Privacy Mode fellowship programme

Documenting privacy best practices in industry

Ankita Roychoudhury & Yashodhara Shukla

@Frappetech

Practices to ensure data protection, and the adoption of security best practices to prevent data breaches.

Submitted Jan 31, 2022

STATEMENT OF PURPOSE
Privacy is recognised as one of the most important rights conferred on citizens in the present century. In India, privacy was recognised as a fundamental right within the contours of Article 21 in the landmark judgement of K.S. Puttaswamy v Union of India. The aftermath of this led to the formation of the Joint Parliamentary Committee headed by Justice Srikrishna for drafting the Personal Data Protection Bill. The Personal Data Protection Bill, now known as the Data Protection Bill, derives inspiration from the General Data Protection Regulation (“GDPR”). The GDPR is the leading privacy legislation and has acted as a touchstone for almost all newly drafted data privacy legislation.
Through the project we wish to undertake for this fellowship programme, we intend to describe the practices that a SaaS (Software as a Service) company in particular must follow in order to satisfy the GDPR requirements. GDPR applies to companies that interact with EU citizens, operate in the European Economic Area (“EEA”), employ EU citizens, or engage with companies that engage with EU citizens, which greatly widens the ambit of its applicability. Through this project we shall set out the practical steps we took, including but not limited to drafting a suitable Cookie Policy, Privacy Policy and Data Processing Agreements, the organisational and technical measures adopted, data breach management, and their implementation, so as to demonstrate compliance with the GDPR provisions in substance and not merely in form. The project will provide tailored answers to the “most frequently asked questions” on GDPR compliance that a SaaS company may encounter while managing data breaches. We will describe the challenges encountered during the process and, most importantly, how to tackle them in order to build a robust and resilient infrastructure with the data protection principles prescribed in the GDPR enshrined within it.
We see the project becoming tangible in the form of a 2,000-word article, which shall be completed in accordance with the milestones prescribed as under:

Milestone 1:- Drafting a proper Privacy Policy and Cookie Policy for the product. [By 28th February 2022]
Drafting a proper Privacy Policy and Cookie Policy achieves the basic compliance that the legislation demands and establishes congruence with it. As a company that provides Software as a Service and also provides services via its other verticals, such as Frappe School, we shall provide a comprehensive account attuned to the requirements of a company with a business model similar to ours, and also discuss the relevance of the Cookie Policy while commenting on the requirement of a cookie banner and how to manage it.

Milestone 2:- Adoption of a proper Access Control Policy within the organisation. [By 15th March 2022] As an open source Enterprise Resource Planning (“ERP”) solutions company, we face a deep challenge in providing proper and adequate access controls in our systems. Access control plays a vital role in preventing data breaches and is adopted as an important security practice among companies. Under the project, we will address the issue of access control within the company and adopt the best industry practice to ensure data security and prevent data breaches within the company.

Milestone 3:- Adoption of a Data Retention Policy within the organisation. [By 30th March 2022] As an ERP solutions company, we provide ERP through our cloud services, which means we retain a large amount of data belonging to our customers and our customers’ customers; for this we are devising a proper data retention policy within the company. This policy shall be an internal document that the company must abide by when a customer requests the deletion of their account or of any of the data that we hold on their behalf. Under the project, we will draft the data retention policy adopted by the company (i.e. within how many days we shall delete a particular kind of data, and related details) and devise a mechanism within the company to ensure that all departments are aware that such a request has been raised by the customer. The project will enumerate the step-by-step procedure adopted under this policy for dealing with such customer requests.

Milestone 4:- Adopting a proper Backup Policy. [By 10th April 2022] Devising a proper backup policy and conducting backups regularly is one of the major courses of action to prevent loss of data. Since we provide ERP on our cloud services, it is pertinent to devise a proper backup policy that sets out the process for carrying out backups that can be used to restore lost or corrupted data, which ultimately lessens the financial blow to the organisation. In this project, we will highlight the measures we have adopted in our Backup Policy so that we minimise the loss of data as far as possible.

Milestone 5:- Data Portability. [By 20th April 2022] Data portability is an important requirement for many SaaS companies. It means the ability to move data between different environments and software applications. Very often, data portability means the ability to move data between on-premises data centres and the public cloud, and between different cloud providers. In this project, we will highlight how we offer the right to data portability to our customers.

Milestone 6:- Final conclusion and findings. [By 30th April 2022]
The project will conclude with suggestions from our end as to what can be improved, where, and how the legal lacunae can be dealt with for a holistic data privacy regime.
