In today's digital world, data is the driving force behind personal and business decisions. But as data's importance grows, so does the need for data privacy and security. In this article, we explore why data privacy and security matter immensely in our modern age.
Ruby Bansal and Egemen Zeren from our Global Marketing team interviewed experts Neeru Walia, Alina Oprea, and Shailendra Fuloria to understand more from their viewpoints.
Our experts:
Neeru Walia works in the Global Privacy Council at Nagarro. Neeru has rejoined Nagarro after spending close to 10 years in different companies. She is passionate about data privacy and practices data privacy in her work and day-to-day life. In her role, she enables businesses by providing data privacy-related guidance and ensuring compliance.
Alina Oprea is also part of the Privacy Council and a Data Protection Officer (DPO) for several jurisdictions. She has been working in the field of privacy for the last five years and has been a part of the organization for more than nine years. Not only is Alina an expert in data privacy, but she is also an accomplished mountain hiker who takes up trails during her free time.
Shailendra Fuloria leads Information Security at Nagarro. Recently, he has also started contributing to making IT more global. He has been with Nagarro since 2019 and has been in the industry for about 17 years across various client-facing, engineering, and operational roles in security. Shailendra has a PhD from Cambridge University, where he specialized in the security of Industrial IoT systems.
[Ruby]: How would you define data privacy, and why is it important in today’s day and age?
[Alina]: Let me start with a joke to answer your question: What does a good accountant say when asked: what does 2+2 equal? It depends! Similarly, what is privacy? It depends.
[Ruby]: Depends? Really? Like, on what?
[Alina]: Don't get me wrong. I am a big fan of definitions: whenever I have the opportunity, I make sure we use the same terminology, and we have the same understanding of the concepts we use. Imagine my concern when I professionally entered the domain of privacy. There were euphemisms over euphemisms; it was hard to get a straight answer. At the same time, privacy is a fundamental human right in the EU and an alluded concept in the US Constitution’s 4th amendment. At its core, privacy concerns the individual and the individual's expectation for their private life not to be disclosed to the public and to be kept safe from external interference.
In information technology, privacy has organically developed from information security as technical controls to safeguard the processing of personally identifiable information, meaning, information that could lead to uniquely identifying an individual.
[Egemen]: With the rise of artificial intelligence and machine learning, how can organizations like Nagarro use data responsibly and ethically to avoid potential privacy breaches?
[Alina]: In today's fast-evolving technological landscape, the impact of AI is immense, particularly concerning privacy. First, there is the question of privacy risks, such as reputational risks extending from individuals to companies or to society in general. Then, we would have to think about the ethical principles these models are being trained on – would the models’ use of UNESCO, OECD, Fair Information Practices, or EU Court of Human Rights render their output more meaningful to humanity?
Ethics is an important aspect in which privacy is embedded. Who is governing this aspect is crucial, so we should be careful in selecting our source of information from legitimate scholars, not minute entrepreneurs riding the latest wave.
Finally, we would have to think of the laws interacting with the use of AI. Privacy and data protection principles and rights have become laws in most parts of the globe, and AI is likely to follow. How would these domains interact and overlap? It is both interesting and terrifying to see these domains transform, as one can see the good intentions of evolution take a back seat to the realities of our society today.
The bottom line is that all usage of these technologies in organizations must be done lawfully. Also, the usage must be within an approved legal framework. Dedicated teams of experts from multiple functions must support the business units in successfully identifying and mitigating the risks associated with the deployment of this technology.
[Ruby]: In your opinion, what are the significant challenges and potential risks that individuals and organizations like Nagarro may face concerning data security in the coming decade?
[Shailendra]: In today's dynamic digital landscape, security is a real puzzle, and organizations worldwide are grappling with challenges in safeguarding their information assets. Data is pervasive and spreads across a multitude of devices, both managed and personal.
Striking a delicate balance between robust security, user-friendly functionality, and privacy is key. This is not just a technology challenge but a more complex socio-technical issue. There already exists an asymmetry in the cyber realm, with threats often surpassing the available defensive capabilities. This gap will become even bigger with the usage of AI in attack methodologies.
Security is like good health; we don’t notice it until it’s not there. We must remain nimble as individuals and as organizations to keep up and stay safe in this ever-changing digital world.
[Egemen]: Data breaches have become alarmingly common. What are some key practices and strategies that organizations like Nagarro should adopt to fortify their data security and prevent data breaches?
