[P.S: This is in continuation of the discussion of the proposed Data Protection Act in India and the public comments invited for the Justice Srikrishna report.]
“Privacy by Design” is a concept which GDPR expects from Data Controllers and Data Processors. The concept of Privacy by design basically means that measures for Privacy protection should be initiated right from the inception of a project and during the engineering process. It is not an after thought considered over the layer of processing but should be embedded into the basic framework of processing.
The concept of Privacy by design imposes a sense of responsibility on software manufactures who have a tendency to design software solely for functional purpose and expect Privacy to be taken care of manually at the time of implementation.
This concept needs to be extended to complete compliance of all provisions of the Data Protection Act which can be controlled by technical means by making “Compliance By Design” as a mandatory provision under law so that the responsibility for compliance is shared by both the software developers and the users. This could mean that systems and outsourced services should have mandatory encryption, mandatory authentication in the form of non repudiable digital signature system, mandatory compliance of data retention, mandatory archival of log records etc.
If such “Compliance by design” is mandated, then the quality of software products from the point of view of “Data Security” would increase and in the event of any “Data Breach” caused by vulnerabilities in the software systems, some responsibility may be imposed on the software companies also. This would help SMEs in particular who donot have greater dependency on the software suppliers, who donot agree for source code audit or for source code escrowing and also donot guarantee that their software is free from bugs.
Larger companies may have better ability to take their own measures to secure the systems irrespective of the vulnerabilities they come with. They also have the power to extract maintenance contracts and source code audits better than the SMEs and hence the proposal for Compliance by design should help SMEs more than large entities provided the definition of “By design” is extended to software development.
The new data protection act can consider imposition of “Compliance By Design” as one of the responsibilities of system developers (both hardware and software). In order to incorporate this provision, a separate chapter that defines the compliance requirements of the Data Controllers, Data Processors and Data Managers (as proposed in our previous article) along with how the fact of compliance should be disclosed to the public and to the Data Protection Authority. This should obviously be controlled through Registration and penal de-registration of entities who are Data Controllers/Processors/Managers.
Hopefully Compliance requirements donot simply remain on paper but are followed up for strict implementation.
In order to ensure that Compliance is taken seriously, Cyber Insurance should also be made mandatory so that the Cost of Insurance should incentivise the business entities to invest the right resources in achieving compliance.
The SKC has asked the feed back on whether the law should be made retrospective or prospective. If “Compliance” is an honest expectation, it goes without saying that the law has to be enforced prospectively with reasonable time given for compliance.
In the meantime the regulatory authorities need to even provide guidance and assistance to the Data processors and Controllers in the SME sector so that they can achieve compliance in the specified time. The compliance schedule also need to be extended with an additional time for smaller entities taking into account the incidence of cost as well as scarcity of manpower to assist them in the compliance.
The compliance dead line could therefore be about 1 year for large units and about 2 years for smaller units, with exact definition of what is Small and what is not being decided on the basis of turnover.