This article has been written by Srushti Mandade, pursuing a Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho.
Table of Contents
Introduction
Data is everywhere and is virtually created by anything we do. Whether we decide to share this data voluntarily or not, data continues to be generated in huge volumes every minute. While there are many questions revolving around this subject like; who does this data belong to, who can use it, what are its limits, etc? This short article is a step-by-step guide to understanding the importance of protecting this data and explores the simple meaning of policy compliance and its relevance in today’s world.
What is privacy compliance?
Privacy compliance refers to the responsibility of a company to practice caution while handling sensitive data that passes through every day. It is a process that allows companies or organizations to meet business rules along with legal rules and regulations of storage and management of data. It essentially deals with how companies that work with individuals’ personal information are responsible for protecting how this sensitive data is collected and shared.
What is meant by sensitive data?
Every client, employee, contractor, or person who comes into contact with a business brings along a wealth of personally identifiable information (their sensitive data). This information may include their full name, date of birth, home address, bank details, social security number, telephone number, etc. Basically, it is classified private information that must be protected and is generally inaccessible to outside parties unless specifically granted permission. The legal definition of sensitive data describes it as “information that must be protected against unauthorized disclosure”. It is not a legal obligation but also ethically reasonable to protect such information and restrict the access of such information especially because it pertains to the individual privacy and property rights of a person.
What is meant by being GDPR compliant?
Being compliant means “putting workflows and policies in place that outline how data protection is achieved at a business in line with laws that govern the areas that the business operates in”. Around the world, there are different compliance laws in place. But by far, Europe’s General Data Protection Regulation (GDPR) has been considered as one of the most stringent ones and India is following its footsteps to regulate the data within its territory through the Personal Data Protection Bill (PDP Bill). A breach of GDPR can be a very costly affair for the businesses and may include a fine of up to €10 million, or 2% annual global turnover, whichever is greater, or a fine of €20 million, or 4% annual global turnover, whichever is greater. Recently in April 2021, a famous Netherlands-based online travel company named Booking.com was fined €475,000 (around $560,000) under GDPR laws after they failed to report a data breach within the mandated time frame of 72 hours within the discovery of such breach.
How is privacy compliance relevant in today’s world?
You must have probably heard that ‘data is the new currency!’ There are many such analogies that show that data has emerged as one of the most important commodities in the last decade. Owing to the recent pandemic, the entire world went digital because of the work from home models. This led to data and data compliance gaining the spotlight. With an increase in user-generated data and the recent digital revolution, it has become vital for the government authorities to take requisite steps to protect the data rights of their citizens. It is said that a successful data breach can occur in less than one minute and it is almost impossible to fathom the amount and types of damages it might attract. As consumers who trust the companies with our sensitive information, we must keep a check on how this information is used. If not a check, we must at least be curious and cautious while accepting all the terms and conditions before using the apps and other various services of the companies.
Why is data privacy important to consumers?
- Firstly, we must understand that data protection is not just for protecting sensitive data but to protect the fundamental rights and freedoms that are associated with this data. As consumers, our data must not be incorrectly stored or used. For example, an academic counseling company saves my full name and birthday incorrectly. This might bring about a situation where a person is overlooked for admissions or worse, loses out on a college opening due to data not matching with original documents.
- Secondly, breaches in protecting sensitive information can lead to huge financial losses. For example, the bank account details I used to pay for an online order were leaked and money was withdrawn from that bank account as an act of theft.
- Thirdly, data protection compliance ensures consumer-friendly commerce. If the website is safe and secure, the consumer is more likely to engage with the website. Many times bogus websites or fake company profiles collect data and sell it freely for money. Having a sound privacy compliance regime in place ensures that data is safe and also entrusts confidence among consumers, it can also lead to creating a brand image of a company. If personal data is leaked, it can cause significant damage to the company’s reputation and might also bring along penalties and fines.
Why is data privacy important for companies?
As is already mentioned above, being compliant with privacy policies is beneficial for building the brand image and brand value. It instills confidence in the consumers and helps to prevent loss. But apart from this, there are many other reasons because which data privacy can be important for companies.
- Firstly, the companies that do not implement privacy protection attract governmental scrutiny and fines.
- Secondly, having a privacy compliance regime in place at an organizational level may help the business in preventing privacy breaches, thereby upholding business ethics.
- Thirdly, a good provision for maintaining data privacy may help a business in competitively differentiating and gain a competitive advantage in the market.
This way more consumers will flock today the business today with a feeling of surety and reliability. Certainly, Data privacy compliance is a good way to win over the consumers.
Some recent examples of privacy breaches
We are all aware of the Panama Papers controversy but there are many recent examples that stress the importance of privacy compliance. In 2020, India banned 118 additional Chinese apps because they were breaching Section 69A of the Information Technology Act. As per reports, these apps were found to be indulging in the illegal collection of data. The information collected included sensitive information of consumers, their GPS locations, wifi access point names, etc.
