
SOC 2 Privacy | Service Organization Control 2 | Tsaaro Exclusive Webinar #SOC2

By Tsaaro Consulting

Summary

Key takeaways

  • 130+ Countries Have Data Protection Laws: more than 130 countries have already either enacted or rolled out data protection legislation or have it in the draft stage, with about 10 in draft and 20 without any regulations. [08:03], [09:06]
  • Privacy Differs from Confidentiality: privacy is about safeguarding personal data and personally identifiable information, while confidentiality is a more generic term about safeguarding non-personal information and data. [46:22], [46:34]
  • 90% of Companies Demand Privacy Compliance: more than 90 percent of companies now consider privacy compliance or best practices as one of the factors for getting into new business, reducing sales delay. [23:06], [22:45]
  • SOC 2 Privacy Covers the Full Data Lifecycle: SOC 2 Privacy addresses how data is collected, used across systems, retained with a lifecycle, disclosed to third parties, and disposed of, based on GAAP criteria issued by AICPA. [39:36], [40:06]
  • India Considers Passwords Sensitive Data: in India, a password is considered sensitive personal information under the IT Act 2000, whereas in other laws or countries a password is not considered sensitive. [11:45], [11:56]

Topics Covered

  • Privacy Definitions Vary by Region
  • Data Minimization Boosts Efficiency
  • Cisco Proves Privacy Cuts Sales Delays
  • SOC2 Privacy Principles Demand Lifecycle
  • Privacy Trumps Confidentiality Scope

Full Transcript

Welcome everyone, good morning and welcome to this webinar. The agenda of this webinar is to help you get some insights into the SOC 2 privacy principle, and apart from that we will also be talking about a lot of different data privacy legislations and the basic data privacy principles. For this webinar we have Anil, who is a senior associate director at UST BlueConch, and you have me, this is Krishna, and I take care of the security consulting practice here at Tsaaro. We would be the panelists or the hosts for this webinar today, so I would just give Anil a few minutes to maybe introduce himself to the audience here.

All right, so good morning everyone and welcome to this webinar on SOC 2 privacy organized by Tsaaro. My name is Anil Loli; I'm heading the information security practices at UST BlueConch here in India and overseeing the US operations. A couple of years back we started our journey with data privacy, pertaining to client requirements related to GDPR, and then we eventually got into various other areas. I'm happy and proud to announce that we are among one of the first few companies in India in the ITES sector to get ISO 27701 certified. Last year I received the honour and recognition from the Data Security Council of India as a jury special recognition for privacy leader of the year; also our organization, UST BlueConch, won the best security practices in the ITES sector. So I have been in this industry for almost around 24 years. I have several certifications, CISA, CISM, ISO 27001 and so on and so forth. I'm passionate about cyber security as well as data privacy, trying to learn from various sources; Tsaaro is one of them. I have learned a lot from these people, their blogs, their various webinars, and it's good to connect with you all.

Just to give a background, UST BlueConch is a leading product and platform services company. We build products for our customers; most of our customers are based out of the US as well as in the UK area, and now we are spreading geographically along with our parent company UST. Many of you might be aware of UST; earlier it was named UST Global and now it is being branded as UST. We work on high-tech, next-gen technologies and provide services for product engineering as well as business assurance and quality assurance, and you can know more about us on www.ust.com.

That's all about us, or myself. Anything else you would like to add, Krishna? You're welcome, or you can do it.

Thank you, thank you for that introduction. I think it speaks volumes about the experience you have in the industry, which is why I think it's a great opportunity for us to interact with you as well. So I'll just take a few minutes and talk about Tsaaro, a little about what we have been doing in the industry in the past year. We are a data protection consulting firm; we focus primarily on data privacy and security, and we have been helping a bunch of our clients with improving their security infrastructure and their privacy infrastructure at the same time. Most of our data privacy clients are based out of the Netherlands, because that is where the market is much more mature when you talk about the data privacy angle, so that is where we primarily deal with our data privacy practices. We also help a lot of startups in India to build up their security infrastructure. Startups, especially non-tech startups that do not have a technical background or don't have an IT administrator or information security personnel, usually come to us to help them evaluate their infrastructure, and that is when we implement security solutions and also make sure that they're complying with certain standards such as ISO 27001, and that is something we are going forward with. Of course, as a part of Tsaaro, I'm pretty sure most of you must have heard about Tsaaro Academy as well; that is our flagship data privacy academy, and we have been one of the fastest growing data privacy academies in India. We only started about a year ago and we have trained more than 500 professionals across the industry, and that is something we're really proud of. Of course our blogs and articles are something you might have seen across social media and on our web page.

A little bit about me: I am mostly very much into cyber security; that is how I started my career. I've been dealing with a lot of cyber security problem statements and trying to customize solutions for our clients, and that is, I believe, where my expertise lies. Of course data privacy is something that I'm very passionate about as well, because fundamentally I believe it's a human right, and that is my perspective when I look at data privacy; that is how I look into all the different controls that need to be put into an organization as well. I think now we can probably move ahead with the webinar.

