Data Protection Law Shifts Spotlight on CISOs
The Personal Data Protection Bill cleared by the Union Cabinet last week would set legislative proceedings in motion that would culminate in India joining the legion of nations where protection of one’s data is given as much importance as that of one’s life and belongings. Once approved by Parliament as law, it would require all organizations, both public and private, to comply with provisions related to data security and usage.
Based broadly around the contours of European Union’s General Data Protection Regulation (GDPR), the immediate impact that the law would have on enterprises would be to enhance the role of leaders handling security. The Chief Information Security Officers (CISO) would move beyond advising the leadership on data security matters and become a sort of ombudsman on all matters related to privacy and usage of data in all forms.
The Change Agents
Security experts believe the new law would endorse a risk-based approach to delivering the latest security best practices to protect any type of sensitive data. So, it is largely the function of an officer who has been dealing with information security for some time and with some insight. However, examining the CISO’s responsibilities in the light of the PDP bill is not as simple as it may sound.
More so because, presently, there are no laws on the utilization of individual information and forestalling its abuse in the country, even though the Supreme Court maintained the right to privacy as a fundamental right back directly in 2017. It is only in line with the GDPR, the Indian government, a year ago, presented a draft Personal Data Protection bill on how individual data information can be stored and processed by both the public and privately-owned businesses.
“The biggest challenge is that in India, most firms go to market without considering embedding security in the product or service,” says Sriram Laksmanan, Vice President – Cyber Security Assurance, Genpact. With the advent of PDP, instead of cybersecurity being an afterthought, CISOs will be involved from the scratch to ensure all new offerings are compliant to the PDP (as well as GDPR) and secure by design from a business, legal and technical standpoint, and that he believes can be a mammoth task.
Coming to CISO’s role in particular, some believe, it should change very little to their practice on a day to day basis. The CISO’s role change in fact is already underway, especially in large organizations – thanks to the complex and evolving nature of security threats – where they are already required to flex new muscles.
“Now CISOs work with a broader set of stakeholders and build an increasingly diverse team to handle different areas of concern,” including regulatory and privacy issues, product security and shadow IT, says Sheril Jose, Head- Cyber Security at Pune-based Emcure Pharmaceuticals.
Moreover, with cyber security needs growing more diverse by industry CISOs should spend more time understanding the industry they’re in and the business priorities of the company,” says Jose.
One good example in India is the BFSI sector, where the Reserve bank of India (RBI) and Insurance Regulatory Authority of India (IRDAI) mandated that CISOs in banks and insurance companies respectively should not report to the CIOs—it is understood that the data fiduciaries have to ensure that in the best interest of their ability to meet the compliance requirements.
Closely following the footsteps of BSFI industry, the healthcare sector also started to wake up to the recent spate of cyberattacks. A comprehensive cybersecurity framework – Digital Information Security in Healthcare Act (DISHA) – which came into being in March 2018, is also expected to have a huge impact on the healthcare sector (once it comes to force) and likewise the CIO’s role. Many others are still assessing the security situation, developing a strong security team and building relationships and credibility with business leaders and executives.
However, the PDP Bill (which covers largely every sector of digital enterprise) will further change this trajectory with newer and more complex clauses. As mentioned by a TOI article, violation to the PDP will cost the companies dearly. It mentions that a company may have to pay a penalty of up to Rs 15 crore or 4% of its total turnover if found violating norms under the PDP Bills. Besides this, the company’s executive in-charge of conduct of the data business can also face jail term of up to three years if found guilty of knowingly “re-identifying de-identified data” of individuals in the country or processing them in violation of the norms laid in the Bill.
This implies that all digital companies will have to mandatorily store critical data of individuals within the country. And, they can transfer sensitive data overseas after explicit consent of the data owner to process it only for purposes permissible under law once the Bill is approved by Parliament. And despite companies spending millions on security products and security good practices and risk-based approaches, this is where most companies and their security teams see the major challenge.
Therefore, to understand CISO’s role in maintaining security good practices to protect any type of sensitive data as underscored by the PDP Bill, it makes sense to examine the global regulatory landscape and draw some lessons from the GDPR as the PDP Bill emulates the privacy principles incorporated under GDPR.
