New India Data Privacy Rules:

June 3, 2011

New technologies bring new threats. And with the advent of cloud computing and the increasing popularity of social media, data privacy has been pushed into the background.

That’s putting individuals, enterprises and the country at risk, which is why the government of India brought about changes to the IT Act, 2000. The government’s aim is to keep tabs on Internet security breaches and to project India as a responsible and data-secure nation.

While many organizations have expressed their discontent over the new Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, many enterprises are gearing up for the new regulations.

The government’s announcement this April was intended to ensure customer privacy and boost the offshore outsourcing business in India. But the rules may require enterprises to additionally get customer consent to process certain types of information. Some senior executives feel that the rules are too controlling. “The changes to the IT rules give enormous freedom to the government to block any blog or website. And this is definitely something that is not implemented in print media, for instance,” says Satya Prabhakar, CEO and founder of Sulekha.com. “The act uses generic terms like being grossly harmful, libelous, harassing, etcetera, as reasons to block or remove any content on the Internet. The government should have a re-look at it,” he adds.

While some call it controlling, others complain of a lack of desire to enforce cyberlaws in India. “India is very weak in enforcing a law or an Act. Unless you enforce it and make people aware, I don’t think people will take it seriously. If there are changes which can make our lives easy; and more clarity is brought into it (the new laws), it will be better,” says Sachin Jain, head-IT and CISO, Evalueserve.

Ambiguity is something that also bothers Deepak Rout, CISO, Uninor. “The privacy norms in all the industry sectors cannot be the same. Having a one-size-fits-all kind of a law is not very smart,” he says. But he also feels that this is the right time for the government to take such measures. “India jumped in from not having a privacy law at all to giving a very comprehensive and over-arching policy. This is the right time that India has jumped into the fray with the privacy law, but some kind of exception should have been provisioned,” says Rout.

The road towards the implementation of privacy rules by an enterprise is dotted heavily with cost implications. “In order to comply with the rules, organizations will have to go in for ISO27001 certification, as this has been approved by the government as following reasonable security practices and procedures,” says Faraz Ahmed, CISO and head-regional IT at Reliance Life Insurance. “Also a grievance officer will have to be appointed to address an individual’s concern regarding his personal information,” he says.

But it is up to the enterprises whether they want to implement the law or not. “According to the Indian law, it is not compulsory for every enterprise to implement it. But they should do it if they want to skip on the liability. If found guilty, a civil suit can be filed against them under the IT Act with unlimited compensations,” says Sagar Rahukar, head (Maharashtra) at Asian School of Cyber Laws.

Source New Data Privacy Rules:
