Data privacy for the future and the Indian story

Global order

A massive churn in the global supply chain, geo-political relationships, cross-border trade, data, and information processing, etc. is out there for us to witness. The speed at which we transact today aided by modern technology and advancements in telecommunication has made the world a unified marketplace.

Technology is driving businesses to do more at a lesser time. This has created an additional problem for organisations. Monitoring and managing enormous amounts of data that are being created and exchanged across multiple mediums is not easy. Piles of data sitting on the servers are waiting to get exposed to a host of cybersecurity attacks such as data breaches and ransomware incidents. Data privacy and protection have become critical, given the mountain of sensitive data out there in cyberspace.

What the statistics say

As per the market research firm, Statista, India is home to the second largest base of internet users in the world. In 2020, India had around 749 million internet users, of which 744 million were mobile users, with estimates suggesting that this figure could touch 1.5 billion by 2040, as reported by Statista. ¹

In terms of data breaches, globally a total of 108.9 million accounts were breached in the third quarter of 2022 (July-September), a 70% increase compared to the previous quarter. This roughly translates to 14 accounts getting leaked every second. India saw a total of 1.4 million accounts being leaked in this quarter ending September, which is about 1 breached Indian account for 1000 people, according to a report by the Netherlands-based cybersecurity firm, Surfshark VPN. ²

As per IBM’s most recent report, ‘Cost of a Data Breach Report 2022’, India ranked 14th globally in terms of the average cost of a data breach. In India, the average cost of a data breach grew to $2.32 million in 2022, up from $2.21 million last year.³

Beyond technology – Process, Compliance, and Legal aspects

While technology will continue to be the central focus in today’s day and age of managing information systems, data privacy and protection initiatives require a commitment from process and compliance angles as well. Data privacy and protection often used interchangeably complement each other in the framing of policies and having the necessary tools and processes in executing them for an effective outcome. A well-stitched data governance framework with processes in place for classifying data, collecting, and handling sensitive data is critical. Legal considerations also come into play when businesses deal with data across geographies. Varying legal clauses and interpretations for different markets have become a challenge for businesses operating globally. It thus becomes imperative for organisations to have legal expertise within their cyber teams to interpret and apply these provisions in the relevant jurisdictions of operations, well in advance.

Some leading practices to follow -

1. Privacy controls and data normalisation – The development of clean data and elimination of unstructured data by applying logical standardised formats will help gain deeper insights for making useful business decisions. The application of data normalisation to privacy controls will achieve data security objectives.
2. Unified privacy framework – Strategies to unlock the true potential of data start with reducing complexities in the management of data. Having a unified privacy framework across the board will help organisations negotiate through disparate data, models, and regulations across countries of presence or holding citizens’ data for managing it more effectively.
3. Controllers and Processors – Modern data protection regulations such as the EU’s GDPR (General Data Protection Regulation) lists down the obligations of data controllers and processors defining the purposes of personal/sensitive data and how it needs to be processed. This will get further regulated and stringent with monitoring/reporting responsibilities very likely to be followed by every country.
4. Need for regular assessments – Organisations need to be on continuous vigil and need to conduct the following –
   1. Data Protection impact assessment (DPIA) more from a security & cyber perspective covering technical and organisational measures
   2. Privacy Impact Assessments (PIA) – covers collection, usage, and sharing of PII/PHI/SPDI & more
   3. Transfer impact assessments (TIA) – focused more through the GDPR lens which governs transfer mechanism across borders – point of presence

India’s tryst with data protection laws

India needs inclusive data protection legislation that protects both consumers and businesses. The Personal Data Protection Bill primed to be India’s answer to the GDPR was withdrawn in August this year, because of a series of changes suggested-almost 81 in the bill containing 99 sections. India is now back to square one on protecting people’s data privacy, after years of debating privacy laws. The government has said that it will draft a new bill, a more comprehensive one plugging the gaps in the earlier version.

India’s current data privacy regime is limited to obtaining a data subject's prior consent. There is no independent data protection regulator, data subjects have limited rights, and there are almost zero histories of judicial enforcement of data privacy rights. Not just for protecting consumer rights, a comprehensive data protection law is essential for ease of doing business as well. Cross-border data flows are part of international trade and the absence of a framework can affect trade transactions. There are several regions such as the EU and APAC countries where you need to have adequate data protection laws to trade. The United Arab Emirates has also added a chapter on digital trade in India’s latest Free Trade Agreement.

India’s version of the bill ought to be one that guarantees market access while protecting users’ rights, one that strengthens domestic institutions and protects ordinary citizens’ rights. And while we wait for India to come up with the next version of the bill, it is important for organisations to set the ball rolling by investing in data protection and privacy programs and gearing themselves up with robust cybersecurity systems. You never know when the next data breach could happen.

References:

1. Mobile internet users in India 2010-2040 | Statista
2. Data breaches rise globally in Q3 of 2022 | Surfshark
3. Cost of Data Breach Report 2022 | IBM