Yeah, so it's just a disclaimer we wanted to put out for everyone: the statements or the discussion points that are made in this webinar are solely mine and his personal opinions or personal perspectives. They of course do not represent Tsaaro or UST or UST BlueConch in any way, so these are just our understanding and our knowledge about the different privacy principles that are followed in the industry.

Perfect. So the agenda of this discussion would primarily start with data privacy legislations, then we'll move on to privacy principles, and then we'll help people understand how data privacy correlates with SOC 2, how the trust service criteria within SOC 2, the privacy criteria, how people actually tackle it, and what are the benefits of going for a SOC 2 report or a SOC 2 audit. So it's a very easy agenda to understand, because we really want to focus our conversation around data privacy, and that is why we have also compared SOC 2 and GDPR and what are the differences between the GDPR legislation and SOC 2. If you have been a part of Tsaaro webinars before, we do a lot of Menti sessions wherein we want our attendees to engage with us, so if you could just quickly go to menti.com and use the code 66502286, you would see different questions where we want your inputs. Of course these are obviously related to data privacy as well; we just wanted your opinion on a certain set of different questions, to try and understand how you think about privacy and what are your personal perspectives around it. So just go to www.menti.com and use the code 6650-2286, or you could simply scan the QR code if that is more feasible for you. So this is the question that you would see on Menti.

According to you, how many countries in the world have data protection laws? What is your personal opinion on this? We have three different options, which are almost all countries, more than 120 countries, or if you're not sure about it. What would be your opinion on this?

Yeah, I think, you know, let's wait till... Right, absolutely. There are more than 130 countries who have already either enacted or rolled out the data protection legislations, or are in the draft stage or in the works of releasing. So most of the audience is correct over here.

Right, I think conversations have also started to build up around the India data protection law because that's in the news recently and a lot of people have heard about it. Yeah, that is also something that has kind of pushed people towards data privacy and understanding its complications.

Absolutely, absolutely, and now it is getting into... it's not just personal data, it is data protection altogether, because it includes non-personal data as well. That's true, yeah.

Right, so I think a lot of people are more inclined towards choosing more than 120 countries. All right, so as most of you have rightly mentioned, it's more than 100 countries who have already enacted the data privacy legislations or the data protection legislations worldwide. There are several countries, around 10 of the countries, who are in the draft stage, so either that is being debated, discussed or getting rolled out, and there are about 20 of the countries who do not have any regulations. Why we have asked or we have picked up this particular area is because sometimes it may so happen that, because there are no legislations, some of the service providers may tend to shift to these areas, and that's when the law of the land would get into conflict and the people who are working may have certain legal issues.

All right, so when we compare the data protection or the data privacy laws, typically in India when we say ourselves that we are in the services sector, services outsourcing, most of the companies are either doing business with the US or the European Union, or they are dealing within India itself for various other services. So the definition of personal data itself varies with regards to the US and European. When we talk about the European Union, their personal data definition says that it is any information relating to an identified or identifiable natural person. This is from the GDPR itself, because that is one of the most comprehensive laws as far as data privacy laws are concerned, and there are several arrangements done by this particular legislation which are related to having the supervisory authorities. Out in the US, if we consider the personal data and sensitive personal data, it varies from sector to sector. What it means is, let's say for fintechs or the financial services, the same definition differs for the healthcare sector as well, and there is no single law as far as the US is concerned as of now, though there are state-specific laws which are coming up; one of them is CCPA, as many of you might be aware, the California Consumer Privacy Act. In India we definitely still rely on the IT Act 2000, which got amended several times, and within that we have two categories: one is personal data and the second is sensitive personal data or information. In India, just to highlight, a password is considered as sensitive personal information, whereas in any other law or any other country a password is not considered as sensitive.

First of all, why do we implement privacy practices? As Krishna rightly mentioned at the beginning of the session, privacy is the fundamental right which is recognized by all the countries, all the legislations, and even in India the Supreme Court also has declared privacy as a fundamental right, during the lot of controversies related to Aadhaar that were going on a few years back. And if the organization practices it, this can be achieved as a benefit. So first is maximum efficiency, which means that what personal data is required by the organization, only that much is collected; the rest, all burden is reduced. Then, when we know for sure what type of personal data is being processed or being collected, at that time we can provide better services to our customers. The third most important component out here is risk management. See, here in the cyber security or data privacy or data protection ecosystem, what we are trying to cover is risk management; risk management means reducing the risk to an acceptable level which is acknowledged or well accepted in the industry as well as acceptable to the various laws or the compliances. Higher quality of data: because the minimum the data you collect, you may have better visibility, better control, so that the accurateness as well as the quality of the data can be made. Once you have put in the best practices, or once you have the framework placed, or once you have the policies and processes in place for the organization, you can better shape yourself; you can utilize that material for your marketing purposes, you can show your abilities, your competencies, to your customers, your prospects. That's where you can gain and you can have an advantage or an edge over the other competitors. And the most important and the last one in this particular area is improved cyber security: the less of the data you have, the more visibility you have; at the same time, appropriate controls are implemented, your risk reduces, that's where you can be more resilient, as well as you can assure your customers and other stakeholders, both internal as well as external, that you have a robust system in place.

