When one talks about data privacy, it has to be clear that complete protection of all data is not possible, and that not everything is confidential. So the data elements that are sensitive for the business being handled have to be identified. It thus becomes essential to document a policy for identifying and securing the sensitive data or information elements, and to demonstrate through regular audits that the defined policy has been implemented successfully. Data retention, the need to retain data as per prescribed norms and yet protect it, is important, and so is data destruction: data that is not required shall not be retained longer than needed. Removal of data shall be demonstrable. Kill the data, and any copy of the data residing anywhere, irrespective of its location, becomes inaccessible.
The IT Act puts substantial legal liability on companies and requires them to implement reasonable security measures for protecting sensitive personal data or information. Such legal liabilities, if not mitigated, may erode public confidence in the company, substantially affect profitability, and even lead to imprisonment of the officials and directors of such companies.
Today, the Cloud is everywhere. Most enterprises are moving towards the Cloud. Moving data to the cloud makes total sense from a financial and operations perspective. However, with this excitement also come challenges, security being the most important of these. IT security personnel say that the Cloud isn’t secure, and they are right. They don’t trust the providers, and they don’t know how to secure that “thing” called cloud because it is not on the enterprise premises. They don’t even know where the servers are located. Not having full control of the servers they are responsible for makes them uncomfortable, and rightly so. The second challenge comes from compliance audit groups, which are concerned about the steps taken to ensure data security and whether the architecture conforms to laid-down procedures. These and other challenges have significantly slowed adoption of the Cloud. This will change once more robust security offerings become available in the cloud, but until then everyone will tread cautiously.