Cyber Security Buffs conducted a webinar on 28th January 2021 to celebrate the occasion of Data Privacy Day. This webinar speculated on the upcoming challenges and trends associated with data privacy. It focused on the policies and practices organizations should enforce to prevent data breaches and strengthen their data privacy framework.
In this interactive session, esteemed cyber security experts, Karthik Bappanad, Centre Head at CySecK, Shikha Pathak, Awareness & Skill Building Manager at CySecK, and Pavan Kushwaha, Founder and CEO at Kratikal, took the viewers through various aspects of data privacy.
You can watch the entire webinar here:
Given below are the key points covered in the discussion:
Pavan Kushwaha: Initially, on 26th January 2006, the Council of Europe decided to observe Data Protection Day on 28th January every year. Two years later, Canada and the US started celebrating the day and declared 28th January as the Data Privacy Day. Today, it is globally celebrated to spread awareness about the significance of data privacy in this age of digitization.
We would love it if you could offer your insights on the concept of data privacy.
Karthik Bappanad: Privacy is an important concept for us to understand and appreciate in these times. As the adoption of new technologies has increased so much along with the sharing of data through various channels of technology, it has become extremely important to understand the concept of privacy.
Culturally, we, especially those of us in India, have been a society where privacy is not being taken very seriously, which probably would have been okay in a normal, traditional, physical context. This is because, in a physical world, the risk to your privacy is very limited. However, in the cyber world, this is not the case.
Here, proximity is not a factor. Your privacy can be breached by anyone, sitting anywhere in the world. So, it has become essential to raise awareness about privacy risks in the cyber world.
Shikha Pathak: I think that it is undeniable that privacy is extremely important in today’s world because we are more connected and our presence is on many social media platforms. This makes us more vulnerable and exposed. This also facilitates the sharing of our data, sometimes much beyond our control.
So, Data Privacy Day offers another excuse to emphasize the fact that privacy is gaining more importance every day. For example, in India, there was a petition that challenged the Aadhaar Act, asking the government whether it’s not violating the right to privacy when it’s collecting the citizens’ biometric data and other personal data. This goes on to show that citizens are becoming more aware of the way their data is being used and whether it is going outside the sphere of their control.
Pavan Kushwaha: We celebrate Children’s Day, Women’s Day, Men’s Day and so many other days. Everyone knows about it and celebrates these days. However, even the people in the field of cyber security are not all aware of Data Privacy Day.
So, how can we spread awareness about this day and why is it important to celebrate these kinds of days?
Shikha Pathak: During my tenure as the Awareness and Skill Building Manager at CySecK, what I have realized is that you are only as strong as your weakest link. So, you need to ensure that awareness is generated at the grassroots. We not only need to generate awareness among those in the technical or security fields but also among laymen.
In today’s world, where digitalization has increased so much, we need to ensure that every individual is aware of their data’s security. This highlights the importance of days like Data Privacy Day.
Pavan Kushwaha: I am compelled to mention that a lot of people are confused between the two terms: Data Security and Data Privacy.
What is the difference as well as the relationship between these two terms?
Karthik Bappanad: Data Privacy and Data Security are linked together very strongly. At times, both are oriented similarly whereas other times, the two concepts can be conflicting. When an organization seeks to build a strong privacy posture, it also invariably needs to have a strong data security posture as well.
In that sense, organizations need to make sure that they have strong security policies, processes and controls in place to ensure the privacy of their customers is maintained. At the same time, organizations have access to more data, resulting in privacy concerns. So, all organizations should work towards finding a balance between security and privacy.
Pavan Kushwaha: There are several laws and regulations around the world governing the privacy and security of data. In India, one such law is the Personal Data Protection Bill (PDPB), which has not passed yet.
So, when PDPB is passed, do you think it will increase the workload of the IT managers or security staff in organizations? What is your take on this upcoming law?