I would just like to add to that, since you mentioned Aadhaar information and the entire conspiracy or the entire issues around it. So while I was working, well, I was googling basically on some keywords, what I saw was that government websites had a lot of Aadhaar information that was leaked out; by a simple Google search you can find Aadhaar numbers of a lot of different people across the country. This was about a few months back, but when I redid the search as of last month the government had plugged in all the issues, so that is something positive that came out around the Aadhaar issues. The government actively worked to make sure that they plug the security gaps within their infrastructure as well; a lot of government websites had this publicly exposed iep that could share all different types of PDF files which had Aadhaar numbers of individuals, so that is very confidential information. But then with the updating of the IT Act and with the coming of the data protection law in India, the government really took measures to mitigate those as well.

Yeah, it's a learning curve for all of us, because we have gone through several stages of the Personal Data Protection Bill itself, right from 2019, and everybody is working towards strengthening the security practices as well as data privacy practices.

I agree, I agree, and I think one more point I would like to make: when we mention higher quality of data, in data privacy terms we call it data minimization. Something that is a very valid argument is that it could also limit business opportunities, so what is your take on this, Anil?

Not necessarily. See, the thing is that if I'm a data processor for, let's say, a European company, I wouldn't collect the data which I don't need for business processing purposes; that is one factor over here. Remember, any multinational company is very cognizant nowadays, at least because of the various data breaches that are happening worldwide, and they wouldn't give you the entire database or the entire data; they would restrict it, either mask it or anonymize it.

Right, so anonymization and masking is something most data privacy professionals have heard about; it's also part of the different certifications that you go for. So we hope that is clear for everyone. I think now the next slides will speak about the benefits, the actual outcomes of that; those are based on research papers. Yes, of course.

So now, again back to your Menti tabs that have opened up in your browsers or your mobile phones: can we quickly go to menti.com and type in the code if you have exited it? We just have a generic question for everyone: why is privacy important to you? Just your personal opinion on what it matters to you and how you think data privacy is a part of your life, not as a security or data privacy professional of course, but just as a citizen of the world. What is your opinion here? So in case you're confused, you just have to go to menti.com, type in the code and just type in your responses. It could be anything; it could be something like you want to avoid companies modeling your behavior. I like that statement, because it's your business, no one else's. Very well put. Privacy is your fundamental right and it needs to be protected; I agree with that. So I think we have a few interesting statements here by a lot of people: people want to avoid misuse of their data and to secure personal data. Of course, I don't want to disclose myself to everyone. Yeah, that actually comes as a very good part of data privacy: you don't want to disclose your personal doings to anyone. Yeah, this answer is also a good one, avoid misuse of data; once the data is uploaded you can't really control it. You're right. Yeah, I was saying it is equally important for organizations to make sure that when they put up their privacy notices they also mention the processing that they do with the data. It has to be very clear and crisp for the user to understand, and it has to be right in every case; that is also something that would help them be closer to data privacy compliance. Everyone is not required to know everything; that's a fun statement. True.

All right, so let's explore something within the importance of privacy. First, as the privacy statement says, it's all about individuals and individuals' data being collected, which is mostly in online form, because we work in a digital era where everything is digital. So it gives an individual control over their data: what can be used, what can be disclosed or what can be processed, and so on and so forth. Second is it prevents spying of any kind. Currently, if we check it out in India itself, you may have received several phone calls related to credit cards or related to personal loans or something; where did this information get into, because we don't have a strong law or strong punishment as of now, though the IT Act to some extent addresses this, both 43A and 72A to some extent. But since India is not yet up to the mark as far as privacy awareness is concerned, I'm sure people would in due course get aware about what is meant by spying and why we don't want to get spied on, all that stuff. Then another point worth mentioning is that if you misuse the data collected then there should be some kind of accountability; we have seen several cases related to Facebook and the Googles of the world in the past, but they are also changing their own ways of doing business. The next thing is it helps in building trust: if I share some private information, or let's say some personal information or some secrets, I would expect that it should be kept secret, it should not be publicized. But in the digital world it doesn't happen that way more often than not; unknowingly the service may get hacked and the data leaks out. That's where the collection comes into the picture, as well as processing; legitimate processing also comes in. Another factor over here is it protects the individual's rights as far as freedom of speech as well as freedom of thought is concerned. It also helps in protecting finances, because nobody wants to give benefit to others because of their personal data. At the same time, for organizations, reputation is at stake, and once the reputation is gone there could be a lot of consequences around it; there are several companies who have shut their shops, or there are several companies who are going through these multi-million dollar litigations. What could happen is not a debate of this particular session; we can have a separate session for that and we can go through various data breaches that have happened and the fines imposed by various legislations. So this is my favorite slide:

