GDPR Article | Outline/summary | DPDPA Section | Outline/summary | Control Area
GDPR's Chapter I - General provisions
|
1 |
Subject-matter and objectives - This article outlines the objectives of the GDPR, which include protecting the fundamental rights and freedoms of natural persons, particularly their right to the protection of personal data.
|
CHAPTER I - Preliminary
|
An Act to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.
|
1.10 - Human - Cybersecurity Awareness Training
1.11 - Human - Separation of Duties (with ARCSIK Matrix)
1.17 - Human - Non Disclosure Agreement (NDA)
|
2 |
Material scope - This article defines the scope of the GDPR, specifying the types of data processing activities that fall under its regulations.
|
CHAPTER I - Section 3
|
Applies to digital personal data, including personal data collected in non-digital form and digitised later. Does not apply to personal data processed by an individual for personal or domestic purposes, or to personal data made publicly available by the data principal or under a legal obligation.
|
3 |
Territorial scope - This article explains the territorial applicability of the GDPR, indicating that it applies to data processing activities conducted within the EU, as well as those related to offering goods or services to, or monitoring the behavior of, individuals within the EU.
|
CHAPTER I - Section 3
CHAPTER IV - Section 16 and 17
|
Similar scope: applies to digital personal data processed within India, and to processing outside India where it is connected with offering goods or services to data principals in India. Unlike Article 3 GDPR, there is no separate limb covering the monitoring of individuals' behaviour.
|
4 |
Definitions - This article provides definitions for key terms used throughout the GDPR, such as "personal data," "data subject," "processing," and "controller".
|
CHAPTER I - Section 2
CHAPTER V
|
DPDP privacy-related terms are formally defined here.
|
GDPR's Chapter II - The core principles for processing personal data
|
5 |
Principles relating to processing of personal data - Personal data must be: (a) processed lawfully, fairly and transparently; (b) collected for specified, explicit and legitimate purposes only; (c) adequate, relevant and limited; (d) accurate; (e) kept no longer than needed; (f) processed securely to ensure its integrity and confidentiality. The “controller” is accountable for all that.
|
CHAPTER II - Section 4 to 10
|
Reflects similar principles such as purpose limitation, data minimization, and accuracy.
|
1.11 - Human - Separation of Duties (with ARCSIK Matrix)
1.17 - Human - Non Disclosure Agreement (NDA)
Consent form used when collecting personal data of employees and stakeholders
|
6 |
Lawfulness of processing - Processing is lawful only if at least one basis applies: (a) the data subject has consented for one or more specified purposes; (b) it is necessary to perform a contract with the data subject; (c) it is necessary to comply with a legal obligation; (d) it is necessary to protect someone's vital interests; (e) it is necessary for a task in the public interest or in the exercise of official authority; or (f) it is necessary for the legitimate interests of the controller or a third party, unless overridden by the data subject's interests and rights, particularly where the data subject is a child. Note: there are further detailed requirements concerning lawful processing - see the GDPR text. Note also that EU member states may impose additional rules.
|
Processing is permitted only with consent (Section 6) or for the "certain legitimate uses" listed in Section 7 (e.g. data voluntarily provided for a specified purpose, state functions and benefits, legal obligations, medical emergencies, employment purposes). There is no general legitimate-interests basis comparable to Article 6(1)(f).
|
7 |
Conditions for consent - The data subject’s consent must be informed, freely given and they can withdraw it easily at any time.
|
Section 6 requires consent that is free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and limited to the personal data necessary for the specified purpose. Consent must be as easy to withdraw as to give, and may be given or withdrawn through a registered Consent Manager.
|
8 |
Conditions applicable to child's consent - Special restrictions apply to consent by/for children.
|
Defines a child as an individual under 18 (the GDPR threshold is 16, which member states may lower to 13) and requires verifiable parental or guardian consent before processing a child's data. Section 9 also prohibits tracking, behavioural monitoring and targeted advertising directed at children.
