The Supreme Court ruled last week that privacy is a fundamental right of citizens. Indian businesses, however, are yet to fully realise the importance of protecting user data.
With little regulation of how companies can store and utilise personal data of users, India provides a massive base of unprotected private data that can be misused.
“In India, we have a lot of data floating around in the dark Web. Reasons being that we don’t have any privacy laws and organisations themselves are not stringent, having pretty loose personal data protection policies,” says Rajpreet Kaur, senior research analyst, Gartner.
She says while India is among the top countries that are affected due to data breaches, the cost borne by companies for losing consumer data is minimal, as there is no existing policy for penalising the companies from where data was compromised.
The SC judgment mentioning “electronic tracks contain powerful means of information” should be a cue for corporations to start taking data security seriously. “In India, other than payments information, not much security practices are performed (on user data),” Kaur says.
She suggests that if there is no business reason for an organisation to store personal data, it should not. And if it must, it should ensure the data is encrypted and tokenised.
Recently, names and numbers of Reliance Jio users were put up on a website; they were pulled down after reports surfaced and the company took action.
Last year, over 3.2 million debit card pins from Indian banks were compromised and only discovered much later when the banks started requesting customers to change their pins. This was despite the banking sector having a strong protection mechanism for data due to the compliance requirements from PCI-DSS and Irdai.
“When users sign up for free apps and services, they are giving up data. They fail to realise the impact of their data in the public domain, which is something that corporations have been monetising on for some time now,” says Sanjay Katkar, managing director and chief technical officer of Quick Heal Technologies. He adds that cultivating awareness of the value of one’s own data is going to take large-scale education.
Quick Heal has been witnessing increased interest in data leak prevention products from their clients.
Principal Research Analyst Siddharth Deshpande suggests taking a page out of Singapore’s data protection laws that not only penalise companies for the smallest data breach but also release periodic reports of organisations involved in the breach. While the penalty itself does not cause a huge dent to the company coffers, it serves to enforce vigilance.
The EU’s General Data Protection Act works on similar lines. It penalises misuse of private data and also keeps a strict control on how far voluntarily-provided user data can be utilised by organisations.
“The regulatory bodies’ role should be to provide framework on how data should be protected, or a breach should be reported. Beyond that, it is for the companies to figure out the implementation of the processes,” says Deshpande. He advocates a strong regulatory framework instead of mandatory security products, as that would allow organisations to work out data security policies tailored to their specific needs while keeping track of regulations.