 You let me know when you want to get started. I'm ready. Good evening. And as we enter into the new world, the data privacy, I can say, as they say, data is the new king. And what about data privacy? And how does the company effectively handle the privacy of its customers? Because as we all know that privacy is also a new fad or a new. In the hindsight, everybody feels that as to whether the privacy is actually handled in the right manner. This is what we'll be discussing during the around 45 minutes to one hour session taken by Mr. Ghosh, a legal counsel in Cambium Networks. And when we connected with him before going live to the session, we shared few thoughts on few topics. But eventually we narrowed down all the data privacy. And how does the company effectively handle it? I'll ask Mr. Rukh to take over the baton and we are obliged on behalf of Beyond Law CLC that he has acceded to our request. Thank you very much. Truly an immense pleasure to be with you, Vikasji. And I am completely enamoured to see quite a few people joining in on a Saturday evening onto the session. So let me get started with understanding of, I mean, before we get into the understanding of what data privacy, how do we handle what are the kind of practices which company needs to have in order to protect the privacy of its customers. I wanted to speak about one thing, which is the data being today called as the oil of the new economy. So most of the companies today would like to have gone on, gone ahead and would like to design their products utilizing data. There are tons of data which are being made available, considering that a large population of India specifically has got access to affordable internet, has gone on to social media, has gone on to utilise internet for receiving different kind of services. 
This has led to the situation where data is now amply available with the companies in order to design their products and also the consumer themselves would also want to give those data in order to receive certain services from these companies. So meaning to say that this is an extremely important piece. Now having said that, I wanted to talk about a very unique situation in United States, even though we haven't really faced such kind of a situation in India or we don't know. So far if we have faced such kind of a situation, it has not yet been documented still. I wanted to tell a bit of a story, but it's a true story. So what happens is in United States, one father barges into a shop, a shopping mall and says that what the hell is happening over here? My daughter, who is a minor, is receiving certain, I'm sorry, I think there is, is there an audio problem? Can someone? I think I will just tell, I will see who has written that chat. Okay, sorry. Yeah, Professor Chandrasekhar, probably you're not logged in through your audio, just log out and then reconnect or connect your audio. Yeah. Sorry. So this was the story I was telling, okay. So now the father barges into the shopping mall says that my daughter, who is a minor, is receiving some advertisements from your company. I don't want to name the company, but one is receiving certain advertisements from your company. With respect to maternity products, how is this possible? All right, my daughter is a minor. And this is unacceptable. The shopping mall people are perturbed. What is exactly happening over there? How is this essentially possible that, you know, there is such kind of an advertisements which are getting pushed to people who have no need of that kind and then such kind of a situation where disturbances have started happening. They go on to drill down. 
Then they figure out that they have designed a software where if they figure out that a certain female has not picked up sanitary products for a certain amount of time. They have designed the product in a manner that they automatically start sharing advertisements with respect to maternity products to those female. Imagine the situation. We are talking about a situation where the data is available with such kind of a shopping mall, which can such kind of a provider. And then they end up utilizing the data to profile the user and go ahead and provide such kind of advertisements, marketing kind of materials to the user without having any sort of consent from them. Now, this is the world that we live in, right? This is something which is a functionality of artificial intelligence, which goes on to look into the way that a person interacts with the product, a way that a person interacts with the system and goes on to give suggestions, basis, how they have interacted with the system. And all of us would have known that if we today go to and we want to say buy a certain product, we suddenly start seeing few of the e-commerce sites coming up with suggestions with respect to these products. So now having said that, so the other piece of discussion which has been other piece of merit which has been coming up more and more because of this is how should a company think of protecting the privacy of its user, right? Because this is becoming more and more critical. What I'm going to speak to you about is about the practice, about how that can be done, break it up, create a framework so that if someone wants to go ahead and implement that within their organization, they really know what all things that they need to do. This is not a legal advice. This is not a legal advice. I don't intend to give a legal advice because there are nuances which we will have to take care of. This is the actual working of the products. 
