9 things to keep in mind to ensure you are respecting your users’ data privacy.

Privacy is fast becoming the new buzzword across nations. More than 66% of countries have data privacy legislation in place, and 10% of countries have draft legislation that may come into force soon; India is one of those countries, with draft legislation under consideration by a Joint Parliamentary Committee.

One may ask why worry about it now, when India still hasn’t enacted the law. There are ample reasons to worry, the primary one being that Indian consumers are increasingly becoming aware of their privacy rights. A survey conducted by Open Text, an Information Management Solutions company, concludes that 84 percent of Indian consumers prefer organisations committed to protecting their data privacy. Further, many Indian companies offer their products directly to overseas consumers, and other companies act as outsourcing partners to overseas companies and process information about their consumers. The extraterritorial application of the privacy laws of many countries has made it increasingly difficult for Indian companies to stay out of the reach of data privacy law.

How do companies comply with data privacy requirements? How do companies demonstrate to their users that they are reliable and trustworthy? Believe it or not, a template-based privacy policy is no longer an answer to consumer privacy concerns, so what do you do?

1. Product, Privacy and Planning

Privacy is not an afterthought anymore; a pre-ticked checkbox at the end of a template-driven privacy policy is no longer an answer. Instead, privacy thinking needs to go in right at the stage of planning the development of products and services. This can be summed up in the concept of Privacy by Design.

Privacy by Design is a concept initially developed by Ms Ann Cavoukian, the then Privacy Commissioner of the province of Ontario in Canada. There are 7 foundational principles of Privacy by Design. While we will not delve into each foundational principle, suffice it to say that the concept requires companies to consider privacy throughout the product engineering process while developing a product. Having a well-developed organisational privacy policy and an agile privacy team, fully involved at the product planning stage, is the first step to ensure that privacy considerations are taken into account right from the word go. A Data Protection Impact Assessment (DPIA) is the other action that goes a long way in ensuring data protection. A DPIA is an exercise carried out before initiating any new product or process that poses a high or significant risk to users’ personal data.

2. Understanding the System and identifying the loopholes

For a privacy-friendly product, website or service, the internal stakeholders must understand the system well. Auditing the current system and maintaining a record of the following helps in identifying the gaps which need to be addressed:

  • what personal information of the customers the organisation stores;

  • the nature of the information;

  • the stakeholders responsible for the maintenance of the information;

  • where and how the information is stored;

  • the deletion policy for the information;

  • the procedures employed to safeguard the information.

To fix a leaking pipe, you first need to find the pipe.

3. Policies and procedures

It is essential to understand that policies and procedures must be written down before they can be implemented. Any organisation that needs its processes fixed first needs policies and procedures in place. From a data privacy perspective, an organisation's privacy team needs to work with multiple stakeholders to draft policies, to name a few:

● IT Policy

● Information Security Policy

● Data Retention and Destruction Policy

● Data Subject Access Right Policy

● Bring Your Own Device Policy

● Personal Data Breach Policy

● Monitoring Policy

● Employee Privacy Notice

4. Fixing the Loopholes

Once those leaking pipes have been identified, you know the next step; that’s right, figure out a way to fix them. The loopholes can be fixed by adopting the following measures:

● Privacy should be the default setting. Don’t make your users work hard to achieve privacy. Privacy should be the default option in your web and system settings, especially in the case of data collected for analytical or advertising purposes.

● Make your customer and employee privacy policies easier to understand; remove the unnecessary legalese and heavy-duty jargon.

● Make sure you collect consent properly and store consent appropriately.

● Make sure that data which is not essential for the purpose for which it is collected is not collected at all.

● Make sure the data collected is used only for the purpose for which it was collected.

● Make sure the data collected is secured.

● Make sure the data collected is error-free and accurate.

● Make sure the data collected is not retained for longer than the required time.

● Make sure that customers and employees can exercise their data subject rights, and keep the procedure ready. The next step is to keep the following forms ready:

○ Data Subject Access Right Form

○ Data Deletion Request Form

○ Data Restriction or Processing Request Form

○ Data Correction Request Form

5. Security Measures

While this should be a sub-point of the previous point, the importance of this measure has earned it a spot as a separate point altogether. To ensure that end-user data is actually protected, it is necessary to establish measures such as:

● Sophisticated Encryption Measures

● Two Factor Authentication

● Access Control Measures

● Pseudonymization and Anonymization of data points.

6. Employee Training

Employees are the face of an organisation; any number of policies, processes and controls are useless unless employees are adequately trained on them. This training becomes especially essential in the realm of data privacy. Employees should be trained on the general principles of data protection as well as on role-specific obligations, including but not limited to:

● Overview of privacy principles

● Handling data subject access requests

● Password and device policy

● Ethical and privacy considerations in marketing

● Designing a privacy friendly product

7. Vendor Audits and Management

Vendors are as crucial for the business as employees. Vendors who handle user data on behalf of the organisation need to be fully equipped with the human resources and processes to take care of the privacy of your users. To ensure that your vendors take care of your customers’ data in line with your organisational policies, make sure you have the following processes in place:

● Vendor Pre-Onboarding Verifications

● Vendor Data Protection Agreements

● Vendor Onboarding Policies

● Vendor Audits

8. Certifications

An essential method of demonstrating that you are a privacy-friendly organisation is to think ahead of time and get your organisation certified under one or more of the available privacy standards and certifications. The following certifications go a long way in demonstrating that your organisation is privacy-friendly:

● ISO/IEC 27001:2013

● IS 17428:1

● SOC 2

● ISO 27701

9. Transparency

Be transparent with your customers and end-users about the organisation's privacy practices. This can be achieved by:

  1. Clear and concise privacy notices

  2. Uncomplicated language in privacy notices

  3. Processing data in line with people’s expectations when the data is shared

  4. Disclosing what information is collected

  5. Disclosing the purpose of data collection

  6. Disclosing the source of the data

  7. Disclosing the parties with whom the data is shared

  8. Disclosing how long the data will be retained

  9. Having a point of contact for grievance redressal

  10. Ensuring sector-specific regulations are taken into account

  11. Disclosing the data subject rights that exist

These are just a few steps that demonstrate to your users that your organisation is committed to Privacy. These are not all the steps but a few very pertinent measures organisations can take. Commitment to Privacy is not merely a regulatory requirement but also an excellent customer acquisition strategy. Therefore, viewing Privacy as an isolated function, separate from other organisational functions, is the same as viewing the tiling of a washroom as isolated from the plumbing of the washroom—a grave mistake. Lots of leaking pipes, I tell you.


Follow LexTalk World for more news and updates from International Legal Industry.