Security & Data Protection: The Finance & Payments Divison

India is one of the largest digital markets in the world, attracting global players. The rise in digital services being provided online by both the public and the private sectors has led to the generation of vast amounts of data. However, due to the unprecedented growth in internet accessibility, novel business models have sprung up that collect and analyse personal data for commercial purposes. Using personal data for commercial purposes without clear regulatory and legal frameworks poses grave risks to individual autonomy and privacy. There is a need to construct an institutional and legal framework to ensure the utmost privacy for individuals while encouraging businesses to innovate and expand. There exists a need for a more comprehensive law to address data privacy concerns.

Policy formulation has to consider all the recent developments in the commercial use of personal data so that legislation does not prove inadequate to handle the complex challenges in this field. The policy has to strike a delicate balance between necessary compliance and over-regulation. Because the bill will regulate the use of data in almost all economic activities, there can be high compliance costs, specifically for small businesses. There has to be consultative dialogue with all the concerned stakeholders so that upcoming legislation can fulfill the tasks of protecting personal data and encouraging innovation. Hence the esteemed panelists of the panel discussion organised by the SKOCH group discussed the ‘Finance and Payments Dimension particularly’ and provided their valuable viewpoints.

Views on the PDP Bill and the Crypto Bill

Ms. Pooja Bansal (Global Head, Security Operations, Compliance & Investigation, Faceportal India Pvt. Ltd.) presented her views on the Personal Data Protection Bill and the Crypto Bill. She has also explained how her organisation would attempt to handle both the bills. She said, “India is among those countries where we have a lesser presence. Hence from a back-office perspective, we assume that the Data Protection Bill of India will not cause more of a challenge. However, it is easier said than done. Once the data protection bill becomes a law format, we will be able to see what timelines they would provide for implementation and, in actuality, issues in implementing some of the articles, etc. Now, if you look at various organizations, typically, what they’ve done is deemed acceptance, which may or may not be relevant when this law passes. Indians do not give a lot of importance to privacy. For instance, we keep giving our phone numbers everywhere. Various aspects of the usage of the personal data that we provide to various organizations are not implemented in India. And for us to implement that will depend more on the rules once they come and then work on preparing a strategy for implementing it.

A massive challenge from a Data Protection Bill perspective

Mr. Pawan Chawla(Chief Information Security Officer & Data Protection Officer, Future General India Life Insurance) feels it will be tough. He further said, “so if you look at the last data protection bill, many amendments have been made to it in November and December. Alone in December, they had 81 amendments and some new clauses were added. Hence, until and unless it becomes an act, it will be tough to judge and tell what an organization can or cannot do in this regard. We saw that many loopholes and clarity are required because the proposed draft has some grey areas. Though it is similar to the GDPR, it is much more enhanced in certain aspects. Now, we have been talking about consent and hence there is a right of removal, which needs to be focused upon. I feel it is important for a country like India because India is always known for vomiting data and is also much more vulnerable. Because wherever we go today, we vomit data like anything.”

Challenges that would come with the shift in Digital Payment Landscape

Mr. Pawan Chawla said, “till the Act comes out, we won’t be able to know what exactly is going to be there or how we need to respond to it. How long it will take to get implemented is a question that can only be answered after it comes out as a bill. It will be a challenging task and will take much more than what it would have taken in the EU to implement if they were given 18 months. Hence, it will take much longer in India because we don’t even know where the data is today.” 

On being asked about her view on the challenges which would come with the shift in the digital payment landscape, Ms. Pooja Bansal said, “it depends on the government as to when that becomes a formally acceptable mode of taking payment. So until the formal regulatory clearances come in, we will not be in a position to take that as a form of payment. It would take a lot of effort from an organizational standpoint to tackle the challenges and security needs to go hand in hand with any strategy that the organization at any level goes ahead with. We have also realised that in most organizations the security aspect is not looked into from the beginning. So, the kind of involvement that security gets to have is maybe in the middle and we do not have that concept of security by design. The GDPR brought in the concept of privacy by design in a similar manner and I have the perspective that we must have a strategy to have security by design. That will play a vital role in whatever modes we deploy new technologies. If security is embedded from the beginning, it will make life easier for the organization and give a better customer experience.”

Data’s Role in Financial Services and Handling the Finance Aspect

Digitization is here to stay and will be the future for all of us. There is no way that any organization decides not to adopt digitisation in India. The most prominent example we can see is when the demonetization happened, Paytm became a unicorn and now they’re launching an IPO. So digitisation and securing data have become more relevant. However, it may still need to be formalized and regulated. First, it needs to be held and only then can one implement controls to protect that. Hence it will be a challenge for every organization as it will be the future and the organizations need to think through it from today onwards.  

The challenges and the penalties which are mentioned in the act are going to be huge. There is a lot of money that the organizations need to invest in those technologies or compliances, which we don’t know today because it’s going to be a mix of both.

Having Adequate Controls

On being asked about having adequate controls in the business, Ms. Pooja Bansal said, “what we have essentially done is that we keep ourselves updated with the regulatory requirements of various countries that we are operating. We have our legal team, which worked with various third-party organizations and they provide us details of what needs to be there and what controls we need to comply with from a regulatory standpoint. This is kept updated regularly. If new regulations come in from a new market standpoint, that gets added. We have also made a comparison of the requirements of various laws. Hence, certain requirements may be common to, say, 10 Different laws. However, a specific law or a regulatory market may require a unique set of requirements. So that is something we’ve called out, and we have done our data flows, mapping, etc.”

Going Forward

Mr. Pawan Chawla said that India is known for vomiting information, and we don’t know where the data lies. We have provided details to many agencies if we get several calls and messages. It will be a challenge for organizations to put off controls and ensure customers’ data is secure. The consent and right of removal will also play a significant role. 

On the other hand, Ms. Pooja Bansal said, “In this digitised world, we are moving very pleased towards having a secure infrastructure for every organization. However, when we talk about security, we also want to deliver a mature customer experience to every customer of ours. When it comes to the digital experience, the customers want everything in an automated fashion. There are times when we have agents attend to all the customers concerning emails, chats, queries on the phone, etc. However, there has been a paradigm shift in the expectation of the customers. While many four plus seven services were available earlier, customers expect their queries to be answered within less time. There has been a shift from the current landscape to a place where people want a better experience which is starting to play a vital role in all organizations. We as an organization are investing a lot in giving that digitized experience to our customers. And when we say that we want to give customers a superior experience, we want that experience to be good. And when we say good, security plays a vital role. An organization’s first kind of loss is a reputational loss, along with the financial and monetary loss that comes with the penalty. Hence, we need to have our strategies right, built across the organization to move towards secure land and give our customers a better experience.”

Recommendations

• There is a need to construct an institutional and legal framework to ensure the utmost privacy for individuals while encouraging businesses to innovate and expand. 
• Policy formulation has to consider all the recent developments in the commercial use of personal data so that legislation does not prove inadequate to handle the complex challenges in this field. 
• There has to be consultative dialogue with all the concerned stakeholders so that upcoming legislation can fulfill the tasks of protecting personal data and encouraging innovation.
• Security must go hand in hand with any strategy that an organization at any level goes ahead with.
• Efforts should be made to have the concept of ‘Secure by Design.
• Digitisation and securing data must be formalized and regulated.   

• SOURCE-PIB