Privacy concerns have stolen the headlines the world over, particularly after the admission by Facebook that personal data of 87 million users, including that of five lakh Indians, was extracted through a third-party application and shared with Cambridge Analytica – a London-based political data analytics, advertising and consulting firm – for various purposes. The General Data Protection Regulation (GDPR) has come into force in Europe. This is particularly significant for companies that have anything to do with the European continent. Non-compliance can cost companies a fortune, besides the risk of reputational and revenue losses.
India is also moving towards enacting its own data privacy law. A committee headed by former Supreme Court judge BN Srikrishna has proposed a draft Personal Data Protection Bill. The draft bill paves the way for the establishment of a Data Protection Authority of India to protect citizens’ data and privacy. This has, of late, been a growing concern as the country increasingly moves towards a digital way of living. The proposed bill makes individual consent the centrepiece of data sharing and imposes obligations on entities that carry out data processing.
Company boards and top management are looking to the CISO to provide the technical and organizational controls for managing privacy within their organizations in order to comply. A CISO’s role thus becomes paramount in ensuring effective alignment, and he will need to be on top of the game when it comes to privacy risk mitigation.
According to Amit Pradhan, CTSO, Chief Privacy Officer and SVP Technology Security, Vodafone India, the first thing a CISO must do is make an assessment of his own organisation’s data exposure. But knowing where the data is stored and where it is processed is easier said than done.
“While it appears to be simple, in reality, it is far more complex and challenging. A lot of organizations that I have spoken to can’t say with a fair degree of confidence that they know their data well and therefore can comply with privacy laws that will come into force. That, to me, is the first step. You must know your data, its exposure in your ecosystem, in your partner’s ecosystem, subscribers and clients,” says Pradhan.
However, the challenge for a CISO will be to explain the significance of data privacy to those who take decisions, such as the board members and the business managers. A CISO has to ensure that the management is on board with the sensitivity and importance of data privacy laws. Even though the GDPR may not be directly relevant to a lot of organizations in India, the new data protection bill will certainly have an impact. Moreover, there are many organisations in India which have business interests in Europe and will be impacted if their parent organizations get penalized. A CISO, therefore, will have to make a case for the importance of data privacy and hammer home the point that it is the fundamental right of every citizen and is non-negotiable.
Privacy is a Culture
Compared to Western countries, where data privacy is a binding issue, the culture in India is significantly different. Indians share personal data and information very freely, and nobody feels offended when asked about personal details. No amount of training can help if that culture of respecting privacy is not there.
“People are brought up in such a culture. Even those who comply do it out of compulsion. There is no real commitment to individuals’ privacy. They don’t mind sharing information. Provide them with an hour of free Internet and they are too happy to disclose their names, mobile numbers, and other details,” says Pradhan.
This could perhaps be one of the reasons why data privacy is not given its due importance by the general population in India, he adds. The challenge for a CISO will therefore be to inculcate the culture of data privacy.