDPR where a controller nominates or appoints a processor who conducts the activity on behalf of the controller. So the controller-processor arrangement should be clear, and the processor should have clear instructions in terms of what they can do and what they cannot do, and this needs to be documented. Since the earlier versions of the data protection laws and regulations within Europe there was not much emphasis on the processor, but within GDPR we have clear obligations for processors, which include maintaining records of processing activity, notifying the data controller about the breach, and prior approval and a contract for appointing a sub-processor. So you have specific roles and responsibilities for both controller and processor; we'll be studying all these elements with practical examples in our curriculum. This is all about the very important data protection building concepts.

Then we'll be moving on to the next important chapter, which is the territorial and material scope. Any law, any regulation, any act, anything which is implemented on a wider scale will always have a clear scope, and so is the case with GDPR: GDPR has a clear territorial and material scope. So we will see, in terms of territorial scope: territorial scope means GDPR is not just applicable only to the European Union. This is again a myth a lot of people have. The data which is handled within the European Union will of course be there under the GDPR, but there are certain fine prints within the territorial scope, which is one of the very important testing concepts for the exam as well. During our course we will make you understand certain topics which are tricky and certain topics where you definitely expect a lot of questions during the exam, and one such important topic is the territorial scope. A clear way of understanding this is: if you have a company and the company is operating based out of the European Union, then straightforwardly GDPR is applicable to you. But now the second part is the most tricky part: even if your company is not operating within the European Union, but you are delivering goods and services targeting the data subjects who are there in the European Union, or, second point, you are monitoring the habits, you are monitoring the people who are there in the European Union, then you are still applicable under GDPR. A lot of people will not understand this fact, and that is why you might end up having a hefty fine, or you are breaching the GDPR requirement. So understanding territorial scope is very, very important, as we see GDPR as an extended arm even for a company which is based out of India: if you try to sell goods or services targeting a European Union data subject, this activity will be bound by GDPR requirements, and if you are monitoring the behavior of a data subject which takes place in the European Union, again this activity will be bound by GDPR. So this territorial scope is one of the very, very important topics from your data privacy work as well as your exam perspective.

This is again a sort of summary. We say Article 3 is the one which handles the GDPR territorial scope, and we see the classification here. Article 3(1) is very straightforward, which is: whenever there is an EU establishment, the establishment is based out of the EU, then straightforwardly GDPR is applicable to you. Article 3(2)(a) and (b) are the second, the exceptional long arm reach. Long arm reach is like: even though they are not established in the European Union, like I said, for example they are based out of India or based out of any other country outside the European Union, but still they are providing goods and services and they are monitoring the behavior of the natural persons taking place within the EU, GDPR is applicable to them. And the final category, which is Article 3(3), is the diplomatic mission or consular post; for example, we have international territories, for example the embassy within India or an embassy anywhere in the world, so they are bound by the international laws, and the same goes for the international waters as well. So in these places GDPR is still applicable. These are some of the important fine prints within the territorial scope which we'll be studying in detail during our session. So this is all about chapter 5, but for chapter 5, as I said, this is just the outline; we will be studying at least
10 to 12 case studies generally; that's what I do, try to give a lot of examples, because without examples you will not be able to appreciate the depth of this particular topic.

Moving on is the data processing principles. Data processing principles are some of the foundations governing the data privacy requirements of GDPR, so we call it something called accountability. To establish accountability you need to follow all these six principles; anyone who adopts all these six principles in their organization, then this organization is counted as accountable for GDPR. If you violate any of these six principles, then obviously you are going to end up paying a penalty for a GDPR breach. So we'll be studying all these principles in detail with examples; just giving an overview of the same: the first one is lawfulness, and lawfulness means you need to be transparent and fair, you need to process the data when you have a lawful basis; we will study the lawful basis in the next chapter in detail. The second one is purpose limitation: purpose limitation means you only use the collected data for the specified purpose; you do not process the data for extended purposes without informing the data subject. Third is data minimization: you only collect the data which is required for the purposes. For example, not knowing how much data you need for a particular process and collecting excess data will definitely violate data minimization, and you only need to collect the data which is exactly required for the particular processing. Then we have data accuracy: always keep the data accurate. For example, there could be corrections in terms of a certain person's address or phone numbers; all these things can happen over the course of time, so you need to provide provisions for the data subjects to make such corrections, and you can also proactively reach out to them during a specified time interval to allow them to make certain corrections. Storage limitation is to only retain the data which is necessary to serve the purpose; for example, I have a process for which the data will be required for two years, and beyond that I don't need the data to be retained, so either you delete the data or return it back to the data subject. This is the way you handle it, and there are a lot of cases which especially revolve around your retention, because a lot of companies may not clearly define the retention requirements, and that is why they end up storing a lot of excess data, and whenever there is an unfortunate event like a data breach this will definitely trigger a lot of hefty fines associated with that. The next is integrity: integrity is about protecting the personal data, whatever you have collected, with sufficient technological and organizational measures. So these are all the six important GDPR principles, and all these principles we will again be studying in detail with the relevant examples during our regular session.

