Manish Sehgal, partner, Deloitte India,

The recent instances of data breaches in India have raised concerns about data privacy and security of individuals and companies. Advancements in technology will further lead to data explosion and increase the risk of data leakage and misuse. The need of the hour is to develop a data privacy and security framework that offers a fine balance between privacy and business requirements. Manish Sehgal, partner, Deloitte India, talks about the key issues pertaining to data privacy and security, and the measures that need to be taken to tackle them…

What are your views on the recent cases of data breaches reported in social media firms like Facebook?

Across the globe, privacy and protection of personal data have become one of the most discussed topics, not only amongst regulators and organisations, but also among people as this issue concerns them and their personal data, activities, etc. One of the key factors contributing to data breaches is the lack of user awareness and a culture of privacy. That said, a handful of well-informed users are hesitant to submit their personal details on social media platforms unless they are sure that their personal data is safeguarded from potential misuse.

Earlier, the impact of these incidents or attacks was largely limited to selling of basic personal details such as name and email addresses on the dark web using cryptocurrency. The passwords were usually safeguarded as they were “salted” or, in simpler words, modified enough to be untraceable. However, recent breaches tell a different story altogether. Incidents such as celebrities being targeted and asked for ransom in exchange of their confidential files, and a social media giant facing legal investigation have raised an alarm about data privacy.

The implementation of the “privacy-by-design” (PBD) concept is one of the recommended steps that could help individuals (be it employees or customers) safe­guard data while storing and/or processing personal data on an application. PBD promotes the integration of controls to safeguard personal data, thereby en­ab­ling users’ privacy.

What are your views on the government’s preparedness to tackle data privacy and security concerns?

The year 2017 was of historic importance as the Supreme Court established privacy as a fundamental right of every citizen under Article 21, Section III of the Cons­titution. In addition, India is expected to introduce its first privacy bill in the coming months. Sector-specific initiatives like the Digital Information Security in Healthcare Act and the Reserve Bank of India’s (RBI) circular for payment card providers on data residency also indicate that we are headed towards a mature ecosystem that ensures the privacy and security of personal data.

What are the policy and regulatory measures that need to be looked at? What lessons can be learnt from global markets?

There is a need for an ecosystem that of­fers a fine balance between privacy and business requirements. Efforts are under way to achieve this and, hopefully, India’s first privacy bill will be the key to this ecosystem. The building blocks of such an ecosystem would include aspects like:

  • Definition of personal data.
  • Distinction between organisations ac­c­ep­­ting personal data (commonly referr­ed to as controllers) and organisations processing personal data on behalf of a controller (referred to as processors).
  • Stating the obligations that firms have towards individuals (known as data subjects) whose personal data is being ac­cessed and processed.
  • A regulatory mechanism to oversee operations of such an ecosystem.

With respect to global markets, it is believed that the General Data Protection Regulation (effective May 25, 2018) of the European Union is the most comprehensive privacy-focused regulation drafted in the past two decades. It will give data subjects the right to decide the way their personal data is used, accessed or processed by public authorities and corporations. Other privacy regulations in countries like Aus­tralia, Singapore and Canada also provide insights into how regulators across the glo­be are working to establish and main­tain such an ecosystem. However, it is important to note that the regulations imposed in the global markets may not be suitable for the Indian market and thus, a level of customisation is required.

How will the launch of new technologies (5G, internet of things, artificial intelligence, etc.) impact the data protection, privacy and cybersecurity landscape in India?

Advancements in technology will certainly lead to a data explosion, and increase risks and vulnerabilities. A structured mechanism that includes data security frameworks for technology channels and a more cohesive approach will help safeguard users’ personal data, and enhance their trust in leading technologies.