
Digital transformation, which involves harnessing the potential of new technologies to enhance operational processes and products, demands a fundamental shift in how we approach and manage data. This becomes particularly pressing as IT evolves from on-premises infrastructure to hybrid, private, and public cloud environments and services. In a data-driven world, information security and data privacy are a huge responsibility.
BUT WHO SHOULD BE HELD ACCOUNTABLE OR RESPONSIBLE FOR PROTECTING THIS DATA?
• Is it the CEO or Owner of the organization?
• Or is it the Chief Information Security Officer (CISO) or perhaps the CIO?
• Is it the cloud provider then (AWS, Microsoft or Google)?
• Is it the software developer?
• Or the Data Protection Officer?
• Or the legal department?
• Last but not least, is it the consumer, since it is mostly their data that we are talking about?
The answer is: Data privacy is a responsibility that is shared with everyone, both inside and outside of an organization.
Period!
A shared responsibility between organizations and individuals for data security is thus becoming crucial to this shift. Protecting personal information requires active involvement from both ends.
Traditionally, the responsibility for security was placed on the shoulders of the CIOs and CISOs alone, but this is no longer a viable approach. Organizations now have a larger attack surface due to the rise of remote work, cloud computing, and mobile devices, making them more susceptible to cyber threats. Additionally, organizations can no longer rely on a universal security solution due to the evolving nature of cyber threats. Instead, they must take an approach that includes every organization member.
There are several reasons why security should be a shared responsibility. First, no single person or team possesses all the knowledge and expertise needed to defend an organization against every cyber threat. Second, security is everyone's responsibility; each individual within an organization plays a part in safeguarding its assets. Lastly, by distributing the responsibility for security, organizations can foster a security culture that is more resilient to attacks.
Cyber threats and attacks have become more sophisticated and frequent, and security has become a critical concern for every organization. While businesses must secure systems through encryption, regulations, and employee training, users must adopt safe habits like strong passwords and avoiding phishing scams. Many data breaches result from human error, not just technical flaws, highlighting why privacy cannot rely on one side alone.
An AI and ML-driven approach can help protect against AI based privacy breaches
DR HARSHA THENNARASU
CHIEF IT & CYBER SECURITY ADVISOR, HKIT SECURITY SOLUTIONS
“Privacy legislation is the major threat for any business today, as there are huge penalties and legal consequences directly or indirectly involved. Hence classification of data into critical and non-critical categories along with Personally Identifiable Information is most essential and then securing them with strong encryptions along with MFA-Multi Factor Authentication processes.
PREVENTING COMMON HUMAN ERRORS
Re-structuring the entire organization by “Security by Design” and “Security by Culture” would mitigate maximum security threats and attacks, followed by regular cyber security training with case studies. In most organizations, they have set cyber security training cycles annually, which is not going to help anymore as there are emerging daily-basis threats and attacks using AI and ML. How can organizations mitigate human errors even after state-of-the-art cyber technologies are being deployed? The training should be applicable from MD to entry-level employees.
SHARED RESPONSIBILITY IN DATA PRIVACY
The shared responsibilities are the biggest threat for any organization. To overcome these challenges, by adhering to strict legal agreements and controls, one can put more pressure and make third parties more vigilant on other processors and sub processors, and of course sub controllers too. The need of the hour is for more technology driven systems and solutions in the next five years. More AI and ML driven approaches can help to defend from AI based privacy compromises and sophisticated attacks.”
Compliance with privacy regulations proves essential to avoid legal liabilities
DR. HAROLD D'COSTA
PRESIDENT - CYBER SECURITY CORPORATION
“Ensuring compliance with key privacy regulations is essential to protect sensitive data and avoid legal liabilities. The Digital Personal Data Protection Act (DPDPA), 2023, is the cornerstone regulation governing data privacy in India. It mandates strict rules on data collection, processing, and storage, with a strong emphasis on obtaining explicit user consent. For businesses handling financial data, compliance with Reserve Bank of India (RBI) guidelines is critical. Regulations such as RBI’s Data Localization Mandate require financial institutions and payment processors to store customer data within India. Additionally, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) outline obligations for protecting sensitive personal data, including implementing security measures and ensuring data confidentiality.
In the healthcare sector, organizations must adhere to the Clinical Establishments Act and Health Data Management Policy under the National Digital Health Mission (NDHM), which mandate strict data protection protocols for health records. Additionally, businesses managing payment data must comply with PCI DSS standards to ensure secure handling of cardholder information.
MAINTAINING USER PRIVACY
For maintaining user privacy, companies should adopt a privacy-by-design framework, ensuring data protection is integrated into every stage of data collection and processing. By embedding these best practices, companies can responsibly collect and utilize data while maintaining compliance with Indian privacy laws and strengthening customer trust.”
Cybersecurity must take a proactive approach with AI-powered risk mitigation
RITESH BHATIA
DIRECTOR, V4WEB CYBERSECURITY
“If data breaches are happening due to human errors, organizations have failed to implement even basic security controls. Security should be built into systems, not dependent on user behavior. Administrators must enforce strict security policies, disabling password storage in browsers, implementing MFA, and using password managers. Blaming users is an outdated approach; instead, organizations should ensure phishing-resistant authentication, endpoint security, and automated threat detection. Cybersecurity must be proactive, not reactive, with continuous monitoring and AI-driven risk mitigation.
BALANCING USER PRIVACY WHILE COLLECTING DATA
Data minimization should be the foundation of any data strategy. Companies should only collect what is absolutely necessary and use privacy-preserving techniques such as data masking, anonymization, and synthetic data. For example, to analyze product sales trends, organizations don’t need users’ names, dates of birth, or genders. Privacy-enhancing technologies (PETs) like differential privacy can enable insights without exposing individual data. Organizations must move away from invasive data collection and prioritize ethical, transparent, and secure data handling practices.
FUTURE OF SHARED RESPONSIBILITY IN DATA PRIVACY
Data privacy requires a holistic shift in mindset—from users who share data to organizations that collect, process, and protect it. In India, where trust and open information-sharing are cultural norms, this transition will take time. As cyber threats rise, businesses must embed privacy into every process, ensure transparency, and empower users with control over their data.”
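An added illustration of the sales-trend example above (not code from the article or from anyone quoted in it): constructed orders are stripped to the fields a trend report needs, the e-mail is replaced by a keyed HMAC token, and per-product buyer counts are released with Laplace noise. The field names, catalogue, demo key, contribution cap and epsilon value are assumptions made for this example.

```python
import hashlib
import hmac
import random
from collections import defaultdict

# Constructed sample orders; every name and value here is invented.
RAW_ORDERS = [
    {"name": "Asha Rao", "dob": "1990-04-12", "gender": "F",
     "email": "asha@example.com", "product": "router", "qty": 2},
    {"name": "Asha Rao", "dob": "1990-04-12", "gender": "F",
     "email": "asha@example.com", "product": "switch", "qty": 1},
    {"name": "Vikram Shah", "dob": "1985-11-02", "gender": "M",
     "email": "vikram@example.com", "product": "router", "qty": 1},
    {"name": "Meera Iyer", "dob": "1978-07-23", "gender": "F",
     "email": "meera@example.com", "product": "firewall", "qty": 3},
]
CATALOGUE = ("firewall", "router", "switch")  # assumed public product list
MAX_PRODUCTS = 2  # each customer may influence at most this many counts


def minimize(order, key):
    """Drop name, DOB and gender; replace the e-mail with a keyed token."""
    token = hmac.new(key, order["email"].lower().encode(), hashlib.sha256)
    return {"customer": token.hexdigest()[:16],
            "product": order["product"], "qty": order["qty"]}


def buyers_per_product(rows):
    """Distinct buyers per product, capping each customer's contribution."""
    seen = defaultdict(set)  # customer token -> products already counted
    counts = dict.fromkeys(CATALOGUE, 0)
    for row in rows:
        products = seen[row["customer"]]
        if row["product"] in products or row["product"] not in counts:
            continue
        if len(products) < MAX_PRODUCTS:
            products.add(row["product"])
            counts[row["product"]] += 1
    return counts


def dp_release(counts, epsilon, rng):
    """Add Laplace(MAX_PRODUCTS / epsilon) noise to every catalogue count."""
    scale = MAX_PRODUCTS / epsilon  # L1 sensitivity divided by epsilon
    # The difference of two Exp(1/scale) draws is Laplace(0, scale).
    return {p: c + rng.expovariate(1 / scale) - rng.expovariate(1 / scale)
            for p, c in counts.items()}


if __name__ == "__main__":
    key = b"constructed-demo-key"  # placeholder; keep real keys in a KMS
    rows = [minimize(o, key) for o in RAW_ORDERS]
    # SystemRandom draws from the OS CSPRNG rather than a seedable PRNG.
    print(dp_release(buyers_per_product(rows), epsilon=1.0,
                     rng=random.SystemRandom()))
```

The keyed token is pseudonymization, not anonymization: anyone holding the key can re-link tokens to e-mail addresses, so the key needs the same protection as the raw data.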
Privacy will be more than compliance and will be the foundation of trust
RAVI MUNDRA
VICE PRESIDENT & CO-OWNER FOR PRODUCT DEVELOPMENT (CYBER), TECHNOCRACY PRIVATE LIMITED
“Cybersecurity awareness must be an ongoing, integrated process embedded into an organization’s culture rather than a one-time initiative. As cyber threats evolve, human error remains the weakest link, often leading to phishing attacks, data breaches, and insider threats. To cultivate a truly cyber-resilient workforce, organizations must adopt a multi-layered approach combining education, technology, and proactive security strategies.
PRIORITIZING PRIVACY REGULATIONS
In today’s evolving cybersecurity landscape, organizations must prioritize stringent privacy regulations to safeguard data and maintain compliance. I firmly believe in adhering to the key global frameworks -
• GDPR enforces strict data handling, user consent, and the right to be forgotten.
• India’s DPDP Act mandates data localization, consent management, and accountability.
• CCPA enhances consumer data rights and transparency.
• ISO 27001 & NIST establish best practices for risk management and security governance.
A strategic compliance approach involves Privacy by Design, AI-driven automated compliance, dedicated DPO governance, and robust data audits. Organizations that integrate privacy regulations with cybersecurity strategies will foster trust, enhance legal compliance, and strengthen data protection in an increasingly regulated digital environment.”
Collective effort between organizations, regulators, and individuals to shape a privacy-conscious ecosystem
NEELESH KRIPALANI
CTO, CLOVER INFOTECH
“Organizations must prioritize continuous user education through regular cybersecurity awareness training, phishing simulations, and clear policies on data handling. Encouraging a security-first mindset, implementing multi-factor authentication (MFA), and using real-world case studies can help employees and users recognize threats. In addition, organizations should have active internal red teams that simulate cyberattacks to identify vulnerabilities.
MINDFUL OF USER PRIVACY
Companies must ensure transparency by clearly informing users about what data is being collected and how it will be used. Providing granular consent options empowers users to control their data-sharing preferences. Additionally, businesses should adopt a ‘data minimization’ approach—collecting only the data necessary for improving services and ensuring it is securely stored and used ethically.
GROWING CRITICALITY OF SHARED RESPONSIBILITY
The concept of shared responsibility in data privacy will become even more critical as cyber threats evolve and data regulations tighten. Companies will need to invest in stronger security frameworks, AI-driven threat detection, and user education, while users must stay vigilant about their own digital hygiene. Over the next five years, collaboration between organizations, regulators, and individuals will shape a more secure and privacy-conscious digital ecosystem.”
A proactive, multi-layered approach to alleviate human errors
JAYDEEP SINGH
GENERAL MANAGER FOR INDIA REGION, KASPERSKY
“Organizations must adopt a proactive, multi-layered approach to cybersecurity education to mitigate human errors that often lead to data breaches and other forms of consequences. As cyber threats, including phishing attacks, grow more sophisticated, empowering employees with the right knowledge and tools is essential. In 2024, Kaspersky blocked nearly 900 million phishing attempts worldwide, a 26% increase compared to 2023. In India alone, Kaspersky intercepted almost 200,000 financial phishing attacks targeting businesses, leveraging fake banking websites and payment systems.
BALANCING DATA PRIVACY WITH DATA COLLECTION
Kaspersky addresses this balance through a framework emphasizing transparency, user consent, data minimization, anonymization, and robust security measures.
1. Transparency and User Consent - Users should be well-informed about data collection practices by providing detailed information on the types of data collected and their intended use.
2. Data Minimization and Purpose Limitation - Only data necessary for specific, legitimate purposes is collected, aligning with privacy best practices and reducing potential risks.
3. Data Anonymization and Pseudonymization - To protect user identities, Kaspersky implements techniques such as anonymization and pseudonymization, ensuring personal data cannot be attributed to specific individuals without additional information.
4. Robust Security Measures - Advanced security protocols, including encryption, are employed to protect data from unauthorized access, breaches, or leaks, thereby maintaining user trust.”
Blockchain technology to play a key role in advancing data privacy
ALANKAR SAXENA
CO-FOUNDER & CTO, MUDREX
“Organizations need a proactive approach to cybersecurity education. Regular training, phishing simulations, and gamified learning can improve awareness. Clear policies on password security and multi-factor authentication should be reinforced. A security-first culture led by leadership ensures employees take responsibility for data protection. AI-driven threat detection tools can also help by spotting suspicious activities early, reducing reliance on human vigilance.
STRIKING A BALANCE BETWEEN DATA PRIVACY AND DATA COLLECTION
Companies must approach this by implementing anonymization, differential privacy, and data minimization. Clear communication about what’s collected and why builds trust. Opt-in features give users control while still allowing valuable insights. Decentralized storage adds security. The key is ethical, consent-driven data practices that improve services without compromising privacy.
A MOVE TO STRENGTHEN COMPLIANCE FRAMEWORKS
Governments across the globe will continue tightening data privacy regulations, compelling businesses to strengthen compliance frameworks to mitigate risks of fines and reputational harm. Companies that prioritize data privacy will stand out, as consumers increasingly seek privacy-focused services. Furthermore, Blockchain technology is set to play a key role in advancing data privacy, leveraging its decentralized and secure architecture.”
Compliance with the applicable norms and regulations necessary to ensure data privacy
PARTHA PROTIM MONDAL
CIO, BERGER PAINTS INDIA
“Ensuring data privacy and compliance with relevant regulations involves implementing a combination of technical, administrative, and procedural measures. We at Berger Paints have taken a few measures to ensure that we have strengthened our security posture and are compliant with the applicable norms and regulations -
• Periodic Audits and Compliance Checks: Conducting regular audits and compliance checks by independent entities to ensure we are fully compliant with applicable norms & governance.
• Empowering Workforce: Providing specially curated training to our employees regularly on various modern-age security threats and their preventive measures, various aspects of data privacy & data security, industry best practices to remain vigilant and safe - professionally and personally, and the importance of compliance and security measures and many other topics to empower our colleagues with adequate knowledge.
• Implement ‘Best-In’ Class Security Technologies: We have implemented a modernized SIEM (System Information and Event Management System) platform which uses the latest AI & ML technology to proactively warn us of any potential threats in our threat landscape, the Zero Trust framework vouches for the secure internet and cloud facing applications and ensures safe data transmission through P2P channels.
• Preventive Layers of Threat Management: Firewalls, Proxies, segregation of network (militarized | demilitarized zone, VLANs etc.) and other network security controls can act as preventive layers in threat management. Advanced security measures - Multifactor authentication, UEBA (User and Entity Behaviour Analysis) can put an additional layer of security in the preventive threat management layer which can further be strengthened using DevSecOps, Native AI in network encryption and effective patch management.
• Access Controls: Implemented robust identity and access management (IAM) systems to ensure that only authorized personnel can access sensitive data.”
Focus should extend beyond compliance and towards enhancing real-time protection
PRINCE JOSEPH
GROUP CHIEF INFORMATION OFFICER, SFO TECHNOLOGIES PVT. LTD. (NEST GROUP)
“There has been enormous progress made in addressing evolving threats, but despite that gaps evolve. Even organizations that comply with audits and regulations often experience breaches due to vulnerabilities in attack surfaces. We ensure compliance with strict regulations through continuous audits, data encryption, and multi-layered access control. Periodic VAPT and red teaming exercises are conducted to uncover vulnerabilities. However, the focus extends beyond compliance—toward meaningful actions that enhance real-time protection and adapt to threats in hybrid and cloud environments.
AI/ML TOOLS TO ENHANCE CYBERSECURITY DEFENSES
AI/ML technologies are pivotal in detecting and neutralizing threats faster than traditional methods. These tools analyze vast datasets for anomalies, predict vulnerabilities, and strengthen threat intelligence. For example, machine learning algorithms monitor user behaviors and flag suspicious activities, while AI enhances automation in threat response. However, we recognize that AI/ML solutions must evolve in tandem with attackers' sophistication, necessitating constant updates and human oversight for maximum efficacy.”