This is the actual working of how the data is being, what kind of data is being collected. And you should definitely speak to your lawyer in the know about this sort of designing of a privacy policy or privacy framework for your organization. But yes, this can definitely work as a framework for you. So with this, I want to start speaking about looking at it from the point of view of the user. So what are the rights that are there for a user which are existing today, which are present today, that should be taken care of by the companies, alright? So this is the first thing that I want to get started with. Now, if you look into the most recent DPDP Act, which has come up, come out in 2023, we are still waiting for the rules to come out. The rights that are being talked about are number one, that every data principal, meaning I, who is giving the data to a product should have number one, I should always be having an access to the information, right? So essentially, I should have a summary of personal data and processing activity, identities of other data fiduciaries and processors who are involved. And I'm going to come back to talk about these terminologies a little bit later. Second is, I should be able to correct or erase my data. So I should be in the control of the data. So I should have an access to the data. I should be in control of the data. Third is, I should have a grievance redressal mechanism. In the sense, I, if I figure out that there are some kind of an issue with the way that my data is getting handled, I should have a grievance redressal mechanism. And lastly, I should have a mechanism to nominate. If I do not exist at a certain point of time and I should be able to nominate someone who should get a control of the data. So keeping this in mind that these are the rights which are available to a person who is giving the data to say a product. There are certain practices that have to be made that have to be brought into picture. 
The first thing that is needed to be done is, which is at the core of any of the activities that will require to be done, is to create a data register and map how the data flows between the different parts of the organization. Now how does, what does a data register constitute? A data register essentially constitute considering that there are various departments within the organization. What are the headers of data which are getting collected? Now if I have to take an example, think of it, if there are information with respect to say an employee name is getting collected, an employee email address is getting collected, gender address, physical address and then pan number, family information, etc. These are getting collected. Then there has to be instituted a data register for a company which is working today, which is already processing a few of the data of their customers. They need to start from the point of getting a data register. Once you have set up a data register, then the second thing that you need to do is to figure out a data map. Now there are these various departments and if we break it into the way that they work with the data, it would generally fall into two parts. One part is where it is external facing, another part is where it is internal facing. When it is external facing, essentially what it does is say for example, sales function or a marketing function. What it does is it goes ahead and interacts outside the company. It works with the customers. It goes ahead and have the data of the customers, various sort of data. And then on the other side, there would be data which are internal facing. Now if the data comes into the organization, then the data might go into say a finance function. Data might go into say an HR function, so on and so forth. So there has to be a map of that particular data. First of all, depending on the kind of functions that are handling the data number one and second is also on the tools. 
Because each of these functions inadvertently go ahead and utilize some of the tools, various kinds of tools that are available today in the market. So imagine it this in a way that you are essentially creating a map where you know in front of you all the kind of data. Where is it flowing? Which are the software in which it is going? And how that is being processed within that particular software? So that is the starting point. So an organization should start with getting a data register, creating a data register and then second is creating a data map. Once they have done that, these are the pieces that we are talking about internally what to do. Then the third thing that they need to do is they need to figure out how do they receive the data? This is what they are going to process that particular data. So here we are talking about receiving consent. Now bringing your attention to what majority of the laws, the privacy laws that talk across the globe. They talk about a free informed consent and preferably in a written form. What does it mean? It means that whosoever is providing the consent is essentially understanding the purpose for which they are giving the consent. Additionally, they know how do they take back that particular consent and essentially they have read through this whole process before they have given that consent. A very common way how companies essentially process this is, they have even before someone can go on and provide the data to the company, they go ahead and create a mechanism where people can read through the consent that they are providing and have an opt-in. Now a lot of companies would function on the other way where they would work on implied consent. Now progressively as we see, we are figuring out that most of the laws do not appreciate it to be informed consent. They appreciate it when it is an open and informed consent which is explicitly being provided. 
So the third thing that we talk about over here is how to capture the consent and how do we process that consent. The important piece over here is that a consent will be provided by a user for a specific purpose. The user is not really providing the consent for a generic purpose. So there has to be a track of what is the purpose for which that consent has been provided. And this is what is called as a consent tracking mechanism. A company should have a consent tracking mechanism where it knows that the purpose for which the consent of the user has been provided. The company continues to use the data for that specific purpose only and nothing beyond that. And in case they have a situation where they want to go ahead and utilize beyond the requirement of having, beyond for what they had received the consent for, they go back and receive additional consent there. Now coming to the, we spoke about the third point where essentially the company should go ahead and receive consent from the user. Now once the company has received consent, then a very important and interesting thing comes into picture. That is figuring out whether the product that is being built does it create high risk for the user or the data provider there. In order to figure out GDPR actually came up with this kind of a concept which is called as data privacy or data protection impact assessment. Now interestingly this concept has also been brought into but only for significant data fiduciary under the DPDP Act that we have seen in India, that we have in India now. Now what is a DPIA? DPIA is a mechanism to first understand how the data will be processed. So we figure out that how the data will be collected, we will figure out how the data will be processed. Then additionally we will figure out what are the kind of risks in processing the data in order to, against the kind of rights that are available to the user. 