What are the direct benefits of privacy practices? This survey was done by none other than Cisco, who are very renowned in their research papers, a very renowned company in this field for several years, and they have published the Data Privacy Benchmark Study. I was reading the latest report, which was published a few weeks back, and what it mentioned is it helps in reducing the sales delay. I think, Krishna, this answers your question. Why? Because more than 90 percent of the companies are now considering having privacy compliances or best practices being implemented as one of the factors for getting into new business. So here is a straight equation: if you want to get into a new account or new business you should have best practices in place. It's as simple as that; if you want to get into malls you need to show the certificate of both the doses, so you should have those, dose one, dose two. Similarly you should have best practices for security as well, cyber security as well as for data privacy. That's the direct impact.

Yes, I think I agree with that analogy, especially the one where you mentioned dose one and dose two, of course. Also I think this particular slide also helps us pitch it to executives or the board members of a company. For them, if data privacy is not legislation, it could be challenging for you to help them understand why it is crucial for your business as well, so I think this is a very good source that you can use to communicate your idea of data privacy and why you think it's important, and of course, from a business standpoint, what it could do for your organization as well. So this slide gives you a lot of insight into that; you can directly quote these numbers and you can quote the Cisco Data Privacy Benchmark Study, which is of course renowned in the industry because of Cisco's reputation.

Apart from that, currently if you notice, many of the companies are struggling with data visibility, or visibility over their assets, and data being considered as the next oil. It's not my statement, it is Mr. Mukesh Ambani's statement, who said it in a press conference during the launch of Jio Fiber, and when the oil giant, the chairman of Reliance, gives that particular statement, we should take it very seriously. Why is operational efficiency very important? Because if you are not very sure how the data is being traveled or traversed among the ecosystem of your organization, and if you have not sufficient controls in place, it then becomes really difficult to prove yourself or to demonstrate your capabilities to your customers. Would you like to add, Krishna?

Yeah, I'll take up the slide on data privacy awareness and training, because this is something that we should do as a company as well, the training part of course. So when you want to incorporate something new in an organization, the first step would be to increase awareness amongst employees. It is crucial for you to make sure that you can segregate employees based on their privileges, based on the privileges they have in the company, and you can simply do this as a senior management and non-senior management segregation. Through that you can have a generic awareness training for every employee in the company, but for the C-suite people, or people who are on the board committee, or people who are on the executive committee, a separate training is something that should ideally be provided to them so that they have an enhanced understanding of the privacy that they need to follow in the company. But also, when you talk about different employees in the company, you have to educate them about the personal information types: what are the different information types that can be considered as PII or sensitive personal data, and especially when we talk about sensitive personal data it differs from country to country; it is something that is particularly subjective. So it is actually important to educate all your employees about the different information types. Then of course you have to start with why: why do we need privacy? From there you can create a back story and you can help them understand that this is why privacy is required and this is how it will actually help you, and it will also make sure that your data subjects, or the users of your solution or product, are also secure. Also you have to make sure that the data that you process or the data that you use is handled in a particular manner that is cognizant with organizational policies. Having organizational policies is very important; you can float them around to different employees so that they have an increased understanding of the policies as well, what is acceptable in your organization and what is not. Then from there you can also make them understand the key principles of data privacy. So data privacy awareness is the key step to incorporate data privacy in your organization; that is the gist of this slide. Anil, would you like to add anything to it?

Definitely. Krishna, you covered it well, so start with why, because it's not just a law or compliance stuff; the thing is that, most importantly, everybody wants and understands the importance of privacy, but the only thing is how do you define it, and that is through policies and processes. At the same time, Krishna, you pointed out very correctly that the leadership team or the senior management also need to go through this particular curve of learning the privacy expectations, or the various legislations' expectations, or the best privacy principles to follow as far as the organizational ecosystem is concerned. Right, I agree with that completely. Yeah, right.

