Feedback on Non Personal Data Governance Framework
Nanda Mohan Shenoy D
CAIIB, DBM-Part I, NSE Certified Market Professional Level-1, PG Diploma in IRPM, PG Diploma in EDP and Computer Management, DIM, LA ISO 9001, LA ISO 27001, NISM empaneled CPE Trainer
Director
Summary of Gaps in the Framework - 1/3

| # | Gap | Impact | Remedy | Addl. Info – Sec/Page | Slide No |
|---|-----|--------|--------|-----------------------|----------|
| G1 | Contradictory jargons used: Re-identification in place of De-anonymisation | Total Confusion | Substitute the word De-anonymisation wherever De-identification is used | Multiple places - 22 occasions | 5 |
| G2 | Lack of clarity in Anonymised Data definition | Total Confusion | Give explanation | Sec 4.6 Pg 17 & Pg 11 | 6 |
| G3 | Contradictory views on Anonymisation | Interpretation | Clarify the same or explanation required | Sec 4.5.iii Pg 16 & Pg 44 | 7 |
| G4 | Appendix 3 - Out of Context | Conflict with PDP Bill | Delete this appendix and refer to PDP Bill sections | Appendix 3 Pg 59 | 8 |
| G5 | Data Principal Consent is out of Context | Conflict with PDP | Delete this and refer to PDP Bill sections | Sec 4.6 Pg 17 | 9 |
| G6 | Sensitive Non Personal Data definition not specific | Interpretation | Specifics to be given similar to PDP Bill | Sec 4.5.iii Pg 16 | 10 |

Slide 2
Summary of Gaps in the Framework - 2/3

| # | Gap | Impact | Remedy | Addl. Info – Sec/Page | Slide No |
|---|-----|--------|--------|-----------------------|----------|
| G7 | Public Non Personal Data definition not clear | Confusion & Interpretation | Redraft the definition | Sec 4.2.ii Pg 14 | 11 |
| G8 | Overlap between Community & Private Non Personal Data | Confusion & Interpretation | More clarity and bifurcation required | Sec 4.3.ii Pg 15 | 12 |
| G9 | Global Data Set - No Clarity | Confusion & Interpretation | More clarity required | Sec 4.4.i Pg 15 | 13 |
| G10 | Ambiguity in Data Principal definition | Confusion & Different Interpretation | More clarity required | Sec 4.7 Pg 19 | 14 |
| G11 | Difference between Data Trust, Custodian & Principal is not very clear | Confusion & Different Interpretation | More clarity with specific examples required | Sec 4.8 Pg 19 | 15 |
| G12 | Difference between Data Trustee & Data Custodian | Confusion & Different Interpretation | One single example to be given from end to end | Sec 4.9 Pg 20 | 16 |

Slide 3
Summary of Gaps in the Framework - 3/3

| # | Gap | Impact | Remedy | Addl. Info – Sec/Page | Slide No |
|---|-----|--------|--------|-----------------------|----------|
| G13 | Ambiguity in the role of Data Trust | Confusion & Interpretation | Redraft the same | Sec 4.10 Pg 21 | 17 |
| G14 | Contradiction in sharing data voluntarily and mandatorily | Confusion & Interpretation | Redraft the same | Sec 4.10 Pg 21 | 18 |
| G15 | Legal basis for Public Non Personal Data not defined | Lack of clarity can lead to confusion | Add the legal basis for the same | Sec 5.1 Pg 23 | 19 |
| G16 | Overlaps and contradictions with Personal Data Protection Bill (PDPB) | Utter confusion for the layman | Contradictory clauses to be removed and cross reference to PDPB | Sec 5.4 Pg 26 | 20 |
| G17 | Linkages of Data Business with other roles like Custodian etc. not established | Utter confusion for the layman | Establish the relationship between the two | Sec 6 Pg 27 | 21 |
| G18 | One regulator for data protection, both Personal and Non Personal | Cost of compliance / Contradictory views | Uni-regulator | - | 22 |

Slide 4
G1 - Re-identified Data

Definitions as per PDPB:

(2) "anonymisation", in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Authority;

(6) "de-identification" means the process by which a data fiduciary or data processor may remove, or mask identifiers from personal data, or replace them with such other fictitious name or code that is unique to an individual but does not, on its own, directly identify the data principal;

(34) "re-identification" means the process by which a data fiduciary or data processor may reverse a process

Some of the examples, out of the 22, where re-identification is used wrongly:

(1) Page 16, Para 4.5.iii: "It is anonymised data, that bears a risk of re-identification"
(2) Page 17, Para 4.6.ii: "any subsequent harms arising from re-identification"
(3) Page 17, Para 4.6.v: "any subsequent harms arising from re-identification"
(4) Page 41, Para 8.2.ii: "so that issues around data sharing, competition, re-identification or collective privacy are harmoniously dealt with."

On 22 occasions the word re-identification is used.
On 6 occasions the word de-anonymised/de-anonymisation is used (with both U.S. English and Indian English spellings in use).

Slide 5
G2 - Clarity on Anonymisation of Data

Sec 4.6 Consent for Anonymised Data (page 17):
"iv. Therefore, the Committee recommends that the data principal should also provide consent for anonymisation and usage of this anonymised data while providing consent for collection and usage of his/her Personal Data.
v. The Committee also recommends that appropriate standards of anonymisation be defined to prevent / minimize the risks of re-identification"

Key Take Away (page 11):
"iv. To address privacy concerns, including from re-identification of anonymised personal data, preventing collective harms arising from processing of Non-Personal Data, and to examine the concept of collective privacy"

Q1. There is no clarity whether this anonymisation, as mentioned in 4.6, is of Personal Data or Non Personal Data. It is assumed/interpreted to be that of Personal Data, as the key take away on page 11 is talking about Personal Data.

Q2. If it refers only to Personal Data anonymisation, the PDPB 2019 already addresses the same and needs to be cross-referred to in this framework, as the same is covered by the definition below:
– (2) "anonymisation", in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Authority

Slide 6
G3 - Contradictory Views on Anonymisation

Contradiction 1: Within the Framework

Sec 4.5.iii, page 16:
"The Committee felt that it is important to bring in the concept of sensitivity to Non-Personal Data as well, from the following perspectives:
– It relates to national security or strategic interests;
– It bears risk of collective harm to a group (collective privacy etc.);
– It is business sensitive or confidential information;
– It is anonymised data, that bears a risk of re-identification"

Sec 9, pages 44 & 45:
"Prevent de-anonymization – Best of breed Differential Privacy algorithms"

Q1. If best of breed Differential Privacy algorithms are used, where is the risk of de-identification?
Q2. If the best of breed is used, what is the purpose of classifying such data as Sensitive Non-Personal Data, as quoted above?

At the most, call it simply "Anonymised personal data" throughout the document, standardising it as a class of data.

Slide 7
G4 - Appendix 3 - Out of Context

It is assumed that Appendix 3 (Page 52) pertains to anonymisation of Personal Data.

Issue 1: If it is about anonymisation of Personal Data, this appendix is not related to this framework. If that is so, this appendix has to be deleted, as Sec 50 of the PDPB addresses the method of anonymisation as below:

Sec 50 (6) (m):
"(6) The code of practice under this Act may include the following matters, namely:—
(m) methods of de-identification and anonymisation;"

Issue 2: Mix-up between algorithms and tools.
– 1, 2, 3, 4 & 9 are algorithms
– 5, 6, 7 & 8 are tools

Slide 8
G5 - Data Principal Consent is out of Context

Sec 4.6, page 17:
"iii. Under the PDP Bill, consent is necessary for the collection and processing of Personal Data. Since the conditions of 'specific' and 'capable of being withdrawn', as specified in PDP Bill Chapter II, 11 (2), do not apply to Non-Personal Data, we cannot assume that consent provided for Personal Data applies automatically to Non-Personal Data.
iv. Therefore, the Committee recommends that the data principal should also provide consent for anonymisation and usage of this anonymised data while providing consent for collection and usage of his/her Personal Data."

• The two sections are redundant here and can be addressed in the PDP Bill through Sec 7 (Notice) or Sec 50 (Code of Practice by DPAI).

Sec 50 (6) (m):
"(6) The code of practice under this Act may include the following matters, namely:—
(m) methods of de-identification and anonymisation;"

Further, in the case of anonymised Personal Data, the fact that the data principal's rights (right to erasure / right to be forgotten etc.) cannot be exercised needs to be explicitly mentioned in the Notice and Consent (Sec 7 & Sec 8 of PDP).

Also, Sec 91 of the PDP gives the Government the right to call for anonymised data, hence it is more appropriate there.
– This will naturally have to be covered under Sec 50 (6) (m).

Slide 9
G6 - Sensitive Non Personal Data Definition Not Specific

Sec 4.5.iii, page 16:
"The Committee felt that it is important to bring in the concept of sensitivity to Non-Personal Data as well, from the following perspectives:
• It relates to national security or strategic interests;
• It bears risk of collective harm to a group (collective privacy etc.);
• It is business sensitive or confidential information;
• It is anonymised data, that bears a risk of re-identification"

Issues:
– Just because Personal Data is classified as sensitive does not mean that Non Personal Data also needs to be classified.
– In the case of Sensitive Personal Data the classification is mutually exclusive and very explicit. Here there can be overlaps of sensitive data across Government, Community & Private Data, and segregation will be difficult unless explicitly defined by the framework.
– How it will be segregated needs clarity.

Slide 10
G7 - Public Non Personal Data Definition Not Clear

Ambiguity in 4.2.ii (Page 14):
• "Anonymised data of land records, public health information, vehicle registration data etc."

• Issues
– Anonymised data of land records:
  • What is anonymised? Is it the name of the holder of the land, his age, his occupation etc.? Nothing is clear.
– Vehicle registration data:
  • Currently the evahan API & SMS give full details of the vehicle, including the name of the owner. Is the name of the vehicle owner Personal Data?
  • Is the entire data set Personal Data?
  • Maybe the National Industries Code or the GST Code (HSN/SAC) can be used for the same.
    – http://mospi.nic.in/classification/national-industrial-classification/alphabetic-index-5digit
    – HSN/SAC Code of GST

Clarity required on both fronts.

Slide 11
G8 - Overlap - Community & Private Non Personal Data

Sec 4.3.ii (Page 15):
"Community Non-Personal Data means Non-Personal Data, including anonymized personal data, and non-personal data about inanimate and animate things or phenomena – whether natural, social or artefactual, whose source or subject pertains to a community of natural persons. Provided that such data shall not include Private Non-Personal Data.
– For instance, besides datasets collected by the municipal corporations and public electric utilities, datasets comprising user-information collected even by private players like telecom, e-commerce, ride-hailing companies, should be considered Community Data"

Issue 1: Will ride hailing companies like Ola & Uber come under Private Non Personal Data or Community Non Personal Data?

Issue 2: Is Community Data a subset of Private Non Personal Data?

Issue 3: Telecom providers, e.g. BSNL/MTNL: will their data be Public Non Personal Data? If not, then it has to be reworded as "private telecom operators", and similarly with Airlines, Banks etc. The list will keep increasing.

Clarity required.

Slide 12
G9 - Global Data Set - No Clarity

Sec 4.4.i (Page 15):
• "It may also include such data in a global dataset that pertains to non-Indians and which is collected in foreign jurisdictions (other than India)."

• Issues:
– Can't this data be collected by Government bodies?
– What if this data is collected by private organisations outside India?
– Will one ever come to know?
– Why is a Global Dataset contemplated only for Private Non Personal Data?
– Who will share?
– Under which law of the land can one ask for this data, and from whom?
– Are these organisations obligated to share this data, that too of non-Indians?

Slide 13
G10 - Ambiguity in Data Principal Definition

4.7. Data Principal (page 19):
"i. However, in case of Non-Personal Data, the definition of a data principal is related to the type of Non-Personal Data - Public, Community and Private data, as well as based on different possible kinds of subjects of data. [1]
ii. In case of Public Non-Personal Data:
  o Government may collect data pertaining to citizens (like census), companies (like company registration, financial filings) and communities.
  o The data principal will be the corresponding entities (individuals, companies, communities) to whom the data relates. [2]
iii. In case of Private Non-personal Data:
  o Private sector may collect data pertaining to citizens (like customer surveys), companies (like vendor registration, vendor product information) and communities.
  o The data principal will be the corresponding entities (individuals, companies, communities) to whom the data relates. [2]
iv. In case of Community Non-Personal Data:
  o A community, that is the source and/or subject of community data and as defined in Section 4.3, may be treated as the data principal for such data, and should be able to exercise key rights, including economic rights, to this data."

[1] What is meant by "different possible kinds of subjects of data"? (People may confuse this with the Data Subject of GDPR.) More clarity is needed.
[2] "Data relates" is not at all clear and totally confusing; it is interpreted as if it is the person from whom the data is collected.

Slide 14
G11 - Difference - Data Trust, Custodian & Principal

4.8. Data Custodian (Page 19):
"4.8.i. The data custodian undertakes collection, storage, processing, use, etc. of data in a manner that is in the best interest of the data principal.
ii. The data custodian may also be considered as data fiduciary, subject to certain directions and control and acting as per the interest of data principal/group/community."

4.10.i: "Data trusts are the institutional structures, comprising specific rules and protocols for containing and sharing a given set of data."

Issues:
1. Strike off "/group/community". The principal is already defined in Sec 4.7. If required, mention it like:
"ii. The data custodian may also be considered as data fiduciary, subject to certain directions and control and acting as per the interest of data principal as defined in Sec 4.7."
2. What is the correlation between Custodian and Trust?
3. How is the Custodian different from the Principal? Both are collecting the data.
As per 4.7.ii: "In case of Public Non-Personal Data: Government may collect data pertaining to citizens (like census), companies (like company registration, financial filings) and communities. The data principal will be the corresponding entities (individuals, companies, communities) to whom the data relates."
4. Who will share the data to the Trust: the Custodian, the Trustee or the Principal?
5. Should the Custodian be registered, or the Data Trust be registered, like the registration of significant data fiduciaries as envisaged in the PDPB?

Slide 15
G12 - Data Trustee vs Data Custodian

4.9. Data Trustees (Page 20):
"ii. The Ministry of Health and Family Welfare, Government of India can be the trustee for data on diabetes among Indian citizens"
"v. For example, the data regulator may work with the government transport department (playing the role of a data trustee)"

Issues:

4.9.ii
1. Who is the Custodian for the example given above? Taking one example, all roles have to be clarified.
2. Does every Non Personal Data have a Custodian as well as a Trustee?
3. Are Custodian and Trustee mutually exclusive?
4. Can Trustee and Custodian be the same? Is it following the same principle as Data Fiduciary and Data Processor? {It cannot be so, because 4.8.i mentions as follows: "The data custodian undertakes collection, storage, processing, use, etc. of data in a manner that is in the best interest of the data principal."}
5. Is Data Custodian applicable only to Community Non Personal Data?

4.9.v
6. Who is the Custodian for the example given above?

Slide 16
G13 - Ambiguity in the Role of Data Trust

4.10. Data Trust (Page 21):
"ii. Data trusts can contain data from multiple sources, custodians, etc. that is relevant to a particular sector, and required for providing a set of digital or data services.
iii. Data custodians may voluntarily share data in these data trusts, as many private organizations may come forward to share data held by them. Another important source of data pooled into these common data trusts will be from public organizations producing and holding various public data."

Issues:
1. What is "multiple sources"? Should it not be a specific entity like custodians/Trustee etc.? Strike off "multiple sources".
2. By the very definition of Data Custodian ("4.8.i. The data custodian undertakes collection, storage, processing, use, etc. of data in a manner that is in the best interest of the data principal."), the public organisation producing and holding various public data will also be a custodian. Hence it is strongly recommended that "Another important source of data pooled into these common data trusts will be from public organizations producing and holding various public data" be deleted.

Slide 17
G14 - Sharing Data Voluntarily and Mandatorily

4.10. Data Trust (Page 21):
"iii. Data custodians may voluntarily share data in these data trusts, as many private organizations may come forward to share data held by them. Another important source of data pooled into these common data trusts will be from public organizations producing and holding various public data.
iv. Governments / data trustees may also seek mandatory sharing of important data for a sector for specific purposes, which would also be managed and provided by such data trusts. It may also consist of both mandatorily and voluntarily shared data."

Issues:
1. Are Governments not custodians by the very definition of Data Custodian? Why separate them? Delete "Governments /".
2. How can Data Trustees decide whether the same should be shared voluntarily or mandatorily?
3. Conditions of mandatory and voluntary sharing should be clearly laid out.

Slide 18
G15 - Legal Basis - Public Non Personal Data

5.1. Legal basis for establishing rights over Non-Personal Data (Page 23):
"iii. The rights over community Non-Personal Data collected in India should vest with the trustee of that community, with the community being the beneficial owner, and such data should be utilized in the best interest of that community."

Issues:
1. It is silent about Public Non Personal Data. The same also needs to be defined.
2. What about Private Non Personal Data?
3. As per 5.1.iii: "In case of Non-Personal Data derived from personal data of an individual, the data principal for personal data will continue to be the data principal for the Non-Personal Data, which should be utilized in the best interest of that individual."
This directly contradicts G10, where the Data Principal is defined. Once the data is anonymised and shared, it is next to impossible for the individual to exercise his right. Hence this needs to be struck off.

Slide 19
G16 - Overlaps and Contradictions with PDP Bill

5.4 Private Data (Page 26):
"i. In the 'Private Non-Personal Data', as defined in Section 4.4., only such raw / factual data pertaining to a community, that is collected by a private organization may need to be shared, subject to the well-defined grounds (refer to Recommendation 5) at no remuneration"

The PDPB clause is as follows:
"91. (1) Nothing in this Act shall prevent the Central Government from framing of any policy for the digital economy, including measures for its growth, security, integrity, prevention of misuse, insofar as such policy do not govern personal data.
(2) The Central Government may, in consultation with the Authority, direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed.
Explanation.—For the purposes of this sub-section, the expression "non-personal data" means the data other than personal data."

Issues:
1. As per the definition of Data Fiduciary, the State (i.e. the Government) is included, whereas 5.4.i of this framework is restricted to Private Non Personal Data only and is not applicable to the other 2 classes of data. This needs to be standardised.
2. PDP Bill Sec 91 is silent on remuneration, whereas here it is mentioned as "at no remuneration". This contradiction is to be removed.
3. Sec 5.4.i should cross-refer to Sec 91 of PDPB as well.

Slide 20
G17 - Data Business

6. Data Business (Page 27):
"Create a new category / taxonomy of business called 'Data Business' that collects, process, store, or otherwise manages data, and meets certain threshold criteria."

4.8. Data Custodian (Page 19):
"i. The data custodian undertakes collection, storage, processing, use, etc. of data in a manner that is in the best interest of the data principal."

4.10. Data Trusts (Page 21):
"i. Data trusts are the institutional structures, comprising specific rules and protocols for containing [collecting] and sharing a given set of data."

Issues:
1. In 4.10.i there is a typo. It should have been "collecting" and not "containing", as marked above.
2. On page 17 four types of data roles are defined, viz. 1) Data Principal, 2) Data Custodian, 3) Data Trustees and 4) Data Trusts. To which role the Data Business belongs is not clear. The Data Custodian also collects the data, the Data Trust also collects the data, and the Data Business also collects the data.
3. Is a Data Trust like an NGO (not for profit) and a Data Business like a company? Clarity needed.
4. Is Data Business like the Significant Data Fiduciary of the PDP Bill, with Data Custodian as the superset?
5. Data sharing is also heavily impacted by this lack of clarity, as data sharing refers only to the data custodian and not the data business:
"iv. If the data custodian refuses to share the request, the request is made to the Non-Personal Data Authority (refer to Chapter 8). The authority evaluates the…" (page 37)
It can be interpreted that a Data Business need not share the information.
6. The National Industries Code may be used for defining the various data businesses.

Slide 21
G18 - Uni-regulator

Sec 8.2 (Page 40):
• "8.2. Ultimately, the Committee felt that the best option is to create a separate Non-Personal Data Authority."

Issues:
1. The PDPB defines the regulator, the "Data Protection Authority of India".
• This definition is broad and does not bifurcate between Personal Data and Non Personal Data.
• Hence it is strongly recommended that we have only one regulator.
• Otherwise it is taxpayers' money wasted for nothing.

Other Industry Experience
• FMC and SEBI. From Day 1, I have been harping upon the need for a uni-regulator, and after 10 years the commodity derivatives moved to SEBI.
• Another example is the Appellate Tribunal for the IT Act, which was merged with TDSAT after ₹27 crores went down the drain. (https://thewire.in/banking/tragic-comedic-functioning-indias-cyber-appellate-tribunal)

Slide 22
Background of Nanda Mohan Shenoy

• Nanda Mohan Shenoy is a Certified Data Privacy Solutions Engineer (CDPSE) and CISA (both from USA). He also possesses the banking qualification CAIIB from India, and is a Lead Auditor for ISO 27001:2013.
• Banking & Information Security professional with more than 30 years of BFSI experience, with a deep understanding of Business, Operations, Technology, Information/Cyber Security & Privacy.
• Held leadership positions in three different banks: BNP Paribas India, Global Trust Bank and Bharat Overseas Bank.
• One of the latest assignments in the area of Privacy was supporting Bureau Veritas India, the certification body, as a Subject Matter Expert for the ISO 27701:2019 Privacy Management Information Systems (PIMS) certification for Infosys.
• International Speaker. Contact: nmds@bestfitsolutions.in
• Had submitted feedback on the Sep 2018 version.
• Was also part of the NASSCOM Committee in Mumbai.
• The following three recommendations were accepted:
  • (14) "data principal" means the natural person to whom the personal data referred to in sub-clause (28) relates;
  • (26) "Official identifier" means any number, code, or other identifier, including Aadhaar number, assigned to a data principal under a law made by Parliament or any State Legislature which may be used for the purpose of verifying the identity of a data principal;
  • (23) "in writing" includes any communication in electronic format as defined in clause (r) of sub-section (1) of section 2 of the Information Technology Act, 2000 - this definition was added.
• Submitted 31 gaps to the Parliamentary Committee on PDPB 2019:
  https://www.slideshare.net/NandaMohanShenoy/feedback-on-personal-data-protection-bill-2019

Slide 23
Proof of Submission

Slide 25
 
D03_SVCMahatmyam_v1.pdf
D03_SVCMahatmyam_v1.pdfD03_SVCMahatmyam_v1.pdf
D03_SVCMahatmyam_v1.pdf
 
D02_SVCMahatmyam_v1.pdf
D02_SVCMahatmyam_v1.pdfD02_SVCMahatmyam_v1.pdf
D02_SVCMahatmyam_v1.pdf
 
D01_SVCMahatmyam_v1.pdf
D01_SVCMahatmyam_v1.pdfD01_SVCMahatmyam_v1.pdf
D01_SVCMahatmyam_v1.pdf
 
09_Sundara Kandam_v3.pdf
09_Sundara Kandam_v3.pdf09_Sundara Kandam_v3.pdf
09_Sundara Kandam_v3.pdf
 
08_Sundara Kandam_v3.pdf
08_Sundara Kandam_v3.pdf08_Sundara Kandam_v3.pdf
08_Sundara Kandam_v3.pdf
 
07_Sundara Kandam_v3.pdf
07_Sundara Kandam_v3.pdf07_Sundara Kandam_v3.pdf
07_Sundara Kandam_v3.pdf
 
06_Sundara Kandam_v3.pdf
06_Sundara Kandam_v3.pdf06_Sundara Kandam_v3.pdf
06_Sundara Kandam_v3.pdf
 
05_Sundara Kandam_v3.pdf
05_Sundara Kandam_v3.pdf05_Sundara Kandam_v3.pdf
05_Sundara Kandam_v3.pdf
 
04_Sundara Kandam_v3.pptx
04_Sundara Kandam_v3.pptx04_Sundara Kandam_v3.pptx
04_Sundara Kandam_v3.pptx
 
03_Sundara Kandam-v3.pdf
03_Sundara Kandam-v3.pdf03_Sundara Kandam-v3.pdf
03_Sundara Kandam-v3.pdf
 
02_Sundara Kandam_v3.pdf
02_Sundara Kandam_v3.pdf02_Sundara Kandam_v3.pdf
02_Sundara Kandam_v3.pdf
 
01_Sundara Kandam_v3.pdf
01_Sundara Kandam_v3.pdf01_Sundara Kandam_v3.pdf
01_Sundara Kandam_v3.pdf
 
CEPAR Conference _20230204.pdf
CEPAR Conference _20230204.pdfCEPAR Conference _20230204.pdf
CEPAR Conference _20230204.pdf
 
IS17428_ISACA_Chennai_20220910.pptx
IS17428_ISACA_Chennai_20220910.pptxIS17428_ISACA_Chennai_20220910.pptx
IS17428_ISACA_Chennai_20220910.pptx
 
F 32-Mukundamala- Part-6
F 32-Mukundamala- Part-6F 32-Mukundamala- Part-6
F 32-Mukundamala- Part-6
 

Kürzlich hochgeladen

The Main Steps on Starting a Business in Spain
The Main Steps on Starting a Business in SpainThe Main Steps on Starting a Business in Spain
The Main Steps on Starting a Business in SpainBridgeWest.eu
 
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理Airst S
 
一比一原版(USYD毕业证书)澳洲悉尼大学毕业证如何办理
一比一原版(USYD毕业证书)澳洲悉尼大学毕业证如何办理一比一原版(USYD毕业证书)澳洲悉尼大学毕业证如何办理
一比一原版(USYD毕业证书)澳洲悉尼大学毕业证如何办理A AA
 
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理Airst S
 
Understanding the Role of Labor Unions and Collective Bargaining
Understanding the Role of Labor Unions and Collective BargainingUnderstanding the Role of Labor Unions and Collective Bargaining
Understanding the Role of Labor Unions and Collective Bargainingbartzlawgroup1
 
Philippine FIRE CODE REVIEWER for Architecture Board Exam Takers
Philippine FIRE CODE REVIEWER for Architecture Board Exam TakersPhilippine FIRE CODE REVIEWER for Architecture Board Exam Takers
Philippine FIRE CODE REVIEWER for Architecture Board Exam TakersJillianAsdala
 
Shubh_Burden of proof_Indian Evidence Act.pptx
Shubh_Burden of proof_Indian Evidence Act.pptxShubh_Burden of proof_Indian Evidence Act.pptx
Shubh_Burden of proof_Indian Evidence Act.pptxShubham Wadhonkar
 
一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理Airst S
 
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理ss
 
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation StrategySmarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation StrategyJong Hyuk Choi
 
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理e9733fc35af6
 
Elective Course on Forensic Science in Law
Elective Course on Forensic Science  in LawElective Course on Forensic Science  in Law
Elective Course on Forensic Science in LawNilendra Kumar
 
CAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction FailsCAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction FailsAurora Consulting
 
一比一原版埃克塞特大学毕业证如何办理
一比一原版埃克塞特大学毕业证如何办理一比一原版埃克塞特大学毕业证如何办理
一比一原版埃克塞特大学毕业证如何办理Airst S
 
一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理Airst S
 
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...Dr. Oliver Massmann
 
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理bd2c5966a56d
 
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptxAnalysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptxadvabhayjha2627
 
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理Airst S
 
ARTICLE 370 PDF about the indian constitution.
ARTICLE 370 PDF about the  indian constitution.ARTICLE 370 PDF about the  indian constitution.
ARTICLE 370 PDF about the indian constitution.tanughoshal0
 

Kürzlich hochgeladen (20)

The Main Steps on Starting a Business in Spain
The Main Steps on Starting a Business in SpainThe Main Steps on Starting a Business in Spain
The Main Steps on Starting a Business in Spain
 
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
 
一比一原版(USYD毕业证书)澳洲悉尼大学毕业证如何办理
一比一原版(USYD毕业证书)澳洲悉尼大学毕业证如何办理一比一原版(USYD毕业证书)澳洲悉尼大学毕业证如何办理
一比一原版(USYD毕业证书)澳洲悉尼大学毕业证如何办理
 
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
 
Understanding the Role of Labor Unions and Collective Bargaining
Understanding the Role of Labor Unions and Collective BargainingUnderstanding the Role of Labor Unions and Collective Bargaining
Understanding the Role of Labor Unions and Collective Bargaining
 
Philippine FIRE CODE REVIEWER for Architecture Board Exam Takers
Philippine FIRE CODE REVIEWER for Architecture Board Exam TakersPhilippine FIRE CODE REVIEWER for Architecture Board Exam Takers
Philippine FIRE CODE REVIEWER for Architecture Board Exam Takers
 
Shubh_Burden of proof_Indian Evidence Act.pptx
Shubh_Burden of proof_Indian Evidence Act.pptxShubh_Burden of proof_Indian Evidence Act.pptx
Shubh_Burden of proof_Indian Evidence Act.pptx
 
一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理
 
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
 
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation StrategySmarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
 
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
 
Elective Course on Forensic Science in Law
Elective Course on Forensic Science  in LawElective Course on Forensic Science  in Law
Elective Course on Forensic Science in Law
 
CAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction FailsCAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction Fails
 
一比一原版埃克塞特大学毕业证如何办理
一比一原版埃克塞特大学毕业证如何办理一比一原版埃克塞特大学毕业证如何办理
一比一原版埃克塞特大学毕业证如何办理
 
一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理
 
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
 
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
 
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptxAnalysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
 
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
 
ARTICLE 370 PDF about the indian constitution.
ARTICLE 370 PDF about the  indian constitution.ARTICLE 370 PDF about the  indian constitution.
ARTICLE 370 PDF about the indian constitution.
 

Feedback on Non Personal Data Governance Framework

  • 1. Feedback on Non Personal Data Governance Framework
  Nanda Mohan Shenoy D
  CAIIB, DBM-Part I, NSE Certified Market Professional Level-1, PG Diploma in IRPM, PG Diploma in EDP and Computer Management, DIM, LA ISO 9001, LA ISO 27001, NISM empanelled CPE Trainer
  Director

  • 2. Summary of Gaps in the Framework - 1/3
  # | Gap | Impact | Remedy | Addl. Info - Sec/Page | Slide No
  G1 | Contradictory jargon used: re-identification in place of de-anonymisation | Total confusion | Substitute the word de-anonymisation wherever de-identification is used | Multiple places - 22 occasions | 5
  G2 | Lack of clarity in anonymised data definition | Total confusion | Give explanation | Sec 4.6 Pg 17 & Pg 11 | 6
  G3 | Contradictory views on anonymisation | Interpretation | Clarify the same or explanation required | Sec 4.5.iii Pg 16 & Pg 44 | 7
  G4 | Appendix 3 - out of context | Conflict with PDP Bill | Delete this appendix and refer to PDP Bill sections | Appendix 3 Pg 59 | 8
  G5 | Data Principal consent is out of context | Conflict with PDP | Delete this and refer to PDP Bill sections | Sec 4.6 Pg 17 | 9
  G6 | Sensitive Non Personal Data definition not specific | Interpretation | Specifics to be given similar to PDP Bill | Sec 4.5.iii Pg 16 | 10

  • 3. Summary of Gaps in the Framework - 2/3
  # | Gap | Impact | Remedy | Addl. Info - Sec/Page | Slide No
  G7 | Public Non Personal Data definition not clear | Confusion & interpretation | Redraft the definition | Sec 4.2.ii Pg 14 | 11
  G8 | Overlap between Community & Private Non Personal Data | Confusion & interpretation | More clarity and bifurcation required | Sec 4.3.ii Pg 15 | 12
  G9 | Global Data Set - no clarity | Confusion & interpretation | More clarity required | Sec 4.4.i Pg 15 | 13
  G10 | Ambiguity in Data Principal definition | Confusion & different interpretation | More clarity required | Sec 4.7 Pg 19 | 14
  G11 | Difference between Data Trust, Custodian & Principal is not very clear | Confusion & different interpretation | More clarity with specific examples required | Sec 4.8 Pg 19 | 15
  G12 | Difference between Data Trustee & Data Custodian | Confusion & different interpretation | One single example to be given from end to end | Sec 4.9 Pg 20 | 16

  • 4. Summary of Gaps in the Framework - 3/3
  # | Gap | Impact | Remedy | Addl. Info - Sec/Page | Slide No
  G13 | Ambiguity in the role of Data Trust | Confusion & interpretation | Redraft the same | Sec 4.10 Pg 21 | 17
  G14 | Contradiction in sharing data voluntarily and mandatorily | Confusion & interpretation | Redraft the same | Sec 4.10 Pg 21 | 18
  G15 | Legal basis for Public Non Personal Data not defined | Lack of clarity can lead to confusion | Add the legal basis for the same | Sec 5.1 Pg 23 | 19
  G16 | Overlaps and contradictions with Personal Data Protection Bill (PDPB) | Utter confusion for the layman | Contradictory clauses to be removed and cross reference to PDPB | Sec 5.4 Pg 26 | 20
  G17 | Linkages of Data Business with other roles like Custodian etc. not established | Utter confusion for the layman | Establish the relationship between the two | Sec 6 Pg 27 | 21
  G18 | One regulator for data protection, both Personal and Non Personal | Cost of compliance / contradictory views | Uni-regulator | | 22
  • 5. G1 - Re-identified Data
  Definitions as per PDPB:
  (2) "anonymisation" in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Authority
  (6) "de-identification" means the process by which a data fiduciary or data processor may remove, or mask identifiers from personal data, or replace them with such other fictitious name or code that is unique to an individual but does not, on its own, directly identify the data principal;
  (34) "re-identification" means the process by which a data fiduciary or data processor may reverse a process
  Some of the examples out of the 22 where re-identification is used wrongly:
  (1) Page-16 Para 4.5.iii: "It is anonymised data, that bears a risk of re-identification"
  (2) Page-17 Para 4.6.ii: "any subsequent harms arising from re-identification"
  (3) Page-17 Para 4.6.v: "any subsequent harms arising from re-identification"
  (4) Page-41 Para 8.2.ii: "so that issues around data sharing, competition, re-identification or collective privacy are harmoniously dealt with."
  On 22 occasions the word re-identification is used. On 6 occasions the word de-anonymised/de-anonymisation is used (with both U.S. English and Indian English spellings being used).
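  To make the three PDPB definitions quoted on this slide concrete, the following is an added Python example (it is not part of the deck or of the framework): it de-identifies constructed sample records with a code the fiduciary can reverse, and then produces an irreversible anonymised version for which no mapping is retained. The sample records, the fiduciary key and the age-band/pincode-prefix generalisation scheme are assumptions made for illustration.

```python
"""Added example, not from the slide deck: the three PDPB 2019 terms quoted on the
G1 slide (de-identification, re-identification, anonymisation) acted out on a
constructed toy data set so the difference in reversibility is visible."""
import hashlib
import hmac
from collections import Counter

# Constructed sample records; every name, phone and value is fictitious.
RECORDS = [
    {"name": "Asha R", "phone": "9800000001", "age": 34, "pincode": "560001", "diagnosis": "diabetes"},
    {"name": "Bala K", "phone": "9800000002", "age": 37, "pincode": "560002", "diagnosis": "hypertension"},
    {"name": "Chitra M", "phone": "9800000003", "age": 52, "pincode": "560034", "diagnosis": "diabetes"},
    {"name": "Devan S", "phone": "9800000004", "age": 58, "pincode": "560045", "diagnosis": "asthma"},
    {"name": "Esha P", "phone": "9800000005", "age": 29, "pincode": "400001", "diagnosis": "diabetes"},
]
DIRECT_IDENTIFIERS = ("name", "phone")     # identify a person on their own
QUASI_IDENTIFIERS = ("age", "pincode")     # identify a person only in combination

# Assumed secret held by the data fiduciary; a real deployment would generate it
# randomly and guard it, because whoever holds it can re-identify.
FIDUCIARY_KEY = b"constructed-demo-key-not-for-real-use"


def de_identify(records, key):
    """PDPB s.3(6): remove or mask the identifiers and replace them with a code that is
    unique to the individual. The fiduciary keeps `mapping` (code -> identifiers),
    which is exactly what keeps the process reversible."""
    out, mapping = [], {}
    for r in records:
        code = hmac.new(key, r["phone"].encode(), hashlib.sha256).hexdigest()[:12]
        mapping[code] = {k: r[k] for k in DIRECT_IDENTIFIERS}
        out.append({"code": code, **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}})
    return out, mapping


def re_identify(deidentified, mapping):
    """PDPB s.3(34): reverse the de-identification with the retained mapping."""
    return [{**mapping[r["code"]], **{k: v for k, v in r.items() if k != "code"}}
            for r in deidentified]


def anonymise(records, k=2):
    """Irreversible transform in the sense of PDPB s.3(2): direct identifiers are dropped,
    no mapping is kept, and the quasi-identifiers are generalised (assumed scheme:
    10-year age band, 3-digit pincode prefix) so that every released row shares its
    generalised values with at least k-1 others; rows that cannot are suppressed."""
    def generalise(r):
        band = r["age"] // 10 * 10
        return {"age_band": f"{band}-{band + 9}", "pincode_prefix": r["pincode"][:3],
                "diagnosis": r["diagnosis"]}
    rows = [generalise(r) for r in records]
    counts = Counter((g["age_band"], g["pincode_prefix"]) for g in rows)
    return [g for g in rows if counts[(g["age_band"], g["pincode_prefix"])] >= k]


def min_group_size(rows, keys):
    """Smallest number of rows sharing one combination of `keys` (k-anonymity level).
    A value of 1 means some row is unique on those columns and can be singled out
    even without the fiduciary's mapping."""
    counts = Counter(tuple(r[key] for key in keys) for r in rows)
    return min(counts.values()) if counts else 0


if __name__ == "__main__":
    coded, mapping = de_identify(RECORDS, FIDUCIARY_KEY)
    print("de-identified row:", coded[0])
    print("k on (age, pincode) after de-identification:", min_group_size(coded, QUASI_IDENTIFIERS))
    print("re-identified equals original:", re_identify(coded, mapping) == RECORDS)
    anon = anonymise(RECORDS, k=2)
    print("anonymised rows:", anon)
    print("k-anonymity of anonymised set:", min_group_size(anon, ("age_band", "pincode_prefix")))
```

The de-identified set still has k = 1 on (age, pincode), which is the residual risk the deck calls re-identification, while the anonymised set keeps neither identifiers nor a mapping and only generalised values shared by at least two rows.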
  • 6. G2 - Clarity on Anonymisation of Data
  Sec 4.6 Consent for Anonymised Data (page 17):
  "iv. Therefore, the Committee recommends that the data principal should also provide consent for anonymisation and usage of this anonymised data while providing consent for collection and usage of his/her Personal Data. (page 17)
  v. The Committee also recommends that appropriate standards of anonymisation be defined to prevent / minimize the risks of re-identification"
  Key Take Away (page 11):
  "iv. To address privacy concerns, including from re-identification of anonymised personal data, preventing collective harms arising from processing of Non-Personal Data, and to examine the concept of collective privacy" (page 11, in the key take away)
  Q1. No clarity whether this anonymisation, as mentioned in 4.6, is of the Personal Data or the Non Personal Data. It is assumed/interpreted to be that of Personal Data, as the key take away on page 11 is talking about Personal Data.
  Q2. If it is referring only to Personal Data anonymisation, the PDPB 2019 already addresses the same and needs to be cross referred to in this framework, as the same is covered as per the definition below:
  (2) "anonymisation" in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Authority
  • 7. G3 - Contradictory Views on Anonymisation
  Contradiction 1: within the Framework
  Sec 4.5.iii, page 16: The Committee felt that it is important to bring in the concept of sensitivity to Non-Personal Data as well, from the following perspectives (page 16):
  – It relates to national security or strategic interests;
  – It bears risk of collective harm to a group (collective privacy etc.);
  – It is business sensitive or confidential information;
  – It is anonymised data, that bears a risk of re-identification
  Sec 9, pages 44 & 45: "Prevent de-anonymization – Best of breed Differential Privacy algorithms" (page 44 and page 45)
  Q1. If a best of breed Differential Privacy algorithm is used, where is the risk of de-identification?
  Q2. In case the best of breed is used, what is the purpose of classifying such data as Sensitive Non-Personal Data, as above? At the most call it simply "Anonymised personal data" throughout the document, as standardisation as a class of data.
  • 8. G4 - Appendix 3 Out of Context
  It is assumed that Appendix 3 (Page 52) pertains to anonymisation of Personal Data.
  Issue 1: If it is about anonymisation of Personal Data, this appendix is not related to this framework. If that is so, this appendix has to be deleted, as S50 of the PDPB Bill addresses the method of anonymisation as below:
  Sec 50 (6) (m): "(6) The code of practice under this Act may include the following matters, namely:— (m) methods of de-identification and anonymisation;"
  Issue 2: Mix up between algorithms and tools.
  – 1, 2, 3, 4 & 9 are algorithms
  – 5, 6, 7 & 8 are tools
  • 9. G5 - Data Principal Consent is Out of Context
  Sec 4.6, page 17:
  "iii. Under the PDP Bill, consent is necessary for the collection and processing of Personal Data. Since the conditions of 'specific' and 'capable of being withdrawn', as specified in PDP Bill Chapter II, 11 (2), do not apply to Non-Personal Data, we cannot assume that consent provided for Personal Data applies automatically to Non-Personal Data.
  iv. Therefore, the Committee recommends that the data principal should also provide consent for anonymisation and usage of this anonymised data while providing consent for collection and usage of his/her Personal Data."
  • The two sections are redundant here and can be addressed in the PDP Bill through Sec 7 Notice or S-50 Code of Practice by DPAI.
  Sec 50 (6) (m): "(6) The code of practice under this Act may include the following matters, namely:— (m) methods of de-identification and anonymisation;"
  • Further, in case of anonymised Personal Data the data principal rights such as the right to erasure / right to be forgotten etc. cannot be exercised; this needs to be explicitly mentioned in the Notice and Consent (Sec 7 & Sec 8 of PDP).
  • Also, Sec 91 of the PDP gives the Government the right to call for anonymised data, hence it is more appropriate there. This will naturally have to be covered under Sec 50 (6) (m).
  • 10. G6 - Sensitive Non Personal Data Definition Not Specific
  Sec 4.5.iii, page 16: The Committee felt that it is important to bring in the concept of sensitivity to Non-Personal Data as well, from the following perspectives (page 16):
  • It relates to national security or strategic interests;
  • It bears risk of collective harm to a group (collective privacy etc.);
  • It is business sensitive or confidential information;
  • It is anonymised data, that bears a risk of re-identification
  Issues:
  – Just because Personal Data is classified as sensitive does not mean that Non Personal Data also needs to be classified.
  – In the case of Sensitive Personal Data the classification is mutually exclusive and very explicit. Here there can be overlaps of sensitive data across Government, Community & Private Data, and segregation will be difficult unless explicitly defined by the framework.
  – How it will be segregated needs clarity.
  • 11. G7 - Public Non Personal Data Definition Not Clear
  Ambiguity in 4.2.ii (Page 14):
  • "Anonymised data of land records, public health information, vehicle registration data etc."
  • Issues
  – Anonymised data of land records:
  • What is anonymised? Is it the name of the holder of the land, his age, his occupation etc.? Nothing is clear.
  – Vehicle registration data:
  • Currently the eVahan API & SMS give full details of the vehicle including the name of the owner. Is the name of the vehicle owner Personal Data?
  • Is the entire data set Personal Data?
  • Maybe the National Industries Code or the GST Code (HSN/SAC) can be used for the same.
  – http://mospi.nic.in/classification/national-industrial-classification/alphabetic-index-5digit
  – HSN/SAC Code of GST
  Clarity required on both fronts.
  • 12. G8 - Overlap: Community & Private Non Personal Data
  Sec 4.3.ii (Page 15): "Community Non-Personal Data means Non-Personal Data, including anonymized personal data, and non-personal data about inanimate and animate things or phenomena – whether natural, social or artefactual, whose source or subject pertains to a community of natural persons. Provided that such data shall not include Private Non-Personal Data.
  – For instance, besides datasets collected by the municipal corporations and public electric utilities, datasets comprising user-information collected even by private players like telecom, e-commerce, ride-hailing companies, should be considered Community Data"
  Issue 1: Ride hailing companies like Ola & Uber: will they come under Private Non Personal Data or Community Non Personal Data?
  Issue 2: Is Community Data a subset of the Private Non Personal Data?
  Issue 3: Telecom provider, e.g. BSNL/MTNL data: will it be Public Non Personal Data? If no, then it has to be reworded to private telecom operators, similarly with Airlines, Banks etc. The list will increase.
  Clarity required.
  • 13. G9 - Global Data Set: No Clarity
  Sec 4.4.i (Page 15):
  • "It may also include such data in a global dataset that pertains to non-Indians and which is collected in foreign jurisdictions (other than India)."
  • Issues:
  – Can't this data be collected by Government bodies?
  – What if this data is collected by private organisations outside India?
  – Will one ever come to know?
  – Why is the Global Dataset only for Private Non Personal Data?
  – Who will share?
  – Under which law of the land can one ask for this data, and from whom?
  – Are these organisations obligated to share this data, that too of non-Indians?
  • 14. G10 - Ambiguity in Data Principal Definition
  4.7. Data Principal (page 19):
  "i. However, in case of Non-Personal Data, the definition of a data principal is related to the type of Non-Personal Data - Public, Community and Private data, as well as based on different possible kinds of subjects of data. [1]
  ii. In case of Public Non-Personal Data:
  o Government may collect data pertaining to citizens (like census), companies (like company registration, financial filings) and communities.
  o The data principal will be the corresponding entities (individuals, companies, communities) to whom the data relates. [2]
  iii. In case of Private Non-personal Data:
  o Private sector may collect data pertaining to citizens (like customer surveys), companies (like vendor registration, vendor product information) and communities.
  o The data principal will be the corresponding entities (individuals, companies, communities) to whom the data relates. [2]
  iv. In case of Community Non-Personal Data:
  o A community, that is the source and/or subject of community data and as defined in Section 4.3, may be treated as the data principal for such data, and should be able to exercise key rights, including economic rights, to this data."
  [1] What is meant by "different possible kinds of subjects of data"? (People may confuse it with the Data Subject of GDPR.) Need more clarity.
  [2] "Data relates" is not at all clear and totally confusing; it is interpreted as if it is the person from whom the same is collected.
  • 15. G11 - Difference: Data Trust, Custodian & Principal
  4.8. Data Custodian (Page 19):
  "4.8.i. The data custodian undertakes collection, storage, processing, use, etc. of data in a manner that is in the best interest of the data principal.
  ii. The data custodian may also be considered as data fiduciary, subject to certain directions and control and acting as per the interest of data principal/group/community."
  4.10.i: "Data trusts are the institutional structures, comprising specific rules and protocols for containing and sharing a given set of data."
  Issues:
  1. Strike off "/group/community". The principal is already defined in Sec 4.7. If required, mention it like: "ii. The data custodian may also be considered as data fiduciary, subject to certain directions and control and acting as per the interest of data principal as defined in Sec 4.7."
  2. What is the correlation between Custodian and Trust?
  3. How is the Custodian different from the Principal? Both are collecting the data. As per 4.7.2: "ii. In case of Public Non-Personal Data: Government may collect data pertaining to citizens (like census), companies (like company registration, financial filings) and communities. The data principal will be the corresponding entities (individuals, companies, communities) to whom the data relates"
  4. Who will share the data with the Trust: the Custodian, the Trustee or the Principal?
  5. Should the Custodian be registered, or the Data Trust be registered, like the registration of significant data fiduciaries as is envisaged in the PDPB?
  • 16. G12 - Data Trustee vs Data Custodian
  4.9. Data Trustees (Page 20):
  "ii. The Ministry of Health and Family Welfare, Government of India can be the trustee for data on diabetes among Indian citizens
  v. For example, the data regulator may work with the government transport department (playing the role of a data trustee)"
  Issues:
  4.9.ii
  1. Who is the Custodian for the example given above? Taking one example, all roles have to be clarified.
  2. Does every Non Personal Data have a Custodian as well as a Trustee?
  3. Are Custodian and Trustee mutually exclusive?
  4. Can Trustee and Custodian be the same? Is it following the same principle as Data Fiduciary and Data Processor? {It cannot be so, because 4.8.i mentions as follows: "The data custodian undertakes collection, storage, processing, use, etc. of data in a manner that is in the best interest of the data principal."}
  5. Is Data Custodian applicable only to Community Non Personal Data?
  4.9.v
  6. Who is the Custodian for the example given above?
  • 17. G13 - Ambiguity in the Role of Data Trust
  4.10. Data Trust (Page 21):
  "ii. Data trusts can contain data from multiple sources, custodians, etc. that is relevant to a particular sector, and required for providing a set of digital or data services.
  iii. Data custodians may voluntarily share data in these data trusts, as many private organizations may come forward to share data held by them. Another important source of data pooled into these common data trusts will be from public organizations producing and holding various public data."
  Issues:
  1. What is "multiple sources"? Should it not be a specific entity like custodians/Trustee etc.? Strike off "multiple sources".
  2. By the very definition of Data Custodian ("4.8.i. The data custodian undertakes collection, storage, processing, use, etc. of data in a manner that is in the best interest of the data principal."), the public organisation producing and holding various Public Data will also be a custodian. Hence it is strongly recommended that "Another important source of data pooled into these common data trusts will be from public organizations producing and holding various public data" be deleted.
  • 18. G14 - Sharing Data Voluntarily and Mandatorily
  4.10. Data Trust (Page 21):
  "iii. Data custodians may voluntarily share data in these data trusts, as many private organizations may come forward to share data held by them. Another important source of data pooled into these common data trusts will be from public organizations producing and holding various public data.
  iv. Governments / data trustees may also seek mandatory sharing of important data for a sector for specific purposes, which would also be managed and provided by such data trusts. It may also consist of both mandatorily and voluntarily shared data."
  Issues:
  1. Are Governments not custodians by the very definition of Data Custodian? Why separate? Delete "Governments /".
  2. How can Data Trustees decide whether the same should be shared voluntarily or mandatorily?
  3. Conditions of mandatory and voluntary sharing should be clearly laid out.
  • 19. G15 - Legal Basis: Public Non Personal Data
  5.1. Legal basis for establishing rights over Non-Personal Data (Page 23):
  "iii. The rights over community Non-Personal Data collected in India should vest with the trustee of that community, with the community being the beneficial owner, and such data should be utilized in the best interest of that community."
  Issues:
  1. It is silent about Public Non Personal Data. The same also needs to be defined.
  2. What about Private Non Personal Data?
  3. As per 5.1.iii: "In case of Non-Personal Data derived from personal data of an individual, the data principal for personal data will continue to be the data principal for the Non-Personal Data, which should be utilized in the best interest of that individual." This directly contradicts G10, where the Data Principal is defined. Once the data is anonymised and shared it is next to impossible to exercise his right. Hence this needs to be struck off.
  • 20. G16 - Overlaps and Contradictions with PDP Bill
  5.4 Private Data (Page 26): "i. In the 'Private Non-Personal Data', as defined in Section 4.4., only such raw / factual data pertaining to a community, that is collected by a private organization may need to be shared, subject to the well-defined grounds (refer to Recommendation 5) at no remuneration"
  The PDPB clause is as follows:
  "91. (1) Nothing in this Act shall prevent the Central Government from framing of any policy for the digital economy, including measures for its growth, security, integrity, prevention of misuse, insofar as such policy do not govern personal data.
  (2) The Central Government may, in consultation with the Authority, direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed.
  Explanation.—For the purposes of this sub-section, the expression "non-personal data" means the data other than personal data."
  Issues:
  1. As per the definition of Data Fiduciary, the State (i.e. the Government) is included, whereas 5.4.i of this framework is restricted to Private Non Personal Data only and not applicable to the other 2 classes of data. Needs to be standardised.
  2. PDP Bill Sec 91 is silent on remuneration, whereas here it is mentioned as with no remuneration. This contradiction is to be removed.
  3. Sec 5.4.i should cross refer to Sec 91 of PDPB as well.
  • 21. G17 - Data Business
  6 Data Business (Page 27): "Create a new category / taxonomy of business called 'Data Business' that collects, process, store, or otherwise manages data, and meets certain threshold criteria."
  4.8. Data Custodian (Page 19): "i. The data custodian undertakes collection, storage, processing, use, etc. of data in a manner that is in the best interest of the data principal."
  4.10. Data Trusts (Page 21): "i. Data trusts are the institutional structures, comprising specific rules and protocols for containing (collecting) and sharing a given set of data."
  Issues:
  1. In 4.10.i there is a typo. It should have been "collecting" and not "containing", as highlighted above.
  2. On page 17 four types of Data Roles are defined, viz. 1) Data Principal 2) Data Custodian 3) Data Trustees and 4) Data Trusts. Which role the Data Business belongs to is not clear. The Data Custodian also collects the data, the Data Trust also collects the data, and the Data Business also collects the data.
  3. Is a Data Trust like an NGO (not for profit) and a Data Business like a company? Need clarity.
  4. Is Data Business like the Significant Data Fiduciary of the PDP Bill, and Data Custodian the superset?
  5. Data sharing also has a lot of impact based on this clarity, as data sharing refers only to the data custodian and not the data business: "iv. If the data custodian refuses to share the request, the request is made to the Non-Personal Data Authority (refer to Chapter 8). The authority evaluates the…" (page 37). It can be interpreted as: Data Business need not share the information.
  6. The National Industries Code should be used in defining the various data businesses.
  • 22. G18 - Uni-regulator

Sec 8.2 (Page 40)
• 8.2. "Ultimately, the Committee felt that the best option is to create a separate Non-Personal Data Authority."

Issues
1. The PDPB defines the regulator as the "Data Protection Authority of India".
• This definition is broad and does not bifurcate between Personal Data and Non-Personal Data.
• Hence it is strongly recommended that we have only one regulator.
• Otherwise it is taxpayers' money wasted for nothing.

Other Industry Experience
• FMC and SEBI: from Day 1, I have been harping upon the need for a uni-regulator, and after 10 years the commodity derivatives moved to SEBI.
• Another example is the Appellate Tribunal for the IT Act, which was merged with TDSAT after ₹ 27 Crores went down the drain (https://thewire.in/banking/tragic-comedic-functioning-indias-cyber-appellate-tribunal).
  • 23. Background of Nanda Mohan Shenoy

• Nanda Mohan Shenoy is a Certified Data Privacy Solutions Engineer (CDPSE) and CISA (both from USA). He also possesses the banking qualification CAIIB from India, and is a Lead Auditor for ISO 27001:2013.
• Banking & Information Security Professional with more than 30 years of BFSI experience and a deep understanding of Business, Operations, Technology, Information/Cyber Security & Privacy.
• Held leadership positions in three different banks: BNP Paribas India, Global Trust Bank and Bharat Overseas Bank.
• One of his latest assignments in the area of Privacy was supporting Bureau Veritas India, the certification body, as a Subject Matter Expert for the ISO 27701:2019 Privacy Information Management System (PIMS) certification of Infosys.
• International Speaker. Contact: nmds@bestfitsolutions.in
• Had submitted feedback on the Sep 2018 version of the PDP Bill.
• Was also part of the NASSCOM Committee in Mumbai.
• The following three recommendations were accepted:
  • (14) "data principal" means the natural person to whom the personal data referred to in sub-clause (28) relates;
  • (26) “Official identifier” means any number, code, or other identifier, including Aadhaar number, assigned to a data principal under a law made by Parliament or any State Legislature which may be used for the purpose of verifying the identity of a data principal
  • (23) "in writing" includes any communication in electronic format as defined in clause (r) of sub-section (1) of section 2 of the Information Technology Act, 2000 - this definition was added
• Submitted 31 gaps to the Parliamentary Committee on PDPB 2019:
  https://www.slideshare.net/NandaMohanShenoy/feedback-on-personal-data-protection-bill-2019
