By Teeshant Dhiman
As more of India joins the digital revolution, companies today are collecting, storing and processing more user data than ever before, from contact information and IP addresses to more personal details, such as financial information, shopping preferences and medical history.
For companies, the data they collect is a valuable asset, for it is the currency that powers the digital economy. But with the power to collect and use this data comes the fiduciary responsibility to protect it, along with the rights of the individuals the data belongs to. Data privacy and security are key to building accountability and gaining customer trust in a digital world.
How serious is India about protecting data?
The idea of informational privacy has been growing over the last decade and customers are becoming more cautious about having their information compromised online. One can say that there is a public expectation of data privacy, transparency and protection. Ever since the EU’s General Data Protection Rules (GDPR) came into force in May 2018, businesses around the world have been investing in improving their data privacy practices.
Data privacy relates to how data should be collected, stored, managed, used and shared with third parties. In India, even as the digital economy has swelled, specific regulation around data protection has fallen by the wayside. Personal data is currently regulated by the IT Act 2000, which is riddled with flaws. It is narrow in scope, its provisions are easily overridden or bypassed, it does not require companies to report any cybersecurity incident publicly and the penalties in the case of a data breach are close to absent.
It’s no surprise then that in 2019, India was victim to over 3 lakh cybersecurity breaches. 2020 witnessed some major data leaks among well-known Indian consumer brand startups. In all these instances, millions of user accounts and sensitive data were compromised. All this exposes the gross underinvestment made by Indian companies in bolstering their cybersecurity measures and the lack of protection that Indian customers have from misuse of information shared online.
The damage incurred from data leaks goes beyond loss of revenue and reputation. Data leaks also have negative implications on the stock prices of publicly traded companies, affecting stakeholders all over the world.
As data breaches become increasingly common, companies have the fiduciary duty to protect sensitive data and become accountable to customers. Recognising this, companies globally are investing in treating data protection as a strategic function and defending themselves against cyber attacks. The benefits are many, including increased customer confidence, reduced data storage costs and improved alignment with evolving technology and privacy standards.
No longer a ‘good to have’
In the absence of comprehensive legislation around data protection, Indian companies can gain a competitive advantage by voluntarily complying with global laws such as GDPR, which protect customers’ personal information and give them control over how their data is collected, stored and shared.
Any company that uses website forms can include opt-in checkboxes that seek user consent before adding them to a mailing list. E-commerce companies can protect customer information by limiting data retention. This means they only keep customer data for as long as is needed for the provision of service, periodically auto-deleting inactive or cancelled user accounts and erasing legacy logs such as order history and contact details that are no longer relevant to the business.
Companies must also invest in the right infrastructure to keep their data secure from unauthorised third-party access. This can be done by controlling access to sensitive data within the organisation, conducting security awareness training among employees and hiring data security specialists as part of the workforce. Other data security measures to put in place include de-identifying and encrypting personal data, prompt patch management, multi-factor authentication and secure configurations to minimise vulnerabilities.
While we wait for the Personal Data Protection Bill to be enacted as a law, it would do businesses good to stay a few steps ahead of legislation and have privacy and security safeguards baked into not just their day-to-day operations but the very ethics of the company. As businesses, just as we share the benefits of collective confidence in digitisation, we also share the responsibility to protect our data and customers.
(The author is Senior Product Manager, MyGate. Views expressed are personal.)