Megha Nambiar is the Legal Counsel to an Artificial Intelligence and Fintech company – HyperVerge, Inc. She works primarily in the areas of data protection, fintech regulatory and compliance advisory, TMT and commercial laws. An alumnus of School of Law, Christ University, having graduated with a BA LLB (Hons.), she went on to complete a PG DM in Media Laws from NALSAR and a Graduate Certificate in Technology and Policy from Takshashila Institute. She has a keen interest in all things law, literature and learning.
In this global data economy, great data holdings generate immense value, but also come with significant responsibility and compliance. Data is increasingly becoming one of the most crucial yet vulnerable assets of any modern-day organization and consequently information security, data privacy and compliance take center stage.
Legislators the world over are taking cognizance of the importance of governing and regulating the different stakeholders involved in personal and non-personal data exchanges, such as private body corporates, governments and individual data subjects/data principals.
Key tenets that form the foundation of personal data protection legislations are:
- Recorded consent as a prerequisite at the time of collection, which the data subject can subsequently withdraw at will within reasonable limits.
- Ensuring legitimate basis for collection and processing of personal data.
- Existence of direct and specific nexus and alignment between the data collected and the purpose for such collection.
- Proportionality of the quantum of data collected and duration of storage to the purpose sought to be achieved.
- Implementation of the technical measures/processes and confidentiality standards necessary to secure such personal information throughout the data lifecycle.
Data privacy laws seek to balance the interests of various stakeholders, empower data subjects with control over the collection and use of their personal data, and embed transparency, trust and accountability within the system.
With data breaches and third-party hacks rampant, and huge penalties being imposed on corporations for violations of data protection legislations, the present times demand rigorous planning and implementation across the various departments of every organization to create a robust information security and compliance system.
This calls for active collaboration between key departments such as the information security team, the legal function and the risk and compliance team. Every vertical and every individual, whichever team they belong to within the organization, plays a role in the day-to-day observance of an organization’s data protection and information security policies and processes. This applies all the way from external data collected, processed and transmitted from clients or end users to internally collected data such as employee/personnel data.
Organizations can no longer put off or ignore the changing landscape of data privacy and security, and should focus on shaping and prioritizing the creation of strong systems and processes that enable compliance and secure their most valuable asset. Some of the steps that can be taken towards this are as follows:
- Global Legal Compliance: Globalization has led to cross border collection, transfer and processing of data across various geographies. This attracts the application of and compliances under different governing legislations. Companies should be apprised of the evolving compliances – which include specific and varying consent standards across geographies, pre-requisites that need to be met where cross border data transfers are permitted and localization/mirroring of personal data where cross border transfers are only partially permitted or entirely prohibited for certain sensitive classes of data. Additionally, appointment of data protection officers in the relevant jurisdiction and registration with the local data protection authority where applicable are to be heeded.
- Comprehensive Contracting Standards: Disclosures and comprehensive documentation form the basis of data receipt, processing and transfers between data subjects, the body corporates collecting the data, processors and sub-processors. Here too, certain legislations and conventional industry practices stipulate mandatory clauses and specified documents to be executed (where applicable), such as the EU Standard Contractual Clauses under the GDPR; mandatory Data Processing Agreements, to be executed as applicable with third parties; and Non-Disclosure/Confidentiality Agreements, executed internally with employees, agents and consultants. Organizations should be certain to document rights and responsibilities in such agreements in line with global best practices and applicable laws. It is important to document the standard of security measures and controls that such third parties should implement, such as ISO, SOC or PCI DSS, which can often be industry specific. To be sufficiently protected contractually in the event of a breach, it is essential to seek indemnification where any breach, unauthorized use or access of personal data has occurred, and to document, where third parties are engaged, the notification timelines for both suspected and actual security incidents and the course of action to be adopted on such occurrence.
- Data Sharing Principles: Companies should ensure that personal data is shared within the organization on a strict ‘need to know’ basis, following the principle of least privilege. Where personal data is shared with third-party subcontractors and processors, companies should carry out detailed due diligence before engaging a third party to process data on their behalf. It should also be ensured that individuals within the organization and external third parties access, store and transfer data only for the duration and purpose necessary and permitted, and purge or return all data in an irretrievable manner thereafter. As far as possible, companies should actively audit and monitor for compliance in this regard on a periodic basis.
- Managing Data Inventory and Assets: Across functions and verticals, various classes of personal, non-personal, business, financial, technical and proprietary data are logged and processed within systems and by individuals. It becomes important for companies to map and keep an inventory of their data assets and to classify such data into specific categories, so that different standards of compliance and processes can be applied accordingly.
- Training, Awareness and Certifications: There is no substitute for regular employee training and awareness programs with respect to data access, handling and reporting. When done well and consistently, this goes a long way in creating a compliance-conscious culture within the company. Specific functions that work very closely with sensitive and personal data should also be encouraged to take up external certifications around evolving standards of compliance and breach mitigation processes, and to keep abreast of the fast-advancing world of cyber security and the data hygiene practices that go with it.
- Investing in Infrastructure and Insurance: At the core of any information security implementation are the infrastructure and the individuals involved. It is key to assess gaps and potential vulnerabilities in the system, identify key non-compliances and risks through regular certified third-party audits, and set up technological and people processes for preventing, identifying and responding to security incidents of varying levels of criticality. Obtaining comprehensive data security insurance, investing in the latest cyber security defense mechanisms and strengthening preparedness for security events go a long way toward reducing the impact of data breaches, sophisticated hacks and attacks.