Newsletter

2024
DATA PRIVACY

BDO IT CONSULTING
IT GOVERNANCE & CONSULTING
Contents
Data Privacy
Newsletter

20
24

Navigating the Uncover the intricacies of the dynamic relationship between Artificial Intelligence
intersection of AI and and Data Protection in our featured articles. Explore the benefits, challenges
Data Protection and tips when using AI.

Interview with the Gain exclusive insights into the emerging challenges surrounding AI inclusion
Data Protection in various industries. Discover how robust the Data Protection framework is
Commissioner in Mauritius amidst the surging trends in AI. Learn from the Commissioner’s
perspective on ensuring privacy in the face of technological advancements.

Compliance Stay ahead of the curve with our comprehensive regulatory landscape updates.
Alerts Navigate the ever-evolving world of data privacy regulations and compliance
requirements, ensuring your organisation stays informed and prepared.

Industry Dive into the latest developments in the data privacy arena. From groundbreaking
advancements to noteworthy trends, our Industry News section keeps you
News
informed about the pulse of the data protection landscape.

Spotlight on Keep yourself updated about the latest penalties and stay informed about the
Fines, and consequences of non-compliance. Our spotlight section provides opportunities
Upcoming Events for professional development and at the same time to have an insight on the
noteworthy events organised by BDO IT Consulting Ltd, in the data privacy
sphere.
Navigating the intersection of AI and Data Protection Lawfulness,

Newsletter
Data Privacy
fairness, and
transparency
In the ever-evolving landscape of technology, artificial intelligence (AI) stands out as AI algorithms lack
a transformative force, promising efficiency gains, innovation, and improved decision- 1 transparency, making it 20
24
difficult or impossible for
making across industries. As we embrace the advantages of AI, it becomes imperative businesses to
to carefully navigate its intersection with data protection, ensuring that the benefits understand how
don’t compromise individual privacy. This article explores the relationship between AI they make
and data protection, shedding light on both the benefits and challenges that arise. decisions.

Benefits of using AI
The use of AI offers numerous advantages, ranging from automating repetitive tasks to Purpose
providing essential insights that inform critical decisions. AI technology has demonstrated limitation
its value across different sectors, including healthcare, finance, and manufacturing, with The collection of
significant progress being made as detailed below. This progress shows that AI has the personal data may
2 evolve with the
potential to create a positive impact on society. development of self-
learning AI, as such the
purpose initially
defined may change
Healthcare Transportation E-Commerce over time.

Real Estate Travel Banking

Data
minimisation

Navigating the intersection of AI and Data Protection

Organisations should only
collect the minimum amount of
Challenges and Considerations data required for their day-to-day
operations to comply with the
As we embrace the integration of AI technology, we must recognise the challenges that MDPA. However, AI algorithms
come with it, particularly in the realm of data protection. Significant concerns include 3 typically require as much data as
biased algorithms, unauthorised access to sensitive information, and the potential erosion possible for learning. Businesses
of personal privacy. Striking a balance between innovation and safeguarding individual should always make sure that
preventive measures are taken
data is crucial to ensure responsible deployment of AI technologies. In addition, the against the risk of data
following three fundamental privacy principles of data accuracy, protection, and control leakage when handling
are challenged: such enormous volumes
of data.
Regulatory Landscape
Data Privacy
Newsletter

In response to the challenges posed by AI, countries around confusion. The U.S. takes a similar approach, with various federal
the world are diligently drafting regulatory frameworks to agencies developing sector-specific principles. A December
20
24 ensure the safety, security, and trustworthiness of AI systems. 2023 presidential directive detailing artificial intelligence (AI)
Key players, including leading technology firms, governments, safeguards was signed by US President Joe Biden.
and policymakers, are advocating for a standardised global
framework to guide the responsible development of advanced As the EU emerges as a global standard-bearer for AI regulation,
AI systems. The European Union (EU) stands at the forefront, firms’ readiness to comply, backed by a well-defined AI
finalising regulations set to be enforced by 2025, adopting workbench, becomes pivotal. The industry awaits collaborative
a centralised, broad, and prescriptive risk-based approach. efforts among policymakers, technology firms, and stakeholders
In contrast, the U.K embraces a decentralised model, relying to establish standardised global AI regulations, a call echoed by
on existing regulators for sector-specific regulations to avoid G7 leaders for responsible technology use.
Navigating the intersection of AI and Data Protection

Practical Data Protection Tips for AI Development

Developers and organisations engaged in AI projects should prioritise data protection as both a legal requirement and a moral imperative.
Here are practical tips, including the crucial concept of Privacy by Design:

