Organizations desire to adopt best practices around data which are aligned with the risk management approaches they have in place. With increasing complexity around privacy and data security, it is necessary to gain a deep understanding of the strategic directions adopted at some of the leading organizations in India. With this intent, the Privacy Mode Fellowship programme was put together to work with practitioners who document easily adopted practices that are flexible and are based on well understood design principles. The Best Practices Guides provide a quick introduction to some of the topics which receive a lot of attention.
The Privacy Mode Fellowship programme considered the following themes while publishing the Call for Submissions:
- Data protection/security practices.
- Consent frameworks tied to purpose use limitations.
- Data rights.
- Encryption practices.
The fellows selected for the programme were:
- Ankita Roychoudhury and Yashodhara Shukla, Frappe Technologies Private Ltd.
- Pratyush Pullela, Doosra, Ten20 Infomedia Pvt. Ltd.
- Rohan Verma, Zerodha Broking Ltd.
- Sathish KS, Zeotap
The following abstracts provide an insight into the topics covered by them. The abstracts are linked to the complete reports:
- Frappe: GDPR Compliance for ERP
- Doosra: Protecting your mobile number
- Zerodha: Data protection, security and privacy practices
- Zeotap: Privacy in Data as a Service (DaaS) business
Programme team:
- Anwesha Sen - Programme Coordinator
- S Kannan - Technical Writer
- Anish T P - Illustrations
- Stephanie Browne - Product Support
- David Timethy - Administration
View the acceptance criteria for the fellowship programme 👉 here
GDPR & Compliance For Data Business
Statement of Intent & Purpose
I had the opportunity to closely work with various stakeholders to ensure the privacy and “Governance, Risk & Compliance” posture of my company Zeotap was adequate to enable our data business in the EU and US. This was by virtue of my position as current CTO and past VP of Engineering at Zeotap. Zeotap has two offerings: one is Data-as-a-Service and the other is a data platform offered as SaaS. The former is pure third-party data, and the latter has flavours of pure first-party data as well as a combination of first- and third-party data. Operating in the EU means we had to adhere to GDPR regulations and have the necessary measures across the organisation for the same. When CCPA was established, the measures we had taken for GDPR gave us an easy transition to compliance with CCPA as well.
To tackle GDPR we took a product-centric approach with a longer-term vision around reusing the bits for future compliance regulations, whether they are country-specific or vertical-specific. The goal was to have a system in place which delivered the flexibility to extend to new types of regulations and data assets we may get.
The first step of the detailing would be around how the regulations were broken down into specific use cases, including sensitive data management, PII management, consent management, user information management, access rights, audit needs and so on. Next comes the tech design to realize all the use cases, which included our infra, data storage and processing applications with the necessary modules to realize the product use cases.
During this fellowship we want to go over the internals of this use case, especially the people-centric data collected by the business, and give practical examples of how these were solved. We go over the scenarios around data flows and the challenges they present in solving for regulations and privacy. This would draw across principles from privacy engineering, security, data governance and infrastructure design in the cloud. We would add the relevant cross-references to these principles so that practitioners could connect them with, say, a control requirement for an audit.
Then we move on to the second business, the data platform SaaS business, wherein multi-tenancy around data sovereignty and more vertical-specific extensions come into play, and we will see how you transform your approach to cater to this added complexity. In this model, certain elements in terms of access control rights, tenancy around storage, and client-specific needs around data catalog and PII data management all come into play. We will look at the evolution of the same from a product and tech perspective.
The deep-dive during the above is going to be about where we, as a company, had to invest in terms of additional entity models, the services/processing which needed to be created, and how these translate or get plugged into products delivering business value.
The example architectures and solution design can be used as a reference implementation on any cloud-based technology stack.
In the end we find parallels between existing regulations and the proposed PDP bill and look at cross-fitting and extending the approaches to aid in compliance with the same.