Regulation

Indian Data Protection Bill – How to comply with The New Data Law?

The Indian Government is all set to legislate the Personal Data Protection Bill of 2019, which seeks to protect the privacy of personal data, regulate the processing of critical and sensitive personal data, and establish a Data Protection Authority of India (DPAI) to regulate these matters.

In other words, the bill would control the collection, storage, usage, processing, transfer, protection, and disclosure of personal data of Indian residents. This is an important development for global managers.

What does the Indian Data Protection Bill provide?

The Indian Data Protection Bill highlights some key features:

  • Promote the concepts of consent, storage limitation, purpose limitation, and data minimization.
  • Impose obligations on agencies to collect only the personal data required for a specific purpose, and only with the express consent of the individual.
  • Grant individuals the right to obtain their personal data, correct inaccurate data, update data, erase data, port data to other fiduciaries, and prevent the disclosure of their personal data.
  • Grant individuals the right to file a grievance against a data fiduciary.
  • Authorize the central government to exempt any government agency from the proposed law.
  • Establish the Data Protection Authority of India (DPAI) to prevent misuse of personal data, protect the interests of individuals, ensure compliance, and promote awareness about data protection.
  • Empower the Data Protection Authority of India (DPAI) to specify codes of practice that promote good data protection practices.
  • Designate a social media intermediary as a significant data fiduciary where its actions have a significant impact on electoral democracy, the security of the state, public order, or the sovereignty and integrity of India.
  • Authorize Adjudicating Officers to decide penalties and award compensation for violations, and an Appellate Tribunal to hear appeals against their orders.

What’s in it for Organizations?

Unlike Chinese regulations, which follow an isolationist framework and prevent global players like Facebook and Google from operating within China’s borders, India has followed the EU’s General Data Protection Regulation (GDPR) in allowing international digital companies to conduct business under certain conditions. Yet the bill carries additional provisions beyond the EU regulation: India would always treat the data generated by its citizens as a national asset, store and guard it within national boundaries, and reserve the right to use that data to safeguard its defense and strategic interests.

The Indian Data Protection Bill or Personal Data Protection Bill (PDPB) has many features that will require organizations to change their business models, practices, and principles. Many others will add operational cost and complexity. The concerns raised here act as a primer for what Organizations need to keep in mind about India’s new regulation and the increase in data protection regulation around the globe. Additionally, understanding these issues will help digital companies plan ahead, address future regulations, and decide whether to enter or exit certain markets.

Organizations need to Gear Up

The need to secure Data Privacy is quite urgent for Organizations, considering the emerging threat scenarios and implications of a data breach. With growing instances of data center decommissioning and migration to the cloud, companies are going through a technological shift. According to a study, by the year 2025, 80% of enterprises are expected to migrate away from on-premises data centers to the cloud. IT asset migration with faster device refresh cycles highlights residual data leakage as a key issue linked to disposal workflow.

Keeping in mind these intrinsic data privacy challenges, the lack of awareness, the technological shift, and the usage patterns emerging under the new policy framework for data protection, it is obvious that most companies are not yet prepared to tackle them.

Unlike America and Europe, where data privacy laws have existed for a long time and are now going through iterations to govern data handling at the micro-level, India is still waiting for its first data protection statute. So, Organizations in India will have to scale up their skills, systems, practices, and policies to fall in line with the Personal Data Protection Bill. There is a whole lot that Organizations will need to understand to fall in line with the new law. Let’s have a closer look.

Ownership of Personal Data

The Bill proposes that the data provider is the owner of their own personal data. Now, this notion can impose an enormous implementation burden for digital companies. Organizations in the digital world would have to figure out how to comply with this requirement when the user demands erasure or recall of their personal data from a digital company. Digital companies will also have to think beyond their own data storage and usage, as they might have sold the data to a third party.

Three Classes of Data

According to the Personal Data Protection Bill, there are three categories of data from which a principal can be identified: sensitive data, critical data, and the remaining data. Sensitive data includes data on financials, health, genetics, sexual orientation, transgender status, caste, and religious belief. Critical data includes data that the government stipulates from time to time as extraordinarily important, such as military or national security data. The third is a general category that is not defined but contains the remaining data. The bill prescribes specific requirements that data fiduciaries must follow for the storage and processing of each data class.

All sensitive and critical data is supposed to be stored in servers located in India. While critical data can’t be taken out of India, sensitive data can be processed outside the country but must be brought back for storage. For general data, there are no restrictions. Currently, digital companies operate in a seamless cyber world, where they store and process their data wherever is economically most efficient. However, the locational divide proposed by the Personal Data Protection Bill will impose additional costs on digital companies.

This might result in sub-economic storage and processing capacities and may lead to a “splinternet”, or fragmentation of global digital supply chains.

Key Principles for processing of Personal Data

  • Transparency: Data controllers and data processors should provide a privacy policy for handling personal and sensitive information and must ensure that the policy is available to the data subject who has provided the information under a lawful contract. The policy should be published on the website of the company or of a person acting on its behalf. The policy must provide:
    • Readily accessible statements of the policies and practices of the data controller.
    • Types of personal data collected by the body corporate and the purpose of collection and usage of such information.
    • Reasonable security practices and procedures.
    • Disclosure of information, including sensitive personal data, as and when it is requested by the data subject.
  • Lawful Basis of Processing: The body corporate must obtain consent in writing from the data subject, before collecting the data, for the specific purpose for which the data will be used. Sensitive personal information may only be collected if considered necessary. Companies must ensure that the information is used only for the purpose for which it was collected.
  • Purpose Limitation: The body corporate holding personal data should not retain that information for longer than is required for the lawful purpose for which it was collected, although a specific time frame for the retention of personal information has not yet been provided.
  • Retention: The IT Act does not provide any specific guidelines regarding the time frame for the retention of personal data. As per the IT Act, an intermediary is required to preserve and retain the information in a format and for a period of time as prescribed by the Central Government. Intermediaries include telecom service providers, network service providers, web hosting companies, search engines, online marketplaces, and cyber cafes.

Registration Formalities

Depending upon the volume and sensitivity of data processed, the risk of harm from processing to data principals, the types of technologies used by the data fiduciary, and its turnover, the data protection authority will notify some data fiduciaries as significant. This notification would require the data fiduciary to register with the authority, as specified. As per Section 38, the data protection authority may also require registration by any data fiduciary at its discretion, even if it is not notified as a significant data fiduciary.

For data processors and controllers, there are no statutory registration requirements. If a data fiduciary contravenes registration requirements, it will be liable to a penalty that may extend up to Rs. 50 million or 2% of its total worldwide turnover in the preceding financial year, whichever is higher.

Limits on how Start-Ups can monetize Data

While large companies, including Indian information technology companies and global Internet giants, may not have to put too much effort to tweak their systems to comply with the proposed Indian law, start-ups may find it tough to put systems in place. The government will likely give companies up to 2 years to be fully compliant with the proposals in the Data Protection Bill after it passes Parliament and becomes law.

Indian start-ups will have to significantly restructure the way they capture and store data and set up consent mechanisms. They will also require staff who understand the law and rules well. A cost element will also be involved, and they may have to budget for storage and compliance costs as well.

Once the Personal Data Protection Bill is in force as a law, start-up companies will only be able to collect personal data for clear, specific, lawful, and communicated purposes. Companies can collect only the data that is required for processing. The data cannot be repurposed for another use without informing the user of that change.

This can be particularly relevant for pilot projects that collect data without a definite purpose, in the hope of monetizing that data at some point in time. As per the new law, start-up companies will have to anticipate and inform consumers of the use cases and purposes of data collection in advance, even before processing any data, so as to ensure that the user consent that they obtain is valid.

The real challenge is with government agencies and state government departments and large tech giants who deal with a lot of user data. Start-ups will have additional cost burden, but the implementation of privacy provisions will not be a challenge.

The new data protection bill will have significant consequences for start-ups, but at the same time companies will benefit from engaging with the shaping of the Personal Data Protection Bill.

Data Protection from Security People

Modern security tools scan millions of devices every day and gather intelligence on billions of events, and these tools have grown increasingly capable. While the whole idea is to bring more information together for threat intelligence, it is equally important to understand how data protection can be practiced on all of this data.

When Data keeps streaming in

Organizations never delete data; they are always adding more, with more devices and applications. They collect, store, and access information from many locations. Many Organizations lack control over employee-owned devices, which may be used to access key data. This makes malicious insiders a real threat to companies, especially those that hold vast amounts of sensitive data. Trend Micro and Twitter are two examples from a long and growing list of Organizations where insiders have abused legitimate access to enterprise systems and information.

With a lot of sensitive data streaming in, it is crucial that security companies re-evaluate how they store the data and who can access it. For some Organizations, this demands a closer look at the IT department, where IT professionals who develop and test new applications are given too much access to data.

Why do Data Breaches happen?

This is risky in many ways. When you give coders and developers access to production data, you allow them to see sensitive information and bring the data into potentially risky situations. Sharing data inappropriately with unauthorized entities creates a vulnerability, but this is not the only consequence.

This also violates a growing number of data protection laws and regulations, under which companies may only use personal data for the purposes for which it was collected, and testing new applications and updates is usually not one of those purposes. Sharing a single user ID and password for each system is still a pretty common practice among IT and development teams. The problem is that, if something happens to the data, there is no way to find out who was behind the malicious activity.

Data Protection from Insiders

With multiple people using the same user ID, there is no way to maintain accountability for those using that ID. This makes it hard to ascertain whether someone used that ID to steal key information. Failing to implement controls can make it easier for an insider to get away with data leakage or theft. Therefore, people who can access sensitive data should have their access monitored. Using individual IDs makes it possible to keep track of employees who obtain certain types of data or share it outside the Organization.

Data backups are one area that insiders can usually take advantage of, and Organizations should consider which data needs to be protected. Many companies have strong controls on the production data used for daily work activities, but their backups are left wide open. Access to backup data is not restricted for employees, and it is granted to many people who can obtain personal information or corporate secrets.

Separation of Duties & Access – First step towards Data Security

There are many ways Organizations could put data at risk and there are some ways they can protect it.

Maintaining a historical record of all assets connected to the Internet, the communications between them, and who owns them can enable customers to identify unknown assets and potentially malicious traffic.

Engineering and data science employees who have access to back-end systems should sign an agreement. This agreement should be separate from the employee contract and must highlight the fact that they can’t use the data outside certain applications. This is your first step towards Data Security and Protection. The number of people in the Organization who can access the data should be kept relatively small. Systems should also be segmented so that employees who do not require certain data do not have access to it. For instance, members of the marketing team should not be able to reach back-end systems.

Lastly, auditing ensures that systems are behaving as expected. The security manager performs compliance and audit checks, but third-party pen-testing and security checks are also advisable. Maintaining separation of duties ensures that the people who have access to sensitive data are different from the ones who approve that access. Offboarding and onboarding controls are also important to ensure sensitive data stays where it belongs.

Financial Services

Security Companies are already facing new laws and protocols that will dictate how data collected by security tools will be protected. The financial services industry is also responsible for vast amounts of sensitive data and has been tightly regulated. Therefore, there is a lot to learn from an industry that uses organizational controls and peer-to-peer collaboration to protect data.

Just like Cybersecurity Companies depend on their customers’ trust in their responsible data management, financial companies depend on public trust in the financial system. This industry has evolved “trust-building” mechanisms that allow members to share intel in a trusted network without the fear of that information being leaked or used against them.

According to Neumetric, one of the top cybersecurity companies in Bangalore, the industry has always been heavily regulated and therefore, many individual financial companies have invested in personnel, services, infrastructure, and also protocols to protect customers and themselves.

In the area of security, financial service companies are implementing new technologies including cloud computing, artificial intelligence, and machine learning for data protection.

These new technologies provide potentially game-changing business opportunities, but at the same time, they also bring new risks that institutions must manage if they are to maintain the trust of their customers. Building a strong peer-to-peer network and sharing intel is the key to mitigating risks.

Neumetric, a cybersecurity services, consulting & product Organization, can help you reduce your security cost without compromising your security posture. Our years of in-depth experience in handling security for Organizations of all sizes & in multiple industries make it easier for us to quickly execute cost-cutting activities that do not bring value to you, while you continue focusing on the Business objectives of the Organization.

GDPR for Sales – How GDPR affects Cold Emailing & Calling?

If your sales process relies heavily on cold emailing or calling prospects, then there is something crucial for you to know about the European General Data Protection Regulation (GDPR).

At the most basic level, the GDPR changes the way outbound sales teams can collect and use personal data like names, IDs, email addresses, and other details. So, whether you buy lists of leads to fill out your pipeline, automatically add new inbound contacts to your sales funnel, or search for prospects on social media platforms, the sales strategies that you have been using to turn prospects into customers are going to have to change dramatically.

There are a lot of questions about how the General Data Protection Regulation can affect a sales force. Here are the 10 biggest concerns that sales teams have about staying compliant while prospecting.

Q. What does the GDPR cover and do I need to care about it if I’m outside of Europe?

It provides EU citizens more control and transparency over who can use and store their personal data. This means that when using personal data to build sales leads, a company has new responsibilities around collecting and processing that data. Personal data includes names, phone numbers, IDs, email addresses, IP addresses, mobile device IDs, and even encrypted data.

For any sales team, personal data is crucial for outbound sales. Under this regulation, you cannot use personal data (like a phone number or email address) to contact a person without that person’s consent. This may sound like the end of cold prospecting emails, product demos, or quick catch-ups unless that person has opted in to receiving your messages. But here are a few things that you must understand about the General Data Protection Regulation.

GDPR only applies to your sales prospecting towards citizens of the EU. You need to be concerned about the guidelines if your business either:

  • Offers services or products to EU citizens.
  • Has an established presence in the EU.
  • Uses their personal data in some other way, like monitoring or profiling them.

You may still be able to contact prospects if you have legitimate interests. If your company’s legitimate interests are not overridden by the individual’s fundamental rights and freedoms, then you may be able to use the contact data. In a scenario where a prospect sends a complaint about your outreach, the company should be able to argue that the communication was legal. Therefore, it is crucial that you document your legitimate interest, make it clear in the communication, and offer an easy opt-out.

The final effects will not be clear until the ePrivacy directive is finalized. This regulation is just a starting point for new rules around personal data, and the final impact on outbound sales and marketing will not be known until the next regulation arrives. In other words, there is still more change ahead.

Q. How do I get consent from my prospects?

Under the General Data Protection Regulation, the only way your sales team can do any sort of outbound sales is if you have consent from the prospects to contact them. Such consent must be:

  • Given freely
  • Transparent and specific about what it will be used for
  • Easy to withdraw at any time

To show that the consent was given freely, your lead has to openly click an opt-in to receive communications from you. This means that consent to receive sales emails or calls cannot be a requirement for using your services.

When a prospect gives you consent, you should be open and transparent about what you are using that consent for. For instance, if a prospect has given you their email to send them an eBook, it cannot be used to send sales emails or unrelated content.

Lastly, your prospects should have the ability to withdraw consent at any time, such as an unsubscribe link in emails or some other way of contacting you to get off your list. So, if a prospect emails you and asks why you have their personal information, you should be able to say, “Here’s where we got your data. Here’s the link to our privacy notice and here’s the link to unsubscribe.”

Q. Do I need consent only for sending bulk emails? What about individual outreach?

Fundamentally, there is no legal difference between bulk emailing and one-to-one emailing when it comes to cold outreach under this regulation. So, even just-reaching-out emails need prior consent in order to be legal.

Q. How to build the outbound sales funnel under GDPR?

It might seem impossible to build an outbound sales funnel under this regulation, but there are still ways to grow your leads.

  • Focus more on content marketing and inbound sales: Moving forward, inbound marketing and sales are going to become more important. Organizations should take time to ensure that all their forms are set up to properly gather personal data and obtain consent.
  • Buy relevant lists with documented consent: You can still buy lists of leads under this regulation, but you must ensure that those lists come with attached metadata explaining how and when each person gave consent. If you can prove that the contacts consented to receive emails from you, the list is fine to use.
  • Advertise on sites that are relevant to customers: Advertising and getting inbound sales leads is legal under this regulation; you just need to ensure that you gather and track consent whenever you get a new lead.

Q. How will GDPR affect cold calling?

If you are a part of all those sales teams that are already seeing success with cold calling, then you must be happy to know that cold calling isn’t as restricted under General Data Protection Regulation as cold emails. And if cold calling is not yet a part of your sales process, you might want to consider it now.

But you still need to identify yourself and tell your prospect who you work for, why you’re calling, and how you got their information. You also need to ensure that you are only calling companies that have either consented to receive your calls or are not registered on a no-call list. You may have to check this on a nation-by-nation basis.

While cold calls are not heavily scrutinized under this regulation, this will probably change when the ePrivacy Regulation is finalized next year. According to the proposed Regulation, unsolicited direct marketing by any means, such as SMS, email, or automated calling machines, will be prohibited unless direct consent is given.

GDPR may be bringing some major changes to the way outbound sales teams work. Don’t think of it as something meant to kill the outbound sales process. Rather, it is a shift in the way you think about who your ideal customer is and how to get in touch with them.


What does GDPR mean for Start-Ups?

The General Data Protection Regulation has become a concern for many start-ups these days. Whether you are yet to launch or have already started your business, if you haven’t got everything in order, this is more relevant than ever.

If you are a start-up, the GDPR (General Data Protection Regulation) should make you think about how you manage your data in a transparent and accountable way. It is crucial to ensure that you have put the right systems in place to manage user data securely.

Despite the initial effort, GDPR can be a good thing. Today, where iterative development has become so popular, this regulation forces us to pay attention to the undeniable fact that we are responsible for people’s personal data. It forces us to think about designing the data lifecycle in a minimalistic and responsible way.

Consequences for Non-Compliance

When discussing the GDPR, we must discuss the biggest motivating factor: the consequences of non-compliance.

Consequences:

If you are not aware, you must know that the consequences of non-compliance are quite steep. A first-time violation may or may not get you a warning, but if you fall within the “may not” category, it may cost you up to 20M Euro or 4% of your global revenue (whichever is more). You can also be audited, which can result in the company being barred from making use of valuable data. If some aspect of the data lifecycle is found to be in violation, you will be open to lawsuits, as the General Data Protection Regulation gives users the right to file a complaint and seek damages where their data is not handled in a compliant way.

So, there are some reasons for the panicked scramble that occurred in the weeks leading up to 25th May 2020.

Does it apply to you?

This is likely to apply to you too. The GDPR may apply in any one of these scenarios:

  • If your base of operations is in the EU;
  • If you are not established in the EU, but you offer goods or services to people in the EU;
  • If you are not established in the EU, but you monitor the behavior of people in the EU.

How should Start-Ups think about the GDPR?

  • Going legal and avoiding risks: Start-ups are bound to comply with the General Data Protection Regulation proactively, based on the proactive responsibility principle proclaimed under the regulation. You can no longer wait until a security breach occurs to comply with the regulation: you have only 72 hours to notify the regulator, and in some instances the data subject, of any breach. The regulation also imposes high penalties for breaches of these rules, which is a great risk for any company in case of non-compliance. Start-ups need to start seeing GDPR compliance as an opportunity to assess the risks in their processing of data.

  • Attracting investors: The General Data Protection Regulation has a deep impact on how most companies operate and has also radically changed how start-ups receive investment. Investors have been looking closely at whether the premises of the start-up breach the GDPR. Essentially, they have been examining whether the GDPR will affect customer behavior, given the start-up’s business model, and thus its viability. For instance, with the right to data portability and the right to be forgotten, customers will gain power over the handling and sharing of their data, making free monetization of such data more difficult. Investors are not only considering the start-up’s level of compliance with the GDPR but also whether the business development strategy it uses is viable in a post-GDPR environment.

  • Security for your business: Under the General Data Protection Regulation, Organizations have to implement appropriate measures for the security of personal data. In the current scenario, where cybersecurity attacks have grown exponentially and pose a real threat to data security, start-ups are not exempt and can be greatly impacted. Unprotected wi-fi networks, weak passwords, malware, unencrypted emails and data, and untrained employees can all pose a risk to data security. Start-ups should manage their GDPR compliance in order to avoid data being compromised, which may affect the continuance of their business.

  • Protecting reputation while working with trusted partners: Start-ups always think big, so it is time to look after their reputation to that end. The GDPR governs how companies share the personal data of their customers with trusted partners called data processors. These Organizations provide services to companies that entail having access to their personal data, like cloud storage services. To become a trusted partner, they need to comply with the General Data Protection Regulation. In case of a security breach, cyberattack, or GDPR non-compliance, either by the start-up or by any company that provides services to it, the start-up’s market reputation can be damaged. Dealing with trusted partners that meet General Data Protection Regulation requirements helps build a better reputation and also gives start-ups a competitive advantage.

What kind of Data should Start-Ups pay attention to?

The GDPR specifically refers to personal data, which means any information relating to a natural person that can be used to directly or indirectly identify the individual like name, ID, location data, photos, email addresses, IP addresses, and so on. The scope of General Data Protection Regulation protection extends to any person in the EU. This includes users, employees, vendors, partners, customers, and even members of the general public. Therefore, start-ups should not only manage user data responsibly, but they must also pay attention to the privacy management within the Organization.

General Data Protection Regulation may cost you more up-front, but it can give you the competitive advantage of starting things right, mitigating risk, and saving money in the long-run.



RBI Norms on Prepaid Payment Instruments for E-Wallets

In an effort to promote digital transactions, the Reserve Bank released guidelines in 2018 to facilitate payments among different mobile wallets. The RBI norms for PPIs consolidated these guidelines into three phases in order to prepare better for the implementation of interoperability.

Interoperability of PPI

Interoperability is the technical compatibility that allows a payment system to be used in conjunction with other payment systems. It allows Prepaid Payment Instrument (PPI) issuers, participants, and providers in different systems to undertake payment transactions, without having to participate in multiple systems.

Before the PPI standards were put in place, a mobile wallet user could not make a payment from his wallet to one run by a rival firm. After PPI interoperability was implemented, users were able to transfer funds between wallets and also from their wallets to bank accounts.

The Three-Phase Implementation

Under the guidelines the RBI released in 2018, interoperability of all KYC-compliant Prepaid Payment Instruments was to be enabled in three phases:

  • Interoperability of PPIs issued in the form of wallets through UPI (Unified Payments Interface).
  • Interoperability between wallets and bank accounts through UPI.
  • Interoperability of PPIs issued in the form of cards through card networks.

So now, if a merchant has signed up for one wallet with full KYC (Know Your Customer), he does not need to sign up for others and can receive payments from any wallet.

The new RBI Norms for PPI

Since PPIs have been playing an important role in promoting digital payments, a new type of PPI has been introduced, which can be used only for the purchase of goods and services up to a limit of Rs 10,000. Such a PPI is loaded from a bank account and used only for digital payments like bills, merchant payments, etc. This new type of PPI can be issued on the basis of the essential minimum details sourced from the customer.

RBI Rules for such PPIs state that:

  • Banks and non-banks can issue semi-closed PPIs for up to Rs 10,000 after obtaining minimum details of the PPI holder.
  • These details include mobile number verified with OTP (One Time Pin) and self-declaration of name and Unique Identification Number of any of the ‘officially valid documents’.
  • The amount loaded in such PPIs in any month cannot exceed Rs. 10,000 and the total amount loaded during the financial year cannot exceed Rs. 1,00,000.
  • The amount outstanding at any point in time cannot exceed Rs. 10,000.
  • The total amount debited from such PPIs during any given month cannot exceed Rs. 10,000.
  • These PPIs can be used only for the purchase of goods and services. Funds transfer from such PPIs to bank accounts and also to PPIs of the same/other issuers will not be permitted.
  • PPI issuers must ensure that this category of Prepaid payment instruments is not issued to the same user in the future using the same mobile number and the same minimum details.
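To make the limits above concrete, here is an added example (not from the RBI or this page) of how an issuer's ledger might enforce them for one minimum-detail PPI: the monthly and financial-year load caps, the outstanding-balance cap, the monthly debit cap, the ban on fund transfers, and the rule against reissuing to the same mobile number and details. The class and function names are hypothetical; the caps are the rupee amounts quoted above, the Indian financial year is taken as April to March, and the mobile number and OVD value in the walk-through are constructed.

```python
from dataclasses import dataclass, field
from datetime import date

# Limits as quoted in the RBI rules above (amounts in rupees).
MONTHLY_LOAD_CAP = 10_000
ANNUAL_LOAD_CAP = 100_000        # Rs 1,00,000 per financial year
OUTSTANDING_CAP = 10_000
MONTHLY_DEBIT_CAP = 10_000


def financial_year(year: int, month: int) -> int:
    """Indian financial year runs April to March; label it by its first year."""
    return year if month >= 4 else year - 1


@dataclass
class SmallPPI:
    """Ledger for one minimum-detail PPI (hypothetical). Every operation returns
    (accepted, reason) and changes state only when accepted is True."""
    balance: int = 0
    loads_by_month: dict = field(default_factory=dict)
    loads_by_fy: dict = field(default_factory=dict)
    debits_by_month: dict = field(default_factory=dict)

    def load(self, amount: int, on: date) -> tuple:
        if amount <= 0:
            return False, "amount must be positive"
        m, fy = (on.year, on.month), financial_year(on.year, on.month)
        if self.loads_by_month.get(m, 0) + amount > MONTHLY_LOAD_CAP:
            return False, "monthly load cap exceeded"
        if self.loads_by_fy.get(fy, 0) + amount > ANNUAL_LOAD_CAP:
            return False, "financial-year load cap exceeded"
        if self.balance + amount > OUTSTANDING_CAP:
            return False, "outstanding balance cap exceeded"
        self.loads_by_month[m] = self.loads_by_month.get(m, 0) + amount
        self.loads_by_fy[fy] = self.loads_by_fy.get(fy, 0) + amount
        self.balance += amount
        return True, "loaded"

    def debit(self, amount: int, on: date, kind: str) -> tuple:
        if amount <= 0:
            return False, "amount must be positive"
        # Only purchases of goods and services are allowed; transfers to bank
        # accounts or to any PPI are refused before any balance check.
        if kind != "purchase":
            return False, "funds transfer not permitted from this PPI"
        if amount > self.balance:
            return False, "insufficient balance"
        m = (on.year, on.month)
        if self.debits_by_month.get(m, 0) + amount > MONTHLY_DEBIT_CAP:
            return False, "monthly debit cap exceeded"
        self.debits_by_month[m] = self.debits_by_month.get(m, 0) + amount
        self.balance -= amount
        return True, "debited"


class Issuer:
    """Remembers which (mobile number, OVD number) pairs already received this
    PPI category, so the same holder cannot be issued one again."""

    def __init__(self):
        self._issued = set()

    def issue(self, mobile: str, ovd_number: str) -> tuple:
        key = (mobile, ovd_number)
        if key in self._issued:
            return None, "already issued against these minimum details"
        self._issued.add(key)
        return SmallPPI(), "issued"


def demo() -> dict:
    """Constructed walk-through (mobile number and OVD value are made up)."""
    issuer = Issuer()
    ppi, _ = issuer.issue("9000000000", "OVD-0001")
    out = {"load_apr": ppi.load(10_000, date(2020, 4, 10))}
    out["load_apr_again"] = ppi.load(1, date(2020, 4, 20))
    out["transfer"] = ppi.debit(500, date(2020, 4, 12), "bank_transfer")
    out["purchase"] = ppi.debit(4_000, date(2020, 4, 12), "purchase")
    out["load_may_too_much"] = ppi.load(5_000, date(2020, 5, 1))
    ppi.debit(6_000, date(2020, 5, 2), "purchase")   # empties the wallet
    ppi.load(10_000, date(2020, 5, 3))                # fresh monthly load
    out["over_debit_cap"] = ppi.debit(5_000, date(2020, 5, 4), "purchase")
    out["reissue"] = issuer.issue("9000000000", "OVD-0001")[1]
    # A second PPI loaded and emptied monthly exhausts the FY cap in ten months.
    heavy = SmallPPI()
    for year, month in [(2020, m) for m in range(4, 13)] + [(2021, 1)]:
        heavy.load(10_000, date(year, month, 1))
        heavy.debit(10_000, date(year, month, 2), "purchase")
    out["fy_exhausted"] = heavy.load(1, date(2021, 2, 1))
    out["fy_reset"] = heavy.load(1, date(2021, 4, 1))
    return out
```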

How did the rules on interoperability impact e-wallet companies?

After interoperability was rolled out completely in 2018, e-wallets were on a par with payment banks. It opened up a new window for wallet companies to explore new business opportunities. The PPI industry had waited a long time for these guidelines, and the new rules made the industry more attractive for new companies to join.

Impact on Users

Today, mobile wallet users can transfer funds from one wallet to another effortlessly, without having to download another wallet. They can pay across the networks of any other PPI through UPI. Once users have completed their KYC with the wallet companies, they can avail of the benefits of interoperability.

Information Security Effectiveness through ISO 27004 Standard

When it comes to information security, being careful is not enough. Protecting commercially sensitive information and personal records is quite critical. But how can you tell that your Information Security Management System [ISMS] is being effective & making a difference?

Guidance from ISO 27004

The goal of a security process is to minimize exposure to risk, so it is crucial to determine the efficiency of the implemented controls. 

  • How do you justify & explain the budget to improve your existing controls? 
  • How do you measure whether the implemented security controls are effective or not? 

It is important to demonstrate to your Senior Management & to your organization that the funds meant for implementing security controls are invested in controls that adequately mitigate & reduce information risk to the core business processes. 

ISO 27004 can provide guidance on how to evaluate the information security performance and the effectiveness of your ISMS. It explains how to assess and report the results of a set of information security metrics and how to develop and operate measurement processes. ISO 27004 is valid for & applicable to organizations of all types & sizes. It helps establish the following important aspects:

  1. monitoring and measurement of information security performance;
  2. monitoring the effectiveness of an ISMS including its processes and controls;
  3. scrutinizing and evaluating the results of monitoring and measurement.

The value of ISO 27004 in mitigating Cyber Attacks

Cyber attacks are one of the greatest risks that a business can face and that is why the enhanced version of ISO 27004 is trusted the most as a reliable mechanism to manage them. It gives the necessary fundamental and practical support to organizations that have already implemented the ISO 27001 Standard to safeguard themselves from the growing diversity of cyberattacks that they face.

Cyber security metrics can provide insights about the effectiveness of an ISMS and hence have taken center stage in an effective information security program. Whether you are a Professional, Consultant, or Engineer responsible for cybersecurity and for reporting to the Management, security metrics have become a crucial way to communicate the state of your organization’s cyber security risk posture.

Making the most out of your Cyber Security Investment

Organizations need help in addressing the question of whether their investment in information security management is effective or not. They need to know whether it is fit for purpose to react to, defend against, and respond to the continually changing cyber-risk environment. This is where ISO 27004 can provide multiple advantages to your organization.

ISO 27004 can help organizations construct an information security measurement program, make selections as to what needs to be measured, and operate the necessary measurement processes. This includes different types of measures and how the effectiveness of these measures can be assessed.

Benefits of using ISO 27004

Using ISO 27004 provides many benefits to organizations:

  1. Improved accountability.
  2. Enhanced ISMS processes and information security performance.
  3. Evidence of meeting requirements of ISO 27001.
  4. Adherence to applicable Laws, Rules, and Regulations.


Get in touch with us if you wish to implement the ISO 27001 Series of information security standards in your organization.

General Data Protection Regulation – Complying With GDPR Requirements

In 2018, the General Data Protection Regulation (GDPR) replaced the Data Protection Directive 95/46/EC as the primary law regulating how companies must protect EU citizens’ personal data. The new requirements of GDPR became effective on 25th May 2018. Today, companies that were already in compliance with the directive must ensure that they are also compliant with these new requirements of GDPR. If a company fails to achieve General Data Protection Regulation compliance, it is subject to stringent penalties and fines.

General Data Protection Regulation Requirements

GDPR requirements apply to every member state of the European Union. The requirements aim at creating more consistent protection of consumer and personal data across EU nations. The Key Privacy and Data Protection requirements include:

  • Consent of subjects for Data Processing
  • Protecting privacy by anonymizing collected data
  • Handling safe transfer of data across borders
  • Providing Data Breach Notifications
  • Appointing a Data Protection Officer [DPO] to oversee GDPR compliance

A set of standards is made mandatory for companies that handle the data to better safeguard the processing and movement of EU citizens’ personal data.

GDPR Compliance

General Data Protection Regulation imposes a uniform data security law on all EU members, so that every member state no longer needs to write its own data protection laws and the laws are consistent everywhere. In addition, it is crucial to note that any company that markets goods or services to EU residents, regardless of its location, is subject to the regulation. As a result, GDPR will impact the data protection requirements globally.

Requirements Of GDPR 2018

General Data Protection Regulation contains 91 articles and 11 chapters. The following articles have the greatest potential impact on security operations:

  • Articles 17 & 18: These articles give data subjects more control over personal data which is processed automatically. As a result, the data subjects may transfer their personal data between service providers more easily. They can also direct a controller to erase their personal data under certain circumstances. These activities are known as “Right to Portability” & “Right to Erasure”, respectively.
  • Articles 23 & 30: These articles require companies to implement reasonable data protection measures so as to protect the personal data and privacy of consumers against loss or exposure.
  • Articles 31 & 32: These articles are about data breach notifications. According to Article 31, controllers must notify Supervisory Authorities [SAs] of a personal data breach within 72 hours of learning about the breach. They should provide specific details of the breach, such as its nature and the approximate number of data subjects affected. According to Article 32, data controllers should notify data subjects about the breach as quickly as possible when it puts their rights and freedoms at high risk.
  • Articles 33 & 33a: These articles require companies to perform Data Protection Impact Assessments in order to identify risks to consumer data and Data Protection Compliance Reviews to make sure that the risks are addressed.
  • Article 35: According to this article, certain companies should appoint data protection officers. If a company processes data that reveals a subject’s genetic data, health, racial or ethnic origin or religious beliefs, it must designate a data protection officer who can advise the company about compliance with the regulation and act as a point of contact with SAs. Some companies are subjected to this article as they collect personal information about their employees as part of human resources processes.
  • Articles 36 & 37: These articles outline the position of Data Protection Officer and the responsibilities to ensure compliance as well as reporting to Supervisory Authorities and data subjects.
  • Article 45: This article extends data protection requirements to international companies that collect or process the personal data of EU citizens. It subjects them to the same requirements and penalties as EU-based companies.
  • Article 79: This article outlines the penalties for General Data Protection Regulation non-compliance. They can be up to 4% of the violating company’s global annual revenue, depending on the nature of the violation.

Best Practices for GDPR

Every organization must be aware of all GDPR requirements and must comply with them. For many companies, the first step in complying with it is to appoint a Data Protection Officer who can build a Data Protection Program to meet their requirements. Once the company is compliant, it is crucial to stay informed of changes to the law and enforcement methods.

Steps to Ensure GDPR Compliance

  • Read the GDPR: Several sections of the legislation are difficult to decipher and are written in dense legal language, but every person in a position to be affected by the General Data Protection Regulation should attempt to read and understand it.
  • Look to Other Organizations: Businesses around the world, not just in the European Union, are affected by this. If your organization still lacks understanding of the steps needed to reach compliance, reach out to those who are compliant. Other businesses are likely to share the steps they took to reach compliance.
  • Pay Close Attention to Your Website: Data storage, cookies, opt-ins, and more are things that can be easily set up on a website, and their compliance with GDPR is crucial. While many tools used to collect and store contact data have allowed for compliance, it is up to the organization to make sure that it is compliant.
  • Pay Close Attention to Your Data: All the data must comply with GDPR if you have a presence in the E.U. It should be properly mapped out how data will enter, how it will be stored, and how it will be transferred or deleted. Knowing every route personal information takes is vital to preventing breaches and ensuring proper reporting in the event of data loss.

GDPR Enforcement And Penalties For Non-Compliance

As compared to the previous Data Protection Directive, the General Data Protection Regulation has now increased penalties for non-compliance. It has set a standard across the EU for all companies that handle EU citizens’ personal data and therefore, SAs have more authority than in the previous legislation. They have corrective and investigative powers and can issue warnings for non-compliance. They can also perform audits to ensure compliance, order data to be erased, require companies to make specified improvements by prescribed deadlines, and even block companies from transferring data to other countries. Data controllers and processors are subject to SAs’ powers and penalties.

This also allows SAs to issue larger fines than under the Data Protection Directive, determined on the circumstances of each case. The SA can decide whether to impose its corrective powers with or without fines. If a company fails to comply with certain General Data Protection Regulation requirements, it can be fined €10m or 2% of total global annual turnover, or €20m or 4% of total global annual turnover, whichever is greater.


Ensuring Compliance With New General Data Protection Regulations

General Data Protection Regulation (GDPR) is the EU’s new data protection legislation that strengthens and unifies data protection for individuals and addresses the export of personal data outside the EU.

In January 2012, the European Commission set out plans for data protection reform across the European Union in order to make Europe ‘fit for the digital age’. Four years later an agreement was reached, the General Data Protection Regulation (GDPR) was introduced, and the new EU framework applied to organisations in all member states, with implications for businesses and individuals across Europe and beyond.

What is General Data Protection Regulation?

GDPR is a new set of laws that gives EU citizens more control over their personal data. It simplifies the regulatory environment for business, so that both citizens and businesses in the European Union can benefit from the digital economy. It brings the laws and obligations around personal data, privacy and consent across Europe up to date for the internet-connected age.

In April 2016, the General Data Protection Regulation was approved by the European Parliament. In May 2016, the official text of the regulation was published in all of the EU official languages. On 25th May 2018, the legislation came into force across the European Union.

GDPR Compliance

Today, almost every aspect of our lives revolves around data. Almost every service that we use involves the collection and analysis of our personal data. Our name, address, credit card number and other information (generally known as Personally Identifiable Information [PII]) are all collected, analysed, and stored by organisations. But data breaches inevitably happen. Information gets stolen, lost or otherwise released into the hands of people with malicious intent.

With the General Data Protection Regulation compliance strategy, organisations have to ensure that personal data is gathered legally and under strict conditions and those who collect and manage it are obliged to protect it from misuse and exploitation. They must also respect the rights of data owners or else face penalties for not doing so.

The personal data under GDPR as per the existing legislation includes name, address, photos, IP address and sensitive personal data like genetic data or biometric data that can be processed to uniquely identify an individual.

Who Needs to be GDPR Compliant?

GDPR applies to every organisation operating within the EU or outside the EU that offers goods or services to customers or businesses in the EU. Basically, every major corporation in the world needs a GDPR compliance strategy.

There are two different types of data-handlers to whom the legislation applies: processors and controllers. A controller is a public authority, person, agency or body that determines the purposes and means of processing the personal data. The processor, on the other hand, is a public authority, person, agency or body that processes personal data on behalf of the controller. For instance, if you are subject to the UK’s Data Protection Act, you will likely need to be General Data Protection Regulation compliant.

In order to maintain records of personal data and how it is processed, GDPR places legal obligations on a processor. Controllers are required to make sure that all contracts with processors are in compliance with GDPR. This gives a higher level of legal liability should the organisation be breached.

GDPR for Businesses & Consumers

GDPR has established one law for all companies doing business within EU member states. According to the European Commission, having a single supervisory authority for the entire EU will make it simpler and cheaper for businesses to operate within the region. The Commission claims that GDPR will save €2.3 billion every year across Europe.

Organisations are encouraged to adopt techniques like pseudonymisation so that they can benefit from collecting and analysing personal data while protecting the privacy of their customers at the same time.

Due to the sheer number of hacks and data breaches that occur, the unfortunate reality is that some of our data has been exposed on the internet, like email address, password, social security number and much more. But one major feature of GDPR is that it provides consumers the right to know when their data has been hacked.

Businesses must notify the appropriate national bodies as soon as possible so that EU citizens can take appropriate measures to prevent their data from being abused. Consumers also get easier access to their own personal data, and a clear and understandable explanation of how it is processed and how their information is used. Some organisations have already moved to ensure this, for instance by sending emails to customers with information on how their data is used and providing an opt-out for those who do not wish to be a part of it.

Many organisations within the retail and marketing sectors have contacted customers to ask if they want to remain part of their database, while other sectors have been warned that they have a lot more to do in order to ensure GDPR compliance, especially where consent is involved. 

GDPR also has a “Right to be Forgotten” feature that provides additional rights to people who no longer want their personal data processed to have it deleted. This leaves organisations with no grounds to retain it. Therefore, businesses need to keep these consumer rights in mind.

Identifying whether a Privacy Email is a Scam or from an Actual Company

Organisations of all sizes send emails to customers, and with so many organisations sending out emails about GDPR, scammers and criminals have taken it as a prime opportunity to send out phishing emails.

Researchers at Redscan found scammers posing as Airbnb and claiming that the user would not be able to send messages to prospective guests or accept new bookings until a new privacy policy was accepted. They specifically cited the new EU privacy policy as the reason for the message being sent.

The scammers were leveraging GDPR to steal information: customers who received the fake message were asked for their personal information, including account credentials and payment card details, whereas the real Airbnb message did not ask for any information at all. Criminals piggybacking on GDPR for their own gain is, unfortunately, very likely.

What is a GDPR Breach Notification?

Under the GDPR rules, companies must report data breaches that involve loss of, or unauthorised access to, personal data to the relevant supervisory authority. In some cases, organisations must also inform the individuals affected by the breach. Organisations must report any breach that is likely to result in a risk to the rights and freedoms of individuals and lead to discrimination, financial loss, damage to reputation, loss of confidentiality, or any other social or economic disadvantage.

In simpler words, if the name, date of birth, address, health records, bank details, or any other personal data about customers is breached, the organisation is obliged to notify those affected as well as the relevant regulatory body, so that measures can be taken to limit the damage.

This is done via a breach notification that must be delivered directly to the victims. The information should not be communicated only in a press release, on social media, or on a company website. It must be a one-to-one correspondence with those affected. The breach must be reported within 72 hours of the company first becoming aware of it. And, if the breach is serious enough to mean customers or the public must be notified, the same should be done without undue delay.

GDPR Fines & Penalties for Non-Compliance

If an organization fails to comply with GDPR, it will result in a fine ranging from 10 million euros to 4% of the company’s annual global turnover. Fines and penalties depend on the severity of the breach. It also depends on whether the company is deemed to have taken compliance and regulations around security in a serious enough manner.

A maximum fine of 20 million euros or 4% of worldwide turnover, whichever is greater, is for breaches of the rights of the data subjects, failure to put procedures in place, and unauthorized international transfer of personal data.

A lower fine of 10 million euros or 2% of worldwide turnover is applied to companies that mishandle data in other ways: for instance, failing to build in privacy by design (ensuring data protection is applied from the first stage of a project), failing to report a data breach, or failing to appoint a data protection officer where one is required.

Biggest GDPR Fines so Far

The biggest GDPR fine issued so far is the €50m fine imposed on Google. The French data protection watchdog, CNIL, issued the fine after concluding that the organisation was breaking GDPR rules on transparency and on having a valid legal basis for processing people’s data for advertising purposes. Prior to this, the largest GDPR penalty stood at €400,000, when a Portuguese hospital was fined for deficient account management practices. Currently, data protection watchdogs across Europe are investigating thousands of cases.

Whether the cause is a cyberattack, human error, or anything else, a company that loses data is obliged to deliver a breach notification. It must describe the breach, including the categories of information and the approximate number of individuals affected by the incident, along with the categories and approximate number of personal data records concerned.

Companies must also provide a description of the potential consequences of the data breach, for instance theft of money or identity fraud, together with all the measures being taken to deal with the breach and to counter any negative impact on individuals. The contact details of the data protection officer or the main point of contact dealing with the breach must be provided.

Is it Necessary to Appoint a Data Protection Officer?

As per GDPR guidelines, an organization must appoint a Data Protection Officer (DPO) if it carries out large-scale processing of special categories of data, is a public authority, or carries out large scale monitoring of individuals like behavior tracking. Public authorities can appoint a single DPO for a group of organizations. While it is not necessary for organizations outside of those above to appoint a DPO, other companies must ensure that they have the necessary skills and staff in order to be compliant with GDPR legislation.

As per the Information Commissioner’s Office, a Data Protection Officer should have professional experience and knowledge of data protection law proportionate to the processing the organisation carries out. If an organisation fails to appoint a Data Protection Officer where GDPR requires one, this counts as non-compliance and may result in a fine.

GDPR Compliance is Necessary

Ultimately, these measures are meant to minimize the risk of breaches and uphold the protection of personal data. This may look like more policies and procedures for organizations, but many companies would have already put good governance measures in place.

Under the GDPR provisions that promote governance and accountability, organisations should implement appropriate technical and organisational measures such as data minimisation and pseudonymisation, allowing individuals to monitor processing, data protection provisions (review of HR policies, staff training and internal audits of processing activities), and keeping documentation of processing activities. All organisations must ensure that they have carried out the necessary impact assessments and are GDPR compliant.