Lessons from GDPR
Experts observe, despite the GDPR being over a year old, there is still a gap between legal and technical, with many organizations still struggling fully to understand what’s required of them. This has raised concerns about how data security is perceived globally. Most organizations, if audited with any vigor, would likely not meet the stringent requirements that are set out in the GDPR.
Lawyer and EU privacy expert, Sophie Stalla-Bourdillon mentions in her blog, the reason for the lack of adoption lies in the legal complexity of the mandate itself. And this legal complexity is causing the burden of meeting GDPR to be shifted to the shoulders of teams with technical skills. In practice, this means that a large number of boards are increasing their reliance on CISOs and CIOs to prove GDPR compliance.
But, CISOs cannot do it by themselves, and it’s unreasonable to believe that they can. They need all the help they can get, and that means legal help as well. Lawyers need to brush up on their technical knowledge so that they can bridge the gap between the legal requirements of the GDPR and the software, processes and practices in place for security, says Stalla-Bourdillon.
Just like GDRP, PDP Bill is a mandate that affects the compliance team, security team, operations team and every other business department in some way. While it is still not clear in most Indian firms as who will take the ownership of data security responsibilities.
The Data Protection Officer
Many believe, with the advent of PDP, organizations doing business in and with India will be required to appoint a data protection officer or DPO to take over many of these tasks. “The DPO is likely to be a new player in the security governance game, and it could be that he/she brings a different outlook and a different background to the table (very often it is likely to be somebody with some form of legal training),” says, Pierre-Luc Réfalo, head of cyber security consulting at Capgemini.
The DPO will face many challenges similar to those faced by the transformational CISO around driving cultural change and engineering new dynamics around “privacy by design”.
The PDP also explicitly mandates that non-Indian companies should have a DPO based in India. While some see DPO as a threat to the CISO role, the relationship, according to Réfalo should largely be collaborative. They should be strong allies if they manage to build and push from different angles a common transformative agenda and create together the structures they will need to demonstrate compliance (for the DPO) and ensure the adequate protection of information assets (for the CISO).
In a third possibility, however, to avoid any overlap with the CISO’s role in protecting data governance, the CISO may also consider playing a dual role of a CISO and a DPO.
CISO or CDO?
While there have been several debates on whether security professionals like CISO can make a good choice to carry out the responsibility, going by the GDPR global best practices, many large corporations already have Chief Data Protection Officers.
Similar of such positions—be it Chief Compliance Officer or Chief Privacy Officer or Data Protection Officer—are held by legal professionals. Wal-Mart’s Avila, Shell’s Graham, Volkswagen’s Michels, Apple’s Jane Hovarth, Allianz’s Dr Raether, BT’s Emila Chantzi are all attorneys.
Some Indian companies doing global businesses have also appointed DPOs in recent years. Most of the positions are from legal backgrounds and as can be expected, most of them are IT/BPO companies.
Experts however believe that in India, there are just not too many legal professionals who are well versed with technology. So, many Indian companies will go for legal consultants even as they go for tech people to carry out the actual tasks to ensure that the non-compliance does not happen. On the other hand, as the job requires knowledge of law, tech and prior experience with compliance, organizations may switch over to people who can continuously enhance the capability and prevent newer targeted attacks to steal personal data. In that sense, CISOs would fit the role far better.
As Georges Ataya, Professor, security evangelist and Partner at Ataya & Partners writes on LinkedIn Pulse, “Smaller organizations that may not even dispose of a CISO function may be obviously tempted to staff both activities in one single function.”
In any, experts believe, whether the CISO has to work in collaboration with the DPO or a legal expert, or has the expertise to play the dual role, the PDP Bill, which comes with potentially high fines for noncompliance, is forcing CISOs at organizations of all sizes to rethink how they manage data privacy and security and wherever necessary make it work better.
In fact, with the soon to come PDP Bill, it may be time for a revival in the C-suite. An understanding of the business and an ability to communicate about security, risk and compliance issues can bring the CISO role in a new spotlight.