[Neeru]: In today’s world of business, decisions revolve around data. Data has become a goldmine that provides business insights. Business strategies are focused on data-driven approaches. Hence, there is a lot of demand for the data generated every second based on what consumers are interested in, how consumers are buying products, and how they are using the products and services. Customizing and personalizing products and services is another factor that makes data valuable to companies. This explains why companies are collecting personal information.
Once this data is collected, companies need to put strategies in place to make predictable analyses of this data that can drive business intelligence. Many vendors come into play and access this data to provide services to companies. These vendors may or may not have mature data security and data governance practices.
This opens the door for security breaches, and if this involves personal data, there can be huge repercussions. On the dark web, personal data, especially sensitive data on health and finance, is in huge demand and attracts a lot of hackers. On the other hand, it exposes users’ personal lives to malicious actors, which can result in impersonation and other frauds.
In the complex business landscape, companies and users must exercise caution and take proper safeguards. Here are some tips for companies:
- Build a strong focus on data security.
- Implement data governance strategies.
- Deploy data principles – minimum data collection, sharing, processing, and retention policy.
- Perform vendor assessment for critical vendors.
- Establish a robust data subject access rights mechanism. Ensure that users are kept informed about their data usage, and they have the freedom to exercise their data rights.
[Shailendra]: Once every couple of years, the security team sits down and identifies the most pertinent security risks for Nagarro and how to mitigate them. Earlier this year, we did a similar workshop seeking inputs from dozens of people across geographies, functions, and roles to help us arrive at our top five security priorities for the next two to two and a half years. These include:
- Focus on improving our security data loss prevention capabilities in our cloud infrastructure as adoption grows.
- Focus on further improving our laptops' data loss prevention capabilities, especially in a WFA mode of working.
- Focus on making security integral to software development in our client engagements.
- Strengthening our 24x7 security monitoring and incident response capabilities at a global scale.
- Fostering a culture of security.
[Ruby]: A lot of our Nagarrians are based out of India, hence, let's take the Indian scenario. India has reached a milestone when it passed its first data privacy law. In your view, how will this privacy law affect businesses and consumers in India and worldwide?
[Neeru]: We are living in an interesting time. This is a digital era wherein we, as consumers, witness digital influence in every part of life – fun, entertainment, education, travel, and work.
Now, we are rapidly being exposed to the digital world. Hence, the important aspect of life, our privacy, cannot be ignored. This is a commendable effort by Indian lawmakers to relentlessly work on unique and suitable data privacy legislation for India. Almost 65% of the world’s population is already covered under privacy regulations.
Companies in India and around the world (doing business in India) must comply with the law of the land. They need to update their privacy policy, data collection, and consent management to meet the compliance requirements.
[Egemen]: How can individuals decide to share their personal data with organizations like Nagarro? Have you encountered any instances where your personal data was used in ways that you didn't expect or consent to? How did you handle the situation?
[Neeru]: Talking in the Indian context again, here the right to privacy is a fundamental right. Creating awareness about data privacy and exercising data rights is important. All of us have seen how data is collected and shared freely without the knowledge of individuals.
I remember an instance when I entered a store of a big grocery brand, and a security guard asked me to provide my name and phone number. He has no purpose in collecting such information, but many individuals have provided him with the information without questioning him. This needs to be changed.
Consumers need to be more aware and need to ask the questions: why would anyone need my information, and how will they use my information?
Till the time people are not made aware of their rights, this law will remain a piece of paper. The Data Protection Board of India needs to take on this humongous task of user awareness in this huge and diversified country.
Individuals need to make informed decisions about sharing their data with companies, and they shall be more aware to prevent their data from data breaches. Here are my two cents:
- Provide only mandatory information while registering for online apps and forms
- Use browsers such as Safari and Brave, and other privacy-sensitive extensions
- Ask for your data to be deleted when you are no longer using services
- Don’t provide consent for marketing and other optional services. Don’t accept all cookies on the websites. Spend an extra millisecond, accept only necessary cookies, and protect your online privacy.
- Be careful and provide only limited identification documents for KYC. Stay tuned to the latest advisory issued by local law enforcement agencies.
Conclusion
We extend our heartfelt thanks to our experts, Alina, Neeru, and Shailendra, for illuminating the intricate landscape of data security and privacy. Their insights underscore the profound socio-technical nature of these issues while emphasizing the vital role of ethical and legal frameworks, especially in the AI era. As we venture into this ever-evolving digital realm, we must remember that a multi-disciplinary approach is our compass, guiding us toward responsible data stewardship in our interconnected world.
As technology continues to outpace legislation, we must collectively ponder how our definitions of 'privacy' and 'security' will evolve and what new paradigms await us on this transformative journey, both as individuals and organizations.