The next chapter is about the lawful processing criteria. As I said, the first principle is lawfulness, and to be lawful you need to process the personal data with the allowed lawful processing which is defined in GDPR. The ones which are currently available for any organization are: the first one is consent, the second one is contract, the third is legal obligation, the fourth is vital interest, the fifth is public interest and the sixth is legitimate interest, and then there are the special categories of processing. So this is the chapter content, but if you see lawfulness, these are the six important lawful bases which are allowed under GDPR. Consent is the direct approval of the data subject: whenever you are interacting with the data subject and collecting their approval, that is based on the purpose of consent. The second is contract; a contract is between two parties. For example, I go to a shop and I buy certain vegetables or anything from a supermarket, and they need to process my card information, so my card has personal information associated with me, and as well they collect certain information about me, just to fulfill the obligations of this particular contract between me and the vendor, so I will be using contract as a lawful basis. Legal obligation is about the ones which are defined by the laws of the land. For example, in India, an example is there is IT-related information: if you're opening an account with a bank, the bank needs to send this information back to the Reserve Bank of India or the income tax department, GST, and there are so many associated Indian laws which the banks need to oblige, so this forms the legal obligation which every institution can use to process personal data, because they are dictated by the law of the land. Then we have something called vital interest. Vital interest can only be used when the situation is life or death, and this cannot be used for any other minor injuries.
if a person is unconscious and we need we need to protect them and we for that which we need to use certain data without his permission we can use Vital interest the next one is public task this is again applicable to the government and the agencies which are appointed by government and for example the covet related situation where many organizations from government and Affiliated by government agencies were acting in that regard so basis the public interest the government agencies can collect and process the data which is for the larger group and so this this is
clearly defined by the law What can be used for the public interest and the final and the interesting part is a legitimate interest legitimate interest is almost sought out uh lawful basis by all the companies uh examples of lawful basis is that uh connecting a bank background check of an employee is a lawful basis doing monitoring of the systems by employ employers on the employees for example the nowadays companies monitor uh how much client how much time a particular employee Works in An organization right and this is definitely a personal data of the employee is
also getting cracked so these are examples of legitimate interest so uh there are a lot of nuances in terms of legitimate interest application whenever you use legitimate interest as a lawful basis you need to clearly have your documentation you need to do certain assessment places that only you can use legitimate interest as well helpful basis so this is a very Very interesting and important chapter for the entire gdpr exam as well as well as your data privacy Consulting and uh so understanding these lawful basis their application uh their their their boundaries this is very very
important. The next chapter is about information provision obligations. Whenever we are providing information to the data subject it has to follow certain requirements: one is the transparency principle, what information needs to be provided, the exemptions to the obligation in terms of providing information, the requirements of the ePrivacy Directive, and fair processing notices. So in this particular chapter we will be studying these requirements in detail, especially what a fair processing notice is. An example of that is whenever we log in to any website, you
will see a pop-up coming as a notice, and this notice clearly says what information is collected, why they are collecting this information, what they will do with this particular information after a period of time, and what your options are in terms of raising a complaint or whom you can reach out to in terms of this particular data set. So this is all falling under your fair processing notice. In this chapter we'll be studying all these elements in detail, in terms of the different types of notices which are available
and how you effectively use them, and what the requirements are for providing transparent information to a data subject, for example whenever a data subject is raising a request to know what information is used about them. Okay, so we will have a dedicated topic on data subject rights, and one of the rights is the right to know the information, right, and as part of that, whenever it is raised, you need to provide all this data to the data subject. So you need to clearly state the identity
and contact details of the controller and, where applicable, the controller's representative; the contact details of the data protection officer; the purpose and legal basis of the processing; where necessary, if you are basing it on legitimate interest, you need to mention that; who the recipients or categories of recipients of the personal data are, that is, who is taking this data, or whether the controller is sharing this data with anyone else; where the controller intends to transfer the data to any third country or an international data transfer is involved; what rights are applicable to the data subject; and