|
9 |
Special restrictions apply to particularly sensitive data revealing a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or concerning health, sex life or sexual orientation, and to genetic and biometric data used for unique identification. Processing of such data is prohibited by default unless one of the Article 9(2) exceptions applies, e.g. explicit consent, or processing that is necessary for a listed purpose such as employment law, vital interests, substantial public interest or healthcare.
|
No direct equivalent: the DPDPA does not define a special category of sensitive personal data. All digital personal data is subject to the same obligations, with children's data (Section 9) as the only distinct category.
|
10 |
Special restrictions also apply to personal data concerning criminal convictions and offences: such data may be processed only under the control of official authority or where authorised by law.
|
No direct equivalent: criminal-conviction data is not singled out under the DPDPA and is treated like any other digital personal data.
|
11 |
Where the purposes of processing do not require the controller to identify the data subject, the controller need not acquire or retain additional information solely to comply with the GDPR; if it can show it cannot identify the data subject, the rights in Articles 15 to 20 do not apply unless the data subject supplies information enabling identification.
|
No direct counterpart. The DPDPA applies only to personal data, defined in Section 2 as data about an individual who is identifiable by or in relation to that data, so data from which a person cannot be identified falls outside the Act.
|
GDPR's Chapter III - Rights of the data subject
|
12 |
Communications with data subjects must be transparent, clear and easily understood.
|
CHAPTER III - Section 11 to 15
|
The GDPR's "data subject" is the "data principal" under the DPDPA: the individual to whom the data relates. Chapter III grants data principals the rights to access (Section 11), correction and erasure (Section 12), grievance redressal (Section 13) and to nominate another person to exercise their rights (Section 14), and imposes duties on them (Section 15). There is no right to data portability, to restriction of processing or to object to processing. Appeals lie to the Appellate Tribunal, and alternate dispute resolution is provided for.
|
1.11 - Human - Separation of Duties (with ARCSIK Matrix)
1.17 - Human - Non Disclosure Agreement (NDA)
Consent form used when collecting personal data of employees and stakeholders
|
13 |
When personal data are collected, people must be given (or already possess) several specific items of information such as details of the data “controller” and “data protection officer”, whether their info will be exported (especially outside the EU), how long the info will be held, their rights and how to enquire/complain etc.
|
14 |
Similar notification requirements to Article 13 apply if personal info is obtained indirectly (e.g. from a commercial mailing list): people must be informed within a reasonable period and at the latest within one month, or at the time of the first communication with them (or first disclosure to another recipient) if that comes sooner.
|
15 |
People have the right to find out whether the organisation holds their personal info, what it is being used for, to whom it may be disclosed etc., and be informed of the right to complain, get it corrected, insist on it being erased etc. People have rights to obtain a copy of their personal information.
|
16 |
People have the right to get their personal info corrected, completed, clarified etc.
|
17 |
People have a right to be forgotten i.e. to have their personal info erased and no longer used.
|
18 |
People have a right to restrict processing of their personal info.
|
19 |
Controllers must communicate any correction, erasure or restriction of processing to each recipient to whom the personal info was disclosed, unless this proves impossible or involves disproportionate effort, and must tell the data subject who those recipients are if asked.
|
20 |
People have a right to obtain their personal data in a structured, commonly used and machine-readable format and to have it transmitted to a different controller, where processing is based on consent or contract and carried out by automated means.
|
21 |
People have a right to object to processing based on public-interest or legitimate-interest grounds, including profiling, which the controller must then stop unless it demonstrates compelling overriding grounds. Objection to direct marketing (including related profiling) is absolute and must always be honoured.
|
CHAPTER III - Section 11 to 15
CHAPTER VII
|
22 |
People have a right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects, unless the decision is necessary for a contract, authorised by law, or based on explicit consent; even then they may demand human intervention, express their view and contest the decision.