A simple example is that if a user, if say a certain society wants to install CCTV camera in order to prevent burglary in that society. Now the specific purpose for the installation of that CCTV camera is to prevent burglary in that society. But the CCTV camera is not designed in a way or the software behind that CCTV camera is not designed in a way to only pick up situations where there are burglary. It's going to pick up anything and everything. So what is the limit to which the software has to be designed such that it does not go beyond this specific purpose for which it has been utilized? So there that is the determination which happens during the stage when a product is being developed and where a DPIA is being conducted. And in this particular case itself if we go ahead and see that a particular CCTV camera can capture information about anything and everything which is there in front of it. So then the software will have to be designed in a manner such that first of all the CCTV camera, the installation of the CCTV camera will have to happen on specific places and not in all places. The second is that the software will have to be designed in a manner that these kind of specific places where unless the data is being collected for the specific purpose for which it has been agreed by the residents. Otherwise the data is either purged or the data is blurred so that there is no processing of the data that happens. So this is an example of a sequence of what kind of what would happen when a product development happens. So just a small recap of what we talked about. The first bit that we talked about is that there has to be a data map, a data register within the organization knowing what the data is. The second is there has to be a consent mechanism where you basically pick up know how the data is being brought into the organization. The third thing that we talked about is when designing a product conducting a DPIA. 
Yes, there are certain situations where a DPIA is not needed. Specifically if we go through article 35 of GDPR and also section 10-1C of DPDPA, there are only specific cases where DPIA is necessary. Now the specific cases at least from the EU perspective they talk about a white list or black list which have been published by these specific countries. We are yet to see the specific situations where data fiduciary will be considered as significant data fiduciary and then a DPIA will be needed from the Indian perspective. But the concept is pretty much prevalent and this is what flows into what is called as privacy by design. So that by design privacy is built into the system. Now after a DPIA has been done and which could also include a public consultation as it is required in some of the cases in the European Union. Then these security measures with respect to how to handle the data has to be built in. So there is a particular requirement to minimize the utilization of the data more than what it is minimizing to the extent so that the data collection and the use of the data is not more than what it is anticipated for. So two key aspects actually come into picture which are called as anonymization and pseudonymization of this data. Which essentially makes sure that whosoever is handling the data even within the organization only have limited information to the extent they need it to process the data. In some cases it is inadvertent. It is impossible to process the data and give actionable results to the user without having the complete data. But except for those kind of situations anonymization and pseudonymization is the process to go. Data security measures are extremely important beyond that. Data security measures meaning that having proper security measures, technical control, security control over the data where the data is getting stored. 
Understanding whether if it is getting stored in a say a cloud server then in that kind of a situation figuring out whether the cloud server has adequate control, security control over there. So that after the data has come into the company and while it is getting processed the chances of it getting accessed by someone from outside by say a threat actor. By someone who wants to actually take out the data that gets minimized to the extent possible. So now after we have done this we have done the DPIA the product is in market and then we know that the product is being accessed by the user who have been who have given the consent for utilizing that product. And we have limited it we now know what the data map is what we now know that what the data register is. Then we need to know that there is there is a requirement of an appointment of a person who is called a data protection officer within the organization again. Bringing your attention to the DPDP Act a data protection officer is envisaged only for a significant data fiduciary meaning a person who essentially I mean entity which essentially will be considered to be a significant data fiduciary will need to appoint a DPO otherwise not. But it is found out that it is a good practice even if it is not legally mandated to have a DPO. But having a DPO does not harm the reason is the person who is a DPO is at the center of the compliance understands the process understand the flow because the other departments have other responsibilities and this is not at the center of the responsibilities. So it is a recommended role to have within the organization to have a data protection officer. The data protection officer specifically for data for DPDPA would essentially would also need to be registered with the data protection board. We don't need to get into the details of it we will wait for the rules to come in and then figure out what are the kind of requirements for the data protection officer comes on to me. 