whether there is any automated decision-making, and whether the data subject is obliged to provide personal data and the consequences if they don't. So these are some of the nuances we'll be studying in detail during our course, and we will also see there are two categories: when the data is collected directly from the data subject, and when the data is not collected from the data subject and has been collected from a third-party source, in which case what information needs to be provided. So, as I said, we will
also be looking into fair processing notices. There are different types of fair processing notices, which are your layered approach, just-in-time, privacy dashboards, and alternative formats and channels. So we'll be discussing the application of such notices, why we need to provide a notice, and what the importance of providing a notice is from a GDPR standpoint. So this is all about the fair processing information and transparency loop, and we'll be discussing the data subject rights here in chapter nine. So there are six
important data subject rights. The first is the right to access, or we can say the right to access your own info; the right to erasure and the right to be forgotten; the right to restriction; the right to objection; rights against automated decision-making, including profiling; and data portability. So this chapter details the data subject rights which are available to each and every data subject who is in the European Union. An interesting question is: someone is processing your data and you happen to be in India and you
are not a European Union citizen, and do you think data subject rights are applicable to you? Many of you would say no, because you are not a European Union citizen, and why would GDPR give you these data subject rights? But actually the answer is no: even if you are an Indian citizen, if your personal data is processed by a European Union establishment you can exercise your data subject rights. So this is how GDPR is having an outreach, right, and these nuances are very important for you to understand. So, as I said, these are
the rights which are available. Right to information: the right to information is the right to know what data is being used by the company, and the list of information which I discussed in the previous chapter is all you need to provide as part of the right to information. Right to access: you can access your personal data and you can take some decisions based on your access. Right to rectification, in terms of correcting the mistakes. Right to erasure: the right to erasure and the right to be forgotten is like when there
is no legal basis to process the data, in that case you can definitely ask the company to delete the data; or the entire processing is based on consent, and if you withdraw the consent then you can also request to erase the data. Right to restriction: the right to restriction is putting a temporary hold, for example you don't want your personal data to be processed until a decision has been taken; you can apply the right to restriction. Right to portability: the right to portability is that you can switch the data from one entity
to another entity in a machine-readable format; you can request the organization to do that. And right to objection: the right to objection is about objecting to certain personal data processing, for example if they are basing it on legitimate interest, in that case definitely you can raise the right to objection, and if the company or entity is not able to prove that the legitimate interest is valid then you can object to the processing and ask that this data be erased or removed. Rights around automation, which means you can object to your data being
processed under automated processing. Okay, an example is: there is a machine that decides about you getting a loan or not, okay, an algorithm is deciding based on your profiling factors. So in that case, if you are aware that there is automated decision-making involved in that particular processing, you can clearly mention that "I don't want to be subjected to automated decision-making". So these are some of the rights which are available as part of the data subject rights in the GDPR, and we will be studying all these rights in detail with clear examples and
questions. Chapter 10 is about security of personal data. This is closely related to the integrity of personal data principle, so in this particular chapter we'll be looking into one important topic called technical and organizational measures, which are necessary to protect the personal data which is collected by the organization. When we say technical measures, we have a lot of information security measures; this is not an exhaustive list and is just for your guidance: facility protection, which is your physical security; firewalls; virtual machine security; your
system administration and many more; data encryption; authorization and access control; consent tracking; immutable audit logs; and many more. Organizational measures include your privacy policies, terms and conditions, your data protection agreement, DPIA and risk assessment, and many more. So these are some of the technical and organizational measures which an organization needs to implement to protect the personal data which is processed within their environment, and this is mandated by the integrity requirement of the GDPR principles. And so there are some very important elements as part of this chapter, which is the
data breach notification. Whenever a data breach unfortunately occurs within an organization, how do you deal with this? In GDPR we have a 72-hour mandate, and that 72-hour mandate also needs to be considered; for example, if the breach occurs and you are not aware of the breach, then possibly you will not be able to fulfil this obligation, so that is a sort of exemption allowed, but whenever you are aware of the breach and you are not intimating the concerned authorities within 72 hours, definitely you will
be, you might be, facing certain penalties for that. So the cutoff given within GDPR is 72 hours, and whenever there is a breach you need to take two important decisions: one, whether you need to inform the data protection authority, and two, whether you need to inform the data subject or not. There are very important considerations for both these decisions, so we will be studying them in detail, for example what the conditions are that will require this breach to be reported to a data protection authority: the number