Apply robust
Privacy by Maintain proper data governance Obtain explicit Anonymisation
Design data hygiene practices consent from techniques
Clearly communicate AI should be individuals before Conduct regular
how data is being developed by collecting and using privacy assessments
1 processed, ensuring
transparency about
3 developers using
representative,
5 their data for AI
purposes. Clearly
7 and audits to
identify and address
the purposes and equitable, and explain the scope potential risks and
Integrate privacy methods employed Data should only accurate data Put into practice and implications of Implement robust vulnerabilities in AI
considerations by AI systems. be gathered in the sets. strong data data usage. anonymisation systems.
into the entire forms required to governance methods to protect
AI development build the AI, and procedures, the identities of
process, from
conception to
2 it should only be
preserved for as 4 such as lifecycle
management,
6 individuals in datasets
used for AI training
8
deployment. Make long as is required to data mapping, and and testing.
privacy an essential Transparency achieve the goal and Make use classification.
component of the and keep it safe. User Regular
of quality Consent audits
initial design rather explainability data sets
than an add-on.
Newsletter
Data Privacy
20
24

Conclusion
The intersection of AI and data protection
is a rapidly evolving space that demands
decisive action and proactive measures.
As we pursue innovation with AI, we
must prioritise privacy and ensure that
it remains a top concern. By adopting
best practices, staying up-to-date with
regulatory developments, and fostering a
collaborative approach, we can confidently
navigate this intersection, establishing a
future where AI and data protection coexist
seamlessly for the benefit of all.
In conversation with
Data Privacy
Newsletter

20
Drudeisha Madhub
24
Data Protection Commissioner at
Data Protection Office Mauritius

Question 1
Describe how the Data Protection Office (DPO) drove operational change by educating organizations
in Mauritius about data protection laws. What are the initiatives undertaken by the DPO to influence the
understanding and implementation of a Data Protection Framework?
Mauritius data privacy framework has been recognized by UN as a leading example in the region. The Privacy Symposium of Africa
hosted by this office in November 2023 showcased the success of the data privacy framework Mauritius has implemented so far.
Master Classes at the PSA were delivered to participants with a deeper understanding of the latest developments and best practices in
the field of privacy and data protection. They were led by experienced privacy professionals and experts, and provided participants with
hands-on training and practical knowledge on a range of privacy-related topics. The Privacy Scorecard Report provided an overview of
the privacy and data protection regimes in Uganda, Kenya, and Mauritius. The panel discussions were an important part of the event, as
they provided a platform for participants to engage in thoughtful and insightful discussions on the latest developments and challenges
in the field of privacy and data protection.
The office undertakes a panoply of compliance and enforcement activities to ensure an effective application of the DPA as can be
demonstrated by some statistics below:
Appeals against decisions
Registration of Registration of Registration Investigation findings of Data Protection
controllers processors revenue (2022) Complaints delivered Commissioner

19,071 1013 Rs 2,736,500 450 73 7 (5 upheld)

Cases won at the Authorisations Notifications Data Impact Request for
Supreme Court of for data for personal Assessment data protection Certification
Mauritius transfer data breaches analysed certificate Awarded

2 345 150 19 6 1 private

company
Regular interventions are made by the Data Protection A self-learning training toolkit has been produced and is

Newsletter
Data Privacy
Commissioner (DPC) in press interviews, conferences, available on our website. The toolkit explains the basics of the
seminars and international online meetings Data Protection Act 2017.
The office participates in numerous international privacy The office has trained around 250 data protection officers 20
24
networks such as Association Francophone des Autorités de through in-house training.
Protection des Données Personnelles (AFAPDP), Réseau This office has published 19 guides on data protection which are
Africain des Autorités de Protection des Données available on our website.
Personnelles (RAPDP), Global Privacy Enforcement Network
(GPEN), Common Thread Network (CTN), Global Privacy Around 400 requests for legal advice are addressed each year
Assembly (GPA), Council of Europe and the United Nations, to assist controllers and processors in the implementation of the
amongst others DPA.
The Data Protection Office has implemented a new system, The Data Protection Commissioner has launched a networking
e-DPO, which is an Integrated System that enables Controllers forum of data protection officers to promote knowledge sharing,
and Processors to do their registration online on the website collaboration and cooperation, learning opportunities and
of the Data Protection Office. The e-service is available 24/7 professional development.
and provides for:
• Online registration and renewal of controllers and
processors with e-payment facility,
• Online search of registered controllers and processors
• Online lodging of complaints and submission of forms
(personal data breach notification form, data protection
impact assessment form, transfer of data form,
certification form and compliance audit form).
In conversation with (Contin’d)
Data Privacy
Newsletter