Now after we have got the team in place being headed by the data protection officer then one thing that we have to prepare for the organizations have to prepare for that is an inadvertent situation where a data breach happens. Understanding that data breach is a truth of today whether we like it whether we not like it all the organizations at one time or the other will face a data breach that is the truth of the situation. Now when a data breach happens it is the responsibility of the company to take care of some of the aspects. It is the responsibility of the company which is which is processing the data on behalf of the user. When the rules of course come up the Indian Act says that there has to be a notification to two places. The first notification it has to happen to the data protection board. The second notification will have to happen to the user from whom the data was collected. Now in GDPR parlance they have set up set up a certain time limit within which the notification has to happen. And additionally there are specific requirements for different regulated parts of the country parts of the industries. For example if there is a financial institution if there are if there are telecommunication institutions there are specific requirements which come in from the with respect to those specific areas in the industry. Now generally speaking this is what is going to come up when a data breach happens. But let's be aware let's understand that this is not the only thing it's not limited to only notifying these people that a data breach has happened. As soon as the data breach has happened in most of the situation it is a business stop a business disruption at that point of time. And this leads to continuous revenue being depleted. So the faster that the business can get back on its feet and get back doing what it does is what is best for it. 
A very key situation which happens in most of these cases are institutions face companies face what is called as a ransomware attack. Where a threat actor someone from outside approaches accesses the system and encrypts the system and asks for a ransom. And in most of the situations the ask for the ransom is in the form of crypto. And then this request for those kind of they ask for those kind of ransom in return of the keys to that particular system and only when they have received those kind of money. They essentially go ahead and give back those kind of keys or otherwise if the money has not been paid in that kind of a situation they inadvertently go ahead and release the kind of data that they have into dark web. And that is the reason that is one of the primary reason why we today see a lot of the information we end up figuring out or finding on the dark web. So whenever we see such kind of a news happening it plays on my mind very clearly that at some point of time there must have been some kind of ransomware attack some kind of a cyber threat which was not complied with no one really wanted to hit to it and therefore the data has landed up on the dark web. Not going into not going into further details of it but from my experience paying a ransom is not really a key a key strategy I would say not really a good strategy. The reason is as soon as a threat actor realizes that there are system vulnerabilities which are there and second is that there is essentially this target is likely to pay a ransom. It has been found that such kind of a target has been subsequent targets of ransomware attacks again and again. So therefore the primary strategy cannot be to pay a ransom. So what do we do if we don't pay the ransom then the system remains encrypted we don't have access to the system and the situation of unauthorized access continues. 
So in that kind of a situation having if you now go back to the initial piece that I talked about of having a data map and a data register comes really handy because when you are hit with an accident then you essentially have one option of cutting up the carcinogenic part right and letting the other part of the organism to survive. But that cannot be done unless the information with respect to the data the information with respect to the processes are crystal clear in front of someone. So this is something which works as a really good practice even in the situation where someone might have inadvertently faced such kind of a data breach. And would have to at that point of time take a decision to let go of a certain part of the data but still knowing that they will have to come back to business. Additionally it is a good practice to have a cyber security insurance at this point of time. This sort of an insurance is becoming extremely prevalent as well as extremely accessible. Now key things which comes up if a company or an organization faces a data breach they would in some situations be required to get themselves audited by a third party. There are certain organizations which become which are proficient in such kind of an auditing to come up and say if there were an initial or say an existential issue with the system itself which has led to such kind of a data breach. But in any case having such kind of an insurance works best because there are chances of even if there are damages which might not be required to be paid. There could be but in that kind of a situation having a protection through an insurance definitely works really best. The last bit of it is when facing such kind of a data breach after we have notified after we have figured out how to rectify brought back to business and we have been able to recover some bit of it from the insurance. It becomes pertinent to look into the contract. 
