The Covid-19 pandemic has massively disrupted, and continues to disrupt, the way individuals, governments and corporations function in practically every walk of life. The greatest manifestation of this disruption is the increasing adoption of technological solutions to tackle the challenges that the pandemic is posing.
Key Highlights Of Present-Day Law
The Information Technology Act 2000 (IT Act) read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (Sensitive Personal Data Rules) are the principal legislation governing the collection and processing of personal information and sensitive personal data or information (Sensitive Personal Data) on a sector-neutral basis.
The Sensitive Personal Data Rules primarily designate the following as Sensitive Personal Data:
- Financial information such as bank account or credit card or debit card or other payment instrument details
- Physical, physiological and mental health condition
- Sexual orientation
- Medical records and history
- Biometric information
Sensitive Personal Data may be collected by a body corporate only by complying with the provisions of the Sensitive Personal Data Rules, including obtaining consent from the provider of the information.
Compliance Challenges Ushered In By Covid-19
The sudden digital shift caused by Covid-19 presents a major compliance challenge, considering the general outlook towards data privacy compliance in India. With remote working in the wake of Covid-19, data privacy, security and management have become a massive concern for most organisations, which lack the capacity to deal with data privacy and protection.
Moreover, certain measures carried out in response to Covid-19, such as temperature recording and screening of employees and visitors, have in most cases been implemented without appropriate safeguards or adherence to compliance requirements. Another area of concern is the lack of investment in cybersecurity and the shortage of competent personnel dealing with matters such as data security.
What Can Be Done?
Most organisations do not even have a basic understanding of the data they collect, let alone the reasons and purposes for such collection. This can be especially detrimental in customer-focused sectors such as retail, which collect data at a rate of knots but do not have even a rudimentary audit of their data practices. A basic practice that can set the foundation of a sound system for dealing with data in an organisation is to analyse the type and quantum of data being processed and map it to the purposes for which it is collected and the departments that may require access to it.
Questions To Consider
- How important is data to the business? If data is not required for the business, why is it being collected?
- If data is an asset just like a physical asset, who should have access and how should it be protected within the organisation?
Building Organisational Capacity
Data privacy and protection is best not thought about in silos. Although it goes without saying that confusing a CISO with a CTO is not a particularly good reflection of organisational capacity, ultimately every person engaged by an organisation must be sensitised to understand the value of protecting data. Steps such as regular training sessions and clear policies on the use of devices and networks within the organisation can be incredibly cost-effective solutions towards compliance.
Questions To Consider
- Is there a policy covering an employee's responsibility for ensuring the confidentiality of proprietary data and customer information?
- Is there any responsibility matrix with clear responsibility being attributed to specific personnel for ensuring data protection in the organisation?
The Importance Of Cybersecurity
Organisations are often daunted by the costs of implementing cybersecurity solutions, but any effort towards protecting data would be hollow without them. Interestingly, many organisations fail to consider the cybersecurity standards used by their IT suppliers, such as cloud providers. Organisations running IT in-house can consider conducting a gap analysis to understand their existing level of compliance and the areas where they fall short. This provides a starting point for deciding on the level of data protection the organisation can strive towards while keeping commercial concerns in view.
Questions To Consider
- Is there any mechanism to audit IT/cloud providers for their cybersecurity standards?
- Are there clear policies and measures in case of breach/cyber-attack such as for business continuity and recovery?
Covid-19 has already compelled organisations to take a digital leap, and that leap is proving to be a challenge. However, India’s data privacy and protection legal framework is about to take a quantum leap of its own in the form of the Personal Data Protection Bill 2019, which is currently being considered by the Joint Parliamentary Committee. It is now a crucial moment for organisations to actively consider overhauling their existing practices and usher in a new dawn in which their business can thrive once the Covid-19 pandemic is behind us.
[The article was co-authored by Supratim Chakraborty (Partner) and Sumantra Bose (Senior Associate) at Khaitan & Co]