There’s a massive explosion in data being generated by connected internet users in India. Large tech companies are unhappy with such restrictive laws, but the Indian government seems to have decided to break the nut. Elaborating on the impact of data localization, Rana Gupta, Vice President – APAC Sales, Identity and Data Protection, Gemalto, explains what data localization is and its real impact. Edited Nub.
1) What is Data localization and its impact?
In the era of the internet whereby anyone sitting anywhere in the world can access the data assets residing anywhere in the world, what purpose does the localization of data serve? What risks does it pose if the data resides outside the country?
If the concern is around data protection, then data localization without an appropriate data protection regime wouldn’t serve any purpose.
Is the concern around the company owning the data and mining the data for its benefit? If so, how will localizing the data help prevent it?
Is the concern around a company sharing the data with a foreign government under local judgment/directions? If so, then yes – it helps to mandate companies to keep data locally.
But considering that in many a case the interaction data being generated (say, for example, on Facebook, Twitter, WhatsApp, etc.) will involve interactions between individuals from multiple nationalities, it is perceivable that the same data will be available in multiple geographies. Especially in cases where the localization is being sought, there will be a foreign/MNC entity involved unless it is just intended to force Indian companies to not use the foreign CSP.
So, wouldn’t the bigger issue to focus on be to ensure the protection of data against any breaches AND enabling the control of that data as much as possible with the data subjects?
To summarize, data localization without the regime of 3-Step Secure The Breach pillars of Encryption, Secure Key Management, and Secure Authentication could create a false sense of security.
2) Role in simplifying the adoption of security practices?
I am reminded of “Necessity is the mother of invention”. Once the Data Privacy Bill mandates certain requirements, it is bound to shake up the existing ecosystem, and customers will ask for simpler ways to implement the security requirements as asked for by the Data Privacy Bill. It is expected that in the longer term it shall simplify the adoption of security practices by nudging the organizations to build privacy by design rather than thinking of it as an afterthought.
3) What are your expectations being a major security company?
As a security company, we sincerely seek to have this bill do the following things –
- Mandatory breach notification so that we all start to understand the severity of the problem. One cannot address a problem if one doesn’t understand the extent of the problem itself.
- Categorization in terms of penalties to be imposed on different kinds of organizations. I certainly hope that in this context, the biggest burden be put on the Government Departments, Defense Organizations and PSUs as any breaches into those organizations will likely have the biggest dent on India as a society.
- It is hoped that this bill raises the importance of data-centric security and seeks to have the organizations apply the concept of privacy by design (encryption) and by default (processing the minimum amount of sensitive data).