Transcript for:
GDPR Data Privacy Overview

...little international MNCs, including Big Four firms like EY, and I have been working with Accenture Middle East and other organizations in my past. I work predominantly with the government sector, BFSI, insurance and other specific domains, and have good sectoral knowledge as well. I have credentials including Fellow of Information Privacy (FIP), CIPP/E, CIPM, CISA, Fellow in Privacy Technology from OneTrust, and CSA STAR. These are the different credentials I have, just to give you confidence that you are definitely in safe hands.

So I'll be going through the agenda again in the interest of everyone. Yesterday we covered the introduction to data privacy and an overview of the different IAPP certifications. We discussed why you should do a CIPP and why you should opt for InfosecTrain; I'll again quickly cover those elements today for the new people who have joined. A review of the important topics in the CIPP exam will be the core crux of this entire workshop. We will be starting with three different chapters today. I gave a quick overview of the exam strategy and roadmap; I think we will discuss them in detail today. We will also cover CIPP mock exam questions and a few data privacy interview questions, and I'll be sharing some free templates and resources as part of this workshop. So kindly tune in for all five days of the workshop; I'll be covering different sections of the agenda during those five days.

All right, so today we are at day two, and I'm going to give a quick overview for the people who have joined today. We have different variants of certifications: CIPP, CIPM and CIPT. CIPP is about understanding the different laws around the world, so there are four different variants within CIPP: CIPP/E, which is GDPR and European data protection law; the second variant is CIPP/US; the third variant is CIPP/C (Canada); and the fourth variant is CIPP/A (Asia). We predominantly focus on CIPP/E, which is GDPR, because it's considered the gold standard. If you understand one global data privacy law, it will usually help equip you to interpret any other data privacy law in the world. That is the reason we usually follow the gold standard, which is GDPR. If you understand that law, even with the Indian PDP bill there will only be a 10 to 15 percent variation in terms of terminologies, or there are certain places where a few new terms are introduced, but that's something which is easily adaptable. So that's the reason you should understand one law in detail when it comes to your data privacy career.

The second course is CIPM, Certified Information Privacy Manager. It's the only certification that focuses on your day-to-day data privacy operations: how do you work as a data privacy manager, how do you handle your data privacy program, how do you build a program from scratch starting with your vision, mission, data privacy framework, strategy, operating model, policies and procedures; how do you build a notice; how do you actually manage consent, data subject rights, data breach management, training and awareness. All these things will be discussed as part of your CIPM course.

Finally, CIPT is Certified Information Privacy Technologist. CIPT is a very interesting course for any tech-savvy person who is in the domain of development or is part of building solutions and tools: how do you embed data privacy into the solutioning and the development arena of your organization. It's a benchmark for the professional to validate their knowledge of privacy requirements, so it's an interesting certification for people who are tech-savvy and want to be completely in the technology domain.

FIP is not a certificate, it's an accreditation. If you finish two out of these three certifications then you will be
eligible, and you need to showcase three years of experience plus you need to have some referrals. With that you will be able to get this accredited title of IAPP Fellow of Information Privacy. It's a very prestigious accreditation; it will really demonstrate you and your experience in the data privacy market.

All right, so why InfosecTrain? This is a very important question I have been answering for many people who are opting for this particular training program with us. If you go to any other training institute which provides data privacy training, they generally offer you 12 hours or 14 hours or 16 hours, but at InfosecTrain we provide 32 hours of instructor-led training. That's a clear differentiator. The reason is that the topic we are discussing is very complex; it is a law which we are studying, and we need time to digest the requirements. You need to go back to your drawing board, learn the materials, read the different requirements which I share over the weekend, come back with questions, clarify, and then move on to the next topic. So in this course I'm not just planning to make a candidate pass the exam; I am trying to build a candidate to have a fruitful data privacy journey, or rather I'm making them eligible for a fruitful career in data privacy and data protection. That's a clear differentiator when you come to InfosecTrain. If you come to me and ask, "I just need dumps to clear the exam," definitely InfosecTrain is not the right place for you. We never look into shortcuts; we are always looking for the right way. We want to train you and we want to make you part of a privacy community to grow along with us, and that's the clear differentiator when you come to InfosecTrain. We will always guarantee you the lowest price if you compare in the market, and an approved and certified instructor with FIP; I am an approved IAPP trainer. It's a career-oriented, skill-based course; you will see a lot of industry examples when you come to my course, and these examples are a direct derivation of the challenges people face in their day-to-day work. A mock exam is included as part of the package, and finally, as part of this offering you will get the IAPP ebook, which is the official textbook, and you'll also get the participant guide, which is the day-to-day content we'll be discussing, plus the exam voucher and the one-year IAPP membership. This is all included in the package when you join us with InfosecTrain. If you opt to do it yourself, you are going to pay almost the same fees without the textbook, without the ebook. That is the reason I would say: when I did my certification I didn't go to any training, but I paid almost the same, 800, just to register myself for the exam as well as to pay the certification maintenance fee. Which means getting this training plus the ebook and the IAPP participant guide at a cost which is almost equal to doing it separately is a win-win situation. It's a heavily subsidized price when it comes to the training, so you should definitely look forward to it. I'm not promoting that you should join only InfosecTrain, but I would recommend that you go for such training, because the cost of such training along with all these materials is almost the same cost as when you pay independently to take up this exam.