of records exposed, the measures which are available in the organization to mitigate the possible adverse effects, the categories of data that is breached, the measures taken to address the breach, and the consequences of the data breach. So you need to look into these factors, and when there is no risk involved to the data subject there is no need to intimate the data protection authorities, but if there is a risk involved to the data subject then definitely the data protection authority needs to be intimated within the 72-hour timeline. And so the second category of decision-making is
when you will inform a data subject: whenever, after your assessment, you identify there is a high risk to the data subject, to his rights and freedoms, then definitely you need to inform the data subject. For example, there is a hospital breach and the hospital breach involves sensitive data, like for example the cancer patients, their medicines, and also the list of patients with various health ailments, all exposed by a username and password leak, which means you should inform the data subjects immediately to change their passwords for their access
to their hospital information systems. So such notification is very much required in terms of protecting the data subject, because such information can possibly cause a life-and-death situation for many people, right? So this is where we'll see a lot of examples in terms of how these data breach notifications have to be taken up and what the steps and process are in terms of data breach notification. So that is all about chapter 10, and chapter 11, so we can
continue now. Chapter 11 is about the accountability requirements. As I said, if you remember, if you follow the six GDPR data privacy principles, any organization is said to be accountable. To be accountable we also need to do certain important things, which are: understanding your roles and responsibilities as a controller or a processor; implementing a very important concept, which is data protection by design and default; documentation and cooperation with the regulators; conducting data protection impact assessments; having a data protection officer; and binding corporate rules. So these
are some of the means through which you can also establish clear accountability, and these can be clearly documented. Whenever there is a chance of an audit, or you are supposed to share these documents, you can clearly prove that you are accountable for the adoption of GDPR. As I said, these are some of the accountability requirements. One is internal records, which is having your policies, procedures and frameworks, defining the roles and responsibilities within the organization clearly. Appointing a data protection officer is not mandated for every organization; there
are specific triggers, on the basis of which you will be appointing a data protection officer. Codes of conduct and certifications: this is a mechanism which is available within GDPR, within the European Union; you can apply for codes of conduct and you can get certified as well, and the certification mechanism is currently evolving; soon we will see a lot of direction coming in this particular topic. Then implementing data protection by design and default, a very, very important topic for the exam as well as for your understanding: what
do you mean by data protection by design and default? Many questions people get around this, right: what do you mean by data privacy by design, data protection by design, and how do you actually implement it in an organization? So we will study a lot of examples, and some very basic examples. I'll give you one: for example, when you are visiting many websites and whenever you're trying to navigate that website, you see a clear notice which is presented, and it gives you information on what is going to happen with your
data; this is a good example of privacy by design, isn't it? So privacy by design starts from your engineering aspect, and you also supplement it with the right process in terms of what you collect and why you collect it and how you are going to protect it. All these elements are embedded through the privacy by design and default concept. And conducting a data protection impact assessment, because this is mandated in the GDPR whenever you are doing high-risk processing. So by doing all these activities you can clearly establish your accountability
requirements. Chapter 12 is about international data transfer, and in international data transfer you have a lot of important topics for you to understand. There are instruments which are clearly defined within GDPR which allow you to do an international data transfer, and we will study each and every possible instrument in detail. And we have a big topic, which is the relationship between the U.S. and the European Union, because the U.S. and the European Union have a long history of collaboration, and we will study this particular
scenario in detail, because there are direct instruments which were enacted between the European Union and the U.S., and what the current status of those instruments is, as well as looking at the historical facts and the current situation of data privacy between the European Union and the United States. So, to start with, you need to understand what is meant by the European Union and the EEA. Okay, so the European Union currently consists of 27 countries, okay, and the European Union doesn't include the United States,
or doesn't even include Switzerland, and the other two countries, okay, which are Liechtenstein and Iceland and Norway; these countries are part of the EEA and they are not part of the EU. So the GDPR is only applicable as part of the 27 EU member states, okay, and so the UK is no longer part of the European Union, and GDPR is not applicable to them as well. So on the left-hand side we see the multiple instruments which are available for doing international data transfer. The first one is adequacy: adequacy
