So we have Ankita and Yashodra today from Frappe. They will be talking about their experiences and some challenges that they faced while Frappe was going through GDPR compliance. And yeah, over to you, Ankita and Yashodra.

Thank you so much, Anvesha. Thank you for the introduction. So, to start, we want this presentation to be an interactive one, and that is why we don't have a slide presentation: we want to make it as interactive as possible. We will actually introduce ourselves first. Yashodra, please.

Yeah. Hi everyone, I am Yashodra. I am a graduate from HLEU Raipur and I have pursued my master's in technology. Currently I am working with Frappe as a legal associate. I have with me my colleague Ankita. She is the manager of business and legal affairs at Frappe and a graduate from SLS Hyderabad. In this presentation, we'll try to be as interactive as possible and we'll cover the major challenges and the processes involved in the GDPR compliance of Frappe.

So, as a background on how we at Frappe are actually doing compliance, I just want to explain to you what business Frappe is in and why that business is actually complex for us to do GDPR compliance for. So ERPNext is open source code which is actually hosted on GitHub. And as open source code, it has various challenges put onto it in terms of GDPR compliance. And as our CEO's suggestion was always to have open source code, we wanted to contribute back to the community as much as possible. So for us, doing the GDPR compliance of our ERPNext software, in terms of providing our cloud services and hosting our ERPNext software on cloud services, became a very big challenge. So now Yashodra will help you get an understanding of how we did the first tranche of compliances in terms of GDPR, and then I'll walk you through certain other challenges which we have faced and other compliances which we have taken into consideration. Over to Yashodra.
Right, so starting with the two most important documents that one needs for GDPR compliance: the privacy policy and the cookie policy. We know that the privacy and cookie policies are the vital ingredients of data privacy compliance, and hence drafting a privacy policy that especially caters to the kind of product that you have and the kind of customer base that you have, to make it as interactive and as comprehensive as possible, is very important. While we were preparing the deliverable for the Hasgeek fellowship, we tried to list down the important considerations that we had regarding the privacy policy and the cookie policy. The first thing was legibility. We have to make sure that the privacy policy is readily accessible right on the website. It should not be very tough to actually locate where it is, and it has to list down everything in a very clear and concise manner as to what we cover, what we consider as data, what kind of data is covered, and it actually should inform the users of their user rights under the privacy policy. Then again, there are statutory obligations that we had to attend to, like the data protection officer: Article 37 specifies particular conditions as to when a DPO is definitely required, but Article 27 does necessitate that if your organization is situated in the European Union or outside of the European Economic Area, you need an EU representative, and for that we have Priter, which acts as our EU and UK representative. Again, the privacy policy also contains a brief of the GDPR principles from which the GDPR derives its credibility. And then it covers data collection and management. We have an account as to what data is collected, the details regarding it, the retention period, and the criteria used to justify such retention. Next, the cookie policy. The cookie policy also requires specific considerations as to its comprehensiveness and the manner of presentation.
We first have to identify what cookies we are actually having on the website. There are primarily four to five kinds of cookies that are common throughout, which are strictly necessary cookies, performance-based cookies, analytics cookies and marketing cookies. What is unique about our website is that we only use the strictly necessary cookies, or functional cookies, that are essential to the performance of functions that a user requests on the website for its proper functioning. We do not perform any analytics, and we do not have any marketing cookies on it. Thus, we have avoided the presence of the cookie banner on the website, and we give a detailed account to the user regarding the choices that they have to make regarding cookies. So the cookie law does not require that we list cookies one by one, but if we state the type, usage and purpose, it's good to go. Secondly, I'll come to the proper backup policy that we adopted. Now, first I'll describe what we mean by data backup. So data backup is basically the act of keeping exact copies of data at a certain point in time so that it can be recovered, or gone back to, in case of any malware corruption or any other corruption of data that we have no control over. Now, the data backup policy is a set of rules and procedures that describe a company's strategy when we make backups of data. Coming to the Frappe Cloud website, the customer is eligible to download their backups, and every backup consists of a database backup, a public files backup and a private files backup. This makes end users accountable for taking their own backups and saves time and effort for our team, or technical team, in performing recovery work. So it basically rests in the hands of the customer, and the whole authority also rests with the customer as to how and when they want to schedule their backups.
Now, the customer also has the right and the authority to trigger manual backups, which they can do by clicking on the schedule backup option provided on the website. Coming to the offsite backups: one out of every four automated backups is stored offsite, which means the files are stored on a different server than the site. This ensures that customers can access their backups even in the unfortunate event of a server downtime. So there are daily, weekly, monthly and yearly backups that we take; weekly backups are taken every Sunday, monthly backups are taken every first day of the month, and yearly backups are taken every first day of the year. So, this brings me to the very important discussion of what a data backup policy must cover. The data backup policy must cover the data that it intends to take the backup of. Ideally, it must be the backup of anything that an organization relies upon, or which it can use at the time of any unwarranted data compromise situation. So, importantly, the issue with backups arises more due to the data that is backed up and not the backup process itself. Such problems often do not catch the eye of a person who's just starting out, but they still affect the overall data health of the organization. So, thus, keeping a check on these errors can help the security mechanisms concerning data backups, and thus it is in the best interest of the organization, as has been observed by us when we were performing these compliances for Frappe. I'll come to data portability. So data portability is the act of ensuring smooth data transfers within different software applications, platforms, services and computing environments, and also outside of the organization. The right to data portability, as we all know, is enshrined under Article 20 of the GDPR, and it takes into its purview only personal data.
Thus, in our manner of ensuring the right to data portability, we have, under our privacy policy, provided users the right to data portability, and we also have a procedure in place to provide customers with their personal data in a machine-readable format. Frappe also provides cloud services to customers via Frappe Cloud, where a Frappe-hosted instance is utilized by the customer. Thus, we start acting as the data processor, and it becomes a mandate to provide the right to data portability to our customers. There are situations where customers migrate from a Frappe-hosted instance to a self-hosted instance, and in such situations Frappe provides migration support to the customers as well. Now, customers can raise data portability requests either via our EU representative or by directly mailing us at the provided email address. We try to attend to all the data subject requests within the mandated time of 72 hours. We use secure methods to transmit personal data. So Frappe anonymizes and pseudonymizes the data while transmitting the data from one server to another. Now, my colleague Ankita will walk you through the ISO 27000 compliance that we performed and also the data retention practices at Frappe. Over to you, Ankita.