What is the key differentiator from other vendors? We provide 32 hours of practical and quality preparation with sufficient time for you to understand complex topics; that's a clear differentiator in the market. It's a case study approach: yesterday you would have seen a lot of case studies for each of the topics. That is the way I generally take my sessions; it's not theory. Templates and other useful resources are included as part of the session. I generally share a lot of templates, like how do you build a RoPA, how do you do a PIA or DPIA; I'll share a lot of working documents. And I do conduct a specific exam strategy session and exam support, so I give you clear guidance in terms of how you strategize for the exam, what are the do's and don'ts, and what are the important materials which you need to practice. Finally, I keep supporting as a community. Over the last two years there are a lot of people who have cleared under my guidance, and we work as a community, so we are still in touch; we are all part of the same forum, we help each other, we grow together. That's a wonderful place to be part of if you are going to start your data privacy journey. I do help people who want to shift into the data privacy domain. For people who are just out of college I provide a lot of career guidance, and for people who are shifting after a lot of years of experience, maybe 10 years or 15 years, who want to jump into data privacy, how do they structure their career, I do help them and suggest what are the right steps to take. So these are the clear differentiators when it comes to the InfosecTrain program and what we deliver here.

All right, so this is the exam roadmap which is very specific to the CIPP course, for the people who are joining today; this content was not covered yesterday. This is the exam strategy roadmap which I have prepared for the participants. The first step I would always recommend is to book an exam slot and fix a target date. This itself will actually take care of a majority of your exam-related doubts. Once you have actually booked the exam date, it will give you a lot of clear focus; this gives you fear as well as focus, and it will definitely help you to streamline your efforts as well. Generally people say this itself is 30 percent of success in terms of clearing any certification exam. And don't worry: if you book an exam date you always
have an option to reschedule the exam 48 hours before the exam day. So it's not like if you book the exam date it is irreversible; within the one-year period you can always go back and change the exam date, so don't worry. But booking an exam date will always give you the correct path: how many days you need in hand and how much effort you need to put in. Generally 45 days is what I suggest to the candidates: 30 days of my training and another 15 days for you to practice the Q&A. You can also give the exam within 30 days, but for that you need to put in some extra effort, which means you need to practice the Q&A along with my training, which is very much doable. So 30 days of continuous preparation is definitely sufficient. I have had candidates who cleared in three weeks; the majority of my candidates cleared in four to five weeks. So it is 100 percent doable, just that you need to commit yourself and follow whatever requirements I mention during the training, and it's definitely doable.

So in the first three to four weeks, what are the important requirements? You need to read the official textbook. The official textbook is European Data Protection Law, which is by Eduardo Ustaran, and that textbook should be read along with the materials which I cover during the session, the IAPP participant guide, which we will be discussing in our day-to-day course. We'll be having 11 modules, but there are 18 chapters in the official textbook. Don't worry, all the curriculum is definitely covered in the participant guide which we will be discussing; the only important point is that those 18 chapters are for elaborate reading on the course curriculum. So the only request which I ask of all my candidates is to start reading the textbook from day one, so that after the 30 days you have done the reading and you can directly go for your Q&A. Reading the textbook, listening to my training and going through the participant guide at least once is the minimum task for you to complete in the first three to four weeks.

Now, coming to the practice tests. When it comes to practice tests there is a big myth in the industry, and also there is a lot of misleading information which is available out there. You should not practice any dumps which are free in the market. The reason is they have at least 50 to 60 percent wrong answers; this can be a big problem in corrupting your memory as well as your logic. That's the reason I always recommend: just go for the official practice tests, whichever I recommend. Do not take any other practice test outside, because, I don't know who has done this purposefully, they have 50 to 60 percent wrong answers, and people who believed that just with dumps they could clear the exam have failed miserably. I know so many candidates who took that shortcut. And actually the IAPP is very particular; they are revising the questions and answers continuously. So believe in the right way, and the right effort will definitely fetch you the certification.

I have created a list of practice exams which I recommend for you, in the order which I have mentioned. Start from a foundation level, which is "Crush the GDPR" on Udemy. The second one is Jasper Jacobs' red book on Amazon; all these are available in ePub format for online reading; it comes at, I think, 499 rupees, and you will get all these formats. Then Franklin Phillips' practice exam from Amazon; I think you will get 180 questions. And finally Majid's practice exam from Amazon. Majid's is a bit optional because it's a bit costly; it comes to around 3,500 rupees, but again, it has medium to difficult level questions. So these questions somehow give you a sense of what you can expect in the exam. But there is one important material which all of you should practice, which is your IAPP official Q&A. The IAPP official Q&A is a very, very important material because it gives you a near exam simulation. Those 90 questions you need to purchase from the IAPP, and that gives you perfect clarity in terms of where you stand, whether you are ready for the exam. So if you practice in the same order, you can definitely complete all these elements within one week.

All right, so you must read and be very familiar with the GDPR articles, the actual wordings which are used. The actual legal text of the GDPR is open-source material which is available, and Articles 4 to 50 and 84 to 91 are very, very important. What I generally tell my candidates is: please take a printout of the official text and start making your own notes in that printout. If you start reading it day by day you will definitely get familiar with the actual wordings. You will not be required to memorize all of this content, but for each word which is present in the GDPR articles there is definitely a lot of inference which you need to understand.

There is other open-source material which is available with the IAPP, which is your CIPP body of knowledge, the actual course curriculum which outlines what are the important topics you need to prepare for the exam, and you should make sure you have a fair idea about all the topics. Another clear piece of guidance I give my candidates is that if you open that body of knowledge before the exam, and if you are able to remember each of these topics and are able to speak for 10 to 15 minutes about what this topic is about, that makes it clear that you are in good shape, that you are ready for this exam. That is another way you can evaluate yourself on whether you are ready for this exam. Review the exam blueprint to know the chapter-wise exam weightage; during the five-day workshop, for each of the chapters I also
mention the exam weightage: for each chapter, what is the minimum and maximum number of questions you can expect in the exam. Another important document which I share with you during the entire course is the EDPB guidelines. The EDPB guidelines on controller and processor, GDPR scope, consent, data protection impact assessment, and privacy by design are all very, very important guidelines. They have very good examples, not only from the exam perspective but also from a practical implementation perspective. These are sort of a gold standard when you are preparing for your data privacy certification; let it be any certification, these guidelines are very, very important.

