We saw extraordinary challenges last year, not only due to the global pandemic but also due to an increase in data breaches and related penalties, which are a direct fallout of not complying with data protection regulations.

The pandemic of data breaches was far-reaching and devastating for businesses, and it was non-discriminatory: no business or industry was spared. Teleconferencing platform Zoom, which zoomed up the popularity charts during the pandemic, was targeted by hackers, as were giants such as Twitter and Marriott.

At the same time, data protection authorities across the globe are pressing organizations to implement security controls to protect personal data and to comply with other data privacy requirements.

A few examples are as follows:

  • British Airways and Marriott were fined £20 million and £18.4 million respectively by the Information Commissioner’s Office in the UK for failing to keep their customers’ data secure.
  • Multinational clothing retailer H&M was fined €35.3 million by the German data protection authority for unlawful employee-monitoring practices.
  • Lifespan Health System in the USA agreed to pay a penalty of $1.04 million for a data breach.

India is not far behind in terms of data breaches. All of us would have read the news about data from Amazon’s and Swiggy’s payment partner Juspay being available on the Dark Web. Even more recently, the revised ‘Privacy Policy’ and ‘Terms of Service’ of WhatsApp have become the most read and debated content in recent history. This has thrown the spotlight on the ‘consent’ and ‘data sharing’ practices of organizations.

What India has yet to catch up on is effective data protection law. Under section 43A of the Information Technology Act, a body corporate is liable to pay damages for negligence in maintaining reasonable security practices to protect sensitive personal data or information.

Reporting of data breaches and levying or paying penalties are not currently India’s forte. However, this may change once the upcoming Personal Data Protection Bill is passed and enforced by Parliament. It proposes several obligations for organizations as well as heavy penalties - up to Rs. 15 crores or 4 percent of global turnover if norms are violated.

This bill will also bring certain other challenges to businesses in India, such as the localization of ‘critical personal data’. What this means is that personal data can be transferred outside of India as long as ‘sensitive personal data’ is mirrored in the country, that is, a copy will have to be maintained in India. Organizations will, however, be barred from transferring ‘critical personal data’ (a category that the government can notify at a subsequent stage) outside the country.

In short, organizations catering to clients in India as well as other countries will have to tackle various data protection challenges, including:

The future is not as bleak as it sounds, though. Every problem comes with a solution, and in this case the solution may lie in a robust data privacy framework that gives us the tools to tackle these challenges.

The DSCI (Data Security Council of India) Privacy Framework (DPF©) is one such framework, and it comes with a layered data privacy approach. The three layers elaborated in this framework are as follows:

  • Layer 1: Privacy Strategy and Processes:
  1. This is the layer that helps in establishing the strategic elements of privacy.
  2. It covers five practice areas: Visibility over Personal Information (VPI), Privacy Organisation and Relationship (POR), Privacy Policy and Processes (PPP), Regulatory Compliance Intelligence (RCI), and Privacy Contract Management (PCM).
  • Layer 2: Information Usage, Access, Monitoring, and Training:
  1. This layer ensures that an adequate level of awareness exists in the organization. Significant controls are deployed to limit access to and usage of personal information, to monitor privacy, and to manage incidents compromising personal data privacy.
  2. Practice areas in this layer include Information Usage and Access (IUA), Privacy Monitoring and Incident Management (MIM), and Privacy Awareness and Training (PAT).
  • Layer 3: Personal Information Security:
  1. This layer derives its strength from the organization’s security initiatives and demands a focus on data security.

DSCI provides various checklists and industry best practices for implementing the practice areas in each layer.

Other frameworks in the market:

  • ISO/IEC 27701:2019 provides a Privacy Information Management System (PIMS) framework for managing privacy, with a particular focus on the General Data Protection Regulation (GDPR).
  • ISO/IEC 27018:2019 is another framework that provides a code of practice for protecting personal data in cloud environments.
  • ENISA (the European Union Agency for Cybersecurity) is working on an emerging EU framework for the ICT (Information and Communication Technology) certification of products and services.

How is DSCI Privacy Framework different?

What is unique about the DSCI Privacy Framework is that it does not restrict itself to a management system, a specific technology environment, or a specific regulation. It is intended to provide an approach and detailed guidance that will help establish a mature privacy function.

The “how to’s” of key requirements such as ‘Maintenance of records’, ‘Consent’, ‘Data protection officer’, ‘Data protection impact assessment’, ‘Privacy in design’, and ‘Data breach reporting’ mentioned in India’s upcoming Personal Data Protection Bill are addressed in detail in the DSCI Privacy Framework.

Also, importantly, while the DPF© methodology provides the right pathways to deal with data privacy challenges, organizations have the option to get certified by DSCI against this framework or to obtain a Privacy Seal for their products and services. This certification or seal enables organizations to demonstrate their compliance with a particular geography’s legal requirements, giving them an edge in their business endeavors.