|
23 |
National laws may modify or override various rights and restrictions for national security and other purposes.
|
CHAPTER III - Section 11 to 15
|
GDPR's Chapter IV Controller and processor
|
24 |
The "controller" (the organisation that determines the purposes and means of processing personal info) is responsible for implementing appropriate technical and organisational measures (including policies and codes of conduct) considering the risks, rights and other requirements within and perhaps beyond GDPR, and for being able to demonstrate compliance.
|
CHAPTER II - Section 8
|
The DPDPA follows broadly similar principles to those set out in the GDPR and specifies rules for data fiduciaries (equivalent to “controllers” under the GDPR) and data processors, and rights for data principals (equivalent to “data subjects” under the GDPR).
|
1.1 - Host/Endpoint - Less Permission to Use
1.2 - Host/Endpoint - Endpoint Protection - Anti-Virus
1.3 - Host/Endpoint - Licensed Operating System (OS)
1.4 - Host/Endpoint - Block File Transfers
1.5 - Data - Encryption
1.6 - Data - Access control
1.7 - Data - Backup
1.8 - Data - Data Loss Prevention
1.9 - Data - Secure Deletion
1.10 - Human - Cybersecurity Awareness Training
1.11 - Human - Separation of Duties
1.12 - Human - Service Level Agreement (SLA)
1.13 - Human - Employee Background Check
1.14 - Human - Review Access Rights
1.15 - Human - Cyber Threat Alert Notifications
1.16 - Human - Cybersecurity Banners / Posters
1.17 - Human - Non Disclosure Agreement (NDA)
2.1 - Network - Network Firewall
2.2 - Network - Network Access Control
2.3 - Network - Remote Access VPN
2.4 - Network - Intrusion Detection & Prevention Systems (IDPS)
2.5 - Application - OWASP Coding Practices
2.6 - Application - Application Hardening
3.1 - Physical Perimeter - Locked and Dead-Bolted Steel Doors
3.2 - Physical Perimeter - Closed-Circuit Surveillance Cameras (CCTV)
3.3 - Physical Perimeter - Picture IDs
3.4 - Physical Perimeter - Security Guards / Proper Lighting / Biometrics / Environmental Control
3.5 - Governance - Incident Response Process
3.6 - Governance - Business Continuity Plan (BCP)
3.7 - Governance - Periodic Audit
|
25 |
Data protection by design and by default - Taking account of risks, costs and benefits, there should be adequate protection for personal info by design, and by default.
|
CHAPTER II - Section 10
CHAPTER III - Section 11 to 17
CHAPTER VI - Section 27
CHAPTER IX - Sections 37 and 40
|
Section 8 requires data fiduciaries to implement appropriate technical and organisational measures to comply with the Act and to take reasonable security safeguards to prevent personal data breaches; this is a binding obligation, not a recommendation.
|
26 |
Where organisations are jointly responsible for determining and fulfilling privacy requirements collaboratively, they must clarify and fulfil their respective roles and responsibilities.
|
27 |
Organisations outside Europe must formally nominate privacy representatives inside Europe if they meet certain conditions (e.g. they routinely supply goods and services to, or monitor, Europeans).
|
28 |
If an organisation uses one or more third parties to process personal info ("processors"), it must use only processors that provide sufficient guarantees of GDPR-compliant processing, bind them by a written contract covering the matters listed in Article 28(3), and ensure sub-processors are engaged only with its authorisation.
|
29 |
Processors must only process personal info in accordance with instructions from the controller and applicable laws.
|
30 |
Controllers must maintain documentation concerning privacy e.g. the purposes for which personal info is gathered and processed, ‘categories’ of data subjects and personal data etc.