Before I jump into the ISO requirements and how they help in terms of GDPR compliance, I would like to first tell you the challenges of implementing GDPR. So one of the first challenges which we faced as Frappe is that ERPNext is a very complex and data-heavy software which we are doing compliance for, because of which the compliance with GDPR becomes equally important, and it becomes equally challenging for us because we are handling heavy volumes of data and very sensitive personal data of companies. So that is the first challenge. Second, what I would like to say is that GDPR actually requires two ideas to be implemented: data security and data privacy.
So many people actually confuse these two ideas and consider them to be used interchangeably, which is not the case, because data security can be taken as a subset of data privacy, but we cannot use them interchangeably. That is the core factor which we need to take into consideration. The third thing is that the procedural alignment which we need to do in terms of GDPR compliance within a company becomes equally challenging, especially in a company like Frappe where we promote democracy and we provide transparency to all our employees. So having procedural alignment and approval processes becomes a very big challenge for us, but we don't want to hamper the democracy and transparency of our employees either. So that also needs to be taken into consideration. Fourth, I think my colleague has already mentioned the absence of an EU presence of our company, and for Indian companies basically, for the compliance of Indian companies, if you don't have any EU presence or don't have a standard physical office in the EU, then you have additional compliances which you need to do, especially in terms of data transfers outside the EU region. So when you're actually transferring the data out of the EU region, for those kinds of data which you are actually taking away from the EU region, what additional compliances are required for providing better security practices? So in Frappe what we have done is that we have provided data localization. In data localization, what we have done is that we have put different servers in different regions, so the customers can choose a region where they want their data to be stored. So for us, we actually have separate servers in different regions. So, for example, an EU customer might actually want the data to be stored in the EU region itself, so we give them the opportunity to actually keep the data in the EU.
So, in furtherance of this, if we have the PDP Bill also enacted, where there is strict data localization, if it comes into consideration, then those procedural activities can also be helpful in terms of the PDP Bill if it gets enacted. Also, as my colleague mentioned, I will walk you through the ISO certification and the data retention policies which we are following in our company. So Frappe has recently become an ISO 27001 and 9001 certified company, which is for information security practices (ISMS) and quality management systems. So we have got two certifications, and under the certification we have drafted several policies which we follow as part of the procedural policies which we have in our company. One is the access use policy. So in our company we have an infra team which has actually drafted this access use policy, and this access use policy becomes very critical for us because we have to standardize the access of each individual or employee in the company. So how are we categorizing these individuals or employees in the company, and also where we have third parties who have access to our data, having access to our system where they're implementing or developing ERPNext for our customers? So we actually have third parties also who are implementing and developing on our cloud servers. So what kind of rights should they have, and how much right of accessibility should they have? These are actually categorized under the access use policy. Once the access use policy is drafted, we also draft the risk associated with the access use policy, and what level of information security risk is associated if this access use policy is not followed. So once we actually check the information security risk which is associated with it, we map the existing controls to the risk itself, which gives us an outline of how much information security risk can be associated within the company.
And if a customer actually requires this kind of access use policy, if they wish to check what kind of access use policy we follow at the back end, we also provide the same, because as per the standard contractual clauses under GDPR, which is the recent amendment which has come in GDPR, the data processing activity should be mapped and it should actually be communicated to customers if they require so. So there has to be proper documentation of these documents, so that if in future the customers require these kinds of documents, then you can provide the same. Okay. Next is the data retention policy. As we are into cloud services as well, the data retention policy becomes very critical, because in ERP as a software we are holding various personally identifiable data and also financial data of companies, which, if it gets leaked out, might also lead to insider trading. So that cannot be taken lightly, as we might be in breach of other applicable Indian laws. So we have to have a proper data retention policy within the organization. Because of this, retention of the data will be done only for 180 days after the customer has given us a deletion request for that account, and this includes the data which is also with the sales team and the partner team. Inside the organization you also have different endpoints where the data is actually mapped and where the customer details are shared. So for every endpoint we have to have a data retention policy, where, after the customer has requested deletion of the account and removal of the backups, all this data also needs to be removed, because this is also personally identifiable data if you are storing any.
Exceptions can be made if you're using such data for tax purposes or you're retaining this data for tax purposes, but any data you're retaining without any reason you cannot retain, so you have to have legitimate reasons why you're retaining that data. Next is the log management policy. As per the ISO requirements, we also have a log management policy for our self-hosted instances which we support for our customers. For example, ERPNext gets hosted on self-hosted instances as well as Frappe-hosted instances; for the Frappe-hosted instance we have Frappe Cloud, and the self-hosted instance is on the customer's servers itself. So in those circumstances where we are giving support services to our customers, we have SSH access and then we provide the support services. So when we are having access to the self-hosted instance, we are actually acting as a data processor. But when we have complete control of the data, where we are taking the decision of how their data should be managed, that is when we are a data controller. So when you're taking decisions for the data, that's when you become a data controller, and when another party is making the decisions for their own data and you're just processing the data, then you become a data processor. But in both these circumstances, logging of these servers needs to be done. So proper log management has to be made and a procedure has to be set. This procedure actually manages the logs which we have in our system and how we have accessibility and all of that. So this is part of our log management policy. Now, the password management policy. Within the organization we have double authentication on our Frappe.io websites and also on Frappe Cloud. The double authentication also becomes important because, as I mentioned already, we are handling heavy volumes of data.
So password management, changing your passwords, and also employees' passwords and how frequently they get changed, those things are also managed under this. So, for example, an employee cannot have the same password for three or four months. So we have to change our passwords regularly, and also our login details and all of that also get tracked, and we have different partners in our organization, which are Frappe partners, who have access to our system as well. Our partners also become partner members as per the access policy, and as per the access policy they are given partner manager roles. Now, these partner managers and partner members actually have a separate password management policy for their IDs. So this password management policy is divided depending on the roles which you have under the data access policy. So these are interdependent on each other, basically. So this is kind of what we are following in ISO, as part of ISO, which is helping us in terms of GDPR compliance. So in GDPR compliance, where we are looking at GDPR, it is actually the law which is there, but what you are doing with the law and how you're interpreting the law is the most important part. Now, once you're interpreting the law, you are actually mapping out the compliances as per the company you are in or which company you're doing compliance for. And after you're mapping the compliances, then you will be able to understand what security practices you are actually looking at, or what additional policy or procedural activities you need to map within the organization. So these things become very, very important as part of GDPR.
So I'd just like to highlight another challenge that we faced, which can be attributed to the nature of Frappe: sometimes we are the data controller, and that is when we are actually determining the means and processes of how the data has to be processed, and when we are acting as data processors, that is when we act on the customer's instructions as to how we have to process the data. So that is all I wanted to highlight at the end, because this has actually been in our consideration while drafting several policy documents of the ISO procedures, as well as the data processing agreement and related GDPR compliances. So that's about it. Thank you.

