Data Privacy – Growing concern or a mere exaggeration?

How often are we coming across conversations around privacy of shared information these days? 1 in every 4 people are talking about the internet getting creepier by the day. We often share personal information on various sites such as Credit Card numbers, Bank Account details, Aadhar, along with Email IDs and Phone numbers. What most of us don’t realise is that this information is being used by organisations into developing intelligent technologies. Data drives technological innovation and there is no two ways about it. But, is this innovation really turning into an invasion of privacy and becoming growing concern or are we simply exaggerating because systems and software tools are getting intelligent by the day?

Is it a good thing that we are able to move into a phase where intelligent systems will be able to provide better solutions to problems which are too complex for the human brain? One could agree to this without blinking! But if the possibility of this intelligence surpasses the boundaries of being helpful in solving problems to creating some like ID theft and fraud, then information and cyber security becomes a growing concern. And that is exactly what everybody is talking about lately. If you have watched ‘The Social Dilemma” on Netflix, you would agree that nothing we share on the web is safe anymore. Knowingly or Unknowingly we are providing a free hand for platforms, systems and software to pick our personal information and turn it into money making data for organisations to use at their will. It has become acutely important to start thinking about securing the information being shared on the web. In the list of the worlds’ 70 largest platforms with respect to market capitalisation – America has 73%, China has 18% and Europe has 4% of the platforms. One of the primary drivers of value of these companies is their ability to collect and analyse data of users which often leads to network effects that help them grow and become very dominant actors in the economy. These companies have also been in the forefront of adopting AI to analyse this data.

It is proven without a doubt that we cannot live without the web or sharing information. We are a part of the generation that believes and thrives in digital transformation. On one side we have proponents of Data Democratisation. Believers of Data Democratisation strongly propagate the idea since it enables transparency, competitive advantage and empowers individuals at all levels of ownership and responsibility to use this data in their decision making. And then there are serious critics, individuals and professionals who have started voicing concerns about data being misused, misinterpreted and / or manipulated for commercial gains. Data exists in silos across the web, and with recent technologies organisations are able to gather this scattered data and compile it into useful, meaningful information which helps in decision making. The problem occurs when, this information is being misused for personal gains or cause security risks without maintaining the integrity.

There are many applications at various units of an organisation, that are used but not created with the principle of “Privacy by design”. Data collected from IoT devices are not necessarily considered private. Making a customer the Data Owner, letting the customer manage their privacy, providing the ability to revoke the rights to the data or right to forget is an afterthought or as in most cases not considered at all.

Similarly, the enterprise applications, off the shelf applications or SaaS applications, that almost always deal with sensitive, critical and PII data do not necessarily are built with “Privacy accountability”. There is no unified framework for all these data sets enforcing Data Security, Data Privacy and Data Governance. There are multiple solutions such as DLP, IRM, CASB, Data tokenisation, Data masking, access controls, among others are deployed. But they typically do not talk to each other. Most specifically, they do not know which policies, consent, access controls to be applied for various datasets in an organisation. Finally, digital transformation and innovation are hampered when there is a constant worry about data security, data privacy and data governance. Hence creating a real need to have an Automated system or a unified Data Security Governance framework in an organisation that helps them with digital transformation, innovation, staying competitive while ensuring data security, data privacy and data governance go hand in hand whilst enforcing appropriate policies, access controls, consent at the data level.

4 years ago, when data privacy and governance were rare topics of discussion at select forums, we understood that this is going to become one of the major concerns in the coming years. We invested heavily into understanding these issues closely and conducting in depth R&D to develop carefully curated systems which will not interfere with any individual or organisation’s operational will to share information. Our in-depth awareness about the risks and issues related to Data being unsecure led us to understand that Data Privacy is valuable to organisations beyond just meeting regulations.

This understanding and analysis encouraged us to develop systems that empower organisations and individuals with the ownership of the information that they have created. Data that you share can no longer be dispersed without your consent. If done so somehow, you are at the very least aware of what is happening to it. And that is how SecurelyShare came into existence.

After years of R&D, SecurelyShare has filed and obtained the following seven patent grants (USPTO):

With the introduction of new data privacy laws & regulation across the globe like GDPR, CCPA, PDP Bill, Aadhaar guidelines, etc., organisations need towards data management has changed significantly. The need to have a single comprehensive solution to address the end-to-end data security, privacy & governance solution for structured and unstructured sensitive information (PI/PII) has grown exponentially since then. It is now clear that investments on data privacy tools would help beyond just meeting the privacy regulations & compliance. Adequate measures would have to be developed in order to ensure that any data sharing framework does not dilute the protections afforded by the Personal Data Protection Bill, 2019 (PDP Bill).

With our patented approach towards data, the second step is to have a clear process to discover, separate, store and administer the sensitive, critical and PII data from the business / transaction data. When we take this approach, each dataset from various enterprise applications can be subjected to the most appropriate policies, access controls. When we embed this patented approach towards data and the process of separating sensitive data into enterprise applications and SaaS applications, we can make each of these applications pre-built with security & governance.

DSG Vault: Award Winning Platform for Privacy, Security and Governance

Barely a month after SecurelyShare emerged as one of the winners of the NASSCOM Emerge 50 Awards 2020, there’s more good news for us! SecurelyShare has successfully cleared the second stage of the DSCI Cyber Security Grand Challenge, thereby qualifying for the final stage of the Challenge. The second stage – the Minimum Viable Product (MVP) Stage – showcased our MVP, through our patented platform, DSG Vault.

