
Data Privacy fundamentals

June 2021

1 Copyright © 2021 Virtusa Corporation. All Rights Reserved.


Contents

Objectives of this training program

Overview of data privacy

Few privacy regulations around the world

Privacy at Virtusa

Personal data breach

Implications of non-compliance

Expectations from you

Social media and privacy



Objectives of this training program

By the end of this training session, you will be able to:

1. Comprehend key privacy terms
2. Differentiate personal and sensitive personal data
3. Identify the key privacy principles
4. Know the key privacy regulations around the world
5. Protect data across the data lifecycle
6. Respond to a privacy / personal data breach
7. Identify the implications of privacy non-compliance
8. Learn about the organization's and employees' responsibilities to protect personal information



Overview of data privacy



Privacy at its core…

Holds that individuals, not organizations, own their personal data

Empowers an individual to take control of their personal data

Aims to safeguard personal data and information that may establish (directly or indirectly) an
individual’s identity, preferences, activities etc.

Governs almost everything from data creation, through processing and storage, to final destruction

Mandates using an individual’s data only on a lawful basis (consent being the most familiar one), only for the defined purposes and only for the defined duration



Key privacy terms

Data Subject: An identified or identifiable natural person.

Personally Identifiable Information (PII): Any information relating to an identified or identifiable natural person (“data subject”).

Sensitive Personally Identifiable Information (SPII): “Sensitive data” that can only be processed under strict, limited exceptions, such as express consent or necessity for the vital interests of a data subject.

Processing: Any operation or set of operations performed on personal data or on sets of personal data.

Data Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Data Protection Officer (DPO): A person with expert knowledge of data protection law and practices, designated to advise on and monitor the organization's compliance.

Data Protection Authority (DPA): An independent public authority, established by a Member State, that monitors compliance with data protection laws at national level.



Personal data (Personally Identifiable Information)

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable
natural person is one who can be identified, directly or indirectly.

Personal data can be in any media or format, including computerized or electronic records as well as paper-based files. Identifiers that look purely technical, such as an IP address, count as personal data whenever they can be linked to a person.

Examples of personal data:

• Name
• Address (home / business)
• Email address
• Phone number
• Date of birth
• Gender
• Bank account number
• Identification numbers (government / organization)
• IP address
• Location data
• Nationality / citizenship
• Marital status



Sensitive personal data (Special categories of personal data)

Sensitive personal data is a subset of personal data which, due to its nature, has been classified by law or by policy as
deserving additional security and privacy protections.

Examples of sensitive personal data:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data (where used to uniquely identify a person)
• Health data
• Sex life or sexual orientation



The principles of privacy

Privacy principles largely focus on the following:

Lawfulness, fairness and transparency
• Identify valid grounds for collecting and using personal data
• Processing should be fair, clear, open and honest to the data subject

Purpose limitation
• Collect data for specified, explicit and legitimate purposes
• Data shall not be processed further in a manner that is incompatible with the defined purposes

Data minimization
• Personal data shall be adequate, relevant and limited to what is necessary
• Do not collect or hold more information than required

Accuracy
• Ensure that the personal data you hold is not incorrect or misleading
• If the data is incorrect, take reasonable steps to correct or erase it

Storage limitation
• Personal data must not be kept longer than necessary
• Data should be periodically reviewed and erased / anonymized once the retention period ends

Integrity and confidentiality
• Appropriate technical and organizational security measures should be in place to protect personal data
• Encrypt or pseudonymize personal data wherever possible. Pseudonymized data is still personal data, because the token can be re-linked to the person through the key or mapping, so that key must be protected and stored separately from the dataset; only truly anonymized data falls outside privacy law



Few privacy regulations
around the world



Few privacy regulations around the world

Privacy regulation has come a long way since the late 1980s; today privacy laws and regulations are a constant topic in the media. A few of the major ones:

EU GDPR
• General Data Protection Regulation
• Effective from 25th May 2018
• Applies in all EU member states (28 at the time it took effect)

Canada’s PIPEDA
• The Personal Information Protection and Electronic Documents Act
• Effective from 2000, amended in 2015

Hong Kong’s PDPO
• Personal Data (Privacy) Ordinance
• First Asian jurisdiction to enact comprehensive privacy legislation

US HIPAA, 1996
• Health Insurance Portability and Accountability Act of 1996
• For safeguarding medical information

US COPPA, 1998
• Children’s Online Privacy Protection Act of 1998
• Applicable while collecting personal information of children under 13 years of age

US CCPA, 2018
• The California Consumer Privacy Act
• Effective from 1st January 2020

Singapore’s PDPA, 2012
• Personal Data Protection Act 2012
• Enforced in phases

Draft Indian PDPB, 2019
• Indian Personal Data Protection Bill
• Draft bill released in 2019
• Not yet in force at the time of this training (June 2021)



General Data Protection Regulation (GDPR)

The General Data Protection Regulation, finally adopted by the European Parliament in April 2016, represents
a Big Bang in the regulation of personal data protection in Europe.

• Aim: To replace the 1995 Data Protection Directive with a single, directly applicable regulation, harmonizing data protection across the EU and strengthening citizens’ fundamental right to personal data protection.
• Enforcement date: 25th May 2018
• Applicability: Every entity that is established in the EU, or that processes the personal data of people in the EU by offering them goods or services or monitoring their behaviour, whether the entity itself is inside or outside Europe.

GDPR in numbers:

• 8 core individual rights afforded under the GDPR.
• 72 hours to report a personal data breach to the supervisory authority, counted from the moment the organization becomes aware of it (unless the breach is unlikely to result in a risk to individuals).
• 4% of annual global turnover (or €20 million, whichever is higher) as the maximum fine; it applies to cross-border organisations that have access to EU personal data.
• £250m estimated cost of compliance for a typical FTSE 100 company.
• 190+ countries potentially in scope of the regulation.
• 80+ new requirements in the GDPR.

Is GDPR applicable to you?

Does the EU GDPR impact organizations outside the EU?

Yes! This law has a profound impact on the operational and control environment of organisations not only within the EU, but also of organisations based outside the EU that have:

• Operations within the EU
• Third parties operating in the EU
• EU customers they serve

This is borderless, sector-neutral legislation. It reaches beyond the EU to ‘organisations offering goods or services to customers in the EU’ and ‘organisations that monitor the (online) behaviour of EU customers’, because in delivering those services such organisations access, process, host or store the “personal data” of EU data subjects. In force since 25 May 2018.



Privacy at Virtusa



Privacy at Virtusa

Virtusa collects personal data of employees (and their families), prospective candidates, suppliers, clients and visitors.

Employees and candidates
• Concerns personal data of employees and employment candidates
• A privacy notice is shared with all employees / candidates
• Employees can access the personal information that Virtusa keeps about them at Velocity
• Unless required for a legal / regulatory purpose, the records will be archived after the retention period

Suppliers
• Concerns personal data of individuals working with the suppliers
• Does not include information about their company / organization
• All supplier contracts should have data protection clauses embedded in them

Clients
• Includes personal data of clients or end users
• Should not be shared with third parties / contractors without the client’s approval
• Should not be stored on or transferred to Virtusa systems or personal computers, unless otherwise specified
• Report privacy breaches, if any, to the client immediately

Visitors
• Visitors’ personal data are stored in the visitor database / logbook and in CCTV recordings
• Personal data of visitors are collected to ensure physical security
• Only authorized employees and security personnel have access to the database



Data protection across the data life cycle

We need to protect personal information across the whole data life cycle.

1. Create or collect
Personal data is created or collected.
Example: collecting PII / documents while onboarding a new employee, creating an employee number for new joiners, etc.
Best practices:
• Only collect PII that is adequate, relevant and limited to what is necessary
• Issue a privacy notice and obtain consent while collecting PII
• Restrict PII access to a few resources only

2. Store or process
Collected data is stored across multiple solutions / locations for further use.
Example: storing hard-copy files in cabinets, soft copies in the cloud via OneDrive, backing up documents to removable storage devices.
Best practices:
• Use encryption techniques to store data
• Data must not be kept longer than necessary
• Processing shall be conducted with due regard to the privacy, dignity and equality of individuals

3. Analyze and use
Data is processed to fulfill the defined purpose.
Example: using employees’ bank account numbers to pay salaries, using a client’s email id to send them mail / deliver a service.
Best practices:
• Ensure that the data is used in accordance with legal and international regulations
• Do not over-process the data
• Processing should be fair, clear and open

4. Share or transfer
Data is transmitted for processing by internal or third parties.
Example: sharing employee details with the payroll / insurance service provider, or with a background verification vendor to conduct checks, etc.
Best practices:
• Don’t disclose personal data to unauthorized third parties
• Have a contract / data transfer agreement with the third parties / data sub-processors

5. Retain and destroy
Data is retained or destroyed as per business / regulatory requirements.
Example: disposing of a client’s PII post contract term, disposing of unsuccessful candidate details post 6 months, etc.
Best practices:
• PII should only be retained while there is a business or legal requirement
• Dispose of hard-copy or electronic personal information securely
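The "Integrity and confidentiality" and "Storage limitation" principles earlier, and the store / retain stages of the lifecycle above, are the two places where an engineer actually writes code rather than policy. The following Python is an added example, not Virtusa's code and not from the training deck: it pseudonymizes identifiers with a keyed HMAC, shows why an unkeyed hash of an email address is not pseudonymization (a dictionary attack reverses it), and sweeps records whose retention period has lapsed. The record layout, the retention table (apart from the six-month candidate figure taken from the slide), the cut-off date and the sample records are constructed assumptions.

```python
"""Pseudonymization and retention enforcement for personnel records.

Added example, not Virtusa code. The record layout, the retention table and
the sample records are constructed assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Constructed sample data: one employee, one candidate still within retention,
# one unsuccessful candidate whose process closed well over six months ago.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Asha Rao", "email": "Asha.Rao@example.com",
     "category": "employee", "closed_on": None},
    {"id": 2, "name": "Ben Ortiz", "email": "ben.ortiz@example.com",
     "category": "candidate", "closed_on": date(2021, 5, 1)},
    {"id": 3, "name": "Chen Wei", "email": "chen.wei@example.com",
     "category": "candidate", "closed_on": date(2020, 11, 1)},
]

# Assumed retention policy: unsuccessful candidate details are disposed of six
# months after the process closes (the slide's figure); employee records have
# no closing date while employment lasts, so no period applies to them here.
RETENTION = {"candidate": timedelta(days=180)}

# Assumed "today" for the retention sweep so the example is reproducible.
AS_OF = date(2021, 6, 15)


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of a normalized identifier.

    Deterministic, so joins still work, but emails and phone numbers have low
    entropy: anyone with a list of plausible identifiers can hash each one and
    match it against the dataset, which is what dictionary_attack() does.
    """
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the normalized identifier under a secret key.

    The same identifier always maps to the same token, but without the key an
    attacker cannot recompute tokens, so the dictionary attack fails. The key
    must live in a secret store, separate from the pseudonymized dataset;
    while it exists the data is still personal data under privacy law.
    """
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def dictionary_attack(tokens, candidates, pseudonymize):
    """Re-identify tokens by pseudonymizing each candidate identifier and
    checking for a match. Returns {token: recovered identifier}."""
    token_set = set(tokens)
    recovered = {}
    for candidate in candidates:
        token = pseudonymize(candidate)
        if token in token_set:
            recovered[token] = candidate
    return recovered


def pseudonymize_records(records, key: bytes):
    """Return copies of the records with direct identifiers (name, email)
    replaced by a single keyed token; the originals are left untouched."""
    out = []
    for rec in records:
        stripped = {k: v for k, v in rec.items() if k not in ("name", "email")}
        stripped["subject_token"] = keyed_pseudonym(rec["email"], key)
        out.append(stripped)
    return out


def retention_sweep(records, today: date, retention=RETENTION):
    """Split records into those to keep and the ids of those whose retention
    period has lapsed (closed_on + period is before today). Records without a
    closing date, or in a category with no period, are kept."""
    kept, erased = [], []
    for rec in records:
        period = retention.get(rec["category"])
        closed = rec["closed_on"]
        if period is not None and closed is not None and closed + period < today:
            erased.append(rec["id"])
        else:
            kept.append(rec)
    return kept, erased


if __name__ == "__main__":
    emails = [r["email"] for r in SAMPLE_RECORDS]
    # Unkeyed hashing: the attacker's candidate list recovers every subject.
    weak = dictionary_attack([naive_pseudonym(e) for e in emails], emails, naive_pseudonym)
    # Keyed: the attacker lacks the real key, so no token matches.
    key, attacker_key = secrets.token_bytes(32), secrets.token_bytes(32)
    strong = dictionary_attack([keyed_pseudonym(e, key) for e in emails], emails,
                               lambda e: keyed_pseudonym(e, attacker_key))
    kept, erased = retention_sweep(SAMPLE_RECORDS, AS_OF)
    print(f"unkeyed hash re-identified {len(weak)} of {len(emails)}; keyed HMAC {len(strong)}")
    print(f"retention sweep erased ids {erased}, kept {[r['id'] for r in kept]}")
```

Run stand-alone it reports that the unkeyed hash is reversed for all three sample subjects while the keyed tokens are not, and that only record 3 (closed 1 November 2020, more than 180 days before the cut-off) is erased. Normalizing case and whitespace before hashing matters in practice: otherwise the same person appears under several tokens and the retention sweep or a subject-access request misses some of their data.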


Personal data breach



Personal data breach

A personal data breach is any incident in which personal data controlled by Virtusa is lost, or subject to unauthorized
access, use, modification, disclosure or unlawful processing.

Examples of data breaches:

1. Lost or stolen devices and removable storage devices (encrypted or not), or physical records containing personal data. Strong encryption can reduce the risk to the individuals concerned, and with it the duty to notify them, but the loss is still a breach and must still be reported internally.

2. Databases containing personal data being hacked or otherwise illegally accessed by unauthorized individuals.

3. Virtusa employees, contracted staff, or suppliers processing personal data outside of the requirements or authorization of their employment / engagement.

4. Personal data being accidentally provided to the wrong person (e.g., by sending details to the wrong email address or sending personal data that is not adequately protected).



What to do in case of a privacy / personal data breach?

If you discover potential unauthorized access to or disclosure of personal information, report it immediately to the DPO office at

[email protected]

• Even a few hours’ delay can make a big difference to compliance with legal and regulatory obligations (for example, the GDPR’s 72-hour window for notifying the supervisory authority runs from the moment the organization becomes aware of the breach) and to protecting the Virtusa brand.

• But the most important thing is staying vigilant. This way, we keep personal information safe and protect / preserve the Virtusa brand and reputation.



Implications of
non-compliance



Implications of non-compliance

• Regulatory action
• Increased cost of compliance
• Loss of market value
• Litigation
• Trust, brand and reputation damage
• Direct financial loss

For the company:
• Virtusa’s reputation, goodwill, and brand image may be damaged.
• Virtusa may be held responsible for the breach of obligations to clients.
• Virtusa could lose one or more clients.
• Virtusa could be subject to civil and criminal penalties.
• Virtusa might receive administrative fines from the data protection authority.

For the employee:
• You may face disciplinary action, which can even lead to termination of employment.
• You may be subject to civil and criminal penalties.



Expectations from you



Dos and Don’ts in order to protect Personal Data

Dos
• Ensure that consent is obtained before collecting personal data
• Use personal data only for the business purpose for which it was collected
• Secure personal data in the office and while traveling or working in other locations
• Encrypt personal data if required
• Retain personal information only if needed
• Classify and protect information in your possession
• Familiarize yourself with the respective privacy regulation / act
• Be careful when handling personal data
• Always adhere to the security practices
• Enroll in and attend privacy-related trainings when scheduled
• Report any breaches to your manager or the Data Protection Officer
• Give access only to authorized individuals

Don’ts
• Don’t transfer personal data to team members / third parties unless necessary
• Don’t leave sensitive data unattended
• Don’t disclose personal information unless authorized
• Don’t reply to or click any links embedded in unexpected emails
• Don’t breach the policies and standards that protect personal information
• Don’t process any personal data without appropriate consents or without confirming that we have appropriate safeguards in place
• Don’t store personal data in multiple locations or on unauthorized devices
• Don’t take hard copies of personal data unless it is necessary
• Don’t keep any personal data for a duration longer than lawfully required



Social media and privacy



How can your privacy be invaded?

Your private information can be exposed by online ads, by websites that track your online behavior, or by massive data breaches.

Advertisements
While browsing, you will see ads for relevant products or services. But these ads can also be used for privacy-invading purposes, including:
• Tracking what you do online
• Spreading malware
• Influencing your product choices

Tracking
Remember, if you are not paying for a product like Gmail, Twitter or Facebook, then most likely you are the product. For example, social networking sites already know:
• What you are sending in direct messages
• Which websites you visit
• What you are reading / watching
• What user information you share while signing in

Data breaches
Several internet services fail to implement basic security measures. A hacker can:
• Access your social media accounts
• Recover your password and access your bank account
• Trick your family or friends into sending money or documents
• Steal your identity



How to protect your personal information in social media

It is important to protect your online privacy before you share anything on a social media platform.

1. Read and understand the privacy policies

• Before signing up to any website and registering an account, read and understand its privacy and cookie policies.



How to protect your personal information in social media (Continued..)

2. Adjust your privacy settings

• Always check the default privacy settings on the website
• Adjust the default privacy settings to limit how the site shares your personal information with others



How to protect your personal information in social media (Continued..)

3. Be careful about posting photos online

• Before sharing any photos, think twice.
• Consider where they will be saved, who can see them and how long they will remain on the website.



How to protect your personal information in social media (Continued..)

4. Avoid clickbait

• No social media site / website will take responsibility for third-party apps.
• When prompted to ‘comment below to see magic’ or ‘check which celebrity you share a birthday with,’ avoid clicking these baits, as they try to capture and misuse your personal information.



How to protect your personal information in social media (Continued..)

5. Turn off your location

• While adjusting your privacy settings, don’t forget to turn off your device’s location sharing.



How to protect your personal information in social media (Continued..)

• Create strong passwords
• Use a different password on each of your social media accounts
• Change your passwords periodically, and immediately if the service reports a breach
• Avoid logging in on public computers
• Don’t use public wi-fi to access social media accounts
• Beware of phishing attempts
• Select better default settings on apps
• Validate the site / URL before entering your credentials



Thank you

www.virtusa.com
