Data Privacy and Safety

09 February 2021

Data Privacy

How to Deal With a Data Breach?

Recently, Bigbasket, India’s largest online grocery store, was found to have suffered a massive breach: the personal contact and ID details of more than 20 million users were leaked and put up for sale on the dark web. What could be one of the country’s biggest data breaches followed cyber attacks on some of India’s largest companies, such as Dr. Reddy’s and Paytm. These incidents highlight the importance of having a plan to deal with breaches at your own start-up. Regardless of the size of the business, companies today possess and process vast amounts of personal and client data, and privacy has been recognized as a constitutionally guaranteed fundamental right.

Indian cyber law lays down certain regulations to be followed in the event of a cyber breach. The Information Technology Act, 2000 was one of the first statutes to recognize the importance of data protection: it provides that where a body corporate is negligent in implementing and maintaining reasonable security practices while handling personal information, and this results in wrongful loss or wrongful gain to any person, that body corporate may be held liable to pay damages to the person so affected.

The Personal Data Protection Bill, 2019 goes a step further: it mandates requirements for data protection and exhaustively lists and defines what constitutes “Sensitive Personal Data”, which must be handled with a higher standard of care and with consent that details the purpose of disclosure. The Bill defines a “personal data breach” to mean “any unauthorised or accidental disclosure of, acquisition of, sharing of, use of, alteration of, destruction of, loss of access to, personal information that compromises the confidentiality, integrity or availability of personal info to a data principal”; simply put, this means any loss of the safety and security of customer or client information.

Some salient features of the Bill that would come into effect to cure a breach of privacy include:

  • A provision for compensation for loss (Section 64(1)).
  • Section 25 of the Bill provides for notice to the authorities and for pursuing any and all urgent remedial measures to cure the breach, taking into account factors such as the severity of the breach.
  • On receipt of notice of a breach from those in charge of handling the data, the authorities are empowered under Sections 49(2)(b) and 51 of the Bill to direct companies to act on and investigate the loss of privacy, and may require that the owners of the information and any affected individuals be notified.
  • As a requirement of data sovereignty, all companies must ensure that any information required in the interest of national safety or security is promptly delivered and communicated to the government.

Does your company need GDPR Compliance?

In an increasingly information-driven environment, businesses carry the highest responsibility for ensuring the safety and protection of the personal information of their customers, vendors and clients. In an era where information is compared to gold, keeping your business up to date and compliant is of utmost importance and an indispensable part of protecting its goodwill.

The EU GDPR (General Data Protection Regulation), introduced in May 2018, has become the standard-bearer of data protection and privacy regulation. The GDPR dictates the terms and manner of collecting and processing personal information, as well as how such information is managed. It guarantees data protection safeguards at every step of the collection and processing operations, with penalties for non-compliance or for any compromise of the information of individuals in EU member nations. In summary, as Article 5 of the GDPR itself states, the key principles of data protection are:

  • Transparency
  • Limitation of processing purpose
  • Data minimisation
  • Accuracy in data collection
  • Limitation of storage
  • Integrity and confidentiality of data

The EU data privacy regulations apply not just to European companies but to any company in the world that handles the data of European citizens. The conditions under which an Indian company may process the personal information of an “EU Data Subject” include:

  • Processing is necessary to satisfy a contract to which the data subject is a party.
  • You need to process the data to comply with a legal obligation.
  • You need to process the data to save somebody’s life.
  • Processing is necessary to perform a task in the public interest or to carry out some official function.
  • You have a legitimate interest to process someone’s personal data. This is the most flexible lawful basis, though the “fundamental rights and freedoms of the data subject” always override your interests, especially if it’s a child’s data.

The GDPR applies to any company that collects, stores or processes the personal data of EU citizens. Even if your company has no presence in Europe, the personal data of a European citizen should be treated in the strictest confidence and handled with the utmost sensitivity, taking all technical measures into consideration. Below is a checklist for compliance.

Easy checklist for compliance with EU GDPR

1. Information Audit

Organizations that have at least 250 employees or conduct higher-risk data processing are required to keep an up-to-date and detailed list of their processing activities and be prepared to show that list to regulators upon request. A person in the organization may be put in charge of compliance (along with a representative in the EU, if required). The best way to demonstrate GDPR compliance is a data protection impact assessment; organizations with fewer than 250 employees should also conduct one, because it will make complying with the GDPR's other requirements easier.

Questions to be asked:

  • What are the purposes of the processing?
  • What kind of data is processed?
  • Which employees in your organization have privileged access?
  • Does any third party have access (and where are they located)?
  • What steps are taken to protect the data (e.g. encryption)?
  • Is there a plan to erase it after completion of the mandate (if possible)?

2. Organizational and Technical Measures

You need to disclose to people that you are collecting their data and why (Article 12). You should explain how the data is processed, who has access to it, and how you are keeping it safe. This information should be included in your privacy policy and provided to data subjects at the time you collect their data. It must be presented "in a concise, transparent, intelligible and easily accessible form, using clear and plain language". The GDPR also requires organizations to use encryption or pseudonymization whenever feasible.

  • Operational security policy that ensures your team members are knowledgeable about data security. It should include guidance on email security, passwords, two-factor authentication, device encryption, and VPNs. Employees who have access to personal data, and non-technical employees, should receive extra training in the requirements of the GDPR.
  • Data protection impact assessment (aka privacy impact assessment): a way to understand how your product or service could jeopardize your customers' data, and how to minimize those risks.
  • Breach notification: the GDPR does not specify whom you should notify if you are not an EU-based organization. For those in English-speaking non-EU countries, you may find it easiest to notify the Office of the Data Protection Commissioner in Ireland. You are also required to quickly communicate data breaches to your data subjects unless the breach is unlikely to put them at risk (for instance, if the stolen data is encrypted).
  • Data Processing Agreement with any third-party services (standard-format agreements).
  • Data quality process in place, making it easy for your customers to view their personal data. You should be able to send their personal data in a commonly readable format (e.g. a spreadsheet) either to them or to a third party they designate.
  • Rectification: you should be able to comply with requests for rectification or completion of incomplete data (under Article 16).


Treelife Ventures Services Private Limited.
All Rights Reserved. © 2022.