all right so moving on suck two systems and uh organizations uh system controls uh in this if you look at it uh you know

this is particularly from aicpa which is developed by american institutes of uh certified uh the public auditors and the criteria is uh defined as you

know managing the customer data based on trust service principles and there are uh five trust service principles first of course it is the

security which is common for all and then you can choose [Music] have it either availability processing integrity

confidentiality and privacy so as mentioned privacy's security is mandatory criteria for every organization whoever is going for stock to compliance

and then other poor you can choose one or two based on your business requirements most of the companies who are who claim that

you know they are soft to compliant they go minimum for three criterias trust curriculum service principles because that gives us gives the

prospect customers or existing customers a basic confidence of uh you know having the robust systems coverage at the same time the point of focus which are mentioned in the

software okay i'll just add on to that a little so sock two has basically these nine common criterias right which is something that uh an organization has to follow apart

from the supplemental criteria that is provided for the additional different trust service principles so within security there are around 208 different points of focus that is something that every organization

literally has to follow but apart from that depending on the trust service principles the control numbers or the points of focus would increase so that varies on the auditor's perspective as well as well as the organization's

decision on to which of the trust service principles they wish to follow right so coming back to our mentee uh since we want this to be an actually engaging session which is why we have a lot of mainly questions between these

slides uh right so the question is is software applicable to every kind of organization so just drop in your comments here drop in your responses uh go to mentee.com use the code

mentioned here and you can just type in your responses here i really like people who type in maybe as the answer because they are secure from the correctness or the wrongness of the

question so i think it's really fascinating you know in this question i guess majority of this people are not

uh answering because the total uh is very less so i agree i agree i think they're catching up to the speed yet slowly so we just stay waiting for your responses because we'll take up this question in our next slides

as well right so i think we can move forward from here so coming back to uh the question that we've showed in the previous slide who does it apply it to so these are some

options or some certain set of companies or type of companies where SOC 2 is applicable: technology service providers. These could be your cloud service providers as well, for example AWS, Azure or Google Cloud Platform. So you would see that on their websites they do have a SOC 2 report that is for any organization's need and requirement. As a part of your audit, if you go for any audit and if there is a vendor risk management section to that audit, you can use these SOC 2 reports to also showcase compliance, that your vendor is someone who has a secure infrastructure for you as well. And then of course SaaS companies: any SaaS-based platform that is providing a service to different users or different businesses, SOC 2 is something that is applicable to them as well.

I just wanted to mention that SOC 2 is not something that is mandatory, right? It is not a legislation of any sort, but of course it is very important for you, for your organization, to show compliance to security, data privacy and of course the CIA of cyber security. So having a SOC 2 report also gives trust to a lot of your customers and other businesses that you actually secure data and you have the right kind of controls and measures to protect that data.

Then after SaaS companies we also have support organizations and third-party vendors. So a lot of different companies really try and understand if SOC 2 is applicable to them or not, and they are in this dilemma whether they should go for it, because it is not actually very easy. It is a complicated process. It could take you a minimum of six months to a maximum of how long you want it to be; it depends on the organization size and structure as well, but a minimum of six months is something that SOC 2 Type 2 has as a requirement. Yes, Anil?

Yeah, so there are two types of certifications. One is SOC 2 Type 1, which is just defining your organizational structure or a framework for your organization which is custom built. You cannot just download any policies or processes and just say that, you know, you have done it. It really needs to go through the gap analysis vis-a-vis what is expected as control expectations and what practices you do follow. As you rightly pointed out, this could take anywhere; you know, the Type 1 itself takes about three months, and from then on the entire journey starts off: the SOC 2 Type 2 assessment, which requires about six months of data. Whatever you have defined as a process or procedures, or maybe based out of policies, are you following that? Those records are verified. And as Krishna rightly said, based on the size and the complexity of the various internal business operations, the actual assessment could take a couple of weeks to several weeks in terms of getting it assessed by a certified public auditor; not everybody can do SOC 2 compliance. But at the same time we need to understand, if we are in the type of services wherein SOC 2 is a de facto demand or a standard requirement from customers, then it is really worth doing it. It also changes your internal processes drastically; it gets into a cultural change as well.

Right. I think we have a few questions in

the chat section. I will pose it to you. Charmaine has this question: how is it different from ISO 27001? We have a separate slide for that, and even after discussing that, if the question still persists, we would answer that again. Of course, of course. So we just have a bunch of questions; I hope we can take this up right now. So, if a service provider says they are compliant to SOC 2 and they cannot agree to applicable data privacy laws, is this an acceptable position?

See, like I mentioned, in a SOC 2 there are five trust criteria, right? If the organization says that they are SOC 2 compliant, you need to go through the report and check whether privacy is also included in that particular SOC 2. If not, then that means that they have not put in sufficient efforts in order to put those practices in place. At the same time, any organization cannot say that they do not comply with the privacy laws, because if the law of the land demands you to protect personal data, you have to comply with that. There is no excuse; you can't take exceptions from that. It's only a matter of just sitting on the top of it; you don't know when it is going to explode.

I like that analogy. So we just have one other question. It says: is SOC 2 Type 1 necessary for a company, or can a company directly go for SOC 2 Type 2, and what is the benefit of having SOC 2 Type 1?

