Advances in cloud, social media and mobile technology are fundamentally altering the way businesses operate. With the proliferation of digital and social media, a vast amount of information is being exchanged across multiple platforms. Most mobile applications work only after getting access to at least the phonebook, camera and location. Pokemon Go, a popular game, hit the headlines due to its in-built security and privacy concerns, as it uses GPS and contacts to function. Hackers realised that the best way to target users would be to provide them with a mirrored game, due to its unavailability in specific regions like India.
As per EY’s Global Information Security Survey (GISS) 2015, 38% of respondents mentioned that they address security in new business processes and technologies but not privacy specifically. More telling, and perhaps more concerning, is that for nearly half (46%) of survey respondents, their number one or two concern is not having a clear picture of where personal information is stored or processed outside of their main systems and servers.
The ever-evolving threat landscape driven by the connected world is forcing law enforcement agencies to enhance the privacy legislation regime across the globe. Today, this is one of the biggest challenges faced by many organisations, and it will only get bigger with the introduction of newer legislation and frameworks around data privacy.
Privacy rules in India were first established in 2008, and even after implementation of the first set of rules in the IT (Amendment) Act 2008, the scope of the measures was limited. To reinforce these protections, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 were introduced by the Indian government.
However, India does not have any separate law designed exclusively for data protection and is yet to have effective and concrete legislation for data privacy. New legislation dealing specifically with the protection of data and information present on the web is the need of the hour. However, while drafting laws, the legislature has to be careful to maintain a balance between the interests of the common people and tightening its grip on the increasing rate of cyber crimes.
With GDPR (General Data Protection Regulation) coming into force in May 2018, the rules of business will change for Indian organisations having a footprint in Europe. All organisations based out of India and serving the European continent need to adhere to the GDPR requirements. This would also mean big changes ahead for Indian organisations processing personal data on behalf of their European customers.
The data processors were only bound by the contractual requirements as agreed upon with the controllers, and the controllers remained accountable for compliance with data protection principles and associated fines for non-compliance. With GDPR, processors will also be directly subject to the same compliance obligations, legal requirements and punishment for non-compliance as controllers.
To thrive in this rapidly changing regulatory environment, organisations will have to start a new compliance journey by assessing their current position in terms of privacy maturity, as accountability shifts from regulators to organisations.