20
Drudeisha Madhub
24
Data Protection Commissioner at
Data Protection Office Mauritius

Question 2
What are your views on the emerging challenges and inclusion of Artificial Intelligence in different industries?
How robust is the Data Protection framework in Mauritius, in respect of the surging trends on Artificial
Intelligence?
Emerging digital technologies and services including Artificial Additionally, adopting a risk-based approach to AI is of paramount
Intelligence (AI) creates an unprecedented promise to the world importance. Robust data security measures and the use of
with limitless benefits in terms of enhanced efficiency, accuracy pseudonymisation and anonymisation techniques should be
and timeliness. advocated to prevent personal data from being easily linked to
However, AI presents significant challenges and concerns in the specific individuals. Since AI systems process huge amounts
realm of privacy and data protection. of data, they are often the target of cyber threats. Therefore,
deploying the necessary organisational and technical measures
AI is not just about technology but delves into fundamental and will prevent data control from falling into the wrong hands. Regular
interdisciplinary human rights and freedoms. Not only does AI audits and assessments are also necessary to identify and
force us to better understand its impact on human rights and mitigate data privacy and security issues. Privacy design should
fundamental freedoms, but it also entails in-depth reflection on be embedded at the heart of technology development.
who is responsible for its harmful consequences.
The essence of all technological developments, including AI,
The foundational principles of any AI system should rely on should be based on user consent and control. Users should have
transparency, fairness and accountability. This will ensure that the right to understand and control how their data is used in AI
processing operations are not opaque to individuals and that they systems. This perspective strengthens the idea that individuals
are informed of the identity of the AI institutions
​​ processing their should be active participants in the data-driven AI ecosystem. The
data as well as how their data is used, decisions that are made caution line in this environment is: “If it is not you who control the
on this basis and the logic behind those decisions to prevent any parameters of your data, then it’s someone else controlling you!”
unfair bias against them. AI institutions must ensure the good
provenance of data and ensure the quality and relevance of the The rapid development of AI has transformed the current business
data entered into the algorithms. landscape. Businesses leverage AI solutions for a variety of
purposes, including automating customer service, improving Special categories of personal data (section 29)

Newsletter
Data Privacy
business intelligence, and facilitating strategic decision-making. Security of processing (section 31)
While AI has the potential to drive innovation by automating many
digital tasks, it is also seen as a potential threat that requires Data protection impact assessment (section 34)
20
regulation. Right of access (section 37) 24
The European Union introduced a groundbreaking initiative by the Rectification, erasure or restriction of processing (section 39)
formulation of the EU AI Act and paved the way for comprehensive
Right to object (section 40)
AI regulation. It is the first legislation of its kind in the world, which
regulates the use of AI in Europe, respects the values and rules, Setting up the right data governance, legal and ethical framework is
and harnesses the potential of AI for industry. The gist of the AI crucial to contain the risks associated with AI. This requires a multi-
Act is a classification system that determines the level of risk an faceted approach to AI, including robust data governance, privacy-
AI technology could pose to the health and safety or fundamental preserving AI techniques, responsible AI development practices,
rights of a person. The framework incorporates four risk tiers: transparency in AI decision-making, and adherence to relevant
unacceptable, high, limited and minimal. legal and ethical frameworks. AI organisations and policymakers
need to collaborate to strike a balance between harnessing the
Our Mauritius Data Protection Act 2017 (DPA) caters for strong and
potential of AI and safeguarding individuals’ rights and interests
robust principles applicable in the AI sphere, covering amongst
regarding their data.
others:
Principles relating to processing of personal data (section 21)
Automated individual decision making (section 38)
Duties of controller (section 22)
Collection of personal data (section 23)
Notification of personal data breach (section 25)
Duty to destroy personal data (section 27)
Lawful processing (section 28)
Compliance Alerts
Data Privacy
Newsletter

20 (Regulatory landscape)
24

Introduction
The importance of privacy laws has increased significantly in today’s globalized world, where data flows across borders. With more than
120 jurisdictions having data privacy laws and continuous evolution in data protection legislation worldwide, businesses that operate
online and internationally must anticipate significant changes in the requirements they need to comply with.

In 2023, there were major changes to data privacy laws and regulations around the world. We highlight some of these changes in the
diagram below. If your business operates on a global scale, it is essential to stay informed about potential changes and adjust your
practices accordingly to avoid penalties.

Country Year Major Changes

Jamaica November 30, The Data Protection Act (DPA) in Jamaica, introduced in December 2021,
Data Protection Act (DPA) 2023 mandates organisations to obtain consent from individuals, ensure data
access, implement security measures, report data breaches, and conduct
Data Protection Impact Assessments before processing sensitive or high-
risk data.

