Insights from Abhishek Tiwari, Manager - KPMG India and member of ISACA
Startups are increasingly becoming vulnerable to data breaches. Looking at recent news reports, you’ll find that Juspay lost 35 million records, Unacademy lost over 20 million, and we don’t have to tell you about the data breach at Byju’s, which exposed sensitive student data, including loan details.
IBM Security’s ‘Cost of a Data Breach Report’ underscores the gravity of this issue – the average cost of a data breach in India stood at ₹17.7 crore in 2023, a significant 28% increase since 2020. Considering the costs involved, we might think that digital-first firms are taking this seriously and actively seeking to prevent mishaps. But the recent State of Cybersecurity 2023 survey by ISACA, an international professional association focused on IT governance, reveals a different picture.
More than 40% of Indian respondents in the ISACA survey revealed that their cybersecurity teams are understaffed, and a whopping 69% said that data breaches resulting in physical or financial harm to customers were among their top concerns about a cybersecurity attack on their organization.
In an age where data is considered the new gold, digital-first companies must navigate the complex landscape of privacy and data security “to ensure compliance and safeguard reputation,” says Abhishek Tiwari, a member of ISACA and manager at KPMG India.
Abhishek is a seasoned cybersecurity professional with 14+ years of experience in privacy risk assessments, strategy development, and implementing privacy and information security programs across organizations. In a conversation with ProdWrks, he outlined key considerations and best practices for founders and leaders of digital-first companies to understand the privacy landscape and ensure a culture of privacy awareness.
Understanding the Data and Privacy Landscape
The problem with most digital-first companies is that they are ill-equipped to handle any kind of data or privacy-related issue because there is no plan in place. ISACA’s survey revealed that 28% of the workforce identified data-related topics as the biggest skill gap they see in today’s cybersecurity professionals.
We asked Abhishek how he goes about his privacy audits, an approach other digital companies can follow. Here are his inputs.
Assessing the Privacy Posture
Abhishek Tiwari emphasizes that understanding a company’s privacy posture is paramount for every product company. This initial assessment involves evaluating the firm’s data handling practices and identifying areas of compliance and non-compliance. Whether a company is starting from scratch or looking to enhance its existing privacy program, this assessment is a foundational step.
Speaking about his assessment methodology, Abhishek says, “We start by understanding the company – the domain, sector, and operational geographies. This helps us understand what exactly they are doing and what is the involvement of personal data in their firm itself. The operational geographical spread helps us understand which regulations will apply to them.”
Gap Assessment and Data Lifecycle
Abhishek stresses the significance of conducting a thorough gap assessment that covers all aspects of data privacy, from data collection to disposal. Understanding the data lifecycle is essential to ensure every step aligns with regulatory requirements, such as GDPR.
“Understanding the complete life-cycle of data within the company is essential to the discovery process. It helps us understand the role of data in the company, and we segregate it into personal and non-personal data. We must do this discovery process for each department within the company to track how they create, store, process, and dispose of data,” says Abhishek.
During this journey, Abhishek also gets an understanding of third parties involved with a firm and how they handle their data.
Third-Party Involvement
For companies that collaborate with third parties or outsource development and operations, Abhishek advises founders to assess how the parties handle data and whether they align with the company’s privacy principles.
“If a third party is associated and if you need to give them access to your internal data, the risk will be more,” says Abhishek and advises founders to write iron-clad contracts with third parties that “explicitly address data management, including data transfer and secure deletion.”
You’ll find more information below on best practices to follow while working with third parties.
The Cost of Non-Compliance
With Europe already strict in enforcing GDPR guidelines and India following suit with its own version – the Digital Personal Data Protection Act (DPDPA) – we can see that governments globally are getting serious about protecting data and their citizens’ privacy. With so many regulations, meeting compliance could be a difficult task. So Abhishek advises founders to be clear on the basics of all these regulations.
“If you pick up any regulation globally, they strictly ask businesses to use user data only for its intended purposes, and once your purpose is met, you should delete the data. A fine for non-compliance could be huge, up to 4% of your global turnover. So, just a simple lapse could destroy a company financially and also induce severe reputational damage.”
He advises startup founders to run the data audit every year. If a firm is aggressive in its data policy, the audit can be done every six months to check that its established data and security protocols are being sustained and how it complies with new regulatory changes.
Best Practices for Third-Party Outsourcing
Robust Contracts
Abhishek recommends founders start with robust contracts when outsourcing operations or development.
He says, “In the contract, talk about the data that will be transferred to them and how they must securely destroy or erase the data once the project is complete. Also, during the course of the project, clearly mention the technical measures they must take to ensure the safety and privacy of customer or developmental data you send them.”
Certifications
Companies should also inquire about the privacy and InfoSec compliance of third parties. Abhishek has a list of questions you must ask when outsourcing work.
“During the contracting process, ask the team if they are privacy compliant. If they are not, you can ask if they are InfoSec compliant. If they say yes, go one step ahead and ask them to share their ISO certifications. ISO has close to 90+ controls that talk about how you will securely store data and transfer access control to a secured environment.”
By asking these questions, Abhishek says that founders can ensure that the data they pass on to a third party for development or any other requirement is secure.
Security Checks
There are also cases where a firm may not have these certifications yet but can still be a good firm to work with. To establish that such a firm follows safe data security practices, Abhishek suggests founders check its working environment itself.
“Check if the laptops or the IT assets of the employees in these firms are personal or company provided. If it is a company-owned asset, there may be security measures where the data will remain in company devices. But if they are using personal devices, we must be wary about data leakage. The outsourced firm should have a policy on imposing restrictions on the download of secure data. There must also be restrictions on sending documents to external IDs, and consider disabling the USB system.”
Abhishek also advises founders to create a secure environment to store and share data when outsourcing. Give access to the third party to only that closed and secure data environment so that the data remains within your organization where you have control.
“Understand that in case of a breach, the firm to which you have outsourced your data will not be found liable. So your data and your reputation are at stake here, and you have to protect it.”
Data Breaches and Breach Response
Despite precautions, we do see that data breaches happen, and it could be for a variety of reasons. So, having a breach response plan is crucial.
Breach Assessment
In the event of a data breach, Abhishek recommends a structured response plan. He emphasizes the importance of not panicking.
“Whenever any breaches occur, everyone goes into panic mode. It’s imperative not to panic. The first step is to understand and distinguish whether it is a security or personal data breach. Once you have identified it, quickly assess the severity of impact or damage caused by the breach.”
Notification
Once the breach assessment is done, Abhishek explains that the next and most crucial step in breach management is to notify stakeholders. Timely communication is paramount. This includes notifying data controllers, processors, and supervisory authorities as required by regulations like GDPR.
“In the data privacy world, there are two major players - one is the data controller (the owner who is collecting the data) and the other is the data processor (third parties you have contracted and sent the data to). If your firm is a data processor, you must immediately inform the data controller, who will notify the regulatory authorities. The data processor cannot reach out directly to the authorities,” Abhishek explains.
But before the authorities are notified, the data controller and processor must perform the breach assessment mentioned above.
“The GDPR clearly mentions that once you become aware of the breach, you must inform the supervisory authority within 72 hours. The controller must inform the supervisory authorities about the nature of the breach, the impact, and plans to mitigate the breach. The regulation mandates that firms have a breach-management policy in place.”
Once the regulatory authorities are informed, the data controller takes a call on notifying the data subjects, that is, the customers from whom the data was collected. The messages you see in email or on social media informing you about a company breach come from that particular company’s data controller.
While explaining these nuances in breach response, Abhishek reiterates the importance of not panicking. He says, “Whenever companies identify a breach, they panic and immediately reach out to the supervisory authorities. Before reaching out to the authorities, you must be aware of the nature of the breach and impact - this includes knowledge of whether it’s a single-person or a large data breach and if it has happened in multiple geographies.”
Abhishek says that having a data privacy policy helps companies avoid panic and take a structured approach. Transparent and swift action helps limit the damage to a company’s finances and minimizes reputational damage.
Handling Multi-Geographical Data Breaches
When operating in multiple geographies, Abhishek advises addressing breaches on a case-by-case basis. Notifying affected individuals should be specific to those regions where breaches occur, ensuring that the company’s reputation remains intact in unaffected areas. So, identifying the nature of data breaches is once again the key here.
He says, “Only notify those users where a breach has happened. You cannot release a generic statement that your company has a breach and everyone is at risk. This shows immaturity and brings reputational damage.”
First Principles of Data Security for Product Companies
Ensuring Privacy by Design
Abhishek underscores the importance of implementing privacy-by-design principles: when designing any product, design it with privacy in mind and with an eye to how it impacts users.
“For example, you can design a system in place in your product which will automatically remind you to delete user data after five or ten years - a certain period that regulators mandate, after which you must delete their data. This approach not only ensures compliance but also builds trust with customers.”
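The retention reminder Abhishek describes can be implemented as a small policy check that runs against the records a product stores. The block below is an added example written for this article, not code from Abhishek or KPMG; the record categories, the retention periods and the reminder lead time are hypothetical placeholders, since the article names no specific regulatory periods beyond “five or ten years”. It decides, for each record, whether it should be retained, flagged for an upcoming deletion, or deleted now, and it treats a record whose category has no retention rule as a finding rather than silently keeping it.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RetentionRule:
    """Retention policy for one data category (hypothetical values)."""
    category: str
    years: int                 # how long the data may be kept
    remind_days_before: int    # how early to raise a deletion reminder


@dataclass(frozen=True)
class Record:
    """One stored item of personal data, identified by category only."""
    record_id: str
    category: str
    collected_on: date
    # Retention clocks usually start when the purpose is fulfilled
    # (e.g. a loan is closed), not when the data was first collected.
    purpose_completed_on: Optional[date] = None


def retention_deadline(record: Record, rule: RetentionRule) -> date:
    """Date after which the record must be deleted under the rule."""
    start = record.purpose_completed_on or record.collected_on
    try:
        return start.replace(year=start.year + rule.years)
    except ValueError:
        # start date was 29 February and the target year is not a leap year
        return start.replace(year=start.year + rule.years, day=28)


def classify(record: Record, rules: Dict[str, RetentionRule], today: date) -> str:
    """Return 'delete', 'remind', 'retain' or 'no_rule' for one record."""
    rule = rules.get(record.category)
    if rule is None:
        # Data with no retention rule is itself a privacy gap to report.
        return "no_rule"
    deadline = retention_deadline(record, rule)
    if today >= deadline:
        return "delete"
    if today >= deadline - timedelta(days=rule.remind_days_before):
        return "remind"
    return "retain"


def review_records(records: List[Record], rules: Dict[str, RetentionRule],
                   today: date) -> Dict[str, List[str]]:
    """Group record ids by the action the retention policy requires."""
    report: Dict[str, List[str]] = {"delete": [], "remind": [], "retain": [], "no_rule": []}
    for record in records:
        report[classify(record, rules, today)].append(record.record_id)
    return report


# Hypothetical rules: the periods are placeholders, not regulatory values.
RULES = {
    "loan_application": RetentionRule("loan_application", years=10, remind_days_before=90),
    "marketing_consent": RetentionRule("marketing_consent", years=5, remind_days_before=30),
}

# Constructed sample records for the demonstration.
SAMPLE_RECORDS = [
    Record("R1", "loan_application", date(2013, 6, 15), date(2014, 1, 10)),   # past deadline
    Record("R2", "loan_application", date(2014, 5, 1), date(2014, 5, 20)),    # deadline 2024-05-20
    Record("R3", "loan_application", date(2020, 2, 29)),                      # leap-day start
    Record("R4", "device_fingerprint", date(2023, 11, 2)),                    # no rule defined
]
AS_OF = date(2024, 3, 1)


def demo_review() -> Dict[str, List[str]]:
    """Run the policy over the constructed sample as of AS_OF."""
    return review_records(SAMPLE_RECORDS, RULES, AS_OF)


if __name__ == "__main__":
    for action, ids in demo_review().items():
        print(f"{action:8s} {ids}")
```

Running the check on a schedule and routing the `remind` and `no_rule` buckets to the team that owns the data turns the retention requirement into a recurring, auditable task rather than something remembered at audit time.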
Implementing Data Minimization
He further explains that understanding the product’s purpose is key to collecting the right amount of data. Collecting excess data just for the sake of analytics can lead to unnecessary risks and regulatory issues.
“You must understand what your product is all about. I’ve seen startups get greedy and collect more data to do certain internal analytics in the background. Sticking to the purpose of your application and what is needed to run the product is vital. The less data you collect, the less trouble it will be for you and the less effort to maintain that data.”
Building a Culture of Privacy Awareness
Targeted Training
Abhishek advises tailoring privacy training to different roles within the organization. Training content should align with employees’ responsibilities, ensuring they understand how privacy principles apply to their daily tasks.
Multiple Communication Channels
Companies should use various communication channels to foster privacy awareness, including in-person training, virtual sessions, emails, posters, and roadshows. These efforts should aim to engage employees and make privacy a part of their everyday mindset.
Monitoring and Continual Improvement
Companies should regularly monitor privacy awareness and create an environment where employees feel comfortable reporting privacy concerns. Continuous improvement in privacy practices should be a shared goal.
Clear Segregation of Duties
Abhishek points out that clear segregation of duties is often overlooked, especially in startups. This lapse can lead to data security issues, making it crucial to establish well-defined roles and responsibilities.
Ongoing Awareness
Lastly, he emphasizes the importance of maintaining awareness even after initial training. Regular updates and ongoing communication help employees stay vigilant against evolving privacy threats.
Abhishek Tiwari’s insights shed light on the multifaceted world of privacy and data security. For founders and leaders of startups and digital-first companies, his advice serves as a roadmap for establishing and maintaining a robust privacy program. In a digital age where data protection and privacy are paramount, understanding these principles is not only a legal requirement but also a moral and ethical one.