In times of disorder and disruption, be it the pandemic or economic and political unrest, your data is at extreme risk, with cyber criminals taking advantage of real or perceived chaos. Organizations today have a lot to lose in terms of theft and misuse of confidential data and intellectual property, operational disruption, loss of business and reputational damage (which may negatively impact the trajectory of a company's growth and hinder a success story), apart from hefty fines for non-compliance with the General Data Protection Regulation ('GDPR'). At the same time, organizations have a lot to gain in terms of competitive and tactical advantage if their data protection measures are adequate.
 
This alert, put together by MGC Global's IT risk advisory team, contains some important pointers that will help you understand the relevance of data protection in the current times and how best to prepare yourself adequately, going forward.
 
The risk factor

The amount of data being created (approximately 2.5 quintillion bytes per day) and stored continues to grow at unprecedented rates. Statistically, cyber-crime (malware, phishing, ransomware, etc.) is on the rise, with the proportion of businesses targeted by cyber criminals in the past year increasing from 38% to 43%, and over a quarter of those targeted (28%) experiencing five attacks or more (according to reliable studies).
 
Privacy laws are changing the web

Data protection and privacy laws and related regulations vary from country to country, and there is a constant stream of new ones. China's data privacy law went into effect on June 1, 2017, while the European Union's GDPR came into effect in 2018. In the United States, the California Consumer Privacy Act supports the right of individuals to control their own personally identifiable information. Singapore's Personal Data Protection Act took effect in 2014 but was amended in October 2020 to include changes to its consent framework.
 
India's regulatory mechanism for data protection and privacy is the Information Technology Act, 2000 and its corresponding Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. India's Personal Data Protection Bill, 2019 (modelled largely on existing frameworks for protecting privacy in other jurisdictions, including the GDPR and the Asia-Pacific Economic Cooperation Privacy Framework) follows a long chain of privacy-related developments in India that have been influenced by global developments as well as the country's own constitutional jurisprudence. Though the constitution does not explicitly specify a right to privacy, Indian courts have held that a right to privacy exists under the right to life guaranteed by Article 21.
 
Where and why are organizations failing?

The inability of stakeholders to appreciate and comprehend the potential impact on the organization if data is lost or stolen is at the root of the challenges being faced by several organizations. Ongoing practices such as emailing unencrypted data, sharing passwords, taking sensitive data outside the office environment on work computers, and not having appropriate data security policies and procedures in place are some of the alarmingly common mistakes. At the same time, organizations that choose to focus only on data protection and not also on data privacy assume the risk of alienating their customers as a consequence of ambiguity surrounding how their data is being stored and used.
 
What needs to be done

Prevention, with adequate preparedness and directional controls (such as training), is the first step. It should be followed by the measures below:

  • Ascertain the applicability of GDPR and other data protection regulations that are pertinent to your organization, and undertake an assessment of the nature and extent of your organization's compliance with them.
  • Bring your internal procedures in line with the GDPR and best practices: encrypt and back up your data, enhance your anti-malware protection, make your old computers' hard drives unreadable before disposal, install operating system updates, automate your software updates and secure your wireless network at your home or business.
  • Develop broad data management capabilities across the enterprise, while facilitating collaboration between functions for implementation of your policies.
  • Embed data privacy in the entire customer journey, from marketing to sales, servicing clients to retention, and even termination.
  • Map and document the data flows handled by data processors.
  • Be fully transparent to the user who is providing information.
  • Configure your consent method to use explicit/active consent when processing sensitive personal data on your website.
  • Design a data breach reporting mechanism.
  • Secure personal data through appropriate organizational and technical measures.
 
For any further clarifications or assistance

Please do not hesitate to connect with us at contactus@mgcglobal.co.in, so that our data protection experts and DPOs can assess the measures your organization can take to enhance its data protection capabilities.
 
Stay safe and stay well.

Lalit Sharma, Associate Director
Gautham Desai, Manager
Aditi Mishra, Certified DPO

About MGC Global

Recognized as one of the '10 most promising risk advisory services firms' in 2017, as the 'Company of the Year' in 2018 and 2019 (both in the category of risk advisory services), one of the 'Top Exceptional Companies to Work For' in 2020, amongst the 'Top 25 Customer Centric Companies' in 2020 and 'The Consultant of the Year' in 2021 (in the category of risk advisory services), MGC Global is an independent member firm of the US$ 4.2 billion, Atlanta-headquartered Allinial Global.
 
MGC Global provides services in the areas of enterprise-wide risk management, control assessments (SOC, IFCR and SOX), internal audits, process re-engineering, governance frameworks, IT risk advisory, GDPR, cyber security, CxO transformation and forensic services. Our Firm has the capabilities to service its clients through its offices in Bengaluru, Mumbai and NCR, and has service arrangements in all major cities in India.

About Allinial Global

Allinial Global (formerly PKF North America) is currently the world's second-largest member-based association (with collective revenues of approximately USD 4.2 billion) that has dedicated itself to the success of independent accounting and consulting firms since its founding in 1969. It has member firms in 71 countries, with over 28,000 professional staff and over 4,000 partners operating from 688 offices across the globe.
 
Allinial Global provides its member firms with a broad array of resources and support that benefit both its member firms and their clients in the key impact areas of learning and development, human resources, international outreach, technical support, knowledge-sharing platforms through its specialized communities of practice, marketing resources, information technology and best practices in practice management.