More often than not today and especially in the IT/ITES sectors. Most of the IT/ITES providers essentially go ahead and provide a representation that their system is not vulnerable to external party threats and therefore they warrant that there will not be such kind of a threat which will affect the system. Now such kind of representation and warranty needs to be done it should be provided using caveats because like I mentioned that it is at this point of time absolutely improbable to estimate when such kind of a data breach could happen and how that data breach could happen. So therefore having such kind of a caveats in the contract is important. Now in case such kind of a caveat has not been built in you are essentially looking at a breach of the contract at that point of time. So having such kind of some similar kind of some kind of protection in the form of and having a determined liquidated damages in some of the cases or in some of the cases having a mechanism or a resolution mechanism of bringing it back for your customer works best. So it is good to remember that while we are designing our contracts today for the customer let's build in such kind of a clause and let's build in such kind of a contractual provision to protect us when such kind of a data breach happens knowing that it is almost possible that during the lifetime of the contract this might happen. So now we talked about a situation where such kind of a data breach could have happened. So now again a small recap we started from a data map we created a data register we talked about the consent mechanism how the consent should come then we talked about how the DPIA should be done in order to when to protect in order to create the product. Then we talked about even after doing all of this if a data breach happens what to do. Then additionally we need to talk about some of the external facing documents and the internal facing documents. 
The external facing documents that we are talking about here are privacy policies, terms and conditions and cookie policy. Now these three have become bare minimum a normal for any of the companies to start speaking with their customers. And it is fairly at this point of time visible that the trustworthiness of a company I as a user would find it really difficult to trust a company which does not go ahead and showcase its terms and conditions privacy policy and cookie policy. The reason being that it means that they have not put in their thought in order to protect my privacy. So essentially for a company these are necessary required documents which are external facing but then that's not enough. There have to be internal facing documents as well. Internal facing documents like the first thing that comes to my mind is having a data retention register. So we talked about a data register. We talked about a data map which essentially tracks all the data or the personal information which comes in within the organization. Now we are talking about how long with that personal information will be stored within the organization. This is something where there are two parts how it is needed to be broken. Part one is it something where by law there has to be certain retention of the data which has to be done. Example, if we go to go to a bank and share our information the bank is mandated to store the data even if we have stopped taking services from the bank. The bank is mandated to retain the data for 10 years after the purpose of that particular data sharing has been completed. But in some other cases where it is not regulated it is pertinent for the organization to create their own data retention register stating to the extent the timeline to the extent to which the data will be retained within the organization. And keeping in mind that this data retention register has to be duly being followed. It is not sufficient to create a data retention register. 
Say that the data will be retained for say X number of days after the person has actually opted out of the service. But after that time period has crossed to actually go ahead and delete the data. Now it works really well with respect to the cost that is involved in storing the data. Because if you think about it, storing the data in today's cloud driven world, the large amount of data that you push to the cloud you are essentially spending money in order to push that kind of data. It is pertinent that if you keep on circulating reducing the amount of data that you keep on sending to the cloud basis your data retention register it works well. It's a cost benefit for the organization. Now after the data retention register what comes to my mind is having a business continuity plan or a disaster recovery plan which could also be a mechanism to figure out what happens if a situation like a data breach happens. If a situation where there is no other way to pursue other than stopping the business there and there but you do not really want to stop the business there. So essentially that is another bit where the organizations will have to take care of having a business continuity plan or a disaster recovery plan. The last bit that comes to my mind with respect to protection of the privacy all of these designs are meant thinking about the privacy of the user who have entrusted the data with the organization. And taking back the listeners to the initial thought that I had about the rights of the user who has given the data. Number one is they should have access to the information. Second is they should be able to correct or erase their information. The third is they should have a grievance redressal mechanism. And third and the fourth is they should be able to nominate someone in their absence to handle the data or at least recover the data. So all the systems and structures that we talked about is with respect to protecting the data. But how do they access the data? 
So there has to be a mechanism. There has to be two mechanisms. What is called as data subject or data principal access requests. So there has to be a system of accepting the request from the users about what is the data that is being stored at the organization. Giving a complete details of how the data is being utilized, whether it is being processed in a similar manner in a manner in which it was envisaged when the consent was taken. And if there have been any kind of changes. So in that kind of a situation, the user themselves should be able to go ahead and push that kind of a change with it. So they are given complete control of it. The second bit is that when the requirement of such kind of a data has been exhausted, there has to be a mechanism of deletion of that particular data. So there has to be a mechanism of data deletion which can be processed by the organization. So these are two things which are important to give the right to privacy to the users from an organization perspective. Then the last two pieces we talked about the DPO. We talked about the data protection officer being required to be appointed in some of the cases, but are good to have in for most of the companies. So in that kind of a situation, the data protection officer should be empowered to take decisions without influence from the other departments which are actually processing the data to make sure that the privacy of the users are essentially taken care of. They are protected. So to give a round up, this is what are the required activities which have to be taken in order to protect the privacy of the individuals by an organization. Now there is one another small bit that I would want to touch upon. Each of these organizations are also likely to work with other organizations. I kept on talking about a cloud service provider. So a cloud service provider is essentially a third party, is a vendor for the organization. 
