VAR Panchayat
Strengthening Data Protection
2017-04-13
Globally there are strong regulations in place to ensure consumer’s data is protected and safe from breaches whereas data protection legislation in India is still evolving
A strong drive has been initiated by the Government of India towards making it a global manufacturing hub through the “Make in India” programme. It also has a powerful vision of transforming the country into a digitally-empowered society and knowledge economy through its “Digital India” programme. While India is throttling towards “Digitization”, there are several impediments at hand that can slow down India’s “Digital Transformation”.
A few such impediments include the lack of awareness and sensitivity towards data privacy, data protection, data destruction and the lack of a well-defined legal infrastructure to protect individuals and enterprises from data breaches. While there are organizations such as DSCI which attempt to make cyber space secure and trusted, there is perhaps little penetration of its efforts in educating citizens about their right to privacy. Citizens and enterprises lack awareness of the data lifecycle and the various points from which privacy and confidentiality can be compromised. End-of-life devices are an easy target for private and confidential information theft. The lack of awareness leads to laxity in preparedness for data breaches.
In the absence of a legal guideline or a standard policy, individuals and enterprises apply their own discretion in following policies and procedures to protect their data from breaches, which may be ineffective. While large enterprises may have deployed the most advanced technology to safeguard their business from hacks, malware infections, virus attacks and cyber-attacks, there are still cases witnessed today which involve information security compromises through end of life stage IT products and through returned leased IT assets.
BFSI, defence, healthcare IT and ITeS, government and telecom verticals amongst many others are vulnerable to such information security breaches if they use old and obsolete methods of disposing of old IT assets. There are known cases of enterprises simply formatting their devices before disposal. Such data removal methods are ineffective, unsafe and inefficient as data can be easily recovered through widely available data recovery software. If this residual data falls in the wrong hands, it could impact business continuity.
An easy fix to this seemingly innocuous problem is to use professional data erasure software before returning leased IT assets or disposing of old IT assets. These tools assure secure, complete and permanent data disposal, thereby ensuring that privacy is maintained. This is often not practised by organizations due to the absence of legal guidelines. This leads to organizations not deploying “failsafe” methods to plug such information security gaps, perhaps due to “bottom-line” considerations as professional erasure software comes at a cost.
In India, a broad legal framework exists that sets accountability in the form of the Information Technology Act, 2000, Section 43A, which states that if a body corporate possessing, dealing with or handling any sensitive personal data or information is negligent in implementing and maintaining reasonable security practices, resulting in wrongful loss or wrongful gain to any person, then such body corporate may be held liable to pay damages to the person so affected. The requirement is to have a more effective, well-defined legislative framework which provides for monitoring, protecting from, preventing and setting a defined liability in case of data security breaches.
In 2006, “The Personal Data Protection Bill” was introduced in Parliament. Built along the lines of the “European Union Data Privacy Directive”, 1996, it aimed at governing the processing, collection and distribution of personal data in private enterprises as well as in the government sectors. It even had a provision to impose penalties on offenders in case of nonconformance. Though this Bill would have served as a tailor-made solution for strengthening data protection and safeguarding people from information security breaches, it is yet to see the light of day.
While data protection legislation in India is still evolving, globally, there are strong regulations in place to ensure consumer’s data is protected and safe from breaches.
Regulations like SOX, HIPAA and GDPR exist in developed markets which provide provisions for protecting citizens’ sensitive personal information from information security breaches. General Data Protection Regulation (GDPR), for example, aims at establishing responsibility and accountability for maintaining privacy of citizens’ private data. Data protection officers have to be appointed by law and are responsible for maintaining documentation, assessing risky processing activities and implementing data protection. GDPR imposes a severe penalty of either Euro 20 million or up to 4 per cent of an organization’s global turnover (whichever is higher) in case of a data breach.
Such regulations, if implemented in India, will not only help facilitate a secure business environment but will also help strengthen citizens’ as well as an organization’s right to privacy.