09 February 2021
Recently, Bigbasket, India’s largest online grocery store, was found to be subject to a massive breach; the personal contact and ID details of more than 20 million users had been leaked for sale on the dark web. What could be one of the country’s biggest data breaches has followed cyber attacks on some of India’s largest companies, such as Dr. Reddy’s and Paytm. These incidents highlight the importance of putting in place a plan to deal with breaches for your own startup. Regardless of the size of the business, companies today are meant to possess and process vast amounts of personal and client data. Privacy has been recognized as a Constitutionally guaranteed Fundamental Right.
Indian cyber law has laid down certain regulations to be followed in the event of cyber breaches. The Information Technology Act of 2000 was one of the first to recognize the importance of data protection by including provisions on liability for wrongful loss of personal information: where a body corporate is negligent in implementing and maintaining reasonable security practices, resulting in wrongful loss or wrongful gain to any person, such body corporate may be held liable to pay damages to the person so affected.
The Personal Data Protection Bill of 2019 goes a step further in mandating requirements for data protection, and specifically lists out and exhaustively defines what constitutes “Sensitive Personal Data”, which must be dealt with using a higher standard of care and with consent that details the purpose of disclosure. “Personal data breach” has been defined by the Personal Data Protection Bill to mean “any unauthorised or accidental disclosure of, acquisition of, sharing of, use of, alteration of, destruction of, loss of access to, personal information that compromises the confidentiality, integrity or availability of personal info to a data principal”, which, simply put, means a loss of safety and security of any customer/client information.
Some salient features of the Act that will come into effect to cure any breach of privacy include:
In an increasingly information-based environment, businesses are tasked with the highest responsibility in ensuring the safety and protection of the personal info of their customers, vendors and clients. In an era where information is compared to gold, ensuring your business is up to date and compliant is of utmost importance and an indispensable part of protecting the goodwill of your business.
The EU GDPR (General Data Protection Regulation), introduced in May 2018, has become the standard bearer of data protection and privacy regulations. EU GDPR laws dictate the terms and manner of collecting and processing personal information, in addition to the management of such info. The regulation guarantees data protection safeguards at every step of the information collection and processing operations, with further penalties for non-compliance or any compromising of such info of the members of EU nations. In summary, as Article 5 of the EU GDPR itself states, the key principles of data protection are:
The EU Data Privacy regulations apply not just to European companies, but to any company in the world that deals with data of European citizens. The conditions where an Indian company may process personal info of an “EU Data Subject” include:
The GDPR imposes requirements on companies that collect, store or process personal data of any EU citizen. Even if your company does not have a presence in Europe, any personal data of a European citizen should be treated in the strictest of confidence and dealt with utmost sensitivity, taking all the technical measures into consideration. Below is the checklist for compliance with the same:
1. Information Audit: Organizations that have at least 250 employees or conduct higher-risk data processing are required to keep an up-to-date and detailed list of their processing activities and be prepared to show that list to regulators upon request.
A person in the organization may be in charge of compliance (along with a representative in the EU if required). The best way to demonstrate GDPR compliance is using a data protection impact assessment. Organizations with fewer than 250 employees should also conduct an assessment because it will make complying with the GDPR's other requirements easier.
Questions to be asked: the purposes of the processing, what kind of data is processed, employee access to privileged in your organization, any third party access (and where they are located), steps taken to protect the data (e.g. encryption), plan to erase it after completion of mandate (if possible).
The GDPR requires organizations to use encryption or pseudonymization whenever feasible.
Operational security policy that ensures your team members are knowledgeable about data security. It should include guidance about email security, passwords, two-factor authentication, device encryption, and VPNs. Employees who have access to personal data and non-technical employees should receive extra training in the requirements of the GDPR.
You should be able to comply with requests for rectification/completion of incomplete data (under Article 16).
Treelife Ventures Services Private Limited.
All Rights Reserved. © 2020.