Simulate the exam with the above resources which I mentioned, practicing 90 questions for two and a half hours. This exam is for two and a half hours and there are 90 questions, so whenever you take all these practice exams, don't take 50 questions or 25 questions; always practice in a set of 90 questions for two and a half hours. This will help you to adjust to the exam environment. For people who are not familiar with professional certifications, I would highly recommend all of you to start practicing in this exam mode. The reason is that with these professional certification exams, when you test your questions in silos you will be able to answer, but under a pressure situation for two and a half hours your brain, or your attention span, definitely needs to be improved and get into a mode of answering 90 questions continuously. So you need to train yourself to get into that mode. There are a lot of candidates who do very well when they do 10, 20 or 25 questions, but when they take up 90 questions at a stretch you will feel that you are mentally drained after 50 or 60 questions. So you need to adapt to that model; that's the reason I highly recommend that you take all 90 questions in a two-and-a-half-hour stretch.

Use the Quizlet application; there's a Quizlet app which is available in the Play Store as well as in a web version. Quizlet helps you to remember a lot of important topics; for example, there are six lawful bases, there are seven important data subject rights, and there are six principles. All these things can be remembered handily by using such an application. Read the IAPP glossary and ensure that you remember each and every term which is mentioned as part of the glossary, or are aware of it. Work as a team; discuss your wrong answers and understand the logic behind them. Whenever you give such an exam, it is not important that you scored X percentage; it is important that even for the right answers you understand the logic which was explained in the IAPP official Q&A. You might have chosen an answer with a different logic and got it right, but understand the logic behind each of these questions. That's a very, very important factor. If you make a mistake, that is perfectly fine; all of us made these mistakes before reaching the level we have reached. So make mistakes, understand the logic, correct your understanding behind it; if you do this then you will definitely be ready for the exam. A clear benchmark which I tell all my candidates is to keep a 75 percent benchmark for all the exams. If you reach 70 to 75 percent consistently: 70 percent is a cat on the wall, 75 percent is a clear winning percentage. So if you score 75 percent you are definitely ready for the exam.

In the last two days before the exam, don't take any tests, just revise; that will definitely keep you focused and not create a stressful environment. And as I said, whatever preparation you do, on the D-day it's about how you keep yourself calm, how you are able to read the question, read each and every word, and not make an error in judgment. So it is 50 percent your knowledge and fifty percent presence of mind. If you are able to think on your feet by reading the question and reading every single word (the last word of a question can actually lead to the right answer), that is why you need to be really calm during these professional exams, and that is what is expected from you as a data privacy professional. All right, I hope the exam roadmap helped you. This is my exam strategy from when I did my exam. Pay attention to the details: there are a lot of similarly worded answer choices, so the elimination approach is the best approach. Out of four options, two options will be similar and two options you can easily eliminate. That is the approach I suggest when you are not sure of the answer; definitely go for the elimination approach. If an answer jumps out at you, go with your gut instinct: when you read the question and read the options directly and you see an option, that is the right answer, and 99 percent of the time it remains the right answer. The first reading, with a fresh mind, generally helps you to find the right answer. Don't spend too much time on one question; it's a competitive exam. There are questions which are purposely set to make you spend a long time, because there are two types of questions: a passage question and a factual question. The passage questions contain three to four paragraphs, making you read and spend a lot of time. So don't waste too much time on any question. You have to devise your own strategy, like in the first hour how many questions I'll complete, in the second hour how many questions I'll complete; this is the way you can set your own strategy. For scenario-based questions, try to read the questions before you read the passage. There are three to four different passages, and I would recommend you first read the three or four questions below the passage, then go and read the actual passage. That will help you to scan for the exact content which you need to examine for answering
the question. Don't go back over the questions you have already answered; you have an option to flag questions. The exam is divided into two parts, 45 questions and 45 questions. After you complete the 45th question you will be asked to review the questions which you have flagged or which you have not answered, and once you do that, then only will you be allowed to move to the next section. After the 45th question you get a 15-minute break, and with the 15-minute break you have the option whether to take the break or to go directly to the next section. So you will not be allowed to cross into the next section before completing the first half; that is something which you need to take care of. Also, you will not have that much time to go back and review each and every question which you have already completed, so complete them with confidence.

These are the resources which I would highly recommend for all of you: the official text of the GDPR law, the EDPB and ICO guidelines; from the IAPP you get the body of knowledge, which is the curriculum, the exam blueprint and the certification candidate handbook, which covers whatever we discuss; and European Data Protection, third edition, which is the official textbook. You can also look at overview videos like "GDPR overview in 60 minutes", and there is a CIPP overview which I have provided; you can also check that. And the exam practice which I mentioned already I have summarized here, so these are the different official exam practice materials which you can use for your CIPP practice.

Okay, so this is the exam blueprint. We have 18 chapters, and we have minimum and maximum questions for the different topics, and this will help you to strategize in terms of where you need to focus your attention. Remember one thing: the exam has sectional weightage. You cannot put complete focus only on section two; if you don't get the required percentage for section one or section three, you may still fail the exam. That's a very important point: you need to get the sectional weightage for all of these, so don't focus only on one section; you need to score equally in all three sections. All right, so this is the exam blueprint in terms of what are the minimum and maximum questions which will be covered. Yesterday we started with data protection concepts and territorial scope, and today we will start with the data privacy principles and lawful processing criteria.