Karthik Bappanad: In my opinion, data privacy regulations will help security practitioners. I say this for two reasons. The first is that these regulations act as a guide rail, indicating what you should and shouldn’t do. The second reason is that it will also help them build a better case with the management and the board. So, I don’t think that we should see the upcoming law as an additional burden.
Shikha Pathak: I absolutely agree. I think that this law should not be considered a burden by organizations because the existing legislations including the IT Act 2000 and the IT Rules 2011 are not strong enough to address the needs of today’s increasingly interconnected world. So, the PDPB, which is somehow remodeled according to GDPR, is actually a very welcome change when it comes to data protection and data privacy.
Pavan Kushwaha: When we talk about data privacy, there are two things to consider: those who work in the organization such as executives, employees, contractors and vendors and those who we work for, meaning our customers.
According to you, how can organizations make sure that the data in their possession is secure?
Shikha Pathak: As you rightly mentioned, when we talk about data privacy, we talk about it on two fronts. One is the customers’ data and the other is the data of the employees of that organization. Making sure that the data in its possession stays secure and private is important for an organization for many reasons.
The first of which is its reputation. If an organization is unable to protect the data of its employees or customers, not only will its reputation bear the brunt of that but also its revenue will get affected in the longer run. Also, most customers expect the organization to keep the data they share with them confidential.
The foremost way of ensuring data protection is to identify the kind of data you are dealing with. Whether it’s personal data, sensitive data or critical data, it is essential to classify the data. Once that is done, take the necessary actions as underlined by the regulations governing your country.
For instance, in India’s case, it will be according to the regulations under the Personal Data Protection Bill. Then, you figure out how your data is vulnerable and how you can transparently process it. This is a very broad framework in which organizations can ensure that their data is safe.
Pavan Kushwaha: The introduction of GDPR caused quite a stir, especially amongst those in the field of security. Would you like to shed some light on the subject of not only GDPR but also our own PDPB?
Shikha Pathak: The cornerstone of both GDPR and PDPB is that it ensures the rights of those who own the data. GDPR talks about ‘data subject’ while PDPB talks about ‘data principal’. Even though the two terms are functionally different, they both basically refer to the owner of the data. These laws are introduced to enforce the rights of citizens over their data.
For example, if you are collecting the data of any user, as per these laws, you have to make the user aware of the data you are going to collect and the objective of data collection. You also have to give the users the rights to revoke consent as and when required.
Pavan Kushwaha: The major question that arises when it comes to these laws is: to what extent do they help common users? Are there some penalties?
Shikha Pathak: Of course, there are penalties in case the provisions of the PDPB are not adhered to. These penalties are really high, going up to 4% of the worldwide turnover of the data fiduciary. As a user, you will definitely have more control over how your data is collected, processed and used.
Karthik Bappanad: I just want to add that ideally, the organizations should go beyond simply complying with the provisions of the laws of your country. The advantage of doing this is that your organization’s security and privacy posture is not limited to protecting the citizens of only your country but all users globally.
Pavan Kushwaha: What role, do you think, encryption plays in data privacy?
Karthik Bappanad: Strong encryption is the core of strong privacy. It is definitely important to encourage strong encryption, so people can communicate in a secure and private manner. Encryption, itself, plays across different levels. You have encryption of data in transit as well as encryption of data at storage. Encryption is not the only means of protecting the data. Masking, anonymization, tokenization, etc. are several other means used by security experts to protect the data.
Shikha Pathak: When you talk about encryption strengthening data privacy, I also somehow think about encryption weakening law enforcement. One such example would be WhatsApp. We read enough about how fake news is often circulated, how the government demanded an end to WhatsApp end-to-end encryption because they were unable to control the spread of fake forwards that were inciting violence.
So, while encryption is really important for data privacy, I think the interplay between privacy and law enforcement can only be discussed accurately on a case-by-case basis. You cannot have a generalized opinion for it.
At the end of the webinar, the cyber security experts graciously answered some questions posed by the viewers.
So, stay tuned with the Cyber Security Buffs for other interactive webinars with distinguished cyber security experts.