See, SOC 2 Type 2 preempts SOC 2 Type 1, okay? So you can't pass 12th before passing 10th; it is the same thing essentially. What it means is, if you have done SOC 2 Type 2, that means that you already have SOC 2 Type 1. And the disadvantage of only Type 1 is that it is based on that particular day. So let's say on this particular day, let's say 10th of March, I have a SOC 2 Type 1 compliance assessment done by a CPA. That means it is only for that particular day. He has just reviewed your policies and processes; he has not reviewed the controls established, he has not reviewed the records, and it doesn't stand in the market. The people who understand SOC 2 reports, especially your vendor management that Krishna pointed out, they review it thoroughly. They go through the report when you submit it to the prospect customer, and post that also there could be several questions coming. So SOC 2 Type 2 preempts SOC 2 Type 1.

Right, so as Anil correctly mentioned, SOC 2 Type 1 is basically just a snapshot of your current existing policies and procedures. So having policies and procedures and actually implementing them is a different ball game altogether. So just if you have policies and procedures does not mean that you're compliant, and of course SOC 2 Type 2 is the report that people are actually looking for when they talk about SOC 2. So that is something I think we all should keep in mind as well. Then I think Pratima has a question; we'll just take up this one: what's your take on localization of data storage and its impact on data privacy legislation?

If you talk about it from the Indian legislation standpoint, as of today, they proposed a DPB, that is the Data Protection Bill. It says sensitive personal data should be stored locally within the boundaries of the country, and it should not be taken outside of the country. That's what the current state is. However, if you look at it from the earlier law perspective, the IT Act point of view, it can be stored locally and then the copies can be processed outside, if you have incorporated that. That's why, if you look at various service providers, you know, cloud hosting services within India itself, there are various sectors who are adopting cloud because of having local presence of the cloud services.

All right, now this refers to one of the five trust principles, which is privacy: privacy principles. Now, as we have already discussed, the best practices related to collection, processing as well as utilization of personal data, and ensuring its safety and security, at the same time giving proper attention to the highly sensitive as well as confidential customer data, or maybe your employee data, that is what is expected as far as the privacy principle of SOC 2 is concerned. Now this also addresses how the data is being collected, how it is being used across various systems, how long it is going to be retained, which means that you can't retain the data forever. There has to be a life cycle. You should mention that for this particular data we will retain it for, let's say, one year, or this particular data would be retained for 10 years due to legal requirements. And then how do you disclose it: if at all you have to disclose it to third parties, how would you disclose it? And then the disposal, the most important thing, which is disposal. These are all based on the GAPP criteria, which are issued by AICPA, which are generally acceptable privacy principles. And this overall particular trust criteria helps in demonstrating that you have sufficient processes in place in order to take care of the personal data being used or processed within the company.

Right. I think I just would want to add on to the disposal part of data. This is the challenge that we actually see in the industry, because organizations were not actually developed to understand where their data resides. Of course it's in one of their systems, but since the IT infrastructure or the IT inventory is so huge or immense, it is not really easy to understand where your data resides, and especially metadata that could actually lead to identification of a person. So this has been a real challenge across the industries that I have personally seen, and a lot of different companies are coming up with solutions such as data discovery tools or e-discovery tools to help identify where the different sets of data are residing. They are actually trying to identify, or they are putting up an identifier for, personal data and looking for that data across the infrastructure. So it has become a huge challenge as of now to understand where your data resides across your infrastructure, especially for organizations that have not taken data privacy into consideration but are actually a huge organization in terms of size and organization structure; they are actually facing a lot of challenges related to this. The disposal part, of course, because if there's a data subject request that comes in and your subject requires you to delete their data from your infrastructure, it is a huge challenge to actually identify where the data is being used.

Well said, Krishna. All right, so let's have a quick look at what the privacy principles under SOC 2 are. First is access, which means that the individual has the right to access his personal data based on request. Then, if you look at it, the notice and communications, which means that whenever you are collecting any personal data you need to provide a sufficient notice, and at the same time the communication should be crisp and clear. If you have noticed, a simple example: in various shops nowadays there are CCTV cameras installed, and if you look, when you visit any small shop also, there is a notice board saying that you are under CCTV surveillance. That means the person has given you notice before you enter into the shop, and now if you enter, that means you have given a deemed consent to monitor you within his premises. He cannot monitor you once you come out of the shop, but at the same time, within his premises he has all the rights to monitor your activities.

Collection of data: so what all types of data is being collected, that is what is expected as far as the privacy principle is concerned. Then choice and consent. When we look at choice and consent, every individual should have the choice to say that he has given his consent freely, and the choice means he can opt out of it whenever he wishes to. Once an individual doesn't want to avail the services any longer, he can choose to withdraw his consent and ask to delete the data, like Krishna mentioned in the previous slide. Disclosure and notifications: if you are using the data for any other purpose than earlier stated, let's say if you collect birth dates in order to wish the person on birthdays and if you use that particular data for any other purpose, okay, let's say you want to do profiling, and if you have not disclosed it, then it's not in line with the privacy practices; you need to send out the notification if the purpose changes. We already discussed use, retention and disposal, so we will not spend more time on it. Now, the important thing is quality of the data: the data should be accurate, the data should be correct. If incorrect data is collected, then you should go back to the individuals and get it corrected, and use only the updated data. Incorrect data will lead to incorrect decision making also, and this gets into a lot of issues as far as automated data processing is concerned. And then how do you monitor and enforce the overall privacy practices on the privacy framework; that should be demonstrable. These are certain privacy principles. Would you like to add, Krishna, over here, or you can go?