We are also launching a CDPO course. The course fee and everything you can check with the sales team, so that you get clarity on that. We are launching a CDPO course, which is Certified Data Protection Officer. This is the agenda of this particular course and these are its different components. It's a completely hands-on course; we will be discussing building the data governance part, how to do manual data discovery, how to build a RoPA, and how to define your retention requirements. We'll be looking into privacy by design and security of processing from a control perspective, assessments like DPIA and PIA, and also looking into third-party assessment (there is an error here; this is actually a legitimate impact assessment), data subject rights management, data breach management, and data transfers, including transfer impact assessment, standard contractual clauses and binding corporate rules, and finally how to build a cookie notice and consent. All these things will be discussed in a hands-on model. It's a 24-hour course, but there is a prerequisite: you should either have completed my training on CIPP/E or CIPM, or have taken a foundation training with us. This is a direct hands-on session, so we will not be covering all the basics in this course; it's a direct course when it goes to... So CDPO is from InfosecTrain; the IAPP doesn't have a CDPO certificate, so you will not be getting an IAPP certificate. This is an InfosecTrain course, and you will be required to clear an exam which will have 50 questions, and you need to score 70 percent to pass the CDPO course. All right, so we also provide a combo course of CIPP plus CDPO or CIPM plus CDPO; these are ideal combinations for you to get a data protection officer role in the market. These are excellent opportunities for you to groom yourself.

We also have a lot of data privacy consulting services running at InfosecTrain. We provide services on data discovery and data classification; compliance assessment, like gap assessment, recommendations and roadmap; privacy program management, building your policies and procedures and creating those templates; cookie compliance assessment, how you evaluate cookie compliance for your website and the different collection endpoints; data inventory, building your RoPA and conducting various data protection assessments and data processing agreements; supporting on data subject rights management; a benchmarking study evaluating the data privacy tools for your organization; and if you need staff augmentation we will also help you with that. So these are the different components where we provide data privacy consulting services. If you need any help for your organization, if you need any support in building your data privacy program, we are always there to help you.

With that, I'll be starting today's agenda on the data processing principles. I will cover the course content now and then move on to the questions later, once I complete the session. So in today's session we're going to look into the data processing principles. So
in the GDPR we have six important principles, which are lawfulness, fairness and transparency; purpose limitation; and so on. Actually there are six principles, and there is one principle which is embedded as part of the data privacy framework, which is accountability. So the seven principles which you need to understand in depth are: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. I'll be giving a lot of examples to understand each of these principles one by one.

What is lawfulness? If you are going to use the six lawful bases which are defined in the GDPR for processing any personal data, then you are following the lawfulness principle. The lawfulness principle is very straightforward: the GDPR has permitted you to process personal data only based on six approved ways, which are called lawful bases; if you do that then you are adhering to the lawfulness principle.

What is fairness and transparency? Fairness means you are processing personal data in the fair way the data subject expects you to. For example, if you are collecting personal data, do not trick a person into giving his personal data. For example, when I go to a website, a lot of times I am tricked into clicking a tick box, or sometimes just scrolling the website is considered deemed consent. These are absolutely not fair processing. And if there is a processing activity that can have a negative impact on the data subject, then it's not considered fair processing. What is considered transparency? Transparency is: whenever you are collecting personal data from any data subject, you need to ensure that the data subject is absolutely clear about the processing activity and has been provided the required information to make a clear decision. So you provide a privacy notice, inform them about the processing activity, what is the purpose, how long you're going to retain it, with whom you're going to disclose the data, whether there is an international data transfer involved, how you are going to protect the data, and what are the rights the data subject has to exercise. If you transparently provide this information, then you are upholding the transparency principle. So this is the first principle of the GDPR.

The second principle is purpose limitation. If you are collecting personal data in an organization, you always map that collection to a particular purpose. For instance, if I go to a showroom to buy a car and I need to fill in my personal information to create a quotation, the information which was shared will be processed so the company can send me some information about the car, whether the car is available, or the next further stages related to the car purchase. If the same information is used for an unrelated purpose, then it is a violation of purpose limitation. For example, if the company decides to sell the data to other agencies, who can send direct marketing messages to that customer, then it's said to be violating purpose limitation. Purpose limitation purely says that if you collect data, stick to that purpose, and do not trick a user by asking them for bundled consent: you don't present 10 purposes and ask for one consent, and you do not use the data for unstated purposes. Whenever an organization collects data there are always a lot of opportunities for them to use it for many purposes, like the company decides to do some analytics and wants to use the data for some direct marketing activities, but you need to check: did we mention these processing activities when we collected the data? Is the data subject aware of it? These are all the important questions we need to answer when it comes to purpose limitation.

The next concept is data minimization. Data minimization is very simple in terms of understanding the necessity, the relevancy and the adequacy. Whenever you are collecting data, you need to ensure that you are collecting an adequate amount of data: do not collect excess data, and do not collect less data than needed to fulfill the processing activity. Second is relevance: if you go to a bank you will generally fill in a KYC document, and the fields which are collected in a KYC document should be absolutely necessary for processing that particular bank account. If there is information collected in the KYC unnecessarily, then it is violating the data minimization principle. So wherever data is going to be collected, you need to see whether relevant and limited data is collected; if you collect excess information, if you collect irrelevant information, then definitely you are violating the data minimization principle. A classical example is using a biometric authentication method in a company for logging into the office. For example, you can have access control, you can have a PIN number for an employee, like dual authentication; you don't need to have biometric authentication at every single place. Whether it makes sense depends on the sensitivity of the activity. For example, in a bank treasury it makes sense for the bank manager or the top management to have biometric authentication to enter the vault; you don't need biometric authentication, for example, in a school to enter the library or to enter the school. You don't need to collect the biometric data, which is your fingerprint. So this is again the data minimization principle in practice: you need to understand the processing activity and you need to collect the data which is adequate, relevant and limited.

