5 minute read 27 Oct 2021
Data privacy policy

Why data privacy is emerging as the new norm

By Harshavardhan Godugula

EY India Forensic & Integrity Services Technology & Innovation Leader

Technology leader. Advising the C-suite on building safer enterprises through cyber incident response, data governance, fraud analytics and eDiscovery services. Driven by innovation.


As data privacy standards develop, stronger compliance will become mandatory.

In brief
  • Data privacy in the new normal is becoming an integral part of every organization, with various laws evolving around the globe.
  • An important first step in opening the gates of data privacy and protection in the organization is awareness.
  • The data provided by users is based on the trust they put in an organization or brand.
  • The approach must change to ‘privacy by default’ to build trust, rather than ‘privacy by design’ to achieve compliance.

Data privacy is becoming an integral part of every organization, with various laws developing around the globe. Corporates process various kinds of data, which includes personal data. Managing this massive amount of data is becoming an arduous task with technology advancement and data growing every second.

Before delving into the numerous data privacy laws and standards, it is critical to first comprehend what Personally Identifiable Information (PII) is. PII is information that can be used, on its own or together with other data, to determine an individual’s identity. Every data privacy law and regulation defines it differently. Under the European Union’s (EU) data privacy regulation, the GDPR (General Data Protection Regulation), PII is personal or sensitive data such as first name, last name, address or identification number, or factors specific to a person’s biometric, genetic, mental, economic, cultural or social identity. Likewise, under the Health Insurance Portability and Accountability Act (HIPAA), information related to an individual’s health is considered personal data, known as Protected Health Information (PHI), along with other PII such as address, driver’s license, social security number, credit card information and passport number.

GDPR has emerged as a comprehensive data privacy regulation concentrating on the protection of EU residents’ personal data, regardless of the location of the organization processing that data. Similarly, India’s proposed Personal Data Protection Bill (PDPB) is intended to protect the personal information of Indians. The California Consumer Privacy Act (CCPA) was enacted to strengthen data privacy rights and consumer protection for California residents. China’s Data Security Law (DSL) has been in effect since September 2021.

According to the ISACA® glossary, privacy is defined as:

The rights of an individual to trust that others will appropriately and respectfully use, store, share, and dispose of their associated personal and sensitive information within the context, and according to the purposes, for which it was collected or derived.

Apart from compliance, one of the biggest challenges an organization may face in terms of data privacy and protection regulations is to comply with numerous laws, especially when dealing with users across different territories.
Ranjeeth Bellary
EY India Associate Partner - Forensic & Integrity Services

A recent survey conducted by EY Forensic & Integrity Services and the ACFE Mumbai Chapter found that 50% of organizations have deployed a data privacy team along with a Data Privacy Officer (DPO), 57% have data privacy policies and guidelines in addition to a data privacy team, and 46% have data disposal, deletion and retention policies.

To open the umbrella of data privacy and protection, creating awareness is important. The survey also shows that 41% of respondents have a limited understanding of the relevant regulations in multiple jurisdictions, and 38% have an unclear understanding of the data involved in their processing. However, 61% say they have invested in training employees and enhancing their skill sets to comply with the GDPR and the upcoming Indian Personal Data Protection Bill. Organizations are also investing in new technology for compliance (41%) and in system improvements (55%).

The big concern is how to comply with data privacy requirements, which includes knowing who the processors and controllers are and what their roles are. Another core concern is how to manage cross-border transfers and ensure the safety of personal data processing, whether within the organization or by a third party.

The task is immense, but it is important to avoid heavy fines and penalties, and to maintain confidence with customers. One of the important pillars is “Privacy for Trust”. Privacy is a right provided to individuals. The data collected from users (employees or customers) and processed for business functionality is crucial. The data provided by users is based on the trust they put in an organization or brand. Customers are the most important source of growth for any organization, regardless of size, and their trust is like the motor oil that keeps the business running. Employee data, likewise, is critical in terms of privacy.

Companies are collecting data in significant amounts. The 2021-22 outlook indicates a crisis of confidence from data owners, where organizations are required to build strategies for ‘Privacy for Trust’ rather than ‘Privacy for Compliance’.
Harshavardhan Godugula
EY India Forensic & Integrity Services Technology & Innovation Leader

The vital point is being transparent and lawful when taking consent, and making sure the customer can trust the organization with their data. Customers should have complete authority over their personal data. The best example is cookie settings on the organization’s website: the pop-up might seem annoying to many users, but it is crucial for both the users and the organization. As data privacy laws, regulations and standards develop, stronger compliance practices will become mandatory and the demand for privacy and protection will grow.

Privacy by Design will be used to ensure compliance with privacy requirements as new technologies and work models are developed and implemented. If companies adopt a Privacy by Default policy, Privacy for Trust improves too.

(Ranjeeth Bellary, EY India Associate Partner - Forensic & Integrity Services has co-authored the article.)

Summary

Using ‘privacy by default’, every firm should aim to protect its customers’ data by default. While this concept unifies all privacy concerns, it also strengthens the market image of the company. After months or even years of work, an organization’s compliance with applicable regulations will not only help it avoid hefty fines and penalties, but will also improve its reputation and performance.
