How threats to data privacy are fuelling regulatory reform
Arpinder Singh, Partner and Head – India and Emerging Markets, Forensic & Integrity Services, EY
The data revolution has ushered us into a digitally driven ecosystem. Emerging technologies, online products and platforms, social networks and mobile applications have become ubiquitous; the resulting influx of digital information has made the value of data immeasurable. But recent privacy scandals, including Cambridge Analytica and data leaks affecting millions, have provoked uproar as well as a certain sense of disillusionment. The notion of individual data privacy has seen an unprecedented shift, with the expectation that consumers will be granted more power in the future.
Privacy upgrades in a digital age
In 2010, Mark Zuckerberg said that “the age of privacy is over”, highlighting the rapidly spreading social norm of sharing information extensively on the internet. Users have willingly or unknowingly provided personal data to websites and apps in exchange for information and (personalized) services. It was implicit that the data would be used for “commercial purposes”, but this was not really construed as an invasion of privacy. Consequently, however, unsolicited calls and messages, data breaches, identity theft, digital profiling and surveillance activities led to intense debates and public outcry. For example, in 2014, a judge in the US allowed prosecutors to obtain information by accessing an individual’s email account for an ongoing investigation. The service provider in question was ordered to release this information, which showed a fair level of opacity around individual data privacy.
But the last year has seen many regulatory initiatives, including the General Data Protection Regulation (GDPR). Effective from 25 May 2018, GDPR makes organizations accountable and responsible for the Personally Identifiable Information of EU citizens. India’s proposed Data (Privacy and Protection) Bill aims to augment user data protection by setting up a Data Privacy and Protection Agency, and the draft Digital Information Security in Healthcare Act looks to give people complete ownership of their health data.
Knowing the attack vectors
It is clear that data is one of the most critical assets today. Rising awareness and regulatory reforms have created a greater need for companies to take a transparent approach when handling data, especially the customer data that resides with them. One of the key aspects here has been to tackle the internal and external risks that can compromise the sanctity and integrity of that data. These include:
- Insider threats: An insider threat is an employee (current or former) or business partner who inadvertently or maliciously compromises the company’s systems, data or premises. Contributing factors include granting a high degree of access or privileges to data or records to people who do not need it, the easy availability and accessibility of proprietary or classified information, and a lack of staff or vendor training on how to protect it.
- External sources: These include data breaches or leakage perpetrated by cybercriminals for financial gain (ransom demanded to avoid releasing confidential data publicly, identity theft to access online banking, or spoofed emails sent to customers to induce fund transfers) or business disruption for a competitive advantage.
- Social media: The rise in usage of social media has blurred the lines between professional and personal lives, exposing gaps which can be exploited. EY’s report, “Responding to cybercrime incidents in India” highlighted that over 90% of respondents identified social media as a big risk area.
The future of the privacy debate
The future of data privacy is still riddled with numerous questions, and the subject is under substantial global scrutiny. As data sets continue to grow, the role of technology (analytics, blockchain, artificial intelligence, the Internet of Things and robotics) will be intrinsic to managing digital customer data in a transparent manner. The cost of compliance would certainly see a spike as organizations go above and beyond traditional compliance frameworks, taking punitive regulations into account. This would mean building holistic data security frameworks with data protection and privacy at their core. Being at a nascent stage, GDPR would eventually see more clarity around data management, portability and intellectual property. In parallel, individuals will need to be cognizant of the ‘terms and conditions’ when sharing their personal data. They will also need to re-evaluate the permissions they have already given, as well as update their privacy settings.
In the end, a pragmatic wait-and-watch approach is needed as the state of data privacy and protection evolves with more clarity, control and consent.