The next principle is accuracy: ensure that whatever data is collected is accurate during the entire life cycle. So you need to give provision for the data subject to ensure that the data can be updated during the course of the life cycle. For example, I changed my address, or there is a change in my mobile number or contact details, so there should be provisions available for the data subject to change their personal information. This should be done free of cost and it should be available as an easily available option. That is the accuracy principle.

The storage limitation principle: whenever we are storing data, ensure that the data is stored only until the time limit which is required to fulfill the processing activity. Very simple: if you collect an employee's data, retain the data till the employment ends plus whatever legal mandate you have, maybe five years or 10 years, because there is a legal requirement for employment data to be retained after the employment as well. So it could be employment plus five years; that's the retention period. We need to clearly set a retention period for each and every piece of personal data that is collected in your organization. This is called storage limitation: never store data in excess, never store data beyond the retention period. There are certain exemptions when it comes to storage limitation; we will be discussing all those things in detail during our course.

Integrity and confidentiality is about how you ensure the CIA perspective of your personal data: how do you ensure confidentiality when you're transmitting personal data from one entity to another entity, it could be a controller and processor scenario or a processor to sub-processor scenario, and also ensuring the integrity and availability aspects as well. This is the integrity and confidentiality principle.

Next is accountability. The accountability principle requires an entity to demonstrate accountability in terms of having proper data privacy governance, which is establishing your
policy procedure appointing a DPO maintaining the records which is including your data inventory conducting a dpia right and and also embedding data protection uh By Design requirements into your data life cycle so this is the way you will ensure accountability of an organization with gdpr I hope everyone are able to understand the seven different principles of gdpr XYZ widgets limited collects personal data from users on its website stating that purpose is to enable users to be authenticated to their secure portal the same data is then used by the marketing department to profile site visitor to Target advertising across many different websites so which particular principle is getting violated so this is a very uh exam simulated question you can expect such question in the exam what else purpose limitation and lawfulness is the right answer because you are exceeding the purpose for which you are collected as well as you are not having a proper lawful ground to process the data for other activities right so it is violating both uh lawfulness and purpose limitation so it is not violating integrity and confidentiality in other aspects because it is purely a case of not having a lawful ground and you are exceeding the purpose for which you collected the data right sorry I just scrolled it uh so the second case a gaming company asks data subject to provide their copy of passports and driving license to authenticate data subject to fulfill the data subject rights company never collected this information when the user subscribed to the services so there is a gaming company uh so a data subject wanted to for example they want to delete their information from the gaming company right so they went to fulfill the data subject rights but to fulfill the rights the gaming company is asking please share your passport and driving license to authenticate the data subject so to even fulfill a data subject rights you should always use less intrusive method and never collect excess 
personal information which was not originally with you as part of the collection process. In this case, what principle is being violated? The team says minimization; Yogesh says minimization. I think almost all of you got it correct: it's the data minimization principle that is affected.

Case 3: A bank maintains a customer database with email and postal addresses to provide accurate statements for the financial year to its customers annually. Customers can update their details through an online portal; however, the mailing list is stored on a separate spreadsheet which is updated quarterly. In the last quarter 30 customers updated their address details and 20 updated their contact preferences, stating that they do not want to receive any electronic version of the document or account statement. Due to a staff change there was a manual (human) error: the spreadsheet was not updated for the last quarter, and 30 customers missed out on their statement, with a further 20 receiving a physical version which they had clearly said they didn't want to receive. Accuracy, right. This is a clear case of an accuracy error: the correct data is not being used, and it is also leading to a data breach in terms of availability being in question; the data should have been available to the data subject but was not, and people received a version that is not as per their preference. So the principle being violated is accuracy.

Case 4: An IT company saves the information of candidates who were rejected during interview. They do this for the legitimate interest of not allowing candidates to appear for the same position within a six-month period. The company retained this information for more than six months and used it for blacklisting purposes. The answer is storage limitation, purpose limitation and data minimization, because you have stored the data longer than the actual purpose, which is ideally six months, i.e. beyond the retention period; second, purpose
limitation, because you used the data for an unstated purpose when you collected the data from the candidates; third, you didn't follow the data minimization principle, because you are using it for blacklisting purposes, which is not actually accepted as a legal, sorry, ethical practice as per GDPR. You can never do blacklisting for reasons like candidates failing in an interview. So the three principles affected are storage limitation, purpose limitation and data minimization.

Next case: An e-commerce company on its website uses dark patterns by tricking users into giving consent for marketing cookies. What are dark patterns? You would have seen websites where "Accept" is in very bold and bright colours and the "Reject" or "Deny" is very small or not even visible on the website. There are multiple dark patterns; it's an interesting study where they are trying to trick a user into giving consent. This is called dark patterns. There is a lot of study going on about how users have been tricked visually into compulsorily clicking "Accept all". If you use a dark pattern to trick a data subject into giving consent, which particular principle are we violating? The answer is fairness, because it is definitely violating the fairness principle when the personal data is collected that way.

There is another point: fairness also speaks about when the processing is going to negatively affect a data subject; it is said to be unfair processing. But there are certain exemptions. For example, a bank collects your tax liability and shares that information with the income tax department. This particular processing can have a negative impact, because you might be getting a tax liability from the tax authorities. Or, for example, if you are over-speeding on a motorbike you get a speed challan; you
get a first challan, and in the next two to three days if you again over-speed you may get an aggregated challan, because they have seen your past behaviour and you may get a higher penalty in this case. So even in this case such a processing activity can have a negative impact on you, but these are exemptions when it comes to fairness. For fairness you need to look at whether it is negatively affecting the data subject or tricking a data subject into doing an activity; then it is said to be unfair processing.

