Privacy is fast becoming the new buzzword across nations. More than 66% of countries have data privacy legislation in place, and 10% of countries have draft legislation that may come into force at any time, India being one of them, with its draft legislation under consideration by the Joint Parliamentary Committee.
One may ask why worry about it now, when India has not yet enacted the law. There are ample reasons to worry, the primary one being that Indian consumers are increasingly aware of their privacy rights. A survey conducted by Open Text, an information management solutions company, concludes that 84 percent of Indian consumers prefer organisations committed to protecting their data privacy. Further, many Indian companies offer their products directly to overseas consumers, and others act as outsourcing partners to overseas companies and process information about those companies' consumers. The extraterritorial application of many countries' privacy laws has made it increasingly difficult for Indian companies to stay outside the reach of data privacy regulation.
1. Product, Privacy and Planning
2. Understanding the System and identifying the loopholes
For a privacy-friendly product, website or service, the internal stakeholders must understand the system well. Auditing the current system and keeping a record of the following helps in identifying the gaps that need to be addressed:
● what personal information of customers the organisation stores;
● the nature of that information;
● the stakeholders responsible for maintaining the information;
● where and how the information is stored;
● the deletion policy for the information;
● the procedures employed to safeguard the information.
To fix a leaking pipe, you first need to find the pipe.
3. Policies and procedures
It is essential to understand that policies and procedures must be written before they can be implemented. Any organisation that needs its processes fixed first needs policies and procedures in place. From a data privacy perspective, an organisation's privacy team needs to work with multiple stakeholders to draft policies, to name a few-
● IT Policy
● Information Security Policy
● Data Retention and Destruction Policy
● Data Subject Access Right Policy
● Bring Your Own Device Policy
● Personal Data Breach Policy
● Monitoring Policy
● Employee Privacy Notice
4. Fixing the Loopholes
Once those leaking pipes have been identified, you know the next step; that’s right, figure out a way to fix them. The loopholes can be fixed by adopting the following measures-
● Privacy should be a default setting - don’t make your users work hard to achieve privacy. Privacy should be the default option in your web and system settings, especially for data collected for analytical or advertising purposes.
● Make your customer and employee privacy policies easier to understand; remove unnecessary legalese and heavy-duty jargon.
● Make sure you collect consent properly and store it appropriately.
● Make sure that data which is not essential for the purpose for which it is collected is not collected at all.
● Make sure the data collected is used only for the purpose for which it was collected.
● Make sure the data collected is secured.
● Make sure the data collected is accurate and error-free.
● Make sure the data collected is not retained for longer than required.
● Make sure that customers and employees can exercise their data subject rights: keep the procedure ready, and keep the following forms ready as well-
○ Data Subject Access Right Form
○ Data Deletion Request Form
○ Data Restriction or Processing Request Form
○ Data Correction Request Form
5. Security Measures
While this could be a sub-point of the previous point, the importance of this measure has earned it a spot as a separate point altogether. To ensure that end-user data is actually protected, it is necessary to establish measures such as-
● Sophisticated Encryption Measures
● Two Factor Authentication
● Access Control Measures
● Pseudonymization and Anonymization of data points.
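The last bullet is worth a concrete illustration, because the two techniques are often conflated. Below is an added example (not code from the original article or from LexTalk World) showing, in Python, keyed pseudonymization of a direct identifier (e-mail address) alongside anonymization of quasi-identifiers (birth year, pincode) by generalisation. The customer records, the key and the field names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for the example; these are not real people.
SAMPLE_RECORDS = [
    {"email": "asha@example.com", "birth_year": 1987, "pincode": "560034", "plan": "premium"},
    {"email": "ravi@example.com", "birth_year": 1993, "pincode": "560001", "plan": "basic"},
    {"email": "asha@example.com", "birth_year": 1987, "pincode": "560034", "plan": "premium"},
]


def pseudonymize(value: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed HMAC-SHA256 token.

    The same input under the same key always yields the same token, so
    records about one person stay linkable (for analytics or support),
    but the token cannot be reversed or recomputed without the key.
    An unkeyed hash would not give this property: e-mail addresses are
    guessable, so a plain SHA-256 of an address can be matched by hashing
    candidate addresses. The key must live in a secret store, separate
    from the pseudonymised dataset; re-identification is then possible
    only for whoever holds both.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymize_records(records: list[dict], key: bytes) -> list[dict]:
    """Return copies of the records with the e-mail replaced by a subject token."""
    out = []
    for record in records:
        row = dict(record)
        row["subject_id"] = pseudonymize(row.pop("email"), key)
        out.append(row)
    return out


def anonymize_record(record: dict, reference_year: int) -> dict:
    """Generalise quasi-identifiers so the row no longer singles out a person.

    Anonymization is irreversible and needs no key: the precise values are
    discarded rather than hidden. The birth year becomes a ten-year age band
    and the six-digit pincode is cut to its first two digits (the postal
    region), which is coarse enough for aggregate reporting. The direct
    identifier is dropped entirely.
    """
    age = reference_year - record["birth_year"]
    lower = (age // 10) * 10
    return {
        "age_band": f"{lower}-{lower + 9}",
        "region": record["pincode"][:2],
        "plan": record["plan"],
    }


if __name__ == "__main__":
    # A fresh 256-bit key; in production it comes from a KMS or secret store.
    demo_key = secrets.token_bytes(32)
    for row in pseudonymize_records(SAMPLE_RECORDS, demo_key):
        print(row)
    for record in SAMPLE_RECORDS:
        print(anonymize_record(record, reference_year=2021))
```

Note the design difference: pseudonymised rows still count as personal data (the organisation holds the key), so they remain subject to retention limits and data subject rights; only the generalised rows are suitable for sharing as anonymous aggregates, and even then the remaining columns should be checked for small groups that could still identify someone.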
6. Employee Training
Employees are the face of an organisation; any number of policies, processes and controls are useless unless employees are adequately trained on them. This training becomes especially essential in the realm of data privacy. Employees should be trained on the general principles of data protection as well as on role-specific obligations, including but not limited to-
● Overview of privacy principles
● Handling data subject access requests
● Password and device policy
● Ethical and privacy considerations in marketing
● Designing a privacy friendly product
7. Vendor Audits and Management
Vendors are as crucial to the business as employees. Vendors who handle user data on behalf of the organisation need to be fully equipped with the people and processes to take care of the privacy of your users. To ensure that your vendors handle your customers’ data in line with your organisational policies, make sure you have the following processes in place-
● Vendor pre-onboarding verifications
● Vendor data protection agreements
● Vendor onboarding policies
● Vendor Audits
An essential way of demonstrating that you are a privacy-friendly organisation is to think ahead and get your organisation certified under one or more of the available privacy standards and certifications. The following certifications go a long way in demonstrating that your organisation is privacy-friendly-
● ISO/IEC 27001:2013
● IS 17428:1
● SOC 2
● ISO 27701
Be transparent with your customers and end-users about the organisation's privacy practices. This can be achieved by-
● Clear and concise privacy notices
● Uncomplicated language in privacy notices
● Processing shared data in line with people’s expectations
● Disclosing what information is collected
● Disclosing the purpose of data collection
● Disclosing the source of the data
● Disclosing the parties with whom the data is shared
● Disclosing how long the data will be retained
● Having a point of contact for grievance redressal
● Ensuring sector-specific regulations are taken into account
● Informing people of their data subject rights
These are just a few steps that demonstrate to your users that your organisation is committed to privacy. They are not all the steps, but a few very pertinent measures organisations can take. Commitment to privacy is not merely a regulatory requirement but also an excellent customer acquisition strategy. Therefore, viewing privacy as an isolated function, separate from other organisational functions, is the same as viewing the tiling of a washroom as isolated from its plumbing—a grave mistake. Lots of leaking pipes, I tell you.
Follow LexTalk World for more news and updates from International Legal Industry.