So that cloud service provider, how do they go ahead and manage the data on your behalf, on the organization's behalf, becomes extremely important. Extremely important for the reason that any kind of a mistake, any kind of a situation which arises because of their lacuna, is going to create legal liability on the organization itself. So now how to protect oneself? The mechanism of protecting oneself comes from what is called as an agreement, and which is generally being called as a data processing agreement. So this is an extremely required, necessary sort of an agreement which should be entered into when a company goes on to select and goes on to work with a vendor. And specifically when the company knows that the vendor is going to process data on behalf of the company. So in that kind of a situation, a data processing agreement is absolutely necessary. I want to speak about something which is a very GDPR-ish concept, which is the transfer of data outside of Europe, just to bring in a similar kind of a thing from an Indian perspective. The Indian DPDP Act essentially does not talk about data localization, unless there are some specific countries which will be notified where the data cannot be transferred. So it has a negative connotation, which we still have to wait and watch and see how the government of India essentially comes up with such kind of a rule, where it goes on to say which are the countries where this kind of data cannot be transferred. But otherwise data localization has not found its place within the Indian Act. But Europe has got a requirement of processing the data within Europe. So essentially this is pertinent. Why do we speak about it? A lot of Indian companies essentially today go on to make their products which essentially sell in Europe. So when they sell in Europe and they have a significant amount of processing happening in Europe, they also need to look into this. They also need to follow these procedures over there.
So when they are essentially processing the data in Europe, but then they figure out the cost of processing the data within Europe is very high. Or they are processing the data across the globe. They are processing the data in Europe. They are basically taking data from Europe. They are taking data from US. They are taking data from Africa, Middle East, India, so on and so forth. And they want to have a centralized data processing. So in that kind of a situation GDPR requires to do what is called as a transfer impact assessment. And there are four mechanisms through which GDPR today allows for the transfer of the data. Mechanism number one is there are certain countries which have been whitelisted, where GDPR, the EU authorities, the GDPB considers these countries to have equivalent protection with respect to privacy as it is in Europe. The second mechanism is what is called as binding corporate rules. So essentially companies can design their rules and submit in front of the European Data Protection Board, so to go on to say that yes, basis these rules we are going to transfer the data. It's an extremely lengthy as well as a costly process, basis my experience, to have such kind of binding corporate rules getting accepted with the European Data Protection Board. The third is having standard contractual clauses. So there are these template clauses which have been provided by the European Union, which two parties, one in Europe and the other not in Europe, have to enter into, of course depending on some of the conditions. Of course this is not the first fallback option which can be utilized. And the last is to transfer to a country which has got privacy shield protection with respect to the data that is being transferred from Europe. But all in all, for transferring such kind of a data outside of Europe, there is a transfer impact assessment which has to be done, which has to be taken care of.
So from an Indian perspective, I would assume that once the government comes up and talks about the blacklisted countries to which the data cannot be transferred, there will be a practice which has to be brought in by the organizations, if they inadvertently have to go ahead and transfer the data there, to undertake what is called as a transfer impact assessment. So to bring this to a conclusion, looking at this whole practice from the point of view of the user is absolutely necessary. Understanding what are the rights, what are the privileges which have been provided, which have been afforded by the Constitution of India, by the laws which are there in India, is absolutely important. And similarly, similar kind of protection which has been given by laws of the other countries is important. And then bringing in the measures to receive the consent, to have a data map, a data register, to conduct DPIAs, to have the security protocols in place to protect the data, not to utilize the data for a time longer than what it is required for the purpose of giving the service. Giving these kind of provisions in the hand of the user so that they can access, they can request for deletion, and then the data actually gets deleted when such kind of thing has happened. And in case there is a data breach which has happened, then going ahead and notifying the authorities, the regulators, and then notifying the subject from whom the data has been collected. And then additionally working out the contracts with the vendors, the DPAs that we talked about, and then additionally doing a transfer impact assessment if the data is transferred outside the country, are the practices that we talk about in order to protect the privacy of the users within an organization. Thank you very much, that's all that I had for today.