Right, I don't think there's something I could add here, because you've covered everything excellently. So I just wanted to ask another question that's on the chat pane on the right, and before that let's go back to Menti, right,

the platform where you can put in your comments. And of course the question we have is: are privacy and confidentiality the same? Because of course the terms are similar sounding, because if you ask the layman what is privacy, they would probably say it is confidentiality of my data, or it is making sure that my data is confidential. But are these terms actually the same? So that's the question for you. Right, so I think a lot of people believe that privacy and confidentiality are not the same, but we have a few yeses coming up now. Perfect. So I think, in the interest of time as well, we have to move to the next slide. We see that 20 or around 21 folks believe that it's different. Now I'll just take this slide, Anil.

Yeah, so yes, privacy is actually different from confidentiality. Privacy is more about safeguarding your personal data and personally identifiable information, but confidentiality is a more generic word; it is about safeguarding non-personal data, information and data. So privacy also gives you a kind of independent assurance that an organization follows data privacy practices, which is mostly based on a legislation or mostly based on a standard such as your ISO 27701, which is a renowned standard for privacy implementation. And confidentiality, of course, is something that you mention in the contractual process as well, with your vendors, with your employees, with contractors, and of course when you make them accountable for the data that they handle, you are also making sure that there is some kind of risk which is also transferred to them. So in case of any data breach you are also holding them accountable: your contractors, third-party vendors or employees. But of course that is the primary difference between privacy and confidentiality: one talks about personal data and one does not talk about personal data specifically. So anything you wanted to add here?

Definitely. Generally, when we start an engagement with any customer, they get into a service contract agreement, or let's say a master service agreement, or if you appoint a person, if you enroll a person, you generally sign an NDA, which is a non-disclosure agreement, which includes both personal data as well as non-personal data. But here privacy talks only about personal data, and that's why, if you see earlier, in 2019 India drafted the Personal Data Protection Bill, which was called PDPB, and now it is the DPB; it includes non-personal data also. Right, right. So those amendments are something that the government has also considered while developing the law, so that is probably something you will see in probably the next two years,

hopefully. All right, so these are the criteria for notice when personal information is going to be used for any new purpose. As I mentioned earlier, we already discussed that first, when collecting a set of personal information, you need to disclose or declare for what purposes you are collecting it. If now a new purpose has been found by the organization, then you need to communicate back: you have shared this set of information with us and now we would like to utilize this particular data for this purpose as well. In that case you need to take a new consent again. Let's say there is a change in the privacy notice or the privacy policy; you also need to communicate that our privacy policy has been updated. Updated policies should be displayed in a consistent format across all platforms; it's not just only on the company's intranet, but it should be displayed on the internet as well. And the most important thing is, this particular privacy notice should be given to any individual at the time of or before you collect any personal data. Now people would argue, what about the personal data which is already collected? Again, when you start putting up the privacy practices, when you start putting up the privacy policies, from that time onwards also you can take it, but for that matter you need to do a thorough gap assessment in terms of where you stand as far as the privacy principles implementation within the organization is concerned.

We have been discussing what the benefits of privacy are and all that stuff, so let's quickly have a look at what the direct benefits of SOC 2 are. First is the brand reputation. So as Krishna pointed out, various SaaS companies are putting up their SOC 2 certificates on their websites. So if you sign the agreement or NDA with them, they would give you the 30-40 page SOC 2 report, and if you go through that you realize that the company has put in sufficient practices in order to protect the data, which includes the security, and it could have privacy as well. This is again to reduce the impact in the adverse case, like a data breach or if a security incident happens, and this also gives you a competitive advantage in the market as a differentiator.

Second is SOC 2 is assured security. Assured security means what? Reasonable security controls are implemented. So how much security is sufficient? If you ask any person, people would say the senior management would expect 100% security, and we know as security professionals in this world nothing is 100% guaranteed. However, in the parlance of better understanding, the SOC 2 compliance practices are audited by a third party, a certified public accountants firm, and those give the assurance that a sufficient level of controls are put in place, sufficient practices are put in place, in order to ensure that the security is measurable within the organization and there are no loopholes or basic loopholes within the systems.