Next case: A hospital stores patients' health information in its database in plain text. It also provides telemedicine services where patients can interact online with their doctors, and medicines are prescribed over email. The hospital network was hacked and patient health information was altered to cause reputational damage to the hospital. In this case what principle is being violated? The answer is, right, the integrity and confidentiality principle. That's great.

So this is all about the different principles of GDPR, and these are the exam-simulation questions; you can definitely expect similar questions in the exam. The exam will have four different options, not exactly in this model but in a similar context, and in a similar way it will make you think about which exact principle is being violated. Instead of just one answer here, they will give you four different principles and you need to select the right principle. That will be the exact kind of exam question you can expect. All right, any questions on this? If you have any doubts, please ask.

What is the difference between ISO 27701 (PIMS) and CIPP/E? PIMS is a standard, like ISO 27001; CIPP/E is the study of a legal requirement. There is a law called GDPR, from Article 1 to 99; it's a mandate. If you are an organization established in the EU, you need to follow these requirements as obligations for controllers and processors, whereas 27001 or 27701 is a standard: it
prescribes you a set of controls, and if you fulfill those requirements then you get a certification. For following GDPR you don't get a certification; if you don't follow it you get a penalty, and it can even completely stop your organization from doing business. That's the difference. Standards help you to fulfill legal and regulatory requirements; that is the key difference. 27701 is actually trying to ensure all the components of the law are covered in terms of the obligations of a controller and processor. That's the major difference. Go for CIPP/E instead of 27701; 27701 you can always do in the future when your organization is going to implement it, or if you are going to look for a lead auditor or lead implementer role, then you can go for ISO 27701. The CIPP and CIPM syllabus is also going to change every year; there is a routine change that happens for CIPP and CIPM, so don't worry about it. For the fees part you can reach out to the team. On the recording: yes, you will get it.

What is the data retention applicable for the education sector? It is on a conditional basis, because they may have certain retained students; you need to look at the HR (human resource) department when it comes to an education institution. As I said, your retention period gets affected by legal, regulatory and other contractual requirements as well, so you need to look at that perspective before you define your retention limit.

Can a beginner to the security field take this training and exam? Absolutely yes; many candidates fresh out of college, from engineering or from legal, have cleared the exam with me.

PIMS is a standard; CIPP/E is about studying a law, which is your legal requirement, and ISO facilitates your fulfillment of the legal obligation. So a standard helps you ensure you have your best practices implemented, and one of the first requirements you fulfill as part of any standard is complying with your legal and regulatory requirements, and that is all you study in CIPP/E. So
CIPP/E is non-negotiable, which means if you're an organization operating within GDPR's territorial scope you need to fulfill CIPP/E, sorry, GDPR requirements, but ISO standards are optional; not every organization has a mandate to do a standard like ISO, but it's a best practice, and many governments or many laws in fact now recommend having some baseline standards, so that helps you fulfill your legal and regulatory requirements. All right, I hope that answers all your questions.

Let me move to the next chapter, which is lawful bases. There are six lawful bases for processing personal data within GDPR's material scope. The six lawful bases are: first is consent, second is contract, third is legal obligation, fourth is vital interest, fifth is public interest or public task, and sixth is legitimate interest. Let me explain them one by one.

What is consent? Consent is the foundation for any data privacy law; it empowers the data subject to take his own decision, when he can understand the processing activity and agree to it. That is called consent. If you are collecting personal data from an individual, you need to provide notice, making them understand what this processing activity is about, and then collect their consent in an affirmative way. This is called consent: the individual gets the right to decide whether to give the data or not. There are certain important attributes when it comes to consent. You cannot force a person to give consent; that is the reason in an employment scenario we never consider consent a valid lawful ground, and we generally rely on contract as the lawful ground. That is something very, very important for you to understand. Consent cannot be forced, consent should always have a reversible option, consent should be informed, consent should not be bundled; there are a lot of
attributes which you need to fulfill when you are using consent as a lawful basis.

The second is contract. Contract is very simple: whenever you go to a grocery shop you are going to buy some products, and in this case you are paying for the goods you purchased, and the seller is collecting your information to complete the transaction successfully. As part of this, your personal information is transacted: maybe you are paying by card, or you are asking for home delivery. This is a classic example of a very basic level of contract. Contracts exist both verbally as well as in writing; it is not only a written contract you should think of. Contract is predominantly used for goods and services and also from an employment perspective, and it is the most prevalently used lawful basis for processing personal data.

The third is legal obligation. Whenever the law mandates you to process or collect personal data, you can use legal obligation. A classic example: banks need to collect and share information about your earnings and your credit and debit information with the authorities; this is a legal obligation. Similarly there are so many legal obligations mandated by law that need to be fulfilled; that is legal obligation.

Fourth is vital interest. Vital interest is one of the least used lawful bases; it is used only at times of crisis. Whenever there is a life-and-death situation, only in that situation can you use vital interest. Let me give you an example. If I am injured in an accident and my leg is injured, in this case can I use vital interest? The answer is no: if I am able to speak, I can speak for myself, so you should not use vital interest. But in a situation where a person is in a coma, or in a state where he is not able to speak for himself, then you can look at his
personal data, like getting his blood group, taking his ID card, looking for contact information, informing his company or his close relatives, especially in a hospital scenario; all these things are accepted under vital interest.

The next lawful basis is public task. Again, this is predominantly used by government agencies. The government collects a census; during the COVID situation a lot of health data was collected. For fulfilling all the different services you avail under government schemes you need to share your personal information, and that is done under a valid lawful basis called public task.