Switzerland September 1, The FADP is a stringent data protection law based on GDPR, requiring
Federal Act on Data Protection (FADP) 2023 organisations to obtain consent, provide access to personal data, and
report breaches within 72 hours. It also mandates the appointment of a
Data Protection Officer for high-risk data processing or large amounts of
sensitive data.
Country Year Major Changes

Newsletter
Data Privacy
United States
20
24
The Virginia Consumer January 1, 2023 By the end of 2023, America has passed new data compliance laws,
Data Protection Act (VCDPA) including the Virginia Consumer Data Protection Act, Colorado Privacy
The Colorado Privacy Act Act, and Utah Consumer Privacy Act. These laws provide individuals with
July 1, 2023
(CPA) new rights over their personal data, including access, correction, deletion,
and opt-out of targeted advertising.
The Utah Consumer Privacy Act December 31,
(UCPA) 2023

Singapore July 18, 2023 Singapore’s Personal Data Protection Commission (PDPC) has issued
Personal Data Protection Act advisory guidelines for AI use, focusing on transparency, fairness, and
accountability. These guidelines aim to ensure organisations remain
compliant with PDPA when using AI/ML technologies, while not being
legally binding.

India November 30, India’s data protection law mandates consent from individuals before
The Digital Personal Data 2023 processing sensitive personal data and establishes a Data Protection
Protection Act (DPDP) Authority to enforce the law, imposing penalties on violators.

South Korea September 15, The law passed in 2022, underwent amendments in March 2023, requiring
The South Korean Personal 2023 explicit consent for processing sensitive personal data, providing portable
Information Protection Act (PIPA) data copies, notifying individuals of automated decision-making, and
reporting data breaches to the Personal Information Protection Commission
(PIPC) within 72 hours.

Australia November 30, The Australian Privacy Act of 1998 has been updated to include expanded
Privacy Amendment Act 2023 scope for offshore entities collecting or disclosing personal information,
increased penalties for serious breaches, updated consent obligations,
reasonable steps for de-identified information, and DPIAs for high-risk
data processing activities.
Data Privacy
Newsletter

Country Year Major Changes

20 EU-U.S. July 11, The EU and US have agreed on the EU-U.S. Data Privacy Framework,
24 Data Privacy Framework 2023 ensuring data protection in international data transfers. The framework
consists of seven core principles: notice, choice, accountability, security,
data integrity, access, and recourse mechanisms. It requires data subjects
to have access to their data and consent for processing.

California September 15, The California Age-Appropriate Design Code Act, passed in 2022, applies
Age-Appropriate Design Code Act 2022, to take to products and services geared towards children, those accessed by a
(CAADCA) effect July 1, significant number, those with common children’s interests, and those with
2024 similar features.

Indonesia October 17, The Indonesian Personal Data Protection Law (PDPL) was passed in 2022
Indonesian Personal Data 2022 and will take effect in 2024. Similar to the EU GDPR, it sets data processing
Protection Law (PDPL) standards, grants data subjects’ rights, and imposes penalties on non-
compliant entities. Key requirements include obtaining consent, providing
privacy notices, responding to data subject requests, conducting data
protection assessments, notifying authorities, complying with overseas
data transfer standards, and appointing a Data Protection Officer.
Industry News

Newsletter
Data Privacy
20
24
Introduction
This section examines some of the significant occurrences and news events that have moulded the data protection landscape and
impacted the course of procedures and policies.

5 years of the GDPR Facebook fined a record €1.2 billion

The General Data Protection Regulation (GDPR) Meta Ireland was fined the highest GDPR fine ever
celebrated its fifth anniversary on May 25, 2023. It is by the Irish Data Protection Commission on May 22,
one of the world’s strictest privacy laws, establishing 2023. The penalties, the fourth of the year, prompted
a uniform framework for data flow across the EU’s tech giants to comply with data protection laws. Meta
digital single market. The Federal Data Protection plans to appeal and has not yet paid the fine. They
Act (BDSG) in Germany and the Organic Law on Data were mandated to stop using Standard Contractual
Protection (LOPD) in Spain have also been updated to Clauses by October 12, 2023. On September 7, 2023,
align with GDPR. Many of the recently enacted laws Meta released an update announcing that they will be
in Switzerland and South Korea are similar to those in using the new EU-US DPF for data transfers.
the GDPR.

