Privacy is not a new thing. In our normal life also, people had been locking their secrets in cabinets / safe or been using curtains / doors / tainted glass to prevent unnecessary disclosure of their internal things etc. However, in modern time, as more of our data becomes digitized & we share more information online, we interact with several people / organizations for various different needs & reasons, data privacy is becoming highly important.
As a business, even a small company may possess the personal information of not just their employees but thousands or millions of customers as well. When customers share their personal information with companies, they do it only for a specific reason & expect companies to safeguard their information & privacy. This personal data can be used against them if it falls into the wrong hands.
There are several reasons why an organization must have Privacy Management practice in place:
Data Privacy Regulations: Many countries already have their data privacy regulations ie. GDPR, CCPA, PIPEDA, etc. & any violation to these data privacy regulations can result in hefty fines. Even if in India it’s still in form of Bill, these external laws can still be applicable to businesses in India.
Prevent Breaches: Implementing comprehensive security is one of the core component of a good Privacy Management Framework. A study by Cisco shows that Data breaches fall 71% for the organization which had implemented Privacy Framework.
Legal challenges: Any privacy violation may push an organization into several legal battles. People are becoming more aware of their rights, the remedies they have & are ready to fight for their privacy.
Builds your Brand: In today’s world, a company’s reputation and brand value depends a lot on how they maintain the privacy of their customers. Just an example, maintaining privacy of users has played an important role in building Apple’s brand image.
Offers competitive edge: Businesses with focus on security & privacy are attracting more business. Recently one announcement by WhatsApp in regards to change in their privacy policy resulted in millions of people exiting their application. On other hand, Signal which is more focused towards maintaining privacy of their users, saw it’s adoption increasing by 4200% within weeks of WhatsApp’s announcement.
Data Privacy is not same as Data Security:
Even though the two terms looks similar, they are quite different. While Data Security deals with the protection of data from cybercriminals, insider threats or other factors, Data Privacy deals with policies & procedures that deals with how an organizations or individual legally gather, store, process, use, share & dispose the data. Data security is one of the aspect that facilitates Data Privacy.
Now let’s see where businesses often violates the Privacy norms knowing or unknowingly:
- By not disclosing the purpose information is being collected
- By not taking consent from data subject for which their personal information is being used
- By collecting personal information more than what’s required
- By using collected personal information for an unauthorized purpose
- By not maintaining sufficient Data Security
- By not limiting access to personal data
- By not following personal data disposal policy
- By not having correct Incident Responses process for personal data breach
- By not maintaining transparency in data collection and it’s use
- By not having desired process to handle data subject rights
- By sharing of personal data with third parties
- By transferring personal data across permissible regional boundaries
- By not maintaining legal contracts with other data processors / sub-processors with required terms
We at Cybersec Knights Pvt. Ltd. have been actively working with clients in different sectors & with different segments of Indian market to help organizations with building their Privacy framework & it’s implementation. Most of these organizations report a return that’s more than doubles their privacy spend, and over 50% show “significant” business benefits.
Small businesses in India often thinks that because we don’t have specific regulation for Privacy / Personal Data protection, they need not to follow privacy focused practise. What they don’t know is that privacy regulations around the world in many cases may be applicable to business entities operating in India as well.
Looking at the threat landscape & the growing cyber attacks / breaches, it’s inevitable to avoid privacy regulation. Soon we’ll have one in India as well.
– Aman Chhikara