Data Privacy, arguably, has not been an area of primary attention for several Indian enterprises. This is clear from the number of unsolicited phone calls and text messages you receive from bank, credit card, telecom, insurance and other such companies, about some new “offer” or “deal”. The calls and messages arrive at your phone, even if you have absolutely no association with these companies. You are left wondering how the sales agents have access to your personally identifiable information, including name and contact numbers, without your knowledge and consent.
Data Privacy – A Global Outlook
Many countries have already implemented specific data protection regulations that require organizations to safeguard sensitive and personally identifiable information of citizens that they collect, store and process. In fact, the scope of some of these laws extends well beyond data privacy, to include provisions for data minimization, data residency, clear definition and articulation of purpose for gathering/storing data, seeking explicit consent from citizens when gathering data, and special measures for safeguarding data of children.
Data Privacy in India – Winds of change
Data privacy in India began to get prominence after 2017, when the Supreme Court ruled that privacy is a fundamental right. A regulation focused on citizen data protection is in the works in India. A draft of the bill for the proposed “Personal Data Protection Act, 2018” has been published in the public domain. This bill is expected to be tabled in Parliament for debate, in 2019. The draft bill proposes citizens’ financial, health, biometric, and genetic information and official identifiers as some sensitive data categories.
Key Measures for Indian Enterprises
Recognizing that it is only a matter of time before India gets a formal data protection law, Indian organizations can proactively start implementing basic data privacy practices. Some key data privacy measures are described below. These should not be seen as exhaustive, but as some basic steps that Indian companies might have to implement, when they embark on their data privacy compliance program.
· Data Privacy Governing Body: Enterprises could institutionalize data privacy as a formal program under the aegis of a dedicated governing body. This body could be cross-functional, with representation from units such as legal, marketing, IT operations and business, and headed by a Chief Privacy Officer reporting to the CEO/CIO. The Data Privacy Governing Body could be entrusted with the responsibility of defining, planning, executing and monitoring the enterprise’s overall data privacy program.
· Sensitive Data Attribute Discovery: Before ‘How’ comes ‘What’ and ‘Where’. Enterprises must determine the type of business information that must be protected. The upcoming data protection law is likely to identify broader categories of sensitive and personally identifiable information (e.g., health, citizens’ unique identifiers, personal data such as address etc.). Enterprises must then figure out the data stores, and data fields within those data stores, where such categories of sensitive information are housed. Importantly, sensitive data attribute discovery is not a one-time activity, because IT systems keep evolving, and new data stores and data fields may get added to the business application. A software-driven approach to sensitive data attribute discovery can substantially reduce the effort needed for this.
· Privacy-Safe Data Provisioning: If there is a business need to share data either internally or externally, it must be done with a clearly defined recipient, and for a clearly defined purpose and duration. Nothing more than what is required should be shared. Enterprises can explore the option of masking data, prior to sharing, to reduce the risk of a privacy breach.
· Privacy-Safe Data Access: Data privacy can be further strengthened by creating role-based access to information. This is especially pertinent for IT operations, in which support personnel often end up “seeing” a lot more information than is required. This approach can even benefit in-house organization functions such as HR and Administration, where personnel should be given access to only the employee information that is required to execute their defined responsibilities.
· Data Privacy Metrics and Reporting: A Data Privacy Governing Body would need instruments such as progress reports, visualization and metrics to monitor the effectiveness of a data privacy program. The Chief Privacy Officer, for example, might wish to know the completeness of a data masking activity through a score, the extent of data privacy compliance across business units through charts and reporting, and variation of key parameters over time through trend analysis.
Data Privacy – A Business Must Have
Hefty penalties for non-compliance are the proverbial ‘stick’ that will initially drive companies to ensure data privacy. However, as awareness of data privacy increases among customers and they become willing to switch loyalties to service providers with higher data-privacy maturity, data privacy measures will become a business differentiator. Thus, while data privacy measures might typically begin as an exercise in compliance, these soon would become a business need.
What are your thoughts about initial data privacy measures that Indian organizations could start taking?