The Digital Personal Data Protection Bill 2022, once enacted, will change the way businesses function. The new regulatory law requires businesses to move away from legacy processes and silos and adopt a comprehensive data protection program built with resilience in mind. In this interview, Shashidhar Angadi, Co-Founder & CTO, Exterro, discusses the importance of data protection and how technology can lead the way towards cost-effective investments that help businesses comply with the new regime.
1. Modern data protection – where and when you need it most
The quote “Data is the new Oil” has been around for a while. Historically data protection has focused on high availability and redundancy with a focus on Recovery Time Objective and Recovery Point Objective. With the digital transformation that has occurred in recent years, enterprise viability and success rely on proper data governance. Well-managed data can maximise the ability of enterprises to make effective and informed decisions for revenue growth and profitability. Most organisations require modern data protection. Modern data protection allows organisations to handle data at a petabyte scale and helps them conform with tougher data protection and privacy laws. It also provides resilience against insider and outside threats. Modern data protection helps organisations deal with cyberattacks and ransomware as remote working increases proliferation of endpoints.
2. Importance of data protection software across environments
Data protection software provides resilience against cyber attacks and ransomware. As organisations move towards a hybrid model with on-premise and cloud systems, data protection software helps manage and protect data across a distributed infrastructure. Having a centralised system to manage data allows us to look at data via a single pane of glass and also look for threats and vulnerabilities and mitigate them effectively. A good data protection software helps with broader business objectives including resilience, governance and risk management.
3. How data protection and cyber resiliency go hand-in-hand
When we look at the cyber risk that most organisations need to tackle, one area has always posed a major vulnerability: visibility into third parties. There exists a gap in knowledge about which third parties have access to organisational data and what data privacy risks arise out of the lack of third party visibility. There are also gaps in knowledge about security practices of third parties. This is why any comprehensive data protection programme will also need to understand vendor risk. With the right technology these risks can be mitigated.
Data privacy and cybersecurity are closely linked as cybercriminals often target proprietary and consumer data while perpetrating attacks. Having a robust data protection programme with nuanced tools to mitigate legal and cyber risk is more important now than ever. But a data protection programme would also require organisations to harmonise data deletion and retention strategies. Put simply: data you don’t have cannot be breached. The proposed Digital Data Protection Bill 2022 calls for just that — keeping only the data that is important to essential business practices. Adopting data privacy tools can enable organisations to identify which data to retain and which data needs deletion. Such technology can also identify whether data is under another regulatory obligation, or has been requested by a customer for deletion. At its core, data minimization and cyber security are two sides of the same coin as they help businesses establish deterrence against attacks.
4. Business’s commitment towards effective data protection and data management
Data protection is important, as it prevents proprietary business information and customer data from falling into the wrong hands, be it cyber criminals who try to extract it through hacking, phishing, or insider threats and corporate espionage. In the age of data, any organisation that wants to work effectively needs to ensure the safety of the data they hold. It’s not unfounded that countries across the world are implementing data privacy regulations defining consumer and employee rights over business use of personal data, fines for breaches of personal data and mandating that businesses retain the data that they need.
A data protection program helps build credibility for the business. If organisations fail to recognise its importance they would have to end up paying exorbitant amounts of fines and risk huge losses as a fallout. But there’s light at the end of the tunnel. Many organisations are attempting to answer a number of questions pertaining to what data they store, why they store it, how prepared they are to respond to consumer requests for that data, and who can access it. It’s the responsibility of every business to formulate comprehensive data protection programmes even if they need changes to processes in order to comply with norms.
5. What the Digital Data Protection Bill 2022 means for businesses
Currently, data protection in India is governed by the Security Practices and Procedures and Sensitive Personal Data or Information 2011 and the Information Technology Act 2008. But once the new Digital Personal Data Protection Bill is enacted it will have major implications for organisations across different sectors. If companies don’t begin making changes to existing processes, transitioning from complying with SPDI Rules to the new and more complex law may pose great challenges. Data currently resides in silos in most companies and this approach will have to change if businesses need to comply with the upcoming law as it specifically defines responsibilities of organisations, how they must manage the data they hold and also be able to respond to data subject access requests. Since it levies hefty fines for non-compliance, businesses have no option but to adopt data protection mechanisms.
But any revamp in business processes cannot be done overnight and organisations must start building holistic data protection programmes now. The new bill calls for organisations to establish a legally defensible data protection programme but when data volumes are skyrocketing, organisations cannot comply without the right technology. Businesses will need to evaluate which technology is the best one to mitigate legal risks. There are four questions businesses need to ask while choosing the right technology: Does the technology help us create a defensible and scalable data inventory? Can the technology automate data subject access requests? Can the solution tackle cyber risk? And does the tool automate data minimisation and retention?
6. How the right tools can help Data Fiduciaries prepare themselves to comply with norms and remain agile amidst evolving regulations
To effectively comply with the law, data fiduciaries or organisations must have an effective inventory of data that resides across departments, in one centralised repository. This would be next to impossible with the sheer volumes of data being generated every day. With tools that are easy to configure and scale, organisations can create a comprehensive data inventory that provides a roadmap to meet compliance obligations, identify existing vulnerabilities, and demonstrate accountability. Automated tools can also gather information for data subject access requests within minutes and also identify which data must be retained to meet parallel compliance norms and which data needs to be deleted. These tools also have the potential to identify and address third party risk and ensure organisations are complying with cybersecurity norms too. Without a unified solution to address the massive challenge data protection presents in India, businesses would risk non-compliance and will end up paying massive fines.