The multiplicity of frameworks competing with each other on how the “Privacy” of an individual has to be protected has created a web of confusion in Corporate circles, since all managements ultimately have limited resources and have to balance their compliance activities, in the form of audits, generation of reports etc., with their commercial limitations.
If there is an Indian Company with 10% of its business in EU data processing, 10% of its business from HIPAA entities and the balance in India, and which uses the cloud services of Amazon, it needs to address questions such as:
– Should I opt for compliance with ISO 27001/27018, HIPAA-HITECH Act, GDPR or ITA 2008?
– Besides these, what about other security frameworks such as PCI DSS which may also be applicable?
– How practical is it to consider compliance with all regulations concurrently, which is of course the ideal approach?
I am sure that the Privacy Professionals attached to these companies will be scrambling to develop Excel sheets showing the mapping of controls meant for one framework to those of another. They will try to prove that if I am ISO 27001 certified, I am already deemed to be compliant with ITA 2008 or HIPAA or an EU data protection requirement.
However, since most frameworks also insist on “Certifications” from an “Accredited” “Certification Agency”, the plight of an organization does not end with “Being Compliant”; it would also require “Documenting that it is Compliant”.
While this is certainly good for agencies that provide “Certifications”, “Conduct Seminars/Training Programs”, “Sell Compliance Manuals” etc. (and also for consultants), one needs to pause and think whether we are going overboard with the proliferation of regulations, to the extent that one day organizations will revolt and ignore compliance.
It could then be a field day for Dispute Resolution Managers (which includes the undersigned, who proposes to manage an online dispute resolution mechanism under odrglobal.in) and the legal firms who specialize in such matters.
But in the interest of the industry in general, we need to see how we mitigate the “Privacy Regulation Proliferation Risk”.
At the end of the day, the objective of all Privacy Regulations is to ensure that an individual’s identity information is protected from the time it is collected by an organization, through the life cycle of its usage, until it is destroyed.
The key instruments of such protection are “Disclosure”, “Consent”, “Security”, “Destruction” and, above all, “Ethical Usage”.
The different frameworks may differ in the detailing of how these objectives are met and how the measures of compliance are documented, audited and reported.
If, therefore, there is a strong common framework that addresses the principles of Privacy protection, it should suffice.
We must recognize that no framework is in a position to completely deny the powers of an authority to demand information for national security reasons.
Hence the principle of “Privacy Right subject to reasonable Regulations” will continue to rule. The problem of the empowered law enforcement authorities themselves not following the laid down principles is a risk that no framework can address effectively.
Currently, the emphasis of privacy regulation appears to be veering towards strict enforcement with hefty fines. The GDPR proposition of 4% of global turnover appears insane.
The fines that are being contemplated and imposed under HIPAA and EU guidelines will all be transferred to the Business Associates in India through Business Associate Contracts. The validity of such contracts is further fortified by ITA 2000/8. Therefore these penalties need to be taken note of by Indian companies who have a stake in the Data Processing Business.
But it is clear that the million- and billion-dollar penalties being bandied about in the US and EU markets can only be indemnified by Indian companies on paper, and never fulfilled without simply closing down their business. Even if they are insured, the insurance will be expensive and the insurers will limit their own liabilities by various means.
If, therefore, one takes the penalties seriously, tries to comply and obtains Cyber Insurance coverage to meet the contingencies, then these regulations will have such a devastating effect on the Indian outsourcing industry that costs will increase astronomically. The increasing costs will only make the competitive edge vanish and harm even the US and EU companies.
It is therefore the responsibility of NASSCOM and other industry organizations to deliberate on how these competing and potentially crippling privacy regulations could affect our industry in general, and what steps need to be taken to provide a protective umbrella to Indian companies so that they are not dragged into international arbitration for billion-dollar penalties at the drop of a hat.
On the other hand, the Companies also have to organize their own compliance activities in such a manner that their compliance efforts are proportionate to the risk of penalties. In this context, managements need to realize that if they are operating in India, they are exposed to the requirements of the Information Technology Act 2000/8, where the penalties for non-compliance are “Unlimited” in civil terms and could also result in the imprisonment of the CEO and top executives for 3 to 7 years or more.
Prudent managements realize that a “Law is as effective as its enforcement machinery”. Sometimes this is interpreted to mean that they can always manage Indian law enforcement even if they are caught in a non-compliant state. However, we need to realize that Indian law has immediate jurisdiction to enforce, whereas the international regulations have to act through arbitration on contractual agreements and further through international treaties. In this respect we can say that Indian laws are more threatening to Companies in India than the international laws.
Remember that the local police station, where an inspector has jurisdiction to strike, is only across the road, and sometimes non-compliance with Indian laws may easily make him come hunting. Hence compliance with Indian laws cannot be ignored, though for many organizations it is fashionable to be compliant with international regulations and ignore local laws. This is clear from the fact that there may be more companies in India which are “Patriot Act Compliant” than “ITA 2008 compliant”.
While the industry should continue to deliberate on the methods for “Mitigation of Privacy Regulation Proliferation”, there are certain initiatives that need to be taken by the Government and by organizations such as NASSCOM and STPI if they are to provide a sense of security to businesses in India. I will try to bring this up for discussion some time later.
I hope sufficient attention will be given to this aspect in the coming days by the Government.