The Digital Personal Data Protection Bill, 2023 was introduced in the Lok Sabha earlier this month by Union Minister of Communications, Electronics, and Information Technology Ashwini Vaishnaw. On August 9th, the Rajya Sabha voted unanimously to enact the Digital Data Protection Bill 2023. The bill intends to control how digital personal data is processed while upholding people’s rights to privacy and the requirement to use that data only for legitimate purposes.
Since the widespread adoption of digital transformation in the last ten years, concerns about data privacy and security have surfaced. The demand for protection has never been stronger due to the growing volume of data being taken and traded for data thefts and breaches.
Mr. Raj Sivaraju, President, APAC, Arete (a provider of tech-enabled managed services, data insights, and incident response that helps businesses and governments manage cyber risk), spoke with VoicenData and shared his views on the Data Protection Bill 2023, current cyber risks, how to address breaches effectively, and more. Here are a few excerpts from the interaction:
VnD: How does the Data Protection Bill 2023 encourage businesses to invest in stronger cybersecurity measures to protect personal data?
Raj Sivaraju: As one of the few countries where privacy is recognized as a fundamental right, India understands the importance of striking a balance between protecting users’ rights and fostering innovation in the digital landscape. The bill creates a business-friendly environment by eliminating legal implications for non-compliance and facilitating international data transfers. This encourages businesses to adopt data protection measures without the fear of severe punitive actions.
With the bill in place, companies must review their existing data-handling practices and invest in new processes to ensure compliance. Ensuring personal data protection becomes imperative as the bill introduces the possibility of significant commercial penalties, ranging from Rs 50 Crore to Rs 250 Crore, for non-adherence to its obligations. This move makes it clear that transformation is inevitable, and enterprises should embrace it not only for compliance purposes but also to establish and operate within a privacy-enabled environment.
VnD: In what ways does the Data Protection Bill of 2023 impact how businesses and organizations handle personal data?
Raj Sivaraju: The impact of the Data Protection Bill of 2023 on businesses is substantial, particularly in terms of how they handle personal data. The bill designates companies as “data fiduciaries” responsible for protecting digital data taken from individuals termed “data principals.” As part of the regulations, data fiduciaries must inform data principals about the data they are collecting and how it will be used. Additionally, companies must appoint a Data Protection Officer and provide contact information for them, enhancing accountability and transparency.
Moreover, the bill empowers individuals, or data principals, with a comprehensive set of rights regarding their data. They have the right to access their data, understand its use, and delete or modify their information. This aspect of the bill aligns with internationally recognized data protection laws, such as the General Data Protection Regulation (GDPR) of the European Union. By granting such rights, the bill seeks to establish a transparent and accountable data governance framework that respects and protects individuals’ privacy.
VnD: How does the Data Protection Bill of 2023 address the rights of individuals regarding their personal data and empower them in the digital landscape?
Raj Sivaraju: The Data Protection Bill of 2023 does not solely focus on businesses’ responsibilities; it also addresses the governance of government data through the National Data Sharing and Accessibility Policy. This comprehensive approach to data governance involves regulating personal data based on principles inspired by the GDPR and other international regulations on personally identifiable information. Additionally, India has taken a pioneering step by establishing a non-personal data framework, making it the first country to embark on such an initiative.
VnD: What are some notable examples of large-scale data breaches that have occurred in India?
Raj Sivaraju: In April 2019, Facebook suffered a data breach, exposing sensitive information from over 530 million users, including phone numbers, account names, and Facebook IDs. In 2020, Juspay faced a significant data breach, with threat actors compromising 35 million user accounts and selling the stolen data on the dark web. In February 2021, Air India fell victim to bad actors who gained unauthorized access to the personal information of 4.5 million customers, highlighting the risks associated with digital transformation and data protection.
In the same year, the Common Admission Test (CAT) experienced a breach affecting 190,000 applicants, further reinforcing the need for businesses and organizations to prioritize cybersecurity measures to safeguard personal data. In April 2021, Upstox, one of India’s major stockbroking firms, faced a security breach, compromising the KYC and other data of 2.5 million customers. This incident underscored the urgency for enhanced data protection measures in the financial sector.
In another major breach in April 2021, Domino’s India encountered a significant data breach, with a threat actor obtaining and selling customer data from 18 million orders. The compromised data included names, addresses, phone numbers, and credit card information of 1 million individuals, exposing the vulnerabilities in data security within the food industry. LinkedIn also faced a massive breach in June 2021, impacting over 700 million users, constituting over 90% of its user base. This further emphasized the need for robust cybersecurity measures to protect user data.
These incidents underscore the growing risks associated with digital transformation and the urgency for businesses and organizations to invest in stronger cybersecurity measures to protect personal data and prevent large-scale data breaches.
VnD: How can organizations improve their incident response capabilities to address data breaches effectively?
Raj Sivaraju: Organizations can improve their incident response capabilities by adopting a Zero-Trust security framework, which should be their top priority to combat the ever-increasing complexity of cyber threats. Alongside this, individuals should be encouraged to implement multi-factor authentication (MFA) and be aware of common hacking techniques such as phishing, vishing, and shimming to safeguard their online accounts.
Utilizing strong and complex passwords can also reduce the risk of becoming a target. Governments, enterprises, and educational institutes should play a crucial role in promoting cyber awareness campaigns to educate all citizens, as most battles in today’s digital-first world are predominantly fought online. By taking these measures, organizations can enhance their preparedness and response to data breaches, ensuring a more secure digital landscape.