Over the past couple of years, the government has tried to keep a tighter leash on financial data generated within the country through measures such as not allowing platforms to save data for recurring payments, card tokenization, and storage of payments data within India, among others. Several digital-surveillance measures have been introduced, and many companies have been directed to collect and store user data such as names, addresses, IP addresses, contact numbers, and email addresses. However, as the scale of data collection increases, so does the risk of leaks. According to reports, 18 out of every 100 Indians have been hit by data breaches since 2004.
For businesses, customer data is akin to gold dust, as this information can be used to improve customer experiences, enhance marketing efforts, improve product development, and make informed business decisions.
However, the flip side is that a data breach is one of the fastest ways to damage a company’s reputation. Therefore, it is imperative that companies ensure their customer data is appropriately collected and protected, which includes vetting and monitoring third-party vendors who manage customer data.
There is also an inherent misconception that data security is only essential for large corporations. It has been found that most cyberattacks are targeted at small and midsize businesses, 60% of which go out of business within six months of a breach. And businesses that do survive a data breach still face fines, fees, and potential lawsuits. Boycotts, lost contracts, and customer churn are the most common outcomes of reputation damage.
A company’s responsibility is to ensure that the personal information of its customers is secure and to create carefully constructed data security and data privacy policies that will detect the most probable and damaging scenarios.
Good reputation management creates loyal customers who, in return, become brand advocates. Therefore, a business must provide a self-service privacy portal for customers where they can manage their privacy preferences and know how their data is being used.
Data Governance: It’s all about the Law
For companies, the only hope lies in the Data Protection Bill that has been in the works for five years. Moreover, the current version of the bill has been modified to address a host of economic, nationalistic, and privacy-related concerns or objectives. Creating a law that addresses all these issues while also effectively regulating India’s rapidly changing technology landscape seems to be a gigantic task.
India has seen a significant uptick in the number of data breaches, and apart from being a privacy concern, this is also an economic concern. A recent report by IBM Security and Ponemon Institute estimated that the average total cost of a data breach in India in 2021 was INR 16.5 crore (US$ 2.17 million).
In the absence of a law, companies and even governments are free to collect data indiscriminately. It is thus imperative that regulatory uncertainty ends and there is clarity around legal and policy issues.
For companies and governments to protect the data rights of citizens, there must be checks and balances in place that require companies to carry out regular data security and privacy impact assessments, demonstrating they are handling people’s data in the right way. Laws that allow independent data protection authorities to hold companies accountable for not complying with data protection and privacy laws must also be passed. And most importantly, the government’s practices should be privacy-protective.
In fact, India is now one of the last few countries in the world to not yet have a comprehensive, modern data protection law regime. Considering India’s desire to foster a global image of a digital economy with a booming data services industry, the Government must move fast to introduce a framework that brings it on par with its partners on the international stage.