As India hurtles towards having its own data protection law this year to join the league of countries, that have already instituted and implemented their data privacy and protection legislations, there are certain points on the horizon that the Indian enterprise need to deliberate. This can essentially mean privacy strategies, resourcing, and organisational controls to be revised. So, while, global organisations have already begun their journey to amplify their privacy controls in alliance with the upcoming legislation, let us look at what is in store for the Indian businesses on the occasion of Data Privacy Day 2019:
- Boardroom discussion: With the number of data breaches on the rise, it is important to ensure the basic security hygiene for a company that is a part of the cyber space in any way or form. The discussion needs to flow from the top and the top level management need to take responsibility for possible instances of data breach that in the past have brought down companies to their knees in the blink of an eye. Evidently, these cases could have been easily avoided by maintaining a vigilant eye and evaluating possible risks in advance.
- How the regulatory framework is shaping up in the country: Apart from the Personal Data Protection Bill and the ensuing debate over data localisation, towards the end of last year The Information Technology [Intermediaries Guidelines (Amendment) Rules] 2018 were published for public consultation. The said Rules proposed changes to how intermediaries, or various online platforms are to perform under section 79 (immunity to online platforms against legal claims on the content published on them) of the IT Act. Moreover, the Ministry of Home Affairs (“MHA”) on 20th December 2018 issued an order authorizing ten (10) Security and Intelligence Agencies for the purposes of interception, monitoring and decryption of any information generated, transmitted, received or stored in any computer resource.
- Need for Data Protection Impact Assessment (DPIA) in a world run by smart devices: The tenants of the Personal Data protection Bill (once it comes into effect) would be applicable to data fiduciaries/controllers and processors not present within the country, and this could exacerbate the threat already posed by the use of Internet of Things (IoT). AS IoT gains momentum amongst the Indian organisations, Companies that process personal and/or sensitive personal data must consider conducting a DPIA to ascertain a systematic description of the operations that involve data elements and their purpose, including the proportionality and necessity in relation to the purpose. This exercise would enable an entity to assess the risks and vulnerabilities associated with privacy and security of their IoT enabled products and processes.
- Salient features of The Draft Personal Data Protection Bill, 2018: The draft bill, which is yet to be tabled in the Parliament is essentially the basis of a data protection framework that prescribes conditions for how organizations should receive, handle, and process individuals’ personal data in India. As per the said draft bill, organizations would now be required to formulate policies and implement security controls by way of design which would govern the business processes. Moreover, there would be a requirement for organizations to ensure that at least one copy of personal data is stored on a server or data Centre located in India in case of any international transfer of data. The draft bill has also enshrined various rights for the individuals such as the right to access information and right to be forgotten, thereby shifting the onus on the organizations to not only protect the data of individuals but also recognize that the true ownership of the data lies with the individuals.
- Readiness approach for the Indian enterprise: In the wake of the ever evolving nature of the privacy landscape, the Indian enterprise must start working towards gaining an understanding of the flow of data in relation to collection and processing of personal data. The said understanding of the data flow would enable organizations to include privacy as a factor during assessing the risk to their business processes and vendor on-boarding and they would be able to update their contracts and policies accordingly. Moreover, organizations would have to implement adequate security controls to protect the data flowing within and through their systems and conduct regular privacy awareness and training sessions for the employees handling personal data
- Organization and Accountability: Enabling effective implementation of the privacy strategy requires a strong and multidisciplinary privacy organizational structure. This covers the structure of the privacy organization as well as the role and position of key players, such as the Data Protection officer. This layer also covers accountability and demonstration of compliance.
By Manish Sehgal, Partner, Deloitte India