
We have seen extraordinary challenges in the year 2020—not only in terms of the global pandemic but also concerning the increase in data breaches and penalties—a direct fall-out of not complying with data protection regulations.

The pandemic of data breaches was as far-reaching and devastating for businesses as it was non-discriminatory. No business was spared. Teleconferencing platform Zoom, which shot up the popularity charts during the pandemic, was targeted by hackers, as were giants such as Twitter and Marriott.

At the same time, data protection authorities across the globe are pressing organizations to implement security controls to protect personal data and to comply with other data privacy requirements.

A few examples are as follows:

  • British Airways and Marriott Inc. were fined £20 million and £18.4 million respectively by the Information Commissioner’s Office in the UK for failing to keep their customers’ data secure.
  • Multinational clothing retailer H&M was fined €35.3 million by the German data protection authority for unlawful employee-monitoring practices.
  • Lifespan Health System in the USA agreed to pay a HIPAA penalty worth $1.04 million for a data breach.

India is not far behind in terms of data breaches. The new year started with news that data from Juspay, the payment partner of Amazon and Swiggy, was available on the dark web. Even more recently, the revised privacy policy and terms of service of WhatsApp have become the most read and debated content in recent history. This has thrown the spotlight on the ‘consent’ and ‘data sharing’ practices of organizations.

What we have yet to catch up with are effective data protection laws in India. Under section 43A in the current Information Technology Act, the body corporate is liable to pay damages for negligence in maintaining reasonable security to protect sensitive personal data or information.

Reporting of data breaches and penalties is not currently India’s forte. However, this may change once the upcoming Personal Data Protection Bill is passed and enforced by the parliament. It introduces several obligations for the organizations as well as heavy penalties: up to Rs 15 crore or 4 percent of their global turnover if found violating norms.

This bill will also bring certain other challenges to businesses in India, such as localization of critical personal data. The bill permits the transfer of personal data outside India, but the sub-category of sensitive personal data will have to be mirrored in the country—that is, a copy will have to be maintained in India. Organizations will, however, be barred from transferring critical personal data (a category that the government can notify at a subsequent stage) outside the country.

In short, organizations catering to clients in India as well as other countries will have to tackle various data protection challenges including:

  • Increasing cyber-attacks
  • Stringent data protection regulations across the globe
  • Remote working in a regulated environment such as HIPAA or PCI-DSS
  • The need for a single set of policies & procedures to comply with various regulations

The future is not as bleak as it sounds though. Every problem comes with a solution and in this case, the solution may lie in a robust privacy framework that can give us tools to tackle these challenges.

DSCI (Data Security Council of India) Privacy Framework (DPF©) is one such framework that comes with a layered data privacy approach. Three layers elaborated in this framework are as follows:

  • Layer 1: Privacy Strategy and Processes:
    1. This is the layer that helps in establishing the strategic elements for privacy.
    2. It covers 5 practice areas: Visibility over Personal Information (VPI), Privacy Organization & Relations (POR), Privacy Policy & Processes (PPP), Regulatory Compliance Intelligence (RCI), and Privacy Contract Management (PCM).

  • Layer 2: Information Usage, Access, Monitoring & Training:
    1. This layer ensures that an adequate level of awareness exists in an organization. Measures are deployed to limit information usage and access, to monitor privacy, and to manage incidents that compromise data privacy.
    2. Practice areas in this layer include Information Usage & Access (IUA), Privacy Monitoring & Incident Management (MIM), and Privacy Awareness & Training (PAT).

  • Layer 3: Personal Information Security:
    1. This layer derives strength from an organization’s security initiatives and demands a focus on data security.

The DPF© provides various checklists and industry best practices to implement practice areas in each layer.

Other frameworks in the market:

  • ISO/IEC 27701:2019 provides a Privacy Information Management System (PIMS) framework for managing privacy – especially the GDPR requirements.
  • ISO/IEC 27018:2019 is another framework that provides a code of practice for protecting personal data in the cloud environment.
  • ENISA (European Union Agency for Cybersecurity) is working on an emerging EU framework for the ICT certification of products and services.


How is DSCI Privacy Framework different?

What is unique about the DSCI Privacy Framework is that it does not restrict itself to a management system, a specific technology environment, or a specific regulation. It is intended to provide an approach and detailed guidance that will help establish a mature privacy function.

“How To’s” of key requirements in India’s upcoming Personal Data Protection Bill, such as ‘Maintenance of records’, ‘Consent’, ‘Data protection officer’, ‘Data protection impact assessment’, ‘Privacy in design’, and ‘Data breach reporting’, are addressed in detail in the DPF©.

Also, importantly, while the DPF© methodology provides the right pathways to deal with data privacy challenges, organizations have the option to get certified by DSCI against this framework or to obtain a Privacy Seal for their products/services. This certification or seal will enable organizations to demonstrate their compliance with the legal requirements of a particular geography, giving them an edge in their business endeavors.

In the coming months, it will be our attempt to, through a series of articles, de-mystify these layers to help tackle data privacy challenges.


By Sucheta V. Upendra

Senior Vice President – Information Security & Risk Advisory

Email - Sucheta.Upendra@riskpro.in