If Pandora’s box could be opened in the 21st century, do you know what would crawl out? Data. Data has become the myth of our age, bringing with it a mystifying question: how do we deal with something so intricate and valuable yet intangible? The threads of data have become so entangled with our lives that it is often hard to tell the real from the virtual. However, the enemy you cannot see is also the one who can do the most harm. Data privacy protection has become a primary concern of individuals and organizations alike. Across the board there is recognition of how valuable data is and that it must be protected so that vital and sensitive information does not leak out, causing harm and loss to individuals or businesses.
The To-and-Fro
The elementary ideas of data are so ingrained in everyone’s mind that we sometimes forget to take its value into account, and data privacy becomes the cost we pay. Take Facebook, for example. Seemingly everyone has a Facebook account these days. People do not deliberate much before providing their full names, mobile phone numbers, email addresses, birth dates and other sensitive information to an online platform. They are less inclined to think about how this data will be used in the future by the platform and its associated organizations. Every transaction in today’s world generates data. Whether it is online shopping, using GPS to get from home to work, or simply looking something up on Google, the digitization of every interaction has made data a crucial commodity that everyone deals with. It is therefore not surprising that more and more people are becoming aware of the risks inherent in sharing data, and organizations are now tasked with creating data protection policies that are resistant to attacks of any kind.
The Dangers: Handle data with care or pay hefty compensation
No one will willingly share their credit card information with millions of strangers: the probability that the information will be misused and you will be robbed of all your money is high. The same can be said for any data collected by processors online, such as names, birth dates, addresses and a person’s location. The danger to data privacy is essentially the possibility of the data being misused. The misuse need not come from a third party such as a hacker. It can even be the processor itself that is at fault, by not having a tighter data protection policy.
US-based Heartland Payment Systems suffered a data breach in 2008 that affected its customers, and the company had to pay an estimated $145 million in compensation for fraudulent payments. The breach was a result of Heartland not complying with the Data Security Standards and failing to correct a known vulnerability in its data protection policy. Similarly, Yahoo announced in 2016 that in 2013-2014 it had suffered what came to be the biggest data breach in history, when hackers compromised the real names, email addresses, dates of birth and telephone numbers of 500 million users. Yahoo revised that estimate in October 2017 to include all of its 3 billion user accounts.
The Way Forward: Ensuring data protection in your organization
Thus, it is imperative that organizations that collect and process data adopt a data protection policy that categorically addresses every loophole through which a data breach may occur. Such a policy should not be restricted to the internal workings of the organization itself but should also extend to its customers and third-party suppliers. Every transaction should be insulated so as to protect customer data privacy. While drafting a data protection policy, the following must be kept in mind:
1. The applicable law. Data security is an international and national concern, as data is truly transnational. Therefore, organizations dealing with the collection or processing of data must keep in mind the international and national laws governing data security. Perhaps the most comprehensive of data protection laws is the General Data Protection Regulation, or GDPR, the core of the EU’s data privacy legislation. The GDPR has become the model law for data protection because of its detailed enumeration of provisions that govern organizations in the EU and organizations dealing with the data of EU citizens. The GDPR lays down a definition of personal data that includes identifiers such as the genetic, cultural, social, economic and mental aspects of an individual’s identity. All personal data should be obtained with the informed and freely given consent of individuals. The GDPR grants data subjects the right to be forgotten as well as the right to request a copy of their data from the organization collecting and processing it. It imposes certain obligations on organizations, including:
i) The appointment of Data Protection Officers is mandatory for organizations that process high volumes of personal data.
ii) The reporting of data breaches must be done within 72 hours to the supervising authority.
iii) Organizations have a mandatory obligation to map the data flow within and outside the organization and to conduct Privacy Impact Assessments, which consist of systematic monitoring of the organization’s data policy and of the impact its failings can have on the organization and its customers.
iv) It imposes tough penalties on organizations that fail to comply with its provisions: fines of up to 4% of annual worldwide turnover or 20 million euros, whichever is greater.
Other laws in other parts of the world impose similar obligations, so companies should be aware of these laws when they draft their own data protection policies to ensure compliance.
2. Establishing primary principles. The data protection policy should rest on primary principles such as giving customers notice of how their data will be collected, used, retained and disclosed. It must offer data subjects these choices and obtain their consent. Data subjects should have the right to withdraw their consent, along with the rights to access, modify, erase, restrict and object to certain uses of their information. The collection and processing of data should be for a lawful and identified purpose. These measures, if settled at the outset, resolve any confusion that may arise later.
3. Ensuring accountability. Organizations have an obligation to ensure that their IT staff, and their workforce as a whole, are aware of their responsibility to protect customers’ data privacy. This responsibility extends to third-party vendors to whom the company may have to disclose customer information. Thus, the organization must engage experienced professionals to draft its data policies and to upgrade them regularly. The workforce should also receive regular training sessions so that they can handle efficiently the systems engaged in the data protection policy.
4. Identifying vulnerabilities. Organizations must constantly be on the lookout for loopholes in their systems. Only when the system is routinely assessed can vulnerabilities be identified and addressed. This means there must be frequent check-ups of the organization’s data protection policy to assess whether it is functioning as intended.
5. Auditing. Auditing is traditionally used to check the financial health of an organization; in data protection, auditing can be used to assess whether the organization has complied with all the legal obligations imposed on it by data protection laws. Conducting audits on a regular schedule ensures that breaches are detected promptly and brings to the organization’s notice where staff might be lagging in compliance. It helps them address these issues immediately, reducing the fines that would otherwise accumulate.
6. Quick and effective response to data breaches. When a data policy turns out to be insufficient, only a good and effective response can save the day. Such a response starts with, first, identifying the data breach and, second, immediately reporting it to the internal authorities. These authorities must take appropriate steps to contain the breach and must further report it to the responsible legal authority where the law so directs. The organization also has a fiduciary responsibility to report a breach to its customers. Remediation must begin immediately to stop the breach from spreading and causing further damage to the organization’s customers, and the source of the breach must be identified and contained.
These are a few preliminary concepts that must be kept in mind when drafting a data policy to ensure complete and thorough protection of customers’ data privacy. Other categories, such as access management and monitoring and acceptable use policies, are also adopted by organizations when constructing their data protection policy. It is through continued and effective monitoring that data can be truly protected.
They say a watched pot never boils, but data and its protection are a pot that needs constant watching to stop it from boiling over.
By CA Nikhil Mahajan (Managing Partner) and Rubina Singh (Legal Associate), NSKT & Co LLP (Chartered Accountants)