As the global IT hub involving data processing from countries with stricter data privacy regime, and with increasingly digitally connected citizens, India needs to have well-defined privacy laws, says Srinivas Poosarla, VP & Head (Global), Privacy & Data Protection, Infosys Ltd, in an interaction with Arpit Gupta of Elets News Network (ENN)
What is the significance of data privacy in Indian IT industry? Is privacy distinct from security?
In India, data privacy becomes important from two broad perspectives. Firstly, it is reasonable to assume that every Indian, particularly those part of the rapidly growing digital ecosystem, would expect some degree of privacy to avoid being victims of identity theft, nuisance calls, profiling, and other harm caused by improper handling of their personal information. Secondly, data privacy is a key enabler for growth of the Indian IT industry, much of which caters to clients from those parts of the world having stricter data privacy regime.
Today, while privacy obligations are imposed on Indian IT organisations indirectly through contractual means, the new GDPR (General Data Protection Regulation) adopted by the EU (European Union) is expected to make data processors handling EU citizens’ personal data directly liable, even for entities outside the EU. Moreover, most Indian IT and other industries which have global operations are headquartered in India, where the bulk of the enterprise data processing, such as payroll, HR and marketing operations, happens.
This requires that such data acquired from clients, employees, vendors etc., from various parts of the world are processed in India according to the data privacy regulations of the applicable countries.
Yes, privacy is different from security – it is about giving choice or information to individuals on the data being collected about them, how it will be used and protected, with whom it will be shared, etc. Security, on the other hand, is about CIA (confidentiality, integrity and availability) for not only personal data but any type of information that an organisation may process. But both are equally important.
With emerging technologies, such as IoT and Big Data, and the proportionate rise in the threat landscape, what are the challenges and solutions to meet the security and privacy needs?
In traditional IT systems and Internet applications, personal data is exchanged between a user and a service provider, such as a bank, e-commerce store, etc., and data processing is based on an agreement called privacy notice or consent. Depending on the exact choice exercised by a user, data processing must be restricted to only agreed purposes. However, for applications, such as Big Data solutions and Smart Cities, with data sharing across entities, newer threats will get introduced for various use cases, which need to be mitigated by appropriate methods, and tools such as differential privacy, data obfuscation, etc. But we also need regulations and industry standards to ensure adoption of such measures by the industry.
Not only is awareness of data privacy low in India, but it is also often misconstrued as being fully a subset of security. As a result, many organisations included this as part of the CISO function, although data privacy is slowly emerging as an independent function.
How are you contributing to shaping up standards on data privacy?
For data privacy, regulations are essential to bring accountability to organisations, but they cannot specify how organisations can design, develop and manage their products and processes on personal data. Moreover, it is difficult for regulations to keep pace with emerging technologies, such as IoT, Big Data, etc., which have a significant impact on data privacy. This is where standards play a key role.
IoT is one of the focus areas and is expected to immensely benefit the consumers and society at large. It also has a high potential to introduce newer privacy and security threats, if adequate safeguards are not deployed. Some of the key privacy considerations identified in IoT are aspects such as:
- The need to uniquely attribute a “thing” to an individual, particularly in multi-user applications such as a home thermostat or connected cars
- Capture and management of privacy choices where multiple stakeholders are involved, such as the device manufacturer, utility service providers, ISP, and other actors
- Authentication of a data subject when a device is not in physical proximity to the user
- De-identifying a “thing” when its ownership changes or it is lost/damaged
- Data sharing without consent for intrusive purposes that offer business benefits to one or more of stakeholders in IoT ecosystem
Following deliberations at the SC27 meeting in Tampa in April 2016, it was decided to grant a one-year study period to examine this in-depth and come out with findings, including the need for standards. As a designated expert in ISO Committee on Security & Privacy, I was assigned the task to study this, along with a senior expert from South Korea, and obtain inputs from other international bodies and groups.
Is there a scope for more organisations other than DSCI and Nasscom to support initiatives on strengthening data privacy environment in India?
Today the only privacy regulation we have, apart from a few provisions in some sectoral laws, is the IT Rules 2011 from Section 43A of the IT Act, which is also not as comprehensive, and hence this gap needs to be filled on priority. Needless to mention, such privacy regulation must be drafted keeping in view the unique cultural and demographic needs of India, while emulating best practices from other countries’ experiences. This will not only alleviate the privacy concerns of citizens, but also help Indian industry use it as a market differentiator. This cannot be achieved without contribution from stakeholders from all sections of the community – industry and public bodies, civil society organisations and individual experts.
Today DSCI is one organisation which promotes data protection among the Indian industry and works closely with the relevant government departments to bridge the gap. But we need greater participation from law schools, human rights and consumer organisations. Data privacy should no longer be the focus area for only the IT and outsourcing industry, but for all kinds of organisations, government bodies and citizens.