Data privacy laws ‘will be cumbersome and costly’ for industry

Banks and financial institutions will face new and demanding challenges with the spread of data privacy laws, delegates at the OpRisk Asia conference in Singapore have heard.

Parag Deodhar, chief risk officer and head of programme management and process excellence at Bharti Axa General Insurance in Bangalore, warned: “Data privacy acts will be cumbersome and costly for companies to implement. Any user will be able to ask you what data you hold on him: can you tell him? He will also have the right to demand its deletion. But other regulations may require you to keep the data – for example, for tax reasons.”

Data protection acts are already in force in many jurisdictions – including the UK – and usually include safeguards against the unauthorised transfer of personal data to third parties. Data privacy laws, Deodhar explained, include far tougher controls, such as the right to demand deletion – and would create particular problems for financial companies.

“It’s an open question where the chief information security officer should report to, but at least most companies have one. They will need to appoint a data privacy officer as well,” he pointed out. Mobile data and outsourcing would create particular problems.

“If the company is supplying smartphones to its employees, it can dictate their use and control them. But bring-your-own-device is a growing trend. What happens when the company wants to delete its data? It may have to delete all the data on the phone, because the software doesn’t allow any other way, including the personal data.”

Outsourcing raised data privacy issues too: “Where is your data centre, if it is in the cloud? What are they doing with the data? Who knows? There are a lot of issues – you may have to store Indian data only on servers in India, but data exchange could happen all round the world. If you move service providers, how do you ensure that the data on the old provider’s servers is destroyed?”

The law has been in force in India since 2011. This hasn’t produced many problems so far. “Most companies don’t even have a data privacy policy in place. Fortunately, almost no-one in the country knows about the law, so we are safe – but maybe not for long,” Deodhar said.


This article was first published on Risk
