Safeguarding Personal Data in India: Navigating Data Protection Challenges
By Rakesh Raguvanshi
In the rapidly evolving landscape of technological advancements, India’s enterprises are grappling with a pressing concern – the escalating frequency of data breaches. In the third quarter of 2023, India ranked as the 10th most breached country globally, with a staggering 3,69,000 leaked accounts, according to cybersecurity firm Surfshark. Despite a 74% decline in breach rates since the second quarter, when 1.4 million accounts reported breaches, the severity of data breaches remains a significant threat, as evidenced by the recent Taj Hotels incident. The luxury hotel chain owned by the Tata Group recently experienced a substantial data breach, reportedly compromising the personal information of 1.5 million customers.
As we look at the critical role of the Digital Personal Data Protection Act in India, we must also understand the importance of informed consent and robust data security measures. At a time when personal information is a valuable commodity, individuals must be aware of the risks associated with sharing data and the efforts in place to protect their privacy. For instance, In the quest for a new home, we engage with real estate agencies, entrusting them with a wealth of personal information. Personal data includes sensitive details such as financial information, credit history, and preferences for the type of property sought. Often, to our dismay, after a singular interaction with the agency, we find ourselves inundated with unsolicited calls and emails from various other real estate agencies, mortgage lenders, and even insurance companies. These communications’ sheer volume and precision indicate that our data has been shared or sold without obtaining explicit consent.
Another scenario is visiting a cinema hall where personal information gets sought for ticket bookings. Faced with this request, we grapple with providing our data. The contemplation stems from concerns about this information’s potential misuse or unauthorised sharing. This moment encapsulates individuals’ broader dilemma when prompted to disclose personal details, reflecting the pervasive impact of data collection practices on everyday choices and privacy considerations.
Data protection norms in India are designed to address the growing concerns surrounding data breaches by prioritising the privacy of individuals. Key elements of the act include explicit consent before sharing personal information and stringent penalties for non-compliance. The act places responsibilities on data fiduciaries (brand owners) and data principals (customers), emphasising the need for secure data handling, storage, and destruction.
Companies collecting personal data also face a dilemma –balancing the benefits of data-driven insights with the potential risks of data breaches. Growing instances of unauthorised sharing or selling of personal information highlight the urgency for companies to align their practices with legal frameworks. While proactive measures of adopting advanced technological solutions help safeguard personal data, a lack of understanding among businesses often impedes it.
In response to the challenges posed by data protection laws, companies need to prioritise the adoption of safeguards such as Role-based Access Control (RBAC) to protect personal data. Having restricted controls helps companies navigate the complexities of data protection laws while maintaining ethical standards. Role-based access control is a unified solution that enhances security, ensures regulatory compliance, and facilitates transparent communication with users. By implementing robust access controls, companies can streamline operations, optimise costs, and fortify the data security of their users.
The data privacy law now has some very stringent penalties. Companies (Data Fiduciary) will have to take, store, record and destroy the data of customers (Data Principals), and the Data Processing party has to ensure that data encryption is done in transit and at rest. The governments recently notified Digital Personal Data Protection bylaws now mandate data residency in India, presenting challenges for businesses, particularly non-Indian companies operating within the country.
Any heightened stress between countries can also lead to cross-border data breaches, which only emphasises the need for robust security measures. Cookie consent becomes a critical part of the conversation, focusing on user consent and data privacy compliance, as companies reliant on first-party data face potential hurdles due to stringent data protection laws. Ensuring user consent and data privacy compliance while managing multiple vendors for compliance services poses operational challenges for such companies.
As India grapples with the escalating threat of data breaches and understanding the new Data Protection Act, only the right technological solution will play a pivotal role in safeguarding personal data. Companies must prioritise ethical data practices, balancing data-driven insights and individual privacy. Through informed choices, transparency, and robust security measures, we can collectively build a safer digital environment for all.
(The author is Rakesh Raguvanshi, CEO and Founder, Sekel Tech, and the views expressed in this article are his own)
