Personal data protection: Firms need to do more

Corporations need to invest in cybersecurity to protect not only consumer data but also the business at large

Business Standard Editorial Comment New Delhi
Last Updated: Aug 31 2022 | 11:10 PM IST
As more Indian organisations move to the cloud, security breaches are likely to become frequent. A lack of legislation protecting personal data allows Indian organisations to collect data as they choose, often needlessly. The data is often sold, or monetised in other ways, and is frequently held on insecure servers. Suitable legislation has not been passed in the five years since the Supreme Court asked for it in a landmark case that upheld privacy as a fundamental right. This is a huge gap, which is at odds with policy initiatives to build Digital India. It opens the door to widespread misuse of data and to cybercrime, potentially targeting every Indian. It is also a barrier hindering efforts to set up data centres for overseas clients. Understandably, potential clients are wary about storing data in such an insecure environment.

Last week, Akasa Air, a new airline, emailed the passengers in its database, admitting that it had suffered a breach that exposed private personal data. Further, Vodafone Idea denied that the privacy of 20 million customers had been breached, after reports from a cybersecurity agency alleged this. In June 2022, the French multinational Thales claimed in a Cloud Security Report that 37 per cent of Indian respondents (all large corporations) had experienced a security breach of some nature in the past year. This is a serious problem and is only expected to increase in scale as more segments of the economy get digitised. Therefore, corporations need to invest in cybersecurity to protect not only consumer data but also the business at large. Such threats could undermine and hamper business operations with wider consequences. However, one of the reasons Indian firms may not be investing enough in this area is a lack of regulatory compulsion.

Ideally, a data protection law should cover the following areas. It should lay down clear, broad definitions of what constitutes private data. Those definitions should be open to review and updates as technology develops. There must be norms that data will not be collected needlessly, but only in granular fashion for clearly stated purposes, keeping the data-owner informed and seeking his or her permission at every stage. There should also be clear norms for the security of any data collected and stored, with the collector and storage centre held liable for breaches, with escalating penalties. Victims should be in a position to easily bring class-action civil suits, seeking damages in such cases. Data-owners should also have the “right to forget”. Once the purpose of the data has been served, the data-owner should have the option to ask for deletion.

Further, there should be safeguards against surveillance and overreach. There should be a transparent process for granting clearance to any agency to launch a data collection-cum-surveillance exercise against an individual or organisation. The draft Indian legislation, which has now been withdrawn, offered no protection against government surveillance. Under that draft, any official agency could access any data it chose to, or target any individual for surveillance. Thus, in the absence of legislation offering protection or redress, it’s inevitable that data will be monetised in ways which may expose data-owners to harm. The government should, therefore, plug this gap at the earliest.
