BACKGROUND
Privacy as a fundamental right is recognised by all democratic countries. This right stems from the recognition of a need to uphold individual dignity in a free world. The right to privacy flows from the right to life and personal liberty guaranteed to every citizen by our Constitution. The first law in the world on privacy and data protection was enacted in Sweden in 1973. Subsequently, the European nations adopted the Data Protection Directive (95/46/EC) in 1995 on the protection of individuals with regard to the processing of personal data; it was later superseded by the General Data Protection Regulation (GDPR), adopted in April 2016 and enforceable from 25 May 2018. Similarly, in the US, the federal Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996, mandating strict protection of personally identifiable information processed by the healthcare and healthcare insurance industry. A similar law in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA), was made effective from April, 2020.
India has awakened to the fact that, in view of the fast-paced growth in every field, be it technology, trade, medical science or sport, interaction with the world has changed our eco-systems, the way we do business and the way we adopt technology. Since technology will form part of everything we do, we need to formally protect the personal information of citizens from abuse and manipulation. A new law, the Personal Data Protection Bill of 2019, is likely to be enacted soon.
In the wake of the recognition of the need to protect personal data by law, business enterprises in many Western and Far Eastern countries are looking for solutions to implement the regulations and avoid the huge penalties levied for non-compliance.
This has opened up new avenues of opportunity for professionals in India to expand into providing valuable solutions to these enterprises.
An attempt has been made here to provide broad guidelines and a roadmap to implement the regulations on personal data protection, which will help our professionals and IT service industries to provide value-added service to their customers.
WHAT DATA IS SUBJECT TO PROTECTION?
It is important to understand what ‘data’ is and which activities are subject to protection. With small variations, most of the prevailing laws define ‘Personal Data’ as ‘data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.’
Thus, information such as birth date, name, address, contact number, email address, personal image, ID card number, payment card numbers, health details, financial information, political and religious affiliation and biometric data is covered, and so is any data about the individual from which an inference can be drawn, e.g., membership of clubs or of religious, political or social groups.
After considering the scope of the privacy regulations in developed countries, it is found that in general the activities and entities to which the privacy regulations apply are as follows:
(a) the processing of personal data where such data has been collected, disclosed, shared or otherwise processed within the jurisdiction,
(b) the processing of personal data by any enterprise, company or body of persons operating within the jurisdiction,
(c) entities outside the territory of the regulations but processing personal data of citizens residing in the jurisdiction; e.g., GDPR applies to enterprises outside the European Union that collect and process data of citizens of the European Union.
DRIVERS FOR IMPLEMENTING DATA PRIVACY REGULATIONS
(A) Legal obligation: Business enterprises take the initiative to implement the regulations on protection of personal data primarily as a legal compliance requirement. A few organisations, however, have taken the decision proactively as a good governance practice.
(B) Risk arising out of data breach: Damage to reputation and unwanted publicity from incidents like a data breach is reason enough for management to take up data protection on priority. One can refer to the incidents of data theft at the Marriott group, the Target group and the SBI Card data breach, which left these companies struggling to answer the media and regulators.
(C) Governance: It is now widely accepted in the capital market that companies which have good governance practices and have implemented a data security framework are valued more than enterprises which do not have such practices. Companies with good governance practices are also less likely to be victims of data breaches.
(D) Punishment: Punitive provisions of the law are a great driver for a majority of enterprises. Under the Personal Data Protection provisions, a violation could result in a penalty of up to Rs. 5 crores or 2% of global turnover, whichever is higher. Graver violations, such as transfer of personal data outside India or processing of children’s data in violation of the provisions, may attract a penalty of Rs. 15 crores or 4% of global turnover, whichever is higher. This is in tune with the European regulation (GDPR), where the penalty is Euro 20 million or 4% of the global turnover of the enterprise.
(E) Customer: Another important driver for early implementation of personal data protection by an enterprise is the customer. Where the customer obliges (or insists on) the vendor enterprise having policies and procedures for personal data protection, the enterprise, in a move to win over the customer, resorts to quick compliance.
It has therefore become imperative, and an important agenda item for boards, to take up implementation of personal data protection as a strategy. Chartered Accountants with IT security skills are often roped into audit committee discussions on ways to comply with and implement personal data protection policies. One who has adequate knowledge and plans for implementation may add great value to governance and provide leadership in data protection.
IMPLEMENTATION ROAD MAP
1. Board level initiative
A move to implement PDP (personal data protection) should flow from the governing body. It is seen that PDP is more effectively implemented where the board drives the implementation and monitors its progress.
2. Set up framework for the PDP
The framework for PDP would include:
(a) Identification of Personal Data
Personal data qualifying for protection as per the regulations may reside in databases on owned infrastructure, or may be uploaded to a cloud environment which may be outside the territory of India but subject to control from India. A procedure needs to be defined for obtaining an inventory of database instances and identifying the personal data that falls within the definition of personal data.
(b) Governance policies and procedures
For effective implementation of compliance, policies and SOPs for acquiring, identifying, classifying and storing personal data for processing need to be defined and documented. Policies for personal data protection should be based on the following principles:
(i) Adopting organisational and business practices, processes and technical systems to anticipate, identify and prevent harm to the data principal. ‘Data principal’ means an individual whose data is processed by the data fiduciary;
(ii) A declaration that processing of personal data shall adopt commercially accepted, or certified, standards;
(iii) Processing of data should be transparent and capable of easy identification;
(iv) Protection shall be offered throughout the data life cycle, from collection, processing and storage to deletion or disposal;
(v) The policy should demonstrate that the manner of collecting, processing and disposing of personal data shall be transparent, fair and lawful.
(c) Data fiduciary and Data protection officer
Data fiduciary means any person, including the State, a company, any juristic entity or any individual who, alone or in conjunction with others, determines the purpose and means of processing of personal data; it is also known as the Data Controller.
Thus, an entity like a company, firm, association or proprietary firm which acquires the data and is responsible for protecting it is termed the data fiduciary.
A Data protection officer needs to be appointed and be responsible for
* providing information and advice to the data fiduciary on matters relating to fulfilling obligations under the regulations;
* monitoring personal data processing activities of the data fiduciary to ensure that such processing does not violate the provisions of the regulations;
* providing advice to the data fiduciary on carrying out data protection impact assessments, and carrying out their review;
* providing advice to the data fiduciary on carrying out data protection activities;
* acting as the point of contact for the data principal for the purpose of grievance redressal.
(d) Set up mechanism for data breach or incident response management
A procedure needs to be documented that defines reporting responsibility, escalation of a data breach and prompt reporting of the incident. This would also include notifying the authority about the data breach within a reasonable time.
(e) Maintenance of records
The backbone of the framework for privacy data protection is the maintenance and organisation of records or electronic data sets. As most of the information is collected, stored and processed through IT systems, how the data is organised and retrieved is of great importance. The primary objective of management should be that the format and manner in which data records are maintained demonstrate beyond doubt, in case of litigation, that due diligence was exercised in protecting the personal data.
(f) Monitoring
The framework for implementation would be incomplete without provision for supervising the efforts taken for personal data management. From the beginning, an independent authority, internal audit or supervisory in nature, should be established to see that the processes and compliances are well integrated and that exceptions are reported and corrected in time.
The Personal Data Protection implementation plan can be represented graphically as in Fig. 1, which shows the key components. These can be viewed and considered in top to bottom order.
Fig. 1, Personal Data Protection Implementation Plan
3. Identification of processes and Data sets
As a first step to comply with the provisions of privacy law it is important to identify the processes through which personal data comes into the possession of the company. There are business processes and supporting IT processes which need to be identified and documented. For example, to generate a customer inquiry about a product or service you may have an application (API) where the customer enters his / her name and email-id; or, for on-boarding a new employee, the organisation may have a process to obtain personal details like address, qualification, health details, etc. Such processes then become the focus for identification and need to be documented. A register can be prepared containing process identifier, purpose, input data, output data, geographical jurisdiction, responsibility, third party interface and so on.
Similarly, the IT processes supporting the above business processes need to be documented with relevant information like database, data sets (tables), and input and output interfaces. A register of data collected from these processes should be maintained, which would serve as the basis for demonstrating privacy law compliance. The data register can be maintained as a spreadsheet or database containing details like source, type of information (personal attributes), purpose, owner of the data, storage destination, jurisdiction, type of storage, retention period, consent obtained and whether the data is exported to other applications.
4. Communication with Data Principal
The person who owns his / her personal information is called the Data Principal and has the prime right to share his / her privacy data. Hence, communication with the data principal is of great importance. The communication procedure should also follow a structured approach and have the following features:
NOTICE
The notice to the data principal contains the company’s privacy policy and procedure description and should be communicated at or before the time the personal information is collected, or immediately on collection, or whenever the personal information is sought to be used for a new purpose (other than the purpose for which it was originally collected). The language of the notice should be unambiguous and conspicuous. It should state clearly the purpose of collecting the personal information and its intended use. The notice can be in multiple languages and should contain the identity and contact details of the data fiduciary (company) and the contact details of the data protection officer.
CONSENT
Communication with the data principal should state the choice available to the individual whether or not to share his / her personal information. The proposed bill makes it obligatory for the data fiduciary to obtain consent. The provisions state that ‘Personal data shall not be processed except on the consent given at the commencement of its processing.’ The consent should be free, informed, specific, clear and capable of being withdrawn. It should be noted that the provision of goods or services or the performance of any contract shall not be made conditional on giving consent to the processing of personal data not necessary for that purpose. The burden of proof is on the data fiduciary to prove that consent has been given by the data principal for processing personal data.
EXCEPTIONS
In the following cases, however, personal data can be processed without the consent of the data principal:
– In connection with performance of any function authorised by law for providing any benefit or service or issuance of a licence or permit to the data principal,
– In compliance with an order or judgment of a court or tribunal in India,
– As a response to a medical emergency or threat to the life of the data principal or any other person,
– To undertake any measure to provide medical treatment or health service to any individual during an outbreak of disease, epidemic or threat to public health,
– Any non-sensitive data can be processed if and when necessary for recruitment or termination of employment of the data principal by the data fiduciary,
– In connection with providing any benefit to an employee data principal,
– In connection with a reasonable purpose as prescribed by the regulations. Reasonable purpose would include whistle-blowing, network or information security, credit scoring, recovery of debt and operation of a search engine.
5. Collection
Once the purpose of collection of personal data is communicated to the data principal, the process of collection is to be standardised to satisfy two conditions: the collection should be by lawful and by fair means.
The information collected should be necessary for, and fulfil, the purpose of collection. It should be collected without intimidation and without deceptive means. The rules of collection laid down by law or by customary method must be complied with. Management needs to ensure that information gathered from third parties like intermediaries, e.g., a social media site, is also obtained by fair and lawful means.
6. Data retention and disposal
International laws provide that personal data collected should not be retained by the data fiduciary beyond the intended purpose of collection. To demonstrate that the company does not retain personal data beyond the required limit, a ‘Data Retention Policy’ should be documented. Employee data may be retained longer, for the duration of employment, but marketing data from a customer inquiry needs to be retained only up to order fulfilment. Data beyond the retention limit can be retained only if required by any other law or with the explicit consent of the data principal. Responsibility for complying with the retention policy should be assigned to the data protection officer. Options for disposal of data no longer required are anonymisation, i.e. the data is cleansed of personal identification fields, or deletion or disposal in a manner that prevents loss, theft, misuse or unauthorised access.
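As an added illustration of the data register described in section 3 and of the retention and disposal policy of this section (this is example code written for this page, not code from the article or from any regulator), the Python below keeps a small register of data sets, decides for each record on a given review date whether it must be retained, anonymised or deleted, and clears the identifying fields listed in the register when anonymising. The data set names, owners, retention periods, field names and sample records are all constructed assumptions; the legal-hold and explicit-consent branches implement the two exceptions the section names.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class RegisterEntry:
    """One row of the data register: what is held, from where, why, and for how long."""
    name: str
    source: str
    purpose: str
    owner: str
    storage: str
    jurisdiction: str
    consent_obtained: bool
    personal_attributes: tuple
    identifying_fields: tuple       # attributes cleared when a record is anonymised
    retention_days: Optional[int]   # None: no fixed period, retain while the relationship lasts
    disposal: str                   # "anonymise" or "delete" once retention ends


# Constructed register entries (assumed names, owners and periods, not from the article).
REGISTER = {
    "customer_inquiry": RegisterEntry(
        name="customer_inquiry", source="website enquiry form",
        purpose="respond to a product enquiry", owner="Sales",
        storage="CRM database", jurisdiction="India", consent_obtained=True,
        personal_attributes=("name", "email", "phone", "product", "region"),
        identifying_fields=("name", "email", "phone"),
        retention_days=180, disposal="anonymise"),
    "employee_master": RegisterEntry(
        name="employee_master", source="on-boarding form",
        purpose="employment administration", owner="HR",
        storage="HR system", jurisdiction="India", consent_obtained=True,
        personal_attributes=("name", "address", "qualification", "health_details"),
        identifying_fields=("name", "address", "health_details"),
        retention_days=None, disposal="delete"),
}


def retention_decision(entry, record, today, legal_hold=False):
    """Return the action the retention policy requires for one record.

    record["retain_from"] is the date the retention clock starts: the collection
    date for purpose-bound data, or the date employment ended for employee data
    (None while the purpose or relationship is still live).
    """
    if legal_hold:
        return "retain: required by another law"
    if record.get("extended_consent"):
        return "retain: explicit consent of the data principal"
    start = record.get("retain_from")
    if start is None:
        return "retain: purpose or relationship ongoing"
    if entry.retention_days is None:
        return entry.disposal          # no fixed period: dispose once the relationship ends
    if today - start > timedelta(days=entry.retention_days):
        return entry.disposal
    return "retain: within retention period"


def anonymise(entry, record):
    """Copy the record with the register's identifying fields cleared."""
    cleaned = dict(record)
    for field_name in entry.identifying_fields:
        if field_name in cleaned:
            cleaned[field_name] = None
    return cleaned


def sweep(entry, records, today):
    """Apply the policy to a batch; return (record_id, action, record_kept) tuples."""
    results = []
    for record in records:
        action = retention_decision(entry, record, today, record.get("legal_hold", False))
        if action == "anonymise":
            kept = anonymise(entry, record)
        elif action == "delete":
            kept = None
        else:
            kept = record
        results.append((record["id"], action, kept))
    return results


# Constructed sample records and review date.
REVIEW_DATE = date(2021, 1, 1)
INQUIRIES = [
    {"id": 1, "name": "A. Sharma", "email": "a@example.com", "phone": "9000000001",
     "product": "Policy X", "region": "West", "retain_from": date(2020, 1, 15)},
    {"id": 2, "name": "B. Rao", "email": "b@example.com", "phone": "9000000002",
     "product": "Policy Y", "region": "South", "retain_from": date(2020, 11, 1)},
]
EMPLOYEES = [
    {"id": 101, "name": "C. Das", "address": "12 MG Road", "qualification": "MBA",
     "health_details": "none", "retain_from": None},
    {"id": 102, "name": "D. Iyer", "address": "4 Park Lane", "qualification": "CA",
     "health_details": "none", "retain_from": date(2020, 6, 30), "legal_hold": True},
]


def run_example():
    """Sweep both sample data sets on the review date, keyed by data set name."""
    return {name: sweep(entry, recs, REVIEW_DATE)
            for name, entry, recs in (("customer_inquiry", REGISTER["customer_inquiry"], INQUIRIES),
                                      ("employee_master", REGISTER["employee_master"], EMPLOYEES))}


if __name__ == "__main__":
    for name, results in run_example().items():
        for rid, action, kept in results:
            print(name, rid, action, kept)
```

Running it on the constructed records anonymises the year-old enquiry while keeping its non-identifying product and region fields, retains the recent enquiry, retains the current employee, and retains the separated employee only because of the legal hold; the sweep output is the audit trail that demonstrates the retention policy is actually enforced.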
7. Data security
As part of personal data protection compliance, sole accountability for protection of the data is placed with the data fiduciary. The company should therefore have data protection as part of its general information security policy. Personal data needs to be protected after collection, during processing and while in storage. Data security standards prescribe encryption of the data so that in case of breach or theft it is very difficult to decipher the vital data stored. Data security implies that the data should be accessible only to authorised users. Therefore, strong access controls like user authentication and multi-factor authentication should be implemented. Internal audit can perform reviews and monitor the controls over data security. Any lapses in the operation of the security policy should be reported to the governing body. Many of the data breaches in recent years have been possible for want of adequate data protection policies and because of poor implementation. Data breaches have ruined the reputations of big companies and ended in huge penalties and risk to survival.
To give a few instances from 2020: the Roblox gaming company saw its 100 million accounts with passwords exposed by a hacker who bribed an insider, which badly damaged its brand. Data of nearly 500,000 users of the popular Zoom video conference service was stolen and offered for sale on the dark web. British airline EasyJet suffered the theft of nine million customer account email addresses and travel details and 2,000 credit card credentials; the victims are now subjected to phishing attacks. In 2017, the Equifax (credit reporting and data analytics company) data breach affecting 147 million people ended with the company settling for 425 million dollars with the US Federal Trade Commission. In 2019, Capital One, a reputed bank, had 106 million records compromised, including the precious social security numbers, social insurance numbers and financial history of customers. Similarly, in India, SBI credit card data was breached in 2019.
8. Risk Management
It is evident from the above examples that the risk of personal data being exposed is very high and sensitive for any organisation. The best way to approach this is to take risk management seriously. Risk management includes three factors: risk identification, risk assessment and risk treatment. The starting point is that all events and threats be listed and discussed with the tech team and operations. The more exhaustive the identification of events and threats, the more robust the risk mitigation plan will be. Equally important is the assessment, i.e., the likely loss from each event. It is no doubt difficult to quantify the impact of a likely event in monetary terms, but the magnitude can be estimated by assigning values on a 1 to 10 scale. Risk treatment should include a description of controls considering available resources and technology. Risk assessment and treatment for mitigating the risks need to be addressed at the highest level of management. A documented risk treatment plan can be a guiding tool for internal audit and executive management, and should be updated from time to time.
Many organisations document this as a one-time exercise (and shelve it or remove it) only to show to the auditors or regulatory authority. In the case of sensitive data, the law provides for a ‘Data Protection Impact Assessment’ to be undertaken. Sensitive data means such information about the data principal as may cause harm if disclosed. The assessment in such a case should contain a detailed description of the proposed processing operation, the purpose and nature of the data to be processed and so on. It would also indicate how the data fiduciary intends to protect the sensitive data. This information will then be reviewed by the statutory authority before giving approval. Sensitive information may include credit, health related, financial or banking related information.
9. Personal Data Access Management
The primary defence against attack on personal data is strong access control. Access (logical and physical) procedures with the following controls embedded in them will go a long way in building a defence framework:
– authorising a limited set of internal users to limited access;
– managing changes of access on the addition or separation of internal users effectively;
– restricting access to offline storage, backup data, systems and media;
– monitoring the access activities of privileged users (system administrators) through log reviews;
– restricting system configurations, super-user functionality, remote access utilities and security devices like firewalls.
The most vulnerable segment in personal data is transmission over email, public networks and wireless networks. Companies dealing with collection of personal data often resort to industry standard encryption methods. Importantly, testing of the above safeguard controls should be carried out periodically and reported.
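The log review of privileged users that this section recommends can be made a repeatable, testable control rather than a manual read-through. The Python below is an added example written for this page (not code from the article or from any product): it parses a constructed database access log, checks each entry against an assumed access policy (which application accounts may read which personal-data tables, which accounts are privileged, what counts as a bulk read, office hours and the internal address range), and returns one finding per rule breached. The log format, account names, table names, thresholds and sample lines are all constructed assumptions; unparseable lines are reported too, so gaps in logging are noticed rather than silently skipped.

```python
import re
from datetime import datetime, time

# Constructed log format: "<ISO timestamp> user=<acct> action=<verb> table=<name> rows=<n> src=<ip>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+) src=(?P<src>\S+)$"
)

# Assumed access policy for the review (not taken from the article).
PERSONAL_DATA_TABLES = {"customers", "employees"}
AUTHORISED_TABLES = {"crm_app": {"customers"}, "hr_app": {"employees"}}
PRIVILEGED_USERS = {"dba01", "sysadmin"}    # system administrators, reviewed on every access
BULK_ROW_THRESHOLD = 1000                   # reads at or above this many rows are bulk reads
OFFICE_HOURS = (time(8, 0), time(20, 0))
INTERNAL_PREFIX = "10.0.0."                 # anything else is treated as remote access


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["rows"] = int(rec["rows"])
    return rec


def review(lines):
    """Return findings as (line_no, user, rule) tuples, one per rule breached."""
    findings = []
    for n, line in enumerate(lines, start=1):
        rec = parse_line(line)
        if rec is None:
            findings.append((n, None, "unparseable-log-line"))
            continue
        user, table = rec["user"], rec["table"]
        # Any account touching a personal-data table must be on the authorised list for it.
        if table in PERSONAL_DATA_TABLES and table not in AUTHORISED_TABLES.get(user, set()):
            findings.append((n, user, "personal-data-table-not-authorised"))
        # Privileged accounts get additional scrutiny: volume, time of day and origin.
        if user in PRIVILEGED_USERS:
            if rec["rows"] >= BULK_ROW_THRESHOLD:
                findings.append((n, user, "privileged-bulk-read"))
            if not OFFICE_HOURS[0] <= rec["ts"].time() <= OFFICE_HOURS[1]:
                findings.append((n, user, "privileged-outside-office-hours"))
            if not rec["src"].startswith(INTERNAL_PREFIX):
                findings.append((n, user, "privileged-remote-access"))
    return findings


# Constructed sample log: routine application access, a night-time bulk read by a DBA,
# a remote read of the employee table by an administrator, and a corrupt line.
SAMPLE_LOG = [
    "2021-03-04T10:15:00 user=crm_app action=SELECT table=customers rows=12 src=10.0.0.21",
    "2021-03-04T02:13:05 user=dba01 action=SELECT table=customers rows=50000 src=10.0.0.5",
    "2021-03-04T11:00:00 user=hr_app action=UPDATE table=employees rows=1 src=10.0.0.30",
    "2021-03-04T12:30:00 user=sysadmin action=SELECT table=employees rows=3 src=203.0.113.9",
    "corrupt line with no fields",
]

if __name__ == "__main__":
    for line_no, user, rule in review(SAMPLE_LOG):
        print(f"line {line_no}: {user or '-'}: {rule}")
```

On the sample log the routine application lines produce nothing, the DBA's night-time read of 50,000 customer rows raises three findings, the administrator's access to the employee table from an external address raises two, and the corrupt line is flagged. The policy tables are where an organisation's own register of authorised users and systems would plug in, and the findings list is what internal audit would expect to see reviewed and reported periodically.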
10. Incident management and breach reporting
As part of personal data management, every legislation provides for immediate response communication to the authority. The incident-reporting provision states that information about the breach should be communicated without undue delay. A similar provision in the GDPR (General Data Protection Regulation) in the European Union prescribes a time limit of 72 hours. A baseline mechanism for reporting a data breach incident from an internal or external source needs to be developed by designing reporting templates. The reporting mechanism should mainly include the information-gathering and investigation procedure and the interaction between parts of the organisation and the data processor. An important part of the incident management process is notification to the data principals, i.e., the individuals or groups whose data is subject to the breach. The notification should be proactive and should use several channels of communication like press, media and website notification at large. The process should include legal advisory involvement and organisational responsibility for formulating an appropriate message. Formal incident and crisis management should be invoked in case of a significant data breach.
The above stages in strengthening data protection at any business enterprise would go a long way in cultivating good governance practices. To adopt the best practices of personal data protection, the International Organization for Standardization has released ISO 27701, which would help organisations to provide the required assurance to customers and authorities.
The above roadmap and stages on the road to data protection compliance are no doubt initially cumbersome, but one should note that these are also steps towards good corporate governance. The processes, once set, if periodically reviewed for gaps and improved, would certainly demonstrate due diligence and form a good defence in data breach litigation.
References:
1. The Personal Data Protection Bill, 2019, India
2. Regulation (EU) 2016/679 of the European Parliament, and Directive 95/46/EC (aka General Data Protection Regulation, GDPR)
4. PIPEDA (Personal Information Protection and Electronic Documents Act), Canada.