Research Project
Under the guidance of our chairman Mr. Sudhanshu Pani
Submitted by: Kartik Dabas
A009
80552100023
DATA PROTECTION AND PRIVACY
What is data protection and privacy, and why is there an emerging need for it in India?
In today’s world, nearly all information ends up stored on a computer. When different
types of information are stored in one place, that collection is called data. Such data is very
important to the user, which is why data protection and privacy are gaining importance now.
Data protection is the process of securing important information/data against corruption,
compromise, or loss. It also ensures that the data is used only for authorized purposes and
in line with legal and regulatory requirements.
The terms data protection and data privacy are used interchangeably, but there is a difference
between the two. Data protection is about safeguarding data from hacking, phishing, and other
fraudulent activities, whereas data privacy concerns who has access to the data and restricting
unwanted users from it.
Data protection and privacy play an important role in business operations, development, and
finances. Companies use data protection to prevent data breaches, avoid damage to their
reputation, and better meet regulatory compliance requirements. Data protection relies on
technologies such as data loss prevention (DLP), storage with built-in data protection,
firewalls, encryption, and endpoint protection.
Here are the key data management aspects:
Data Availability – ensuring that data is available to concerned users for operating the
business even when the data is lost.
Data lifecycle management – this involves the automated transmission of important data
to offline as well as online storage.
Information lifecycle management – this involves protecting information assets
from various sources, malware, viruses, user errors and machine failures.
Sectors that need data protection and privacy on a priority basis:
1. IT Sector:
Companies in the IT sector include file-sharing solution providers, cloud storage
providers, computing service providers, software developers, and many more. Large
amounts of sensitive and important data are frequently managed and stored for customers
by this sector. Attacks typically target particular network members or target the network
operations of a corporation directly.
2. Health care sector:
The healthcare sector is all too frequently noted for having inadequate security breach
management capabilities. Attacks on their broader supply networks are a common
occurrence for public sector providers. Typically, lucrative attacks target healthcare
suppliers. Additionally, hospitals hold some of the most sensitive and in-depth patient
data.
3. Government entities:
It is no surprise that government entities are at high risk due to the extent and sensitivity
of the data they often possess. Extensive servers and databases are of high interest and
value, so they attract cybercriminals who are well versed in known
vulnerabilities, such as the NSA’s attack in 2016 that could have exposed billions of
software users.
4. Legal sector:
Legal service providers hold and manage enormous amounts of data, most of it sensitive
data with legal and financial ramifications. Due to the significant monetary value
attached to the data they manage, corporate and property law firms are particularly at risk.
5. Financial and banking:
The causes of the unique risk in this sector are quite simple. Financial institutions are
now required by FDIC regulations to present results of penetration tests and follow
compliance guidelines. These crimes concentrate on the financial and banking sectors, since
information and money are two of the most sought-after elements in cybercrime.
Why are data protection and privacy a necessity now?
The 21st century is referred to as ‘the information age’ because of the immense rise in the
number of ways in which India has used information. India has been affected by this digital
revolution as well. The Government of India has created and implemented the "Digital India"
program in recognition of its relevance and the potential for significant disruptions it holds for
practically all spheres of society. With nearly 450 million Internet users and a growth rate of
7-8%, India is well on the path to becoming a digital economy, which has a large market for
global players.
The processing of personal data is already pervasive as the world moves toward a digital
economy. Today's digital environment makes it so that practically all of an individual's activities
entail some form of data transaction.
Even the biggest companies in today’s world are data driven. The Internet has given birth to
entirely new markets: those dealing in the collection, organization, and processing of personal
information, whether directly or as a critical component of their business model.
Uber: The world’s largest taxi company, owns no vehicles
Facebook: The world’s most popular media owner, creates no content
Airbnb: The world’s largest accommodation provider, owns no real estate
Data protection is now an essential part of business strategy, and it is practiced by
companies of every size. Jurisdictions such as Europe and the USA have made it a
legal obligation to protect data by introducing data protection legislation such as:
General Data Protection Regulation (GDPR)
California Consumer Privacy Act (CCPA)
These laws have been introduced to protect the processing and storage of personally identifiable
information (PII), which includes names, addresses and phone numbers, and to grant several
rights to data subjects.
Data protection is important for companies because they hold a lot of confidential information
which, if leaked, can cause them huge financial distress. According
to IBM and the Ponemon Institute's Cost of a Data Breach Report 2021, which was published in
2021, the average cost of a data breach around the world increased by 10% to $4.24 million. The
increase in cost was brought on by higher regulatory fines as well as the effects of remote work
during the pandemic.
The methods used by hackers to carry out cyberattacks have also advanced. Nowadays, it is
simpler to infiltrate a network and disseminate malware and ransomware via phishing and social
engineering techniques. Cybercriminals only need to steal someone's identity, or deceive workers
into sharing credentials or clicking a malicious link or attachment, to obtain access to a work
laptop. They can easily infect the entire network once inside.
So what do big companies do to protect their data?
1. Superior defense against external threats:
Big businesses implement and frequently upgrade fundamental security features like
two-factor authentication, firewalls, and anti-malware programs to meet external security
threats. Additionally, they go further by adding more sophisticated techniques like Zero
Trust architecture and Trusted Platform Module (TPM) capabilities.
"Never trust, always verify" is the new approach to cybersecurity proposed by zero trust
architecture. It makes sure that, when accessing trusted resources, people, devices, and
network traffic are all vetted and subject to least-privilege policies. In this manner,
attackers are prevented from spreading laterally throughout the network if just one
computer is infected.
2. Understanding the location and direction of data:
Large enterprises monitor their networks for sensitive data using data loss prevention
products like Endpoint Protector. They can choose to delete or encrypt the data if they
discover it in unauthorized locations. Transparency is essential in the era of data protection
legislation, both for ensuring compliance and for developing strong data protection practices.
3. The general application of encryption:
Data must now be encrypted before being sent to the cloud or to portable devices, as
well as on hard drives, USBs, and cellphones, to protect important corporate information
and secure client data.
The rise of remote labour and a mobile workforce, two prevalent data protection
weaknesses in today's global economy, are both addressed with encryption. Since devices
regularly leave the security of corporate networks, encryption guarantees that the
important data they contain is inaccessible to outsiders in the event of theft or loss.
4. BYOD Policies:
The type of data that can be shared outside of business devices is restricted in large
organizations. Device control policies can be implemented at the same time to make sure
that only devices that adhere to a specified level of security are trusted. In this way,
employees have the choice to match the level of security on their own devices to that
required by the business. If they decide not to do so, the policy ensures that no sensitive
data can be shared to those devices.
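An added example (not part of the original paper, and not the code of any DLP product named above) of the content inspection described in point 2: it looks for Aadhaar-style numbers and phone numbers stored outside an approved location and reports them masked. Aadhaar numbers end in a Verhoeff check digit, which is used here to discard look-alike 12-digit strings; the file paths, the approved prefix and the two patterns are assumptions made for the illustration.

```python
import re

# Verhoeff tables: D = dihedral-group multiplication, P = per-position permutation.
D = [[int(ch) for ch in row] for row in (
    "0123456789 1234067895 2340178956 3401289567 4012395678 "
    "5987604321 6598710432 7659821043 8765932104 9876543210").split()]
P = [[int(ch) for ch in row] for row in (
    "0123456789 1576283094 5803796142 8916043527 "
    "9453126870 4286573901 2793806415 7046913258").split()]

# Candidate patterns (assumed formats): 12-digit Aadhaar, 10-digit Indian mobile.
AADHAAR_RE = re.compile(r"(?<!\d)[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}(?!\d)")
PHONE_RE = re.compile(r"(?<!\d)(?:\+91[ -]?)?[6-9]\d{9}(?!\d)")
APPROVED_PREFIXES = ("/secure/kyc/",)  # hypothetical approved storage location

def verhoeff_valid(number: str) -> bool:
    """True if the digit string carries a correct Verhoeff check digit."""
    c = 0
    for i, ch in enumerate(reversed(number)):
        c = D[c][P[i % 8][int(ch)]]
    return c == 0

def mask(value: str) -> str:
    """Keep only the last four digits so the report itself leaks no PII."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]

def scan(files: dict) -> list:
    """Return (path, kind, masked value) for PII found outside approved paths."""
    findings = []
    for path, text in files.items():
        if path.startswith(APPROVED_PREFIXES):
            continue
        for m in AADHAAR_RE.finditer(text):
            # The checksum filters out order numbers and other 12-digit noise.
            if verhoeff_valid(re.sub(r"\D", "", m.group())):
                findings.append((path, "aadhaar", mask(m.group())))
        for m in PHONE_RE.finditer(text):
            findings.append((path, "phone", mask(m.group())))
    return findings

SAMPLE_FILES = {  # constructed sample data, not real records
    "/secure/kyc/customers.csv": "Asha,2345 6789 0124,+91 9876543210",
    "/shared/tmp/export.txt": "id 2345-6789-0124 call +91 9876543210",
    "/shared/tmp/orders.log": "order 2345 6789 0123 shipped",  # bad checksum
}

if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES):
        print(finding)
```

Only the copy in the shared export is reported: the approved location is skipped, and the order number that merely looks like an identifier fails the checksum.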
Data protection and privacy in India
India does not have any legislation for data protection and privacy, but the Information
Technology Act gives relief to Indian citizens, as several amendments to the Act indirectly
protect data and privacy.
The following important sections have been substituted and inserted by the IT Amendment Act,
2008:
1. Section 43A – Compensation for failure to protect data.
2. Section 66 – Computer Related Offences
3. Section 66A – Punishment for sending offensive messages through communication service,
etc. (This provision was struck down by the Hon'ble Supreme Court as unconstitutional on
24th March 2015 in Shreya Singhal vs. Union of India)
4. Section 66B – Punishment for dishonestly receiving stolen computer resource or
communication device.
5. Section 66C – Punishment for identity theft.
6. Section 66D – Punishment for cheating by personation by using computer resource.
7. Section 66E – Punishment for violation of privacy.
8. Section 66F – Punishment for cyber terrorism.
9. Section 67 – Punishment for publishing or transmitting obscene material in electronic form.
10. Section 67A – Punishment for publishing or transmitting of material containing sexually
explicit act, etc, in electronic form.
11. Section 67B – Punishment for publishing or transmitting of material depicting children in
sexually explicit act, etc, in electronic form.
12. Section 67C – Preservation and Retention of information by intermediaries.
13. Section 69 – Powers to issue directions for interception or monitoring or decryption of any
information through any computer resource.
14. Section 69A – Power to issue directions for blocking for public access of any information
through any computer resource.
15. Section 69B – Power to authorize to monitor and collect traffic data or information through
any computer resource for cyber security.
16. Section 72A – Punishment for disclosure of information in breach of lawful contract.
17. Section 79 – Exemption from liability of intermediary in certain cases.
18. Section 84A – Modes or methods for encryption.
The central government also issued the Information Technology (Reasonable Security Practices
and Procedures and Sensitive Personal Data or Information) Rules, 2011. These Rules have imposed
additional requirements on commercial and business entities in India relating to the collection
and disclosure of sensitive personal data or information.
India has also introduced the Aadhaar card, a biometric-based unique identification
number for the residents of India. Aadhaar is regulated by the Aadhaar Act. Entities in regulated
sectors such as financial services and telecom are also subject to obligations of
confidentiality under sectoral laws, which require them to keep customers' personal information
confidential and to use it only for prescribed purposes or in the manner agreed with the
customer.
Personal data is protected through indirect safeguards developed by the courts under common
law, principles of equity and the law of breach of confidence. In a landmark judgment delivered
in August 2017 (Justice K.S. Puttaswamy & another vs. Union of India), the Supreme Court of
India recognised the right to privacy as a fundamental right under Article 21 of the
Constitution, as a part of the right to “life” and “personal liberty”.
Cyber Raksha Kavach program
The Centre for Digital Transformation and Microsoft have come together to offer various
initiatives on cyber security to handhold Indian small and medium enterprises as they develop
and maintain a strong cyber security posture. The program offers a series of training programs
containing multiple modules that cover all aspects of cyber security.
The program provides you with the knowledge of:
Cyber Security Fundamentals
Types of malware
Cyber security breaches
Types of cyber attacks
How to create cloud security
Common threats for online business
Prevention tips
Prevention software
Conclusion:
India has no legislation for data protection and privacy, but our nation understands the
importance of data privacy and protection, as there are other indirect laws and cases which
support data protection and privacy for the citizens of India. The Indian legislature is still
working on the Data Protection Bill, 2019, which was struck off for changes and will be
enforced in December 2021.