The next one is legitimate interest. Legitimate interest is a very tricky area when it comes to lawful bases. Companies can use legitimate interest as a lawful basis for selectively or narrowly interpreted processing activities. Let me give you an example: whenever a candidate joins a company, during the enrollment process you will see there is a background check initiated on the employee; that is an example of legitimate interest. Companies installing CCTV cameras, companies having employee monitoring schemes (for example they monitor your website actions or login/logout times; there are a lot of things they do as part of employee monitoring): these things can fall under legitimate interest. Even direct marketing activities fall under legitimate interest. Under this particular lawful basis you should do clear documentation, which is called a legitimate interest assessment; we call it an LIA. An LIA is clearly needed to demonstrate that you are not misusing this particular lawful basis, and that the data subject should not be able to overpower the legitimate interest using their data subject rights. It's a complicated statement which I said, but it's very simple: when you exercise your data subject rights (we will have a dedicated chapter on this in
the upcoming sessions), one of the rights is the right to object. The right to object can be used if processing is based on certain legitimate interests, like direct marketing, and you need to ensure you are using legitimate interest in a clearly appropriate way. You need to fulfill the necessity, relevancy and adequacy elements when it comes to legitimate interest.

All right, let's move on to the last topic, which is the information provision obligation. This particular chapter covers around five to eight questions, minimum five and maximum eight. This chapter speaks about whenever you are going to give information under data subject rights, or whenever information is collected and you provide this information through your notice: how do you provide this information, how do you ensure transparency, what are the exemptions in terms of providing this obligation, and what are the intersections when it comes to the ePrivacy Directive. I will not be able to cover all these topics; let me try whatever topics are there.

Whenever you are collecting such information you need to look at the mode of collection: are we collecting the data directly, or are we collecting the data indirectly? When the data is collected directly from the data subject, these are the typical pieces of information you need to provide, and when the data is collected indirectly you need to provide all this information plus two more additional items: what is the source of the data, and what are the categories of data you collected.

Let's look at the details which need to be provided whenever you collect information directly from a data subject. First, your identity and the contact details of your data protection officer or a concerned authority (in the Indian scenario you may say a concerned authority or a grievance officer who will be responsible for answering your
questions). Second, what is the purpose of processing, including the lawful basis. We studied that there are six lawful bases, so mention under which lawful basis you are collecting this data: is it a contract, is it a legitimate interest, or is it consent? You need to mention that. The legitimate interests of your company: if it is based on legitimate interest, you clearly need to mention that it is based on legitimate interest, and you need to further specify why it is a legitimate interest. Categories of personal data collected: are we collecting sensitive personal data, are we collecting children's data? We need to clearly mention the categories of personal data. Sorry, what I mentioned there is categories of data subject; to correct that: personal data and sensitive personal data are categories of personal data. Categories of data subject is also important, which means it could be children's data or it could be data of people like the elderly. This is not necessarily in GDPR, but certain regulations are trying to see whether you are collecting vulnerable people's data. Recipients or categories of recipients of this personal data: for example, the data is transferred to a processor, or the data is transferred to any third party in your own environment; then try to list down where the data is being transferred. If the data is bound for any international data transfer, you need to mention that as part of the transfer. What are the security safeguards you have implemented in your organization? How long you will maintain this data, which is the retention period. Existence of data subject rights: what are the different rights available for the data subjects? Right to withdraw consent, where relevant: for example, if the processing is based on consent you need to mention that you can withdraw your consent at any point of time. Right to lodge a complaint with the supervisory authority: this is specific to the European
Union scenario; you always have a right, if you feel something is wrong, to go to the supervisory authority and inform them that this is not right. Data source: what is the data source? For example, if this is indirectly collected, then you mention that. Statutory and contractual obligation and consequences: for example, what are the obligations of the controller regarding this particular processing activity. These are the certain pieces of information which you need to provide.

There are different modes of providing this information. The information has to be structured in a privacy notice, and there is a classic problem of privacy notices being very legal and heavily worded. That's a challenge, and GDPR has understood this challenge and said that whenever you are developing such a notice you need to ensure the readers are able to understand it. They have suggested, for example, that you can offer a layered notice, which is dividing the content of the privacy notice into a high-level first layer, which is the purpose of processing and the contact details of the controller, and then move on to the next sections, like the data disclosures in terms of the controls and the retention period, and then finally go into the fine print of the requirements mentioned in this table. This is called a layered notice. You can also go for other innovative ways; for example, if you go to, I think, Twitter or Facebook, they have come up with gamification for the privacy notice: you can actually play it as a game to understand how they process your personal data. These are some of the innovative ways you can do a privacy notice. Especially when you are collecting children's personal data, you need to be aware that the children are able to understand the processing activity, so your terms should be very simply worded and they
should be clear, instead of legal jargon. This is something you need to be mindful of, and look at different formats: for example, if you are presenting a privacy notice on a mobile you need to look at innovative ways. For example, in the diagram mentioned, the ICO suggested bringing in icons to demonstrate the majority of the information along with a tagline, so whenever the user is interested in any particular section let them go into detail, but don't dump all the information on them like a 10 to 15 page privacy notice; no one will be interested to read such a detailed privacy notice, correct, except the lawyer friends who are in the session. This is something we should be absolutely mindful of.

This is consent; I am borrowing it from the Privacy by Design training institute. Consent attributes we discussed already: consent should be freely given, informed, specific, and granular in its requests. There is active consent versus passive consent, which I told you about: there should be something like ticking a box saying yes, or confirming by email. Passive consent is your implicit consent; passive consent is not accepted in GDPR. We should be clear about that and look into deceptive and manipulative design; this is the dark patterns which I mentioned to you during those topics, when we discussed psychological techniques to nudge and manipulate, or coerce, or otherwise claim that permission has been obtained. An example is when you log into a website and just by scrolling it they say you have consented; that's a clear deceptive pattern.

