In today’s extended digital world, individual and organisational boundaries are becoming virtual, blurring the distinction between the internal and the external.

Sensitive and personal data moves across the web, encompassing multiple geographies and third parties. This has resulted in newer concerns around risk and compliance with privacy requirements for personal and organisational information.

Examples of such sensitive data include customer or individual private information, financial data and intellectual property information.

Often, organisations do not have a good understanding of the movement, proliferation and evolution of their data.

Privacy perspective

While most of the data is being created by individuals, the responsibility of managing it resides with organisations in most cases. Personally identifiable information, or PII, is any information relating to an identified or identifiable living individual.

While processing such information, individuals and entities must take privacy issues into account. Data processing activities include collecting, receiving, holding, examining, altering, transferring, archiving and destroying of information. This is regardless of what media this data is stored on, or what channels it flows through. This includes face-to-face conversations, telephone, fax, postal mail, e-mail, web, etc.

Privacy and data protection requirements vary from organisation to organisation and country to country. As sensitive data is transferred across boundaries, these requirements follow the data, creating a patchwork of compliance and legal requirements that businesses are required to meet. With time, such requirements only seem to be increasing given the higher awareness of privacy concerns among individuals and the Government.

Currently, privacy-related regulations exist in several countries (see table).

For India, key privacy requirements stem from IT Act 2000 (amended in 2008) through Section 43-A (compensation for failure to protect data) and Section 72-A (punishment for disclosure of information in breach of lawful contract). Further, a set of rules relating to Sensitive Personal Information and Reasonable Security Practices (mentioned in section 43A of the amended Act) was released in April 2011. These rules require an organisation to have a data privacy programme along with information security programmes.

Examples of activities where non-compliance led to enforcement actions, lawsuits, or monetary fines:

Failure to comply with the organisation’s privacy and incident management policies

Misrepresenting the purpose for collecting personal data

Failure to disclose the means used to collect data

Disclosing, sharing, or selling personal data to third parties contrary to privacy policy

Export of personal data not in compliance with privacy laws of the originating country

Misrepresenting the security protection of personal data

Organisations that do not adequately manage the risk of non-compliance with laws and regulations may face a series of setbacks.

These include brand damage, loss of shareholder value, fines, confiscation of the “means to commit the offense” (databases), criminal penalties, private lawsuits, loss of confidence with data protection authorities, joint and several liability for supplier failures, and stoppages and delays imposed by regulatory bodies.

The benefits of implementing a well-defined privacy framework far outweigh the cost of such implementation. Typically, such a framework should cover areas such as a documented privacy policy, standards and procedures, and a privacy organisation and governance structure.

It also includes PII identification and classification, risk assessment, privacy incident and breach management, privacy awareness and training, conformance with regulatory requirements, and communication to individuals, along with key areas such as access control; inquiry, complaint, dispute resolution and recourse; periodic audits of the privacy programme; and ongoing monitoring.

(The author is Director, Deloitte Touche Tohmatsu India Private Limited)