|
CHAPTER II - Sections 9 and 10
CHAPTER III - Sections 11, 13 and 17
CHAPTER IX - Section 40
|
Section 8 requires data fiduciaries to implement appropriate technical and organisational measures and reasonable security safeguards. Section 8(6) requires every personal data breach to be reported to the Data Protection Board and to each affected data principal; unlike Articles 33 and 34 GDPR, the Act itself sets no risk threshold below which notification may be skipped.
|
31 |
Organisations must cooperate with the authorities e.g. privacy or data protection ombudsmen.
|
32 |
Organisations must implement, operate and maintain appropriate technical and organisational security measures for personal info, addressing the information risks.
|
33 |
Notification of a personal data breach to the supervisory authority - Personal data breaches must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of them; later notification must be accompanied by reasons for the delay. Notification is not required where the breach is unlikely to result in a risk to people's rights and freedoms. Processors must notify the controller without undue delay.
|
34 |
Personal data breaches that are likely to result in a high risk to people's rights and freedoms must be communicated to the affected individuals "without undue delay", unless the data were protected (e.g. by encryption), the risk has since been mitigated, or individual notice would involve disproportionate effort, in which case a public communication is used instead.
|
35 |
Privacy risks including potential impacts must be assessed in a data protection impact assessment (DPIA), particularly where new technologies, systems or arrangements are being considered, or otherwise where risks are likely to be high (e.g. systematic profiling, large-scale processing of special categories, or large-scale monitoring of public areas). Supervisory authorities publish lists of processing operations that require a DPIA.
|
36 |
Where a DPIA shows that processing would result in a high risk that the controller cannot adequately mitigate, the controller must consult the supervisory authority before processing, giving it the chance to comment or intervene.
|
37 |
A data protection officer must be formally designated under specified circumstances: public bodies, organisations whose core activities involve regular and systematic monitoring of people on a large scale, or large-scale processing of special categories of data (Article 9) or data relating to criminal convictions (Article 10).
|
38 |
[If formally designated] the data protection officer must be supported by the organisation and engaged in privacy matters.
|
39 |
[If formally designated] the data protection officer must offer advice on privacy matters, monitor compliance, liaise with the authorities, act as a contact point, address privacy risks etc.
|
40 |
Various associations and industry bodies are anticipated to draw up codes of conduct elaborating on GDPR and privacy, submit them for approval by the competent supervisory authority (or, for codes spanning several member states, to the Commission via the Board) and, where appropriate, implement their own compliance-monitoring mechanisms for members.
|
41 |
The bodies behind codes of conduct are required to monitor compliance (by their members), independently and without prejudice to the legal and regulatory compliance monitoring conducted by the national authorities.
|
42 |
Voluntary data protection certification schemes offering compliance seals and marks (valid for 3 years) are to be developed and registered.
|
43 |
Certification bodies that award compliance seals and marks should be competent and accredited for this purpose. The European Commission may impose technical standards for certification schemes.
|
GDPR's Chapter V - Transfers of personal data to third countries or international organisations
|
44 |
International transfers and processing of personal info must fulfil requirements laid down in subsequent Articles.
|
CHAPTER IV - Section 16 and 17
|
Permits transfers of personal data outside India except to countries or territories that the Central Government restricts by notification (Section 16). This is a blacklist model, the reverse of the GDPR's adequacy whitelist; sector-specific Indian laws imposing stricter localisation continue to apply.
|
1.1 - Host/Endpoint - Less Permission to Use
1.4 - Host/Endpoint - Block File Transfers
1.6 - Data - Access control
1.7 - Data - Backup
1.8 - Data - Data Loss Prevention
1.9 - Data - Secure Deletion
1.10 - Human - Cybersecurity Awareness Training
1.11 - Human - Separation of Duties (with ARCSIK Matrix)
1.14 - Human - Review Access Rights
1.16 - Human - Cybersecurity Banners / Posters
1.17 - Human - Non Disclosure Agreement (NDA)
3.7 - Governance - Periodic Audit
|
45 |
Data transfers to countries whose privacy arrangements (laws, regulations, official compliance mechanisms ...) are deemed adequate by the European Commission (i.e. compliant with GDPR) do not require official authorisation or specific additional safeguards.
