DATA PRIVACY GUIDE


What’s the Difference Between a Data Protection Policy and a Privacy Policy?

A privacy policy is a public-facing document that explains to customers how the organization collects and processes their
personal data. Organizations subject to privacy regulations are required to publish one.

A data protection policy is an internal document that sets out the organization's rules for handling personal data. It is
made available to company employees, and to any third parties, responsible for handling or processing sensitive data.

Data protection and privacy are often used interchangeably, but they have some key differences:
• Data privacy: Defines who has access to data.
• Data protection: Provides tools and policies to restrict access to data.

• Data privacy
Data privacy is the right to control who gets to see your personal information, such as credit card numbers and bank
account balances. It focuses on how data is collected, used, and shared, and on the rights of individuals regarding their
personal information. Data privacy is concerned with the policies and regulations that dictate how institutions handle
data.
• Data security
Data security focuses on protecting data from unauthorized access, use, disclosure, loss, disruption, modification or
corruption. It relies on security controls and defensive mechanisms, such as encryption, hashing, and
tokenization.

Key Elements to Include in Your Data Protection Policy


Scope

Definitions

GDPR Principles

• Lawfulness, fairness, and transparency:

• Purpose limitation:

• Data minimization:

• Accuracy:

• Storage limitation:

• Integrity and confidentiality:

• Accountability:

Lawful Processing of Data: The policy should clearly outline the lawful bases for

How We Collect and Use Your Personal Data

Data Breach Notification Procedures: Article 33 of the GDPR requires the controller to notify the relevant supervisory
authority within 72 hours. If notification is not made within 72 hours, it must be accompanied by the reasons for the
delay. Internally, contact the data protection officer (DPO) and the relevant partner, customer, vendor or line manager
in your office without delay.

Rights of Data Subjects: Chapter 3 (Articles 12-23)

• Right to be informed: Data subjects have the right to know what personal data is being collected, how it's
being used, and how long it will be kept.

• Right of access: Data subjects can request a copy of their personal data and other information about it.

• Right to rectification: Data subjects can request that inaccurate or outdated personal information be
corrected.

• Right to erasure: Data subjects can request that their personal data be deleted.

• Right to restrict processing: Data subjects can restrict how their personal data is processed.

• Right to data portability: Data subjects can have their personal data transferred to another entity.

• Right to object: Data subjects can object to how their personal data is being processed.

• Right to withdraw consent: Data subjects can withdraw their consent to the processing of their personal
data at any time.

File Storage and Security


Duration of Storage
Use of Cookies and Other Trackers
Personal Data Collected From Third Parties
Transfer of Personal Data to Third Countries
Cross-border data transfer in the GDPR: Chapter 5 (Articles 44-50)
• Adequacy decisions
The European Commission can decide that a third country offers an adequate level of protection for
personal data. This means that data can be transferred to that country without additional conditions or
safeguards for the data exporter.
• Safeguards
If there is no adequacy decision, the data exporter can still transfer data if it provides appropriate
safeguards. These safeguards can include:
• Standard contractual clauses (SCCs)
• Binding corporate rules (BCRs): data protection policies adhered to by companies established in the EU
for transfers of personal data outside the EU within a group of undertakings or enterprises.
BCRs are legally binding and enforceable internal rules and policies for data transfers
within multinational group companies and work in a way somewhat similar to an internal
code of conduct. They allow multinational companies to transfer personal data
internationally within the same corporate group to countries that do not provide an
adequate level of protection for personal data as required under the GDPR.
• Codes of conduct
• Certification of data processing procedures

Duties of a GDPR Data Controller (Article 24)


• Take into account the purpose, nature, context, and scope of any data processing activities.
• Consider the likelihood and severity of any risk to the rights and freedoms of natural persons.
• Implement appropriate organizational, technical and security measures that
demonstrate that the data processing activities have been performed in accordance with the GDPR.
• Review and update these measures where necessary.
• Demonstrate lawfulness, fairness and transparency, accuracy, data minimization,
storage limitation, and the integrity and confidentiality of personal data.
Data privacy impact assessments (DPIAs) (Article 35)
A DPIA is a risk assessment designed to help organizations identify, analyze, and minimize the
privacy risks that come with collecting, processing, using, storing, and sharing user data.
It is required when processing personal data is likely to result in a high risk to the rights and freedoms of
individuals.
• Step 1: Identify the need for a DPIA. Triggers include any major project that involves the use of personal data,
processing that appears on the list of processing types that automatically require a
DPIA, or the introduction of a new data processing technology.
• Step 2: Describe the processing: collection, storage, usage, access and retention period.
• Step 3: Consider consultation.
• Step 4: Assess necessity and proportionality.
• Step 5: Identify and assess risks.
• Step 6: Identify measures to mitigate the risks.
• Step 7: Sign off and record outcomes.

Penalties

The General Data Protection Regulation (GDPR) has two levels of penalties for violations:

• Less severe violations

Up to €10 million or 2% of the organization's annual revenue, whichever is greater

• More severe violations

Up to €20 million or 4% of the organization's annual revenue, whichever is greater

The maximum fine is imposed for violations that cause serious harm to the affected individuals' rights and freedoms.

Cyber Laws in India with relevant Sections


https://www.linkedin.com/feed/update/urn:li:activity:7261379453337931776/