But first, how did we get here?

Let us take a step back and understand the problem we’re here to solve. Imagine a situation in which you have a prescription for some medication, which you upload onto a pharmacy’s app. The back-end of the app processes your prescription and proceeds to enable delivery of the medication to you. What’s happened here is, simply put, an exchange of data. In your case, data include your personal details, address, prescription and related medical records. In the pharmacy’s case, data include inventory, distribution channels and customer records. From both sides, one can surmise that the information represented by the data is private and not only needs to be secured against any breach but the data needs to be guarded to ensure that the privacy of the consumer is handled as per the laws. It is with situations like these that SecurelyShare comes in.

Are there any safeguards right now?

Governments across the world have understood the need to have safeguards for critical data in order to protect citizens from losing control over their personal data. The European Parliament adopted the General Data Protection Regulation (GDPR) in 2016 (made enforceable in 2018) for ensuring data security and privacy in the European Union and the European Economic Area. Two aims were achieved with this move: individuals gained greater control of their data, and organisations were regulated centrally and in a unified manner. Along similar lines, the California Consumer Privacy Act (CCPA) was adopted in the United States in 2018. Data privacy laws have also gained traction in countries such as Russia, Japan, China, Brazil and Australia.

A brief about our patented DSG Vault platform

SecurelyShare has taken a patented approach to embed security, access controls, usage policies, consent and constraints at the data level. This unique approach is the foundation for our platform DSG Vault. This platform provides for a robust API Gateway and comes with dynamic and policy-driven encryption, tokenization, masking, watermarking and built-in Information Rights Management (IRM) capabilities, and provides the flexibility in deployment (either on premise or over a cloud), everything any organization would look for in the vast labyrinth of data security options. This “Inside Out” approach towards the data is what makes our platform solve any number of use cases around security, privacy and governance.

So, where does SecurelyShare come in here?

Through its MVP – built with the DSG Vault platform – SecurelyShare has developed an automated system that enables privacy-preserving analytics and forensics. The primary aim of this MVP is to demonstrate how organisations can quickly comply with regulations that cover data security and privacy, such as the PDP Bill, GDPR and CCPA.

As the next step, SecurelyShare will build and offer data security software as a service to ensure rapid compliance by organisations to these regulations. A significant off-shoot of this service would be the provision of a secure environment that enables organisations to store, share and process Personal Information (PI) and Personal Identifiable Information (PII) data. The generally accepted definitions are that PI refers to data that can be linked with a consumer or a household, while PII refers to data that can be linked to a wholly unique identity.

Our vision is to cover all aspects of Privacy Management answering concerns of consent management, security, access, control, operations, maintenance, monitoring and auditing – through a unified platform. The platform becomes the foundation for privacy-enabled analytics, computing and sharing of the data.

For whom is this solution?

Any organization that deals with critical and confidential data, really. These could be organisations in the banking and financial services sector, the healthcare industry, the pharmaceutical sector, manufacturing industries… to name a few. With the world connected digitally in a big way, governments have found the necessity to find common ground as far as regulation of data is concerned, so it was only logical to come up with a one-stop-shop to address all these compliance needs.

DSG Vault ensures that PII data remain anonymised and encrypted while being a subject of analytics, thereby preventing the risk of re-identification and consequent exposure of confidential information. We see great value in working alongside data management, analytics and infrastructure providers to on-board a wider variety of organisations in need of such a solution.

We built the MVP to demonstrate the core competencies of our platform and to meet the objectives of the DSCI Challenge. The MVP was particularly based on the data-sharing and privacy-enabled computing for the food delivery industry.

For the final stage of the competition, the MVP will be enhanced to handle multiple use cases across multiple industries. We will introduce connectors to multiple sources, an ability to dynamically select attributes, an ability to set attribute-based access controls and anonymisation, among other things. Our vision is to make the DSG Vault platform capable of handling any type of use cases in secure data analytics, privacy-enabled data sharing and data management. This will enable quick compliance to regulatory requirements through our final product offering, so it echoes these regulations as far as maintaining the integrity of data and data protection measures are concerned.

After all, as 2018 Global Chief Information Security Officer Of The Year Stéphane Nappo said, “It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.”

India is well on the way to bringing in stringent regulation with regard to data security and privacy. In 2019, the Ministry of Electronics and Information Technology tabled the Personal Data Protection (PDP) Bill, 2019, which is expected to be enforced in early 2021.

So, what does the PDP Bill oversee? As it stands, the PDP Bill aims to provide safeguards to individuals’ personal data, thereby ensuring privacy. The PDP Bill also calls for regulation of flow and use of personal data with the objective of protecting the fundamental rights of individuals who are owners of such data. In addition, the PDP Bill seeks the establishment of a “Data Protection Authority of India” to oversee its implementation when it has been through the discussions leading to it becoming a Law.

The industry has witnessed tremendous disruption after GDPR and CCPA came into the picture, drastically changing how organisations handle data. These regulations are aggressive in the way they protect private information, and have strict compliance requirements, leading to organisations scrambling to achieve full compliance. The necessity for speedy compliance will likely be seen here in India too with the PDP Bill.

In short, the PDP Bill, like its European and US counterparts, looks to ensure individuals retain some autonomy on the data they provide organisations, so that organisations can only make use of the data they need for operation, while “anonymising” the source of the data.