What Is The Work Like in Data Protection and Privacy Management - Who Can Do This Work

Uploaded by

yatishfinance
What is the work like in data protection and privacy management? Who can do this work?

Bootcamp on International Career in Data Protection and Privacy Management

© Addictive Learning Technology Pvt. Ltd.


Any unauthorized use, circulation or reproduction
shall attract suitable action under applicable law.
Data protection and privacy management work is divided into 7 categories.

Let us see what the work is and who the best professionals suited to perform the work:

1. Development of software, apps and user interfaces to ensure that the principles for
data protection and privacy are implemented at the front end and backend

Engineers, developers, including UI/UX teams, product managers - many of them continue to
utilise privacy knowledge in their existing roles while others later branch out as privacy
engineers once the company sets up a dedicated privacy team

2. Privacy management work

This is the core work for compliance professionals, MBAs. Trained B.Com grads can do it too.

Organisations have a vertical called Governance, Risk and Compliance (GRC), Risk Advisory
or Risk Management which is involved in this work.

Privacy management and administrative work is the most resource-intensive work, involving
team members from various teams.

This work involves strategy formation, planning, coordination, measurement, reporting and
management.

● Preparation of a business plan justifying the preparation, management and costs of a
privacy program
● Secure management approval and funding to develop the plan, based on the business
plan
● Develop the privacy program and establish a project plan with objectives, target dates
and actions
● Create an internal privacy team with representation from IT, legal, risk management,
business unit leaders and other appropriate members
● Creation of a team of external advisors with expertise in creating privacy programs
● Establish an annual schedule of privacy activities and a plan for rollout
● Develop a privacy risk management process and create incident-based, one-time
and annual reporting processes for senior management, regulatory and other
government agencies, if required

● Post-rollout evaluations, and progress reporting to management
● Ensuring that adequate data protection and privacy management systems and controls
are in place within the company - e.g. controls for differentiating between business and
personal information
● Creation of processes for reporting and dealing with breaches, such as incident
response and risk management, and reporting for senior management
● Testing the privacy plan, reviewing its effectiveness, identifying areas for improvement,
interviewing stakeholders and taking their feedback

This can be performed by a professional from any background, i.e. CAs, CS, MBAs, lawyers,
HR managers, commerce students and grads, etc. if they are trained in this work

3. Administrative work:

● Creation and administration of internal policies, privacy notices, cookie policies, data
retention policy, etc.
● Record-keeping and data mapping
● Dealing with data subject access requests and reporting to the authorities about
contentious issues and the DSR non-compliance register
● Executing standardised data protection addendums for transfer of data, local and
international transfers
● Conducting inspections of all physical locations + devices (especially vulnerable
locations) where employees access personal data - here are some red flags:
  ○ Mentioning customer details over a phone call from the office cafeteria where others
  can overhear you
  ○ Writing passwords on stickies/post-its pasted on your work desk
  ○ Leaving the work laptop unattended at home in an unlocked state (if client data is
  accessible)
● Execution of data protection impact assessments - this work involves understanding
data flow through the following:
  ○ Identification of which data is collected at different stages in the user’s lifecycle of an
  app - e.g. Uber
  ○ Internal business functions and teams through which data is passed, e.g. from
  marketing to sales, to finance & billing, to delivery, to upselling, and back to marketing
  (e.g. for success stories), etc.
  ○ Products and services (software, apps, third-party APIs used in the process) that pull
  and push data, including third parties that data is shared with
  ○ Record of physical location where such data is stored throughout the lifecycle, and who
  has control over such physical + cloud locations - this is very important because
  businesses have moved to the cloud
● Cyber Security Assessments from Tech teams

Anyone can do this work. For example, here is a simple data flow diagram that shows how
information flows to different parties when a book is ordered:

Is there any specific category of professionals who are best positioned to do this work? No,
anyone who learns this work can perform such tasks.

4. Privacy compliance work

● Ensuring compliance with various policies and legal requirements
● Checking that there is a valid basis for collection of user data and processing - either
contractual or otherwise under data protection law
● Compliance with data localization requirements
● Decision-making on fresh DPIAs when there is a new way in which data is being dealt
with
● Breach disclosures
● Data mapping
● Data discovery
● Data transfer compliances and permissions
● Reassessment
● Various kinds of data, privacy and ISO audits

Anyone who learns this work can do it, and CAs, CS, lawyers and HR professionals who work
in payroll can take up this work as they are already performing compliance work.

● Conducting trainings for relevant stakeholders in the organisation - commerce
students, HR professionals can also do it
● Establish and deploy an employee awareness and training program
● Conducting general and specific trainings for different categories of employees
● Tech teams need to be trained on data deletion within specific timelines from all
locations and databases
● Sales teams, for example, cannot reroute a customer to some other company or friend
or acquaintance
● HR teams cannot retain the CV details of candidates for an unlimited time
● Marketing teams should be aware that they have to stop sending promotional messages
once they receive a request from the customer in that regard. They also have to respect the
jurisdictional Do Not Disturb (DND) Rules.
● In the absence of this specific training, the company might be fined for violating these
norms.
● Creating trainings for new hires
● Refresher trainings and updates for existing employees
● Record-keeping
● Ongoing reminders to all employees and third parties about the importance of
information privacy, issuing updates based on new developments and scenarios, etc.
● Administration of online tests, etc.

6. Routine drafting and negotiation work such as negotiating data processing
addendums - Anyone who is trained can do this work

7. Legal work - complex drafting, interventions during a negotiation, issuing a legal opinion,
working on disputes with third parties or regulators, arguing before regulatory authorities - this is
the only work that lawyers are specifically equipped to do
