How threats to data privacy are fuelling regulatory reform

The rapid growth of data sets requires the building of holistic security and protection frameworks

The data revolution has ushered in a digitally driven ecosystem. Emerging technologies, online products and platforms, social networks and mobile applications have turned ubiquitous; there is an influx of digital information that has made the value of data immeasurable. But recent privacy scandals, including Cambridge Analytica and data leaks impacting millions, have invoked uproar as well as a certain sense of disillusionment. The notion of individual data privacy has seen an unprecedented shift, with the expectation that consumers will be granted more power in the future.

Privacy upgrades in a digital age 

In 2010, Mark Zuckerberg said that “the age of privacy is over”, highlighting the rapid social norm of sharing information extensively on the internet. Users have willingly or unknowingly provided personal data for websites and apps for information and (personalised) services. It was implicit that the data would be used for “commercial purposes” but was not really construed as an invasion of privacy.

But consequentially, unsolicited calls and messages, data breaches, identity theft, digital profiling and surveillance activities led to intense debates and public outcry. For example, in 2014, a judge in the US allowed prosecutors to access information by accessing an individual's email account for an ongoing investigation. The service provider in question was ordered to release this information, which showed a fair level of opacity around individual data privacy.

But the past one year has seen many regulatory initiatives, including the General Data Protection Regulation (GDPR). Effective from May 25, 2018, GDPR makes organisations accountable and responsible for the Personally Identifiable Information of citizens of the European Union (EU). India’s proposed Data (Privacy and Protection) Bill will aim to augment user data 

protection by setting up a Data Privacy and Protection Agency, and the draft Digital Information Security in Healthcare Act will look to give people complete ownership of their health data. 

Knowing the attack vectors

It is clear that data is one of the most critical assets today. Rising awareness and regulatory reforms have resulted in a greater need for companies to adopt a transparent approach when handling data, especially customer data that resides with them. One of the key aspects here has been to tackle internal and external risks that can possibly compromise its sanctity and integrity. 

These include:

Insider threats: An insider threat is an employee (current or former) or business partner who inadvertently or maliciously compromises the company’s system or data or premises. Factors that may contribute here include a high degree of access or privileges to certain people for data or records who do not need it, easy availability and accessibility to acquire proprietary or classified information and lack of staff or vendor training on how to protect it. 

External sources: These include data breaches or leakages perpetrated by cybercriminals for financial gain (ransom to release confidential data publically or identity theft to access online banking or sending spoofed emails to customers to transfer funds) or business disruption for a competitive advantage.

Social media: The rise in usage of social media has blurred the lines between professional and personal lives, exposing gaps which can be exploited. EY’s report, Responding to cybercrime incidents in India, highlighted that over 90 per cent of respondents identified social media as a big risk area. 

The future of the privacy debate

The future of data privacy is still riddled with numerous questions, and the subject is under substantial global scrutiny. As data sets continue to increase, the role of technology (analytics, blockchain, artificial intelligence, the Internet of Things and robotics) will be intrinsic to managing digital customer data in a transparent manner. The cost of compliance would certainly see a spike, as organisations go above and beyond traditional compliance frameworks, taking punitive regulations into account.

This would mean building holistic data security frameworks with data protection and privacy at its core. Being at a nascent stage, GDPR would eventually see more clarity around data management, portability and intellectual property. Simultaneously, individuals will need to be cognisant of the “terms and conditions” when sharing their personal data. They will also need to re-evaluate the permissions already given, as well as update their privacy settings. 

 In the end, a pragmatic wait-and-watch approach is needed, as the state of data privacy and protection evolves with more clarity, control and consent.   

The writer is Partner and Head - India and Emerging Markets, Fraud Investigation & Dispute Services, EY