In today’s extended digital world, individual and organisational boundaries are becoming virtual, blurring the distinction between the internal and the external.
Sensitive and personal data moves across the web encompassing multiple geographies and third parties. This has resulted in newer concerns around risk and compliances to privacy requirements for personal and organisational information.
Examples of such sensitive data include customer or individual private information, financial data and intellectual property information.
Often, organisations do not have a good understanding of the movement, proliferation and evolution of their data.
Privacy perspective
While most of the data is being created by individuals, the responsibility of managing it resides with organisations in most cases. Personally identifiable information or PII is any information relating to an identified or identifiable living individual.
While processing such information, individuals and entities must take privacy issues into account. Data processing activities include collecting, receiving, holding, examining, altering, transferring, archiving and destroying of information. This is regardless of what media this data is stored on, or what channels it flows through. This includes face-to-face conversations, telephone, fax, postal mail, e-mail, web, etc.
Privacy and data protection requirements vary from organisation to organisation and country to country. As sensitive data is transferred across boundaries, these requirements follow the data, creating a patchwork of compliance and legal requirements that businesses are required to meet. With time, such requirements only seem to be increasing given the higher awareness of privacy concerns among individuals and the Government.
Currently, privacy-related regulations exist in several countries (see table).
For India, key privacy requirements stem from IT Act 2000 (amended in 2008) through Section 43-A (compensation for failure to protect data) and Section 72-A (punishment for disclosure of information in breach of lawful contract). Further, a set of rules relating to Sensitive Personal Information and Reasonable Security Practices (mentioned in section 43A of the amended Act) was released in April 2011. These rules require an organisation to have a data privacy programme along with information security programmes.
Examples of activities where non-compliance led to enforcement actions, lawsuits, or monetary fines:
Failure to comply with the organisation’s privacy and incident management policies
Misrepresenting the purpose for collecting personal data
Failure to disclose the means used to collect data
Disclosing, sharing, or selling personal data to third parties contrary to privacy policy
Export of personal data not in compliance with privacy laws of the originating country
Misrepresenting the security protection of personal data
Organisations that do not adequately manage the risk of compliance with laws and regulations may face a series of setbacks.
These include brand damage, loss of shareholder value, fines, confiscation of the “means to commit the offense” (databases), criminal penalties, private lawsuits, loss of confidence with data protection authorities, joint and several liability for supplier failures, and stoppages and delays imposed by regulatory bodies.
The benefits of implementing a well-defined privacy framework far outweigh the cost of such implementation. Typically, such a framework should cover areas such as a documented privacy policy, standards and procedures, and a privacy organisation and governance structure.
It also includes PII and classification, risk assessment, privacy incident and breach management, privacy awareness and training, conformance with regulatory requirements, communication to individuals, along with key areas such as access control, inquiry, complaint, dispute resolution and recourse, periodic audits of privacy programme, and ongoing monitoring.
(The author is Director, Deloitte Touche Tohmatsu India Private Limited)