The AI Safety Summit The UK-US ‘data-bridge’

The AI Safety Summit in Bletchley Park, UK, resulted in The UK-US “data-bridge” was approved on September
the Bletchley Declaration, a first-of-its-kind agreement 21, 2023, allowing UK-based companies to send
between 28 countries, including the US, China, and personal data to US organisations without additional
EU, addressing AI risks, bias, and privacy. However, security measures. However, it has been criticised for
opponents argue for a lack of specifics and practical privacy erosion and increased US surveillance.
suggestions for a strong regulatory framework.
DSIT published AI Skills for Business 3rd party cookies in Chrome
Data Privacy
Newsletter

Competency Framework to be disabled

The Department of Science, Innovation, and Starting in the first quarter of 2024, Google intends
20 Technology’s (DSIT) Office for Artificial Intelligence to gradually remove third-party cookies from its
24 released the AI Skills for Business Competency Chrome browser. This is a component of the larger
Framework in November 2023, aiming to guide Privacy Sandbox project, which aims to limit cross-site
workers in understanding AI upskilling needs and tracking while maintaining the ability to maintain open
creating relevant training programs for businesses. access to online content and services.

Be in the Loop
Spotlight on biggest data breaches and fines

In 2023, the landscape of digital security experienced a tumultuous trend marked by a significant focus on cyber incidents. Particularly
alarming was the emphasis on the sheer magnitude of data breaches, revealing an unprecedented scale of unauthorised access to vast
volumes of personal data.
The depicted diagram provides insights into the most significant data breaches within the context of data protection cases. A shared
element across all these incidents is the non-compliance with the provisions of the GDPR. Specifically, these breaches underscore:

Deficiencies in safeguarding children’s rights

A demand for increased transparency
A need for clear and unambiguous consent mechanisms
Newsletter
Data Privacy
DarkBeam META Platforms
3.8 billion Ireland Ltd.
records leaked (EUR 1.2 billion)
20
Data leaks involving login 1. Transferring EU user data 24
pairs containing an email to the US without adequate
or username and an safeguards
associated password 2. Processing children’s
data without valid
parental consent

TIKTOK (EUR
345 million) Data TikTok (GBP
12.7 million)
1. Public-by-default settings; Protection 1. Unsecured access for
potentially exposing children’s
data to a wider audience
Cases: underage users

2. Ineffective “Family Biggest data 2. Lax data collection

and use
Pairing” feature
breaches 3. Inadequate

of 2023
3. Inadequate data security
transparency for
child users

Criteo (EUR TIM SpA

40 million) (EUR 7.6million)
Italian
This case underscores the telecommunications giant
crucial need for: 1. Inadequate security
1. Clear and unambiguous measures
consent mechanisms 2. Lack of data breach
2. Increased transparency notifications
3. Empowering 3. Insufficient
user control transparency
Events and Webinars
Data Privacy
Newsletter

20
24 BDO IT Consulting Ltd organised two successful compliance days covering topics on AML and Data Protection, along with a well-
received breakfast session on Data Protection. These events provided valuable learning opportunities for professionals, fostering a
platform for networking and knowledge exchange.

Business Breakfast at Le Suffren Hotel

15 March 2023
Compliance Conference at The Ravenala Attitude Hotel

Newsletter
Data Privacy
31 May 2023
20
24
Automation and Al Horizons: Unveiling Future Business Success in Mauritius at The Ravenala Attitude Hotel
Data Privacy
Newsletter

31 October 2023
20
24
Upcoming Workshop

Newsletter
Data Privacy
Click here to register

The Half-Day Workshop on Navigating Privacy in the Era of AI, which will be hosted by BDO IT Consulting Ltd on March 1, 2024, aims to delve 20
into the complexities of privacy in the era of artificial intelligence (AI). Attendees will have the opportunity to gain valuable insights into the 24
challenges and opportunities presented by AI and its impact on privacy, including discussions on privacy by design and data protection audits.
By learning from leading professionals in the field, participants can stay ahead in the ever-evolving landscape of technology and privacy.

Navigating Data Protection

Workshop
BDO IT CONSULTING

P R I VinAtheCEraYof
IT GOVERNANCE & CONSULTING

Friday, 1st March 2024 9am - 3pm

Hennessy Park Hotel, Ebene
Rs 9,000/p
For more information:
Essar Building, 10 Frère Felix De Valois St, Port Louis 260 58 35/47
bdoitc_training@[Link]
For more information, contact us:

Sylvie Greco Deepshi Hujoory

Partner Manager
T: +230 260 5889 T: +230 260 5839
M: +230 5497 9578 M: +230 5964 0469
E: [Link]@[Link] E: [Link]@[Link]

Get in touch
with us!
Essar Building, 10 Frère Felix
De Valois St, Port Louis
+230 260 78 00
[Link]@[Link]

BDO IT Consulting