|
46 |
Where no adequacy decision is in place, transfers are permitted only subject to appropriate safeguards, e.g. standard contractual clauses adopted by the Commission, binding corporate rules, approved codes of conduct or certification mechanisms, with enforceable rights and remedies for data subjects.
|
47 |
Supervisory authorities may approve binding corporate rules (BCRs): legally binding privacy rules that permit transfers within a corporate group to countries without an adequacy decision.
|
48 |
Requirements on European organisations from authorities outside Europe to disclose personal data may be invalid unless covered by international agreements or treaties.
|
49 |
Where neither an adequacy decision nor appropriate safeguards apply, transfers to non-approved countries are allowed only under narrow derogations, e.g. explicit informed consent by the data subject, necessity for a contract, important public-interest reasons, legal claims or vital interests.
|
GDPR's Chapter VIII - Remedies, liability and penalties
|
83 |
Administrative fines imposed by supervisory authorities shall be “effective, proportionate and dissuasive”. Various criteria are defined. Depending on the infringements and circumstances, fines may reach 20 million Euros or up to 4% of total worldwide annual turnover for the previous year if greater.
|
CHAPTER VIII - Section 33 and 34
|
The Schedule sets maximum penalties per instance: up to INR 2.5 billion (250 crore) for failing to take reasonable security safeguards, up to INR 2 billion for failing to notify a breach or for breaching obligations regarding children, up to INR 1.5 billion for a Significant Data Fiduciary's additional obligations, up to INR 500 million for other obligations, and up to INR 10,000 for breach of a data principal's duties. Penalties are imposed by the Data Protection Board after inquiry.
|
3.5 - Governance - Incident Response Process 3.6 - Governance – Business Continuity Plan (BCP) 3.7 - Governance - Periodic Audit
|
84 |
Other penalties may be imposed. They too must be “effective, proportionate and dissuasive”.
|
GDPR's Chapter IX - Provisions relating to specific processing situations
|
85 |
Countries must balance privacy/data protection rights against freedom of expression, journalism, academic research etc. through suitable laws.
|
CHAPTER IV - Section 16 and 17
CHAPTER IX
|
Section 16 permits transfers except to countries restricted by Central Government notification; Section 17 sets out exemptions, including processing necessary for research, archiving or statistical purposes. Chapter IX (Miscellaneous) covers the remaining clauses.
|
1.1 - Host/Endpoint - Less Permission to Use
1.4 - Host/Endpoint - Block File Transfers
1.6 - Data - Access control
1.7 - Data - Backup
1.8 - Data - Data Loss Prevention
1.9 - Data - Secure Deletion
1.10 - Human - Cybersecurity Awareness Training
1.11 - Human - Separation of Duties (with ARCSIK Matrix)
1.14 - Human - Review Access Rights
1.16 - Human - Cybersecurity Banners / Posters
1.17 - Human - Non Disclosure Agreement (NDA)
3.5 - Governance - Incident Response Process
3.6 - Governance - Business Continuity Plan (BCP)
3.7 - Governance - Periodic Audit
|
86 |
Personal data in official documents held by public authorities or bodies may be disclosed under national freedom-of-information or public-access laws, reconciling public access to documents with data protection rights.
|
87 |
Countries may impose further privacy controls for national ID numbers.
|
88 |
Countries may impose further constraints on corporate processing and use of personal information about employees e.g. to safeguard human dignity and fundamental rights.
|
89 |
Where personal data are to be archived e.g. for research and statistical purposes, the privacy risks should be addressed through suitable controls such as pseudonymisation and data minimisation where feasible.
|
90 |
Countries may adopt rules limiting supervisory authorities' investigative powers where controllers or processors are bound by professional secrecy obligations, to protect information received in confidence.
|