The discreet and diabolical manner in which cyber threat actors, hackers and attackers operate in the digital sphere has called for transnational and interdisciplinary assessments of the effectiveness of data protection regulations across the globe.


This thought leadership piece examines legislative developments in India in the context of data protection and sets out specific best practices that you can consider (with due guidance) for implementation in your organisation.

Background

The meteoric adoption of technology, against the backdrop of the exponential penetration of digital applications, requires privacy safeguards to mitigate the risk of personal data being subjected to unauthorized access. Individuals and organizations must assume control over the manner in which their data is collected, stored, processed, transferred, disclosed and used.


In this context, the right to privacy is a fundamental right under the framework of the right to life (Article 21) of our Constitution, as a consequence of the landmark judgment of the Hon'ble Supreme Court of India in 2017. In 2020, the Reserve Bank of India developed restrictions for payment aggregators and lending applications; these seek to prevent payment aggregators, who facilitate payments between users and merchants using electronic/online payment modes, from storing cards and associated data (e.g., card number and CVV). In 2021, the Bureau of Indian Guidelines formulated data privacy standards as an assurance framework for enterprises, and the central government set out due-diligence rules for internet intermediaries to implement.


While the Information Technology Act 2000 (as amended), read with its supplementary rules, currently provides the legal cornerstone for the protection of personal information, India needs a comprehensive legal framework to address the overarching principles of data protection.


A comprehensive regulation for data protection in India ...

After five years in the making, the Personal Data Protection Bill 2019 ran into rough weather, with several issues (relevant, but beyond the scope of a modern digital privacy law) being raised as the bill was in its final stages. Consequently, it was withdrawn in August 2022 and the government has started drafting a new bill, which we understand is targeted to be made into law by early 2023 in the parliament's budget session, which typically runs in January and February.


What should be the focus of the new regulation? 

The proposed regulation should be modelled along the lines of the GDPR, while specifically addressing requirements for notice and prior consent for the use of individual data, with limitations on the purposes for which data can be processed and restrictions ensuring that only the data necessary for providing a service to the individual in question is collected.


The legislation should outline measures for responsible, lawful and ethical processing of data with the obligation to ensure adequate transparency, while relying on one of the six lawful grounds listed in Article 6 of GDPR and being in accordance with all the other general principles listed in Article 5 of GDPR (i.e. fairness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality and accountability). Data subjects should have specific rights with emphasis on the right of access or erasure. 


With a primary focus on the foregoing, the new bill will further propel the growth of the digital economy, while seeking to keep the personal data of citizens of India secure and protected.

10 key best practices 

  1. Undertake a mapping of the components of your system: Identify the infrastructure, IT assets and data that require protection.
  2. Undertake a cyber security risk assessment: Make cybersecurity an integral part of all business processes. Identify relevant threats, exploitable vulnerabilities and the consequent risks, and determine the business impact of critical risks.
  3. Monitor the severity of the residual risks: Establish and maintain specific information security risk criteria; ensure that repeated risk assessments produce consistent, valid and comparable results; place emphasis on risks associated with the loss of confidentiality, integrity and availability of information within the scope of the information security management system; identify the owners of risks; and evaluate the effectiveness of the measures to mitigate the information security risks against established criteria.
  4. Go beyond protecting the perimeter to protect the data itself: Firewall technology by itself will not guarantee that your data is 100% secure, given the growing volume of safeguard circumvention resulting in the misuse of sensitive data. You must also identify sensitive data and ensure that your policies and procedures are engineered to identify and protect it.
  5. Encrypt all devices: Ensure that all data is stored in an encrypted format and remains encrypted (especially during migration). Implement safeguards such as pseudonymisation, or even anonymisation, of sensitive data.
  6. Delete redundant data: Ensure that you have information disposal mechanisms in place that prevent stale data from being forgotten about and stolen at a later date. Have a system for shredding, erasing or otherwise rendering redundant data indecipherable.
  7. Establish strong passwords: Assess your password policies and avoid simple, generic and easy-to-guess passwords for critical accounts that have access to sensitive and valuable data. Use reasonably complex passwords and change them at least every 90 days.
  8. Update your programs regularly: Ensure that the computers used in your organization are adequately patched and updated. Your security applications are only as good as their most recent update.
  9. Back up your data regularly: This should already be a crucial part of your IT security strategy. As a security best practice, backup data should be stored in a secure, remote location away from your primary place of business.
  10. Create an organization-wide security mindset: Everyone who has a username and password should be made aware of his/her responsibility for keeping data secure. Data security is everyone's job and is not limited to your IT team.

There is no single comprehensive list of measures that applies to all organisations. Your cyber risk strategy and data protection measures need to be developed after considering the nature, size and complexity of your business and its planned growth.


Should you have any questions or wish to speak with one of our IT risk advisory professionals, please do not hesitate to reach out to us at contactus@mgcglobal.co.in.


Stay secure and have a great weekend.


Best regards

Markets Team

MGC Global Risk Advisory

About MGC Global Risk Advisory 

Recognized as one of the '10 most promising risk advisory services firms' in 2017, as the 'Company of the Year' in 2018 and 2019 (both in the category of risk advisory services), one of the 'Top Exceptional Companies to Work For' in 2020, amongst the 'Top 25 Customer Centric Companies' in 2020 and 'The Consultant of the Year' in 2021 (in the category of risk advisory services), MGC Global is an independent member firm of Allinial Global.


MGC Global provides services in the areas of enterprise-wide risk management, control assessments (SOC, IFCR and SOX), internal audits, process re-engineering, governance frameworks, IT advisory (including VAPT), GDPR and data protection readiness, cyber security, CxO transformation and forensic services. Our Firm has the capabilities to service its clients through its offices in Bengaluru, Mumbai and NCR, and has service arrangements with its associates in all major cities in India.

About Allinial Global

Allinial Global (formerly PKF North America) is currently the world's second-largest member-based association (with collective revenues of approximately USD 4.5 billion) and has dedicated itself to the success of independent accounting and consulting firms since its founding in 1969. It has member firms in 99 countries, which currently have over 28,000 professional staff and over 4,000 partners operating from over 680 offices across the globe.


Allinial Global provides its member firms with a broad array of resources and support that benefit both its member firms and their clients in the key impact areas of learning and development, human resources, international outreach, technical support, knowledge-sharing platforms through its specialized communities of practice, marketing resources, information technology and best practices in practice management.