status is given by the European Commission; the European Commission designates certain countries based on the existing data privacy laws and regulations, and if they find the required sense of data privacy is prevailing in that country, then they designate such countries as adequate, and there is a list of around 20 countries which currently have this adequacy, for which you can do international data transfers. And we have binding corporate rules: binding corporate rules are for intra-group data transfers; for example, a company is situated in multiple regions across the world but they are part
of the same parent company; you can transfer the data within these different entities based on binding corporate rules. So the requirements and the process for binding corporate rules, all these things we will be studying in detail. Explicit consent: if you get explicit consent from the data subject to do an international data transfer, that is one of the valid instruments. And the EU-US Privacy Shield: as I said, the European Union and the United States have a set of different arrangements, and one such is the Privacy Shield, and the Privacy Shield is
currently invalidated; currently the U.S. and the European Union have come up with a framework, and there are a lot of interesting events that happened here, which we can hear about in the Schrems judgment, right. Then the standard contractual clauses, which are currently having a lot of importance; the EDPB, which is the European Data Protection Board, came up with the templates for SCCs, and this is for international data transfers. And the final one is the approved codes of conduct and the certifications, which are still evolving within the European Union region; the certification
around the certification scheme and everything is currently in the news; there is a lot of information awaited around that particular part. Chapter 14 is again a very, very important and interesting chapter, which is about supervision and enforcement. Within GDPR there are multiple layers of enforcement, and it starts with the data subject. The data subjects have their own enforcement mechanism: they can raise a complaint with a controller or a processor, or they can directly reach out to the courts, or they can reach out to the supervisory authority. So
there are multiple layers through which a data subject can also enforce, and there are other ways through which enforcement is done, which is a set hierarchy defined within GDPR: starting with controllers, controllers and processors are managed by the supervisory authority of that particular member state, and they again are monitored and controlled by the EDPB, which is the European Data Protection Board. So we will be studying the entire chain of supervision and enforcement, and one important aspect of this particular chapter is that
we will be looking into the penalties and sanctions. As part of penalties and sanctions we will see the different categories, which are slab 1 and slab 2. Slab 1 is two percent of your global annual turnover or 10 million euros, whichever is higher. The second, which is the higher slab, is four percent of your global annual turnover or 20 million euros, whichever is higher. So we have clear categories, and each category is based on which requirement of GDPR is violated. For example, the higher category
is definitely around the principles: if the basic principles of processing are violated, especially if the international data transfer requirements are violated, or the orders from supervisory authorities are not implemented, these elements attract the higher fine, which is 20 million euros or four percent of global annual turnover. And the second slab, which is slightly on the lower side, is whenever you violate the obligations of controller and processor, data breach notification requirements, the obligations of a monitoring body, or the obligations of the certification bodies. So again, from an examination perspective these
topics are very, very important; we'll be looking at them in detail, and you can expect a lot of scenario questions in the exam on this topic. One important additional fact about this course is that during this course we will be looking at a lot from an examination point of view as well, for example case studies, and we'll also look into some questions which you can appreciate from an examination perspective. So these elements we will be sharing during the course, during a
regular course. So that completes section 2, which is the GDPR itself, and section 3 is the application of the GDPR, which is chapter 14 to chapter 18. Chapter 14 is about the employee relationship. In this chapter we will be looking into the employee and employer relationship, and we'll be looking into a lot of factors which are involved in the day-to-day employee-employer relationship from a GDPR perspective; we'll look into those elements. For example, one important activity that always happens in an organization is your monitoring. Monitoring can take
place in multiple ways, right: it could be video or audio surveillance, phone recording, employee location tracking, or digital employee monitoring, right. And so there are so many factors involved, because whenever there is monitoring there is definitely personal data involved. So what are the do's and don'ts, what are the rights of the employee and what are the rights of the employer, and how do you handle such cases? This entire section is about the application of GDPR, so you will see a lot of practical scenarios and situations that we will discuss
during the actual course. And why do companies do employee monitoring? They want to protect their office assets, they want to secure their sensitive and corporate information, track employee productivity, keep the workplace secure and safe, and comply with industry regulations. And there are risks of workplace surveillance, which are lawsuits from employees when they feel their personal data has been misused, reputational loss when the company hits the news that they have been breached, and fines for legal violations coming from the regulators. So in this chapter we will be studying all these elements in detail,
