CIO Insider

CIOInsider India Magazine


Data Privacy

Argha Bose, Head - Cybersecurity, Tata Advanced Systems

Argha Bose has two decades of experience in consulting, practice and delivery management, pre-sales, and business development that is related to cybersecurity, identity and access management across the globe.

What are the best practices for managing data in an organization?
Every organization has some important data within their environment and IT landscape at different places. They are battling with answers to what and where these data exist, their relevance to the business, and the ability to get the right data when it is needed. Hence, data management and governance are essential to practice in today’s digital landscape. With accurate data governance, many complex data sources that exist and contribute to decision making can be managed and monitored throughout the layers in which they exist. This gives businesses the most unified and consistent view of the data. Some of the best practices of data management and governance are:

1. Defining Clear Targets: Every organization is different, and hence, there is no laid-out approach for data governance. While setting-out for data governance, organizations need to have a clear target that they would like to achieve at the end of the road.

2. Track the Data: On setting targets for data governance, the next logical step is to be able to identify and locate data that exists within the organization and track its access throughout the organization. This way, it would provide a holistic view of the organization's data and how it needs to be managed.

3. Identify Risks: Once the data is tracked, it is then important to classify the data, identify the risks associated with it, and take relevant steps, both from technology and process perspective, to provide relevant controls to address these risks and minimize the exposure levels.

4. Assign Ownership: There needs to be well-defined ownership of the data that exists within an organization. This could be individuals, groups or departments. Identifying these relevant owners, making them responsible for the data under their control and allowing them to control access to the data helps in executing the overall data governance strategy.

5. Defining the Right Controls: By focusing foremost on the security of data, organizations can minimize risk and maximize compliance at the same time. To meet the regulatory compliance of processing, storing and/or transmitting sensitive data, organizations are required to maintain data policies that include measures for data protection and data privacy.

6. Implement the Strategy: Once the data governance program is outlined, the next step is to execute the plan to realign the organization based on the recommendations. Not all of this can happen overnight-some initiatives will be easier to implement than others. By determining which aspects of the data governance program should be introduced in what order, we can maximize the effectiveness of its rollout, while minimizing the chances of its failures.

What challenges do you think organizations face concerning data privacy?
Data privacy and data protection are a complex problem. Initially, data (both sensitive and PII) need to be identified and classified according to the risk, and then needs to be ensured that it is protected with appropriate security technologies and strategies. To be able to measure the impact and criticality of global data privacy, we need to

understand the challenges organizations face in data privacy and protection.

There is no doubt that organizations today are generating more data than ever, yet weak security practices continue to put organizations at risk of a data breach. Organizations need to be on top of their game in protecting not only their customers’ personal information, but sensitive data as well. Currently, where every single device is generating and accessing data, it sometimes becomes overwhelming to handle millions and even billions of data records.

Along with the increasing volume of data, there is a substantial rise in the potential of organizations to experience incidents in which their data is compromised in some way. Most of the enterprises have trouble in fully understanding how and where data flows across the organization, as well as establishing ownership and accountability for such data. Disruptive technologies such as software-as-a-service (SaaS) and cloud computing are some of the factors.

By determining which aspects of the data governance program should be introduced in what order, we can maximize the effectiveness of its rollout, while minimizing the chances of its failures

With multiple service providers now engaged within an organization, data has moved from the complete control of the organization to the service providers. This increases risk by enabling confidential data to cross organizational boundaries. The portability of data coupled with the ability to access data from anywhere using any device (BYOD) makes it increasingly easy for data to be lost, stolen or abused.

The cost of a data breach for organizations has become quite steep. Regulatory bodies like GDPR, CCPA, and others have very stringent fines and even jail time for non-compliance or violation. Hence, organizations need to make investments in technologies that ensure data protection.

Do you think cloud can be considered as an option for securing sensitive data?
Organizations these days are adopting cloud more and more heavily. The public cloud has opened-up amazing possibilities and is changing the types of challenges businesses encounter. The cloud offers more than just servers. There are a lot of benefits in moving to the cloud, including cost reduction, elasticity, flexibility, redundancy, effective collaboration, scalability, and better integration. Virtually, every business utilizes the cloud to some extent, but most of them hesitate to adopt a full-scale cloud strategy, particularly for primary storage, because of security concerns. It is true for organizations dealing with highly sensitive data. And this is the reason you would find sectors like BFSI, Healthcare, defense, and others are reluctant to send sensitive data into the cloud.

“Personal data protection bill (PDP bill) is India’s first attempt to domestically legislate the mechanisms for the protection of personal data and aims to setup a data protection authority in the country”

In my opinion, the cloud can be considered as an option. It will boil down to the organization’s business models, and the data that they handle with the kind of contractual obligations and regulatory compliance expectations that would drive their decision to move to the cloud. A lot of organizations have also opted for partnering with the right hybrid cloud service that enables them to focus on their primary mission, while ensuring their data is better protected than it could be in their own hands. If done right, the cloud can truly be a safer place for sensitive data than on-premises.

How do you see PDPB will drive overall security and data privacy as a long term association?
Today, the Internet is commonly used across the length and breadth of our country and is being accessed through multiple devices. As India’s consumers spend a good amount of time in Internet services like social media and other applications, they end-up submitting their personal and critical details to service providers in exchange for the free use of their services.

The Personal Data Protection Bill (PDP Bill) is India’s first attempt to domestically legislate the mechanisms for the protection of personal data and aims to setup a Data Protection Authority in the country. PDPB is a valuable step towards a sustainable solution that would aid India in strengthening its data security concerns and position, as well as empower and equip individuals to manage their data. The proposed bill gives high priority for individual rights on data protection. As per the bill, citizens’ personal information can’t be collected, processed, and shared without their consent. The companies are required to be clear and concise on what data is collected, its purpose, how it’s used, and for how long the data will be retained.

Moreover, restrictions are placed on ‘sensitive personal data’ which needs to be stored in India. This bill will change the way privacy is perceived and practiced in India. It applies to both government and private organizations established in India as well as abroad. Non-compliance with the regulation may lead to both financial penalties and personal liability. The introduction of this bill will not only improve individuals’ trust with such organizations, but will also help India gain and establish better acceptance while transacting business. It will drive overall security and data privacy, specifically around individual rights.

Current Issue
63SATS : Redefining Cyber Security For A Safer World