A supervisory authority is an independent body; it is a legally independent body, appointed based on the law. Every member state in the European Union has a supervisory authority, and they are supervised by a body called the EDPB, the European Data Protection Board. We will discuss these in the exclusive chapter in Section One, and
in India also we are setting up a separate supervisory authority.

Consent: explicit consent, implicit consent and implied consent. Explicit consent is when a user takes an affirmative action. Implicit consent is like, we understand, for example when you came into this session you gave your personal details; it is a sort of implied consent, and implicit consent is also very close to it. Implicit consent involves an affirmative action on the part of the grantor but is heavily influenced by the context, for example uploading a picture of themselves to a forum for free stock photos. And implied consent is when you passively grant your permission as part of an activity, just because you are part of that particular action: a celebrity walking on the red carpet to the premiere of a movie obviously implies that there are going to be people taking photos. So it's implied consent that when you do this activity, as part of that, you understand there is certain personal information that is going to be given away. For example, when I gave this particular webinar I gave out a lot of personal information about me, so it is understood that I have given implied consent for this particular activity.

Opt-in versus opt-out: opt-in is very clear, which I explained to you, by doing a clear action, and opt-out is you need to remove the tick mark which is there in the check box; that is opt-out consent. Double opt-in is not applicable in GDPR; double opt-in is like you need to do two sets of actions to confirm and give an opt-in. There are other ways: for example, the right-hand side of this particular image shows you what is valid consent and what is invalid consent, for example giving both options of declining and accepting, and also taking an audit trail of consenting, which I understood. So for example, even the
majority of websites in the European Union still have problems when designing a cookie banner. You need to provide all the different styles of cookies which are collected; there are different categories of cookies, like analytical cookies and marketing cookies. You need to list what are the different categories of cookies present on the website and then give the user the option to selectively give their preference for each of the categories. These are things which are essentially required by GDPR, but there are a lot of things going on in that particular domain of cookie consent and cookie monitoring; it's an evolving domain. Again, there are a lot of design factors involved, and companies are now streamlining how a cookie banner is designed. All right, that sums up this chapter.

The final chapter which we are going to discuss today is data subject rights. On data subject rights there are a minimum of eight questions and a maximum of eleven questions. There are eight data subject rights; we will look at them one by one. The first is the right to information: under the right to information, for any processing activity you can get a sort of confirmation whether you are processing my personal data or not. Right to access is very simple: you can get a copy of your personal data, whichever is being processed by the organization. Right to rectification is whenever you are requesting your personal data to be changed; that is related to the accuracy principle; that is rectification. Right to erasure is a very interesting data subject right: you want the personal data to be deleted from the organization. Understand that the right to erasure is not an absolute right; you need to look at, for example, the right-hand side table, which gives you the interplay between data subject rights and the lawful bases. You cannot use erasure for all the lawful bases; you can use it when it
is based on consent and contract, or legitimate interest or vital interest. You cannot use erasure when it is based on legal obligation or public task. These interplays are very, very important when it comes to the exam; we will discuss them in detail during my course.

Right to restrict processing: whenever the accuracy of processing is contested, or when the lawful basis is not accurate, you are demanding that the company not further process my personal data until there is a clarification. You have a disputed case and you are awaiting a judgment; in that case you can ask the company to put a pause on processing. That is called the right to restriction.

Right to portability: for example, you are with one insurance company and you want to transfer your personal data when you are moving to another insurance company, so instead of creating one more digital footprint you can ask the existing company to share your KYC form with the next company. This is called data portability. It is very rarely used; now people are becoming aware of this particular right. The intention is to reduce the digital footprint of your personal data.

Right to object is for certain categories, like public interest and legitimate interest; you can use your right to object, which is objecting to the personal data processing, and it is the responsibility of the organization to prove that it is a valid legitimate interest or a valid public task. Basically it has to overpower the data subject's right to object; only then will it stand valid. So you need to do appropriate documentation and give a justification whenever a data subject raises the right to object.

The final one is the right against automated decision-making. What is automated decision-making? For example, if you apply for a bank loan or a credit card, there could be an automated system to
measure your creditworthiness. The system measures based on the input details provided, and it could give you a credit score, and the credit score can be used to take a decision in terms of giving you a loan or a credit card. This is called automated decision-making: when there is decision-making done purely by a system and it has a legal impact on the data subject, then there is a right under GDPR to ask the company not to subject you to such automated decision-making. This needs to be clearly informed in the notice: you mention that there is a processing activity that involves automated decision-making.

This interplay between your data subject rights and the different lawful bases is a very important area for questions, so kindly pay attention to it and understand it very clearly. When it is based on consent you cannot exercise the right to object, because you gave the permission for the processing activity; you cannot object to it later, it doesn't make sense. That's the reason you cannot raise the right to object when it is based on consent, but what you can simply do is withdraw your consent; that's the easiest way to object. In contract, again, you understood the terms and conditions and then entered the contract, so you cannot object to it later. The third is legal obligation: under legal obligation it's a big no-no, because it's a legal requirement; you don't have the option of any of these rights. Vital interest: you can ask for erasure of the data once you are well and you don't want the data to be kept with the hospitals, then you can obviously raise this erasure request, but the hospitals will again be bound by certain regulatory requirements; and you cannot actually use it for data portability or the right to object, it's not even a valid possibility. Public task: again you have very limited rights; you cannot raise erasure or portability, but you can object to certain public tasks, for example
certain public task needs to be demonstrated during covet situation uh there's a lot of personal information was used by the authorities certain level of such activities you could object that you are not comfortable to provide such information for certain uh like your genome related activity uh personal data you might be not comfortable right so you can object to certain activities and it is the responsibility of the government to demonstrate why it is a vital or important public task and the last is legitimate interest you cannot quote a data under legitimate interest but you can always request for Erasure and objection