That was very in depth and was a nice overview of the legal challenges that you faced in compliance. We have two questions, one from someone asking: which stakeholders or roles in the organization become sponsors and drive or fund these efforts? Any of the speakers today can take this up.

If this question can be more elaborated, maybe, or I think this question was for our earlier speakers.

Yeah, maybe. Okay. Yeah, I can talk from the Intuit perspective, right. So in Intuit, you know, we have multiple business lines and multiple groups that provide various offerings to our customers, right. But this is a cross-cutting concern, right: compliance is important, it's one of the bases for every offering that Intuit provides. So it is generally centrally funded, not by an individual business unit, but we do have a compliance office that kind of gets its budgets and then funds such initiatives, because this is a more generic capability that we provide across different business units.

Thank you. We have one more question from another attendee. He asks, are there any documents or guidelines which one can follow while implementing controls for privacy?
I think the basic guideline which has already been given to us is GDPR, but the basis for data security which you can look at is ISO; you can actually follow ISO completely because it will help you in aspects of data security. And in terms of data privacy, I think what you can look at is, once you cover data security, as I mentioned, it's just a kind of subset of data privacy. So once you achieve that, I think if you achieve the data mapping and at every endpoint you can provide good security practices, or build good security practices, then it can help you in terms of data privacy as well.