In 
Considerable discussion and debate has taken place about security and privacy, whether with regard to citizens’ rights, state surveillance, the Snowden affair or the Prizm program. However, the critical aspect that has not been in discussion or has been overlooked is what should the corporates in India, or the enterprises as they are called, do to put a stringent privacy policy in place to make the environment more secure and safe? But what is more relevant to CISOs at this point of time is who sets the privacy rules?Is it part of the IT or compliance teams? And are privacy rules set just to ensure protection of personal data, and so on?
Some Common Misconceptions:
There are quite a few misconceptions hovering over the Indian enterprise scenario when it comes to privacy. They include:
‘India is yet to get a privacy legislation – so I don’t have to worry about privacy till then’. In April 2011, India passed the Sensitive Data Protection rules under the Indian IT Act 2008. These rules cover all the core principles of privacy and are applicable to all ‘Body Corporates’ in India. Non-compliance with these rules could lead to invocation of both Section 43A (with civil liabilities to pay compensation) and Section 72A (with punishment including imprisonment & fines) of the IT Act.
‘Privacy is nothing but ensuring protection of personal data’
Privacy certainly involves protection of personal data--but that is just one of several aspects of privacy. Others include organisations ensuring proper notice is given while collecting personal data from individuals, getting an individual’s consent to all that is going to be done with that data, clearly stating the purpose for which the data is being collected (and ensuring that it does not get used for anything other than the stated purpose within the organisation), minimising the data that is being collected and only collecting that data which is pertinent to the business at hand, being transparent to the individual about third parties who may get access to her data, etc.
‘Privacy is the domain of the legal/ compliance teams’. While the legal and compliance teams of organisations certainly need to be involved in building and managing privacy within organisations, all major functions and units also need to be involved to make the program a success.
‘Our business doesn’t involve dealing with individuals and their data- so privacy doesn’t concern us’. Sure, your organisation may not be catering to individuals. You may not even be coming in contact with the personal data of individuals collected by other organisations (your clients or other stakeholders). Under the IT Act, even that data is considered sensitive and comes under its ambit.
What Constitutes a Privacy Programme:
There are many approaches and frameworks available to help organisations roll out privacy programmes. One such framework that is increasingly finding adoption in India is from the Data Security Council of India (DSCI). Known as the ‘DSCI Privacy Framework’ or DPF, this is an optimal framework for organisations that are just starting their privacy journeys from countries/ geographies where privacy legislations and regulations are relatively new. The DPF covers the following key areas that an organisation needs to address in its privacy programme — each of which is a large area by itself:
- Build comprehensive visibility over the personal information handled by the organisation
- Develop appropriate privacy policies and processes
- Roll out a formal privacy organisation with its associated structure, roles & responsibilities, etc
- Ensure all organisational contracts — existing and new — incorporate all aspects pertaining to privacy, including necessary obligations, liabilities and penalties.
- Implement processes and mechanisms to monitor and ensure that the personal data handled by the organisation is being used only as per the purpose committed to the individual in question
- Design a mechanism for the organisation to keep up with continually changing privacy-related legal and regulatory developments and changes in the context of the geographies and verticals it operates in
- Develop (or incorporate into existing systems) a comprehensive privacy monitoring and incident management mechanism
- Roll out a comprehensive awareness and training program on privacy covering all teams and individuals concerned, including third parties
- Build all requisite security measures to protect the personal information handled by the organisation. The other frameworks also essentially address the above. In essence, what is obvious is that a privacy program takes time to roll out and is not a short-term, single project effort. Hence, the earlier an organisation gets started, the better.
About the author:
Shivangi Nadkarni is the Co-Founder & CEO of Arrka Consulting.
Add new comment