LinkedIn, the world’s largest professional social media platform in April 2020 confirmed a massive data breach and data of over 500 million of its users. This leaked database includes sensitive information of its consumers and as per reports, has been sold to unknown users on a hacker forum. In April 2021, an Indian start-up by the name of Big Basket reported data breaches and security bugs in their system, compromising the sensitive information of over 20 million Big Basket users. A source claimed that the said data was put up for sale on the dark web for $40,000, for anyone to download.
In another instance, a breach in the server of a multinational pizza chain, Domino’s, exposed the sensitive bank information of several Indian users. The information included 180,000,000 order details containing names, addresses, payment details, and credit card information comprising a total of 13TB worth of data. The hacker demanded over Rs.4 crores for returning the dataset.
While big fines for data breaches make big headlines, it is pertinent for an evolving business house to take into account the risk-based approach while managing data privacy since the intensity of these breaches is immeasurable.
Many see the introduction of the PDP Bill as a step closer to the digital revolution of India. However, the Bill poses additional challenges for data controllers by creating a unique ‘fiduciary relationship’ between data subjects and data controllers. The kind of data segregation that the Bill mandates will require the businesses to spend more on implementing new artificial intelligence technology and machine learning so that large volumes of data can be handled while complying with all the obligations duly.
Conclusion
Inevitably, we all will have to think about privacy compliance soon because of our engagement with the internet. What happened to our data and who we should share it with, are all important factors that must be considered. And even though many data protection laws and rules are in place, it is no secret that privacy compliance is complex, and very often many companies get lost in the avalanche of legal requirements of these compliances. Many times companies and/or consumers have an “it will not happen with me” attitude when it comes to data privacy breaches. It is paramount that organizations must develop solid data security practices to keep the breaches in check. Even otherwise, data governance as of now has many challenges. One challenge is that of maintaining the privacy of data on individuals versus using data for surveillance. Looking at the rate at which data is multiplying, this increasingly huge database will pose problems for control and management. Even the growth in international data transfers will require attention and new security measures. We have a long way to go in developing compliance regimes in this sector especially because of its dynamic and ever-evolving nature. Thus, it is important for consumers as well as companies to take privacy compliance seriously and stay prepared for it in the future.
The recently proposed law called The Personal Data Protection Bill draws inspiration from the UK’s GDPR model and is based on the core principle that “right to privacy is a fundamental right”. The main objective of this Bill is to ensure the growth of the digital economy while keeping the personal data of citizens safe and protected. This attempt of the Indian Government is very commendable and much needed in a fast-developing digital phase that India is currently undergoing. While the bill is considered to have serious implications on the technological and digital services sector, it will positively impact many business models and enhance the cybersecurity of the citizens.
References
- Panama: The Importance of Having A Data-Protection Compliance Program; https://www.mondaq.com/data-protection/860222/the-importance-of-having-a-data-protection-compliance-program
- What is data compliance, and why is it so important?; https://trint.com/resources/7n1weo10/what-is-data-compliance-and-why-is-it-so-important
- What Is Sensitive Data? Sensitive Data Definition & Types; https://cipherpoint.com/blog/what-is-sensitive-data/
- What is Data Compliance?; https://reciprocitylabs.com/resources/what-is-data-compliance/#:~:text=Data%20compliance%20is%20the%20practice,with%20legal%20and%20governmental%20regulations.
- LinkedIn Confirms Data Breach of 500 Million Subscribers, Personal Details Being Sold Online; https://gadgets.ndtv.com/apps/news/linkedin-data-breach-500-million-users-personal-information-sold-online-report-2409626
- What is data protection, and why is it important? https://www.financialexpress.com/industry/technology/what-is-data-protection-and-why-is-it-important/2076419/
-
How to Achieve Compliance with India’s Personal Data Protection Bill; https://securityboulevard.com/2020/01/how-to-achieve-compliance-with-indias-personal-data-protection-bill/
- What Happens if you breach GDPR? https://cheekymunkey.co.uk/what-happens-if-you-breach-the-gdpr/
- Personal Data Protection Bill, 2019: Practical challenges for stakeholders. https://www.azbpartners.com/bank/personal-data-protection-bill-2019-practical-challenges-for-stakeholders/
- Big Basket data breach: email IDs, phone numbers, home addresses of two crore Indians allegedly leaked on the web. https://www.businessinsider.in/tech/news/big-basket-data-breach-email-ids-phone-numbers-home-addresses-of-two-crore-indians-allegedly-leaked-on-the-web/articleshow/82255857.cms
- ‘Credit card details of over 10 lakh Indians leaked’. Read more at: http://timesofindia.indiatimes.com/articleshow/82154426.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: