Authored by: Leela Krishna
Data has never been as important for companies as it is today. The potential impacts of loss of data privacy have led many countries to pass data regulations such as the General Data Protection Regulation (GDPR) in the EU or the recent Digital Personal Data Protection Act (DPDP Act) in India. These regulations require companies to take specific measures to protect customer data and facilitate requests from individuals, making compliance a key concern.
The protection of customer data is a major business imperative for any organization, especially ones working with sensitive information like financial or health data. Data has long been the backbone of operations and business models of companies and is only becoming more crucial with the increasing deployment of machine learning models. Creating data protection protocols in compliance with these regulations will help assuage customer concerns and enable fintech companies to build a strong data foundation upon which they can create solutions. For the sake of simplicity, the measures that companies can take can broadly be grouped into two categories: security and general compliance.
Protection is the priority
Adopting robust security measures is now a non-negotiable that has been written into law. There are many ways in which data can be protected in the digital age, but a good place to start is actually non-digital: adopting best practices on data governance, data hygiene, secure disposal of data and physical security. Organizations need to ensure that their data assets and other critical infrastructure are safeguarded against unauthorized access, natural disasters and other potential threats. By implementing strict physical access controls, businesses can deter malicious actors from reaching sensitive data in person. Governance then has to be supported by regular audits of the effectiveness of the controls, so that vulnerabilities are found and remediated promptly rather than assumed not to exist.
Physical measures are only the starting point for data protection. Businesses are becoming more and more interconnected with rising rates of cloud adoption across sectors, all while remote working becomes a common business practice. These factors compound, greatly expanding the network attack surface and making network security a priority for organizations. Creating and regularly updating perimeter defenses such as firewalls, intrusion detection systems and intrusion prevention systems to monitor and block unauthorized or malicious traffic will be crucial to thwarting evolving cyber threats.
The conventional network/security controls can be taken one step further with the creation of Zero Trust architectures that have stringent verification protocols, regardless of whether the user or device is inside or outside the organization’s network. Zero Trust is becoming the norm for many organizations as it protects organizations from external and insider threats alike.
While network security focuses on safeguarding the pathways by which data can be illegally accessed, there are security measures that target the data itself. Such data security measures first require companies to map out all the data they own and process, whether it is customer data or proprietary data; you cannot encrypt, restrict or delete what you have not inventoried. This provides the foundation for additional measures such as encryption at rest and in transit, which limits the damage when storage or network paths are compromised by malicious actors, and regular backups. Backups are an essential component of contingency plans in the event that data gets lost, corrupted or compromised, and they need the same access controls and encryption as the primary data, plus periodic restore tests to confirm they actually work.
Having robust internal data protocols and access controls also creates a rich layer for advanced machine learning based analytics and automated response mechanisms. Using security information and event management (SIEM) tools with a layer of analytics can allow the organization to monitor, detect and respond to threats in near real time. To reiterate, no security measures will be effective if they are not complemented by a commensurate audit process. And lastly, the most important element is the human in the middle: continuous training and awareness campaigns are what can avoid or minimize the impact of an incident.
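As an added example of the kind of detection and automated response logic the SIEM layer above runs (this is illustrative code written for this page, not Broadridge's tooling or any vendor's product), the snippet below parses a handful of constructed SSH authentication log lines, raises an alert when one source address produces a burst of failed logins inside a sliding time window, escalates the alert when that same address then logs in successfully, and turns the alerts into response actions. The log format, the threshold and the action names are assumptions for the example; a real deployment would map them to the organization's own log sources and playbooks.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines for this example; they are not from any real system.
# Three behaviours are included: a fast brute force that succeeds, a normal user
# who mistypes once, and a slow drip of failures spaced 30 minutes apart.
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:03Z auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:05Z auth sshd: Failed password for root from 203.0.113.7
2024-03-01T09:00:08Z auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:10Z auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:15Z auth sshd: Accepted password for admin from 203.0.113.7
2024-03-01T09:01:00Z auth sshd: Failed password for alice from 198.51.100.20
2024-03-01T09:45:00Z auth sshd: Accepted password for alice from 198.51.100.20
2024-03-01T10:00:00Z auth sshd: Failed password for bob from 192.0.2.9
2024-03-01T10:30:00Z auth sshd: Failed password for bob from 192.0.2.9
2024-03-01T11:00:00Z auth sshd: Failed password for bob from 192.0.2.9
2024-03-01T11:30:00Z auth sshd: Failed password for bob from 192.0.2.9
2024-03-01T12:00:00Z auth sshd: Failed password for bob from 192.0.2.9
"""

# Assumed log format (syslog-like, ISO timestamp first). Real sources differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_events(text):
    """Turn raw log text into time-sorted event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Alert once per source IP that reaches `threshold` failed logins within `window`.

    A successful login from that IP within `window` of its last failure escalates the
    alert from 'bruteforce' to 'compromise', since the guessed password evidently worked.
    Failures spaced wider than the window never accumulate, so the window size is a
    tuning decision: too small misses slow attacks, too large raises false positives.
    """
    failures = defaultdict(deque)  # ip -> deque of (timestamp, targeted user)
    alerts = {}
    for e in events:
        q = failures[e["ip"]]
        while q and e["ts"] - q[0][0] > window:  # expire failures outside the window
            q.popleft()
        if e["result"] == "Failed":
            q.append((e["ts"], e["user"]))
            if len(q) >= threshold and e["ip"] not in alerts:
                alerts[e["ip"]] = {
                    "ip": e["ip"],
                    "severity": "bruteforce",
                    "failures": len(q),
                    "users": {u for _, u in q},
                    "user": None,
                }
        elif e["ip"] in alerts and q and e["ts"] - q[-1][0] <= window:
            alerts[e["ip"]]["severity"] = "compromise"
            alerts[e["ip"]]["user"] = e["user"]
    return list(alerts.values())


def response_actions(alerts):
    """Map alerts to automated response steps (action names are assumptions)."""
    actions = []
    for a in alerts:
        actions.append(("block_ip", a["ip"]))
        if a["severity"] == "compromise":
            actions.append(("disable_account", a["user"]))
    return actions


if __name__ == "__main__":
    found = detect_bruteforce(parse_events(SAMPLE_LOGS))
    for a in found:
        print(a)
    print(response_actions(found))
```

With the default five-minute window only the fast attacker from 203.0.113.7 is flagged, and it is escalated to a compromise because the login that followed succeeded. The slow drip from 192.0.2.9 is invisible until the window is widened to a few hours, which is exactly the kind of threshold review the audit process in the text should be checking.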
Beyond network boundaries
While security measures are an essential part of data protection laws, most regulations cover a variety of other provisions concerning the implications of data processing activities. For example, organizations will have to think of compliance when setting up their data processing and storage infrastructures. Many data protection regulations, including the DPDP Act, create obligations on companies to respond to requests from data principals regarding the status of any personal data the company may be holding. Similarly, there are obligations to notify data principals if their data has been compromised via a data breach. All these measures require the setting up of necessary mechanisms to ensure that organizations are well placed to adhere to these provisions. This can be especially complicated for large companies that have third party vendors who store or process data on behalf of these companies.
Organizations will also need to conduct privacy impact assessments to identify, assess and mitigate privacy risks. Previously a recommended practice, Data Protection Impact Assessments (DPIAs) are now a statutory requirement under the DPDP Act for organizations notified as Significant Data Fiduciaries, and a sensible practice for everyone else. These assessments allow companies to scrutinize the nature, scope, context and purpose of their data processing activities to ensure compliance and protect the rights of data principals under the DPDP Act.
Keeping up to date
Data protection regulations are going to be the norm moving forward so ensuring compliance will be a crucial aspect of operations for all organizations. As the importance of data continues to grow, so does the responsibility of protecting it.
A multi-faceted approach encompassing both robust security measures and stringent privacy compliance processes is the way forward. This includes clearly defining data classification policies, granting access on a need-to-know basis, employing the right set of standards and technology controls, defining processes for handling customer data, running vendor and third-party assurance programs, building privacy in by design, and securing executive support for the initiative while ensuring continuous improvement. In a world rife with cyber threats and regulatory complexities, this dual focus ensures not only business continuity and legal compliance but also the trust of customers and stakeholders.
The author is the IT Head of Broadridge India, a global fintech company. Broadridge provides the critical infrastructure that powers investing, corporate governance, and communications to enable better financial lives.