As India readies itself for an era of data compliance and regulations, it is important that the law be formulated such that the customer data shall remain safe however companies are penalized based on their cyber security track record. On the other hand, organizations need to understand that they are the ‘custodians’ of customer data and not the ‘owners’, so they need to remain careful while handling user data.
[quote font=”tahoma” font_size=”13″ font_style=”italic” color=”#262626″ bgcolor=”#f9f9f9″ bcolor=”#5f9dc0″]
“Consent of the customer to use and store information and Due Diligence are the two keys to ensure compliance. A CISO/CIO should know what PII (Personally Identifiable Information) is being received, processed, and stored in their infrastructure.”
Sanjit Chatterjee
CEO
REVE Antivirus
[/quote]
How are Indian Companies and Businesses getting along with the compliance headache?
Governments around the world are getting particular about the usage and safety of user data. New Policies are being introduced to ensure that customer data is not being misused by companies or data does not get hacked. Organizations need to understand that they are the ‘custodians’ of customer data and not the ‘owners’, so they need to remain careful while handling user data.
What are important factors for any CISO/CIO to keep in mind with ensuring compliance?
Consent of the customer to use and store information and Due Diligence are the two keys to ensure compliance. A CISO/CIO should know what PII (Personally Identifiable Information) is being received, processed, and stored in their infrastructure and whether the safeguarding mechanism and tools are in place to protect this data.
How damaging can be failure of GDPR compliance for any organization?
It can be extremely damaging. Companies dealing with European Union customers have to face serious penalties if they fail to comply with the GDPR standards. Besides paying 20 million Euros or 4 percent of annual global turnover, failure of GDPR compliance can put an entire business to risk and can even erode brand value since you are not doing things the right way.
Indian Govt. is also mulling bringing in Data Protection Laws. What do you expect from the Govt.?
The Data Protection principles state that all organizations who are receiving personal data have to make sure that the information is used fairly, lawfully and transparently. We see GDPR as one extreme kind of legislation. Legislation has to be fair to both the companies and customers. Law has to be formulated such that the customer data shall remain safe however companies are penalized based on their cyber security track record. Penalties should be reasonable and based on the size and turnover of the company. It should be a win-win situation, which encourages compliance and makes consumer data safe.
What is your advice to CIOs and CISOs on the way forward in the era of compliance?
You never know when a breach is going to happen. So the advice is to do two things. Firstly, there should be multiple layers of security at Application and Network level. Secondly, the incidents of data theft can be from internal sources. This can be controlled or prevented through advance DLP (Data Loss Prevention) mechanisms. Organizations can deploy Endpoint Security Solutions, with advanced DLP features. Along with deploying the right IT security tools, organizations should make its employees aware about cyber security best practices. To manage the IT Security Solutions, organizations can recruit trained professionals or go for the services of Managed Security Service Providers.
