The world was converging to global privacy legislation after GDPR. We thought country after country will adapt the GDPR legislation. However, all is not well with GDPR in recent years. #PrivacyNama2021
Privacy is not just legal requirement. It is a company policy. #IdrissKechida #Match #PrivacyNama2021
Legal background is not sufficient to give the skill set to be the chief privacy officer. No aspect of organisation that does not involve data. They should be excellent communicators. #JustinWeiss #NaspersProsus #PrivacyNama2021
One has to look after legal compliance. It requires wide range of skills. I would encourage to think about it from a wide perspective. At the end of the day, you have to do all of these things well #JustinWeiss #NaspersProsus #PrivacyNama2021
The role is to provide assurance to the management that data privacy compliance is met. There are additional safeguards by data protection laws. The role is not regulatory. #SrinivasPoosarla #Infosys #PrivacyNama2021
It is a techno-legal function. The role continues to remain advisory. We never get into implementing things. The significance of independence is becoming important. #SrinivasPoosarla #Infosys #PrivacyNama2021
For privacy, an important aspect is that we do not know the enemy as it is an unknown hacker. Data privacy world, the ones who are adversary, is from within the organisation. The role of CPO is one where you require a balancing act #SrinivasPoosarla #Infosys #PrivacyNama2021
There is a great amount of requirement of independence and autonomy. Many organisations do not think privacy strategy. One needs a privacy strategy. It is important for industry which consumes data as raw material. #SrinivasPoosarla #Infosys #PrivacyNama2021
You have to embed the strategy with your risk appetite. Some companies won't take that risk. #SrinivasPoosarla #Infosys #PrivacyNama2021
Companies think of privacy issues as a risk. When you do that, you might assume, running a privacy program is like running other departments which are risky. #JustinWeiss #NaspersProsus #PrivacyNama2021
I do not think the way data protection legislation operates, it is not a check list of yes and nos. It is usually how. The privacy leader has a whole bag of tricks to explain things. It could be suite of data minimisation tools. #JustinWeiss #NaspersProsus #PrivacyNama2021
At some point, there are trade-offs. You need to make sure to have sponsorship from the highest level of the organisation. I think CPOs are fortunate depending upon the company they are in #IdrissKechida #NaspersProsus #PrivacyNama2021
Do not copy your structure. It depends on where the company is. One needs to ascertain what is legal and compliance. The smaller you are, the less you are able to differentiate the role. That's fine in the beginning of the journey. #IdrissKechida #NaspersProsus #PrivacyNama2021
Most countries have data subject rights. The effectiveness lies in listening to these demands. #SrinivasPoosarla #Infosys #PrivacyNama2021
No one wants to be under the eyes of the regulator. Companies will comply and solve complaints filed with them because of that. It's not that DPA is shifting burden. - Idriss Kechida (Match Group) #PrivacyNama2021
How large must internal data protection teams be for companies? - You could have everything centralized and a massive privacy team or you could have individual teams who are trained to apply the data protection legislation. - Idriss Kechida (Match Group) #PrivacyNama2021
Right to be forgotten made a huge impact in Google case. And then GDPR came. It is not absolute right, must be balanced with other factors. - Srinivas Poosarla (Infosys) #PrivacyNama2021
Starting point in complying with new data rules: The first step is the CEO themselves and the executive team. You explain to them the full range of activities that will occur. They will do what is necessary to give you resources. Justin Weiss (Naspers-Prosus) #PrivacyNama2021
Then you have to have a playbook. Good news is other companies have already done this and there is enough commonality that you can have an Ikea toolkit. - Justin Weiss (Naspers-Prosus) #PrivacyNama2021
What occupies the most time for orgs? It is training. Training isn't just once per year. You are in the weed w each dept figuring out what they can do for privacy. So that there can be privacy by design. - Justin Weiss (Naspers-Prosus) #PrivacyNama2021
In my team I have privacy counsels and privacy managers that take projects and go through the finish line. This takes time and resources. - Idriss Kechida (Match Group) #PrivacyNama2021
What budget should be set aside for data protection teams within companies? - I consider it in categories: at least one person (salary is mid-level lawyer), cost of automation (annual licenses), and costs involved for training. - Justin (Naspers-Prosus) #PrivacyNama2021
No straightforward answer in how many people are required or what budget. Consumer facing orgs will need more. If you're constantly adding new features, then risk assessments for privacy is a major cost. Srinivas Poosarla (Infosys) #PrivacyNama2021
If we have 100 jurisdictions with 100 different privacy laws? How will companies and products that are global comply? - #PrivacyNama2021
There are lots of overlap between legislations. My company we go for global standards that map principles of multiple jurisdictions. Only time there are issues is if there is conflicting legislation, which is not often. - Srinivas Poosarla (Infosys) #PrivacyNama2021
Ninety percent of what people around the world expect as privacy overlaps. But even if you build something that is global that very same feature might be experienced differently by diff regions. - Justin Weiss (Naspers-Prosus) #PrivacyNama2021
To close this session: What are your expectations and thoughts on India's upcoming privacy law (PDP Bill)? - #PrivacyNama2021
Setting standard for foreign countries (adequacy requirements) in the bill is not very helpful. In Europe this posed problems. Avoid the rigidity of language in the law that restricts data flows. - Justin Weiss (Naspers-Prosus) #PrivacyNama2021
Safety and competition. Hope the new law takes this into account. - Idriss Kechida (Match Group) #PrivacyNama2021
Our bill has embodied best practices from the world and adapted it for our cultures. Some areas where I see possibility of improvement is consent and localization aspects. Localization should be kept separate from this law. - Srinivas Poosarla (Infosys) #PrivacyNama2021
We went into a rabbit hole just as we expected. Probably one of the most substantial conversations that has gone into the gritty-nitty of what's next. - @PrivacyNama2021
And that’s a wrap! Thank you for joining us for our inaugural PrivacyNama conference. #PrivacyNama2021
We’d like to thank Facebook, Flipkart, Internet Society, Mozilla, Mobile Premier League, Omidyar Network, Paytm, Star India and Xiaomi for their support for this discussion. #PrivacyNama2021
We are also thankful to our community partners, the CyberBRICS Project, Centre for Internet and Society and Centre for Communication Governance (NLU Delhi), for their help in putting together this programme. #PrivacyNama2021
We hope to see you again next year! Hopefully, in-person and after the PDP bill has passed. In case you wish to revisit day 2 sessions, it’s available at youtu.be/YiQ1utjiBSo #PrivacyNama2021