So you took us to a journey, and I'm quite sure that on this channel, since we have taken very few topics in respect of data privacy etc., though it is a need of the hour. I'm quite seeing on the YouTube that a lot of people have actually liked it. I'll just check it out as to whether there is any question about the way you have spoken it out. So this route it was quite an engaging session and I'm quite sure that people would like it and love it the way you have taken things forward. We will stay connected and take more sessions forward. Yeah, one question is there. This is by Amadas. How to see our data is protected?

I would maybe try to rephrase the question. So from the point of view of, say, a user. If there is a user, how can you check whether your data is protected, is someone listening to you, is something which is essentially what you are trying to understand. So like I told you, the organizations are supposed to go ahead and have a designated person within their organization to listen to you, to listen to a user, and say that yes, your data is something which is with me, it is something which is with respect to how I am going to protect that kind of, I'm protecting the data, I'm processing the data, so on and so forth. And the proof of the pudding is to send them an access request: ask them what is the kind of data that you have, what you are holding with yourself. What are you doing with that kind of data. And in case, you know, I mean, we end up seeing a lot of emails coming to us where we might have accessed a website long back. And then we haven't gone ahead and accessed such kind of a website or a service in a long while. But we keep on getting emails, we keep on getting information from them. So why don't you go ahead and ask them that, you know, why do I need to get such kind of an email, such kind of an information continuously.
And this is what we talked about as the data subject access request and data subject deletion request. If they are serious about protecting your data, they are supposed to answer you. But if they are not, in that kind of a situation you will not find any kind of an answer. What this new DPDP Act brings to the fore is being able to put such kind of situations, where an organization has not paid heed to such kind of a request from a data subject, and be made responsible and be made liable. And there have been penalties which have been designed, of course, to speak about some of the penalties which have been designed here. So there is a penalty which has been designed of up to INR 250 crores in case a data fiduciary, which is the organization that we are talking about, hasn't taken reasonable security safeguards to prevent personal data breach. In case they don't comply with the rules, they have penalties going from somewhere around INR 10,000 to going up to INR 200 crores with respect to when they fail to give the notification to the Data Protection Board, when they do not comply with the requirements of processing personal data of children, so on and so forth. So what I would like to stress upon is the first step for us to know whether the data is protected is to ask.

Thank you. Yeah, the last question is: tell us about dark web.

Well, dark web is a fascinating concept to understand. The simplest way to understand dark web is that we have a portion of the internet which is accessible by the likes of Google, which goes ahead and accesses the parts of the internet where they can actually pull up the data from and they can actually showcase as part of the results, and that's a big part of the internet. Okay, but then there is a much larger part of the internet that we are talking about which is not listed, which is not really accessible by the likes of Google, by the likes of Bing, by the likes of these kind of search engines.
Colloquially such part of the internet is called dark web. A simple example: think of it like if you work in an organization, law firm, anywhere, there would be an internal system, right, and there would be tons of data within that internal system itself. Now that internal system, I cannot go to Google and search that, hey, for a law firm A and B or say for a company and B, what was the discussion between two people. Right, so this kind of a space is something which is not accessible. Now, how did it go on to get this name dark web is that there are these spaces within this kind of hidden part of the internet where people have unfortunately taken to illegal, immoral activities. And this kind of things I do not really want to speak about in this forum. This is not really the forum for it. And I do not really want to even speak about how to access dark web, because this is again something which is not suitable for this forum. But understand this, that there are two things which essentially happen in the place which is not accessible, which is not open to the public, which is not accessible to us generally. One part of it is a lot of illegal, immoral, unethical kind of activities, including selling off such kind of a data. And of course the other part is, like I told, information with respect to, say, within an organization, which is not listed, which cannot really be accessed through, say, a Google search or a Bing search. I hope I answered your question.

In anticipation only, and there's a comment that thanks for sharing your knowledge. And thank you for sharing your knowledge. And tomorrow we discuss a very simple but a deeper meaning of the difference between a guarantee and indemnity. That is by S. Mokant, who has done various sessions with us and who's also a resource person for a lot of traditional pre preparing students, so do stay connected with us tomorrow at 6pm. Thank you everyone, stay safe.