in terms of what the nuances are, what the different types of surveillance are, and what their impact is on the employee-employer relationship. Then we have general surveillance activities; we will study that in detail. There are different types of surveillance, which are your communication data, video surveillance, biometric data and location data, and so all these elements we will be looking at in detail during our original course. Your audio surveillance would be like phone tapping, Voice over IP and listening devices like room bugging, and this can be done
by the law enforcement agencies or by the government or by any organization; in those cases, what will be your responsibilities, what are your rights, we will be studying them in detail. We will be studying all these different surveillances in detail, and what it means in practice, and how you apply and how you actually manage them, okay. Chapter 16 is again a very, very interesting chapter, which is almost like we'll be dealing with these things on a day-to-day basis, which is direct marketing. All of us would have been affected
in a good or bad way by direct marketing, and there are different channels of direct marketing, which include your electronic email, SMS, MMS, fax, postcards, and so on. There are different types, which are location-based and behavioral monitoring, and all these things we will be looking into in detail, with different practical examples in terms of direct marketing. So, as I said, we are impacted by different channels, including radio, television, mail, mobile, online websites, billboards; all these are examples of direct marketing that is always targeted towards
the data subject. And we also have a very important parallel directive or regulation, which is the ePrivacy Directive, and the ePrivacy Directive is also now getting a new shape in the form of a regulation, which is the ePrivacy Regulation, which is yet to be enacted. But they have a lot of important correlation which you need to understand, because GDPR and the ePrivacy Directive work in tandem in the European Union, so you need to understand these elements in detail: what is the scope of the ePrivacy Directive and what is the scope of GDPR and how both will work
in tandem when it comes to direct marketing. So these are some of the important elements which definitely get tested during the exam. Chapter 17 is internet technology and communication, so here we will be looking into IoT. Whenever we are designing the Internet of Things there is a lot of personal data and customization which happens; a lot of data is collected from the home, it is transferred to the IoT devices and then to the cloud, and in these cases what are the privacy by design requirements that can be
embedded, how can a person or an entity provide a notice, and how do you ensure GDPR principles are protected and the essence of GDPR is protected in IoT and communication? So these are the most important elements which we will be discussing in detail. So I have covered only a very high-level essence of what you can expect, and we'll be looking at them in detail during the course, and I hope you will understand that, with the time constraint we have, you can only have a high-level
essence, but during our actual course we will have a lot of case studies and practical examples, and for each and every topic we will always have a practical discussion in terms of understanding the topic. We will not just have a theory class where we will just be dictating; we never do our sessions in that way; it is always a more interactive session, and we are always happy to help you and address your queries then and there, okay. So that is how this entire course has been designed. So, before jumping in, there is something called
data privacy interview questions, which a few people inquired about, so I thought we would include them. What's the difference between privacy and information security? This is a very fundamental question; if you go anywhere for any interview, a lot of people get asked this question. Anyone from an information security background is still confused about whether privacy is a different category or is it a subset of information security, so this question is still prevailing in a lot of people's minds. But privacy is very much a unique topic:
it is about human rights, it is associated with laws and regulations, and it is a very fundamental question: why you collect the data is associated with privacy, and what you do with the data is also associated with the privacy element. And information security is always about protecting the confidentiality, integrity and availability. In information security we don't ask this question of why we are collecting the data; we only focus, when the data is collected, on protecting the confidentiality, protecting the integrity and the availability. And privacy goes
one level beyond, which is: why are we collecting the data, what are we going to do with the data, what are my rights associated with that personal data? All these elements are associated with privacy. So one important part here is that information security is always an important enabler for data privacy; that is what you need to understand. So we did discuss personal data, sensitive personal data and PII, and we did discuss anonymization and pseudonymization. Is the right to be forgotten an absolute right? The answer is no, because none of the rights are actually absolute
rights; we need to look into the context of the application of the particular right, and there are always exemptions in the GDPR which you need to understand for each and every article in GDPR. What are the GDPR rights available to a data subject? We saw there are six GDPR rights available. Do all organizations need to appoint a DPO? The answer is no; there are specific conditions on the basis of which you will appoint a DPO. What is the first legally binding mechanism on data protection in Europe? It's not GDPR, it's not your 1995 Directive, it is Convention 108. So
we'll continue the data privacy interview questions tomorrow as well, okay.