Right, the third important factor over here is it gives confidence as far as the regulatory compliances are concerned, because if you are SOC 2 compliant, then complying with other expectations of the customers would become really easy; you can demonstrate. Let's say a company now starts planning out for SOC 2 Type 2 compliance and they include privacy as a trust criteria; then demonstrating their capability, competency against GDPR is very easy. Also it gives you operational effectiveness, which means that once the processes are set, once those are institutionalized, then you don't get into certain dilemmas or conflicts among the different functions about why and how the information should flow and what the different criteria related to the reviews and assessments from various authorities are.

I agree with that. I think the benefits outweigh the struggle, right? It is not easy to achieve SOC 2, but the benefits are so profound in nature that it is something that a lot of organizations go for. So of course you have to weigh out the pros and cons of it. The cons would be that a significant amount of resources from your organization would have to put their minds and put their efforts into achieving SOC 2. You can't just have one person who can take care of the entire project; you would need multiple different stakeholders to put in their efforts and put in their time as well. So that is something you have to look for.

So as GDPR says, it is the General Data Protection Regulation; it is legally enforceable. However, SOC 2 is not legally enforceable. You can demonstrate your capability with regards to SOC 2 practices, and there is currently no certificate available to showcase that you are GDPR compliant; there is no certification. GDPR asks you to appoint a DPO in certain cases, if you are processing a large amount of data, and in SOC 2 there is no requirement as such to be appointing a dedicated DPO or a DPO function. The roles and responsibilities in GDPR with regards to the data controller or the data processor are clearly defined and those are imposed, if you look at the law in detail, and there are fines which are getting imposed on various companies if you do not comply with the expectations of this particular law. As far as SOC 2 is concerned, as earlier mentioned, it is relevant to your business, and these are not mandatory ones, or there are no strict rules or sanctions if you're not complying with SOC 2.

Right, so of course GDPR is something that's legally enforceable; it's a law. But SOC 2 is just something that is good to have. It could improve your business opportunities; it gives trust for your employees, customers, vendors. It builds that sort of trust as well, and making sure that you're processing the data the correct way, or that you are probably following SOC 2 and you're compliant with that, gives a good set of assurance to different customers or different industry-leading companies that also come to you for a certain set of businesses. So that is why all these major cloud service providers already have a SOC 2 report. Right, so I think that is the end of this webinar. I believe we can probably give five more minutes, if that's possible, for a simple Q&A, if people have some questions that are still left unanswered.

Definitely, definitely. One question I think we missed out on answering earlier is: what is the difference between SOC 2 and ISO 27001? So see, ISO 27001 is a worldwide accepted information security management system standard, okay, which also covers a lot of controls; as of now the ISO 27001 2013 edition covers about 114 controls. But SOC 2 is more comprehensive: if you look at SOC 2 privacy alone, there are more than 50 controls which are expected. Okay, it is more comprehensive in nature; at the same time it takes time to implement that. The first and foremost, it is not just checked annually once, as far as ISO is concerned; you need to put in all the practices because the auditors do check all the records from the last audit. The other biggest difference is the ISO 27001 standard, I know the certificate is valid for three years, whereas the SOC 2 certificate is valid up to a maximum of one year; it's not beyond that. And if the organization has implemented Type 2 and they got assessed in 2022, they cannot go in 2024 and ask for recertification; they need to go through this cycle again. Right, that's the major difference.

Right, so I think Karthik has one question. I'm not sure about the answer for this one, so I'll just direct this to you. The question is: can you give two lines on ISAE 3000, which is SOC for GDPR? Now companies in Europe are going for it, so if you have any understanding... I'm just, I'm so sorry, I don't have the answer for it, but it's a good question. Please take it; we will definitely answer this particular question back. Right, so Karthikey, if you could just ping Anil or me on LinkedIn so that we also have a track of this question, we'll probably do our own research and get back to you on this, because it is something I'm curious about now that you've mentioned it. Definitely. Right, so perfect, I think we are good to close the webinar. We are just getting a lot of thanks in the comment section, so I appreciate that. So thank you so much, and thank you for taking time out of your busy schedule for making it to the webinar, and I appreciate your insights into the entire privacy discussion that we had here. And of course thank you Sakshi, Shivam, Prajwala for organizing this session; a lot of effort has been put in by you people as well.

Right, first of all thank you Sarah for organizing this particular webinar, in the interest of giving back something to the community. As I mentioned, I'm constantly learning, and I got to learn a few things through this particular webinar. Thank you for giving me the opportunity to speak on this forum. I know Saru has been doing a wonderful job in terms of Beat Academy, or Beat Business, Beat into Business, and I would love to collaborate with you in future engagements as well. Thank you.

Thank you so much for that. Thank you, so thank you to all the attendees as well; thank you for your comments, thank you for your questions. I think that also helped us understand privacy a little better. Of course, Karthikey, we will come back to your question as well, the ISAE 3000; we'll just have to do a quick research on it as well from our end. And thank you for making it on a Monday morning at 10 a.m. It's not something a lot of people do, but of course thank you again. Thank you, and thank you everyone. Bye-bye, have a good day. You have a nice weekend, bye.
