CIO Wall

Harish Agarwal

Partner - Ernst & Young LLP

CIO Perspectives

Prioritising Privacy in the Digital

In today’s digital world, organisations are using social, mobile, big data and analytics, as well as Internet of Things (IoT) to gather as much information on their customers as possible, while simultaneously trying to do everything possible to protect their organisations from cyber- attacks that may emanate from the outside or within. In this environment, privacy management may become an afterthought, bolted on to information security programmes in an adhoc manner.

Poor privacy management practices can cause reputation risk and be a threat to the organisation’s commercial value. Pressure is continuously increasing on organisations to improve their privacy compliance, as customer demand for better privacy management grows.

The constantly changing threat landscape, driven by an ever-connected world, is resulting in regulators enhancing privacy requirements regularly. This is one of the biggest challenges encountered by many organisations, as they grapple with new legislations and frameworks around data privacy. The concerns around data privacy impact both consumers and enterprises alike. While consumers are concerned about the misuse of personal and sensitive information, organisations are worried about the potential impact on their reputation, brand value, consumer trust as well as revenues.

The changing legislative requirements, most recently demonstrated by the European Union’s General Data Protection Regulation (GDPR), Canada’s Personal Information Protection and Electronics Document Act (PIPEDA), California Privacy Law and India Personal Data Protection Bill, coupled with increasing customer expectations, pose a rising number of challenges for companies.

In 2017, the government of India constituted a committee of experts with former Supreme Court Justice, BN Srikrishna as chairman, to study various issues related to data protection in India. The committee had to make specific suggestions on principles to be considered for data protection in India and suggest a draft Data Protection Bill. The committee, formed with the intention of creating a powerful data protection law in India, has submitted its draft bill to the Ministry of Electronics and Information Technology (MeitY) on 27 July 2018. This submission came after a year of consultations with various stakeholders.

The proposed bill applies to both government and private entities. The applicability of the law will extend to data controllers/fiduciaries or data processors not present within the territory of India, if they carry out processing of personal data in connection with business, goods and services and activities involving profiling of data principles within the territory of India. The bill lays down penalties, ranging from five crore rupees or 2 per cent of total global turnover to fifteen crore rupees or 4 per cent of the total global turnover. It is thus changing the way privacy is perceived and practiced within Indian businesses.

The complexities of privacy regulations call for a systematic way to grasp how privacy management operates. Most data privacy challenges can be addressed by Data Management and Governance divisions along with risk management functions. Privacy is defined in Generally Accepted Privacy Principles such as “the rights and obligations of individuals and organisations with respect to the collection, use, retention, disclosure, and disposal of personal information.”

Well-established privacy management cannot only give organisations a competitive edge, but in the age of increasing consumer awareness and digital interconnectivity, transparency is key to achieving and maintaining the trust of the customers. Building sustainable data privacy management strategy that incorporates customer rights and the ethical use of data that adheres to legal and compliance obligations can achieve just that. The privacy management strategy must combine legal reform with the encouragement of new business models that are premised on consumer empowerment and supported by a personal data ecosystem. The new strategy is important because it changes the focus of who benefits from the collection and use of personal data from businesses to consumers. It also increases consumers’ trust by giving them control over how their data is collected and used.

Real-time consent

A leading-class strategy in building customer trust is transparency during the consent process. This includes giving customers access to means that allow them to exercise control over the use of their personal data at the time the data is used.

User-managed access

This is an Auth-based access management protocol standard. It’s designed to enable individuals to control the authorization of data sharing and access to other protected resources.

Privacy by design

Organisations can consider designing data protection into the development of business processes and new systems. Privacy settings are set at the highest level by default. For designers and developers to use privacy by design or privacy by default methodologies, practical and implementable procedures must be available.

Digital personas

A digital persona is a realistic representation of consumer groups that are based on research and data. These personas are developed using aggregated customer data from a variety of sources — such as website analytics, online surveys, social media use among others — to advise on the creation of groups of personas that represent the organisation’s digital customers For organisations, privacy is about managing privacy requirements end-to-end. Technical point solutions, such as encryption and auditing tools, are vitally important, but often address nly a small part of overall privacy concerns. Although a number of different privacy-enhancing technologies are available, privacy requirements for global organisations can still be challenging. The way business environments are changing, there is need for more automation in order to protect online privacy. The challenge is how to move towards this model, without automation itself harming the privacy of the individual or organisation. Transparency, responsibility and privacy impact assessment and assurance – the key aspects of accountability, are an important part of the solution. New technologies and business models can bring higher risk to data privacy and security. The necessary increased trust can come from improved transparency and sound stewardship of information by service providers. A greater sensitivity (both as individual and organisations) towards data and privacy needs to be achieved through training and case studies.

Related Topics

    No releavent topics