Insights from Abhishek Tiwari, Manager - KPMG India and member of ISACA
Startups are increasingly becoming vulnerable to data breaches. Looking at recent news reports, you’ll find that Juspay lost 35 million records, Unacademy lost over 20 million, and we don’t have to tell you about the data breach at Byju’s, which exposed sensitive student data, including loan details.
IBM Security’s ‘Cost of a Data Breach Report’ underscores the gravity of this issue – the average cost of a data breach in India stood at ₹17.7 crore in 2023, a significant 28% increase since 2020. Considering the costs involved, one might expect digital-first firms to be taking this seriously and actively working to prevent mishaps. But the recent State of Cybersecurity 2023 survey by ISACA, an international professional association focused on IT governance, reveals a different picture.
More than 40% of Indian respondents in the ISACA survey revealed that their cybersecurity teams are understaffed, and a whopping 69% said that data breaches resulting in physical or financial harm to customers were among their top concerns about a cybersecurity attack on their organization.
In an age where data is considered the new gold, digital-first companies must navigate the complex landscape of privacy and data security “to ensure compliance and safeguard reputation,” says Abhishek Tiwari, a member of ISACA and manager at KPMG India.
Abhishek is a seasoned cybersecurity professional with 14+ years of experience in privacy risk assessments, strategy development, and implementing privacy and information security programs across organizations. In a conversation with ProdWrks, he outlined key considerations and best practices for founders and leaders of digital-first companies to understand the privacy landscape and ensure a culture of privacy awareness.
Understanding the Data and Privacy Landscape
The problem with most digital-first companies is that they are ill-equipped to handle any kind of data or privacy-related issue because there is no plan in place. ISACA’s survey revealed that 28% of respondents identified data-related topics as the biggest skill gap they see in today’s cybersecurity professionals.
We asked Abhishek how he goes about his privacy audits, an approach other digital companies can follow, and here are his inputs.
Assessing the Privacy Posture
Abhishek Tiwari emphasizes that understanding a company’s privacy posture is paramount for every product company. This initial assessment involves evaluating the firm’s data handling practices and identifying areas of compliance and non-compliance. Whether a company is starting from scratch or looking to enhance its existing privacy program, this assessment is a foundational step.
Speaking about his assessment methodology, Abhishek says, “We start by understanding the company – the domain, sector, and operational geographies. This helps us understand what exactly they are doing and what is the involvement of personal data in their firm itself. The operational geographical spread helps us understand which regulations will apply to them.”
Gap Assessment and Data Lifecycle
Abhishek stresses the significance of conducting a thorough gap assessment that covers all aspects of data privacy, from data collection to disposal. Understanding the data lifecycle is essential to ensure every step aligns with regulatory requirements, such as GDPR.
During this journey, Abhishek also gets an understanding of third parties involved with a firm and how they handle their data.
For companies that collaborate with third parties or outsource development and operations, Abhishek advises founders to assess how the parties handle data and whether they align with the company’s privacy principles.
You’ll find more information below on best practices to follow while working with third parties.
The Cost of Non-Compliance
With Europe already strict in enforcing GDPR guidelines and India following suit with its own version – the Digital Personal Data Protection Act (DPDPA) – governments globally are clearly getting serious about protecting data and their citizens’ privacy. With so many regulations, meeting compliance can be a difficult task, so Abhishek advises founders to be clear on the basics of all these regulations.
He advises startup founders to run the data audit every year. If a firm is more aggressive in its data policy, the audit can be done every six months to check whether its established data and security protocols are being sustained and how to comply with new regulatory changes.
Best Practices for Third-Party Outsourcing
Abhishek recommends founders start with robust contracts when outsourcing operations or development.
Companies should also inquire about the privacy and InfoSec compliance of third parties. Abhishek has a list of questions you must ask when outsourcing work.
By asking these questions, Abhishek says that founders can ensure that the data they pass on to a third party for development or any other requirement is secure.
A firm may not have these certifications yet and still be a good firm to work with. To establish that such a firm’s data security practices are sound, Abhishek suggests that founders check its working environment themselves.
Abhishek also advises founders to create a secure environment for storing and sharing data when outsourcing. Give the third party access only to that closed, secure data environment, so that the data stays within your organization, where you retain control.
Data Breaches and Breach Response
Despite precautions, data breaches do happen, and they can occur for a variety of reasons. So, having a breach response plan is crucial.
In the event of a data breach, Abhishek recommends following a structured response plan. He emphasizes the importance of not panicking.
Once the breach assessment is done, Abhishek explains that the next and most crucial step in breach management is to notify stakeholders. Timely communication is paramount. This includes notifying data controllers, processors, and supervisory authorities as required by regulations like GDPR.
But before the authorities are notified, the data controller and processor must perform the breach assessment mentioned above.
Once the regulatory authorities are informed, the data controller decides whether to notify the data subjects, i.e. the customers from whom the data was collected. The messages you see in email or on social media informing you about a company breach come from that company’s data controller.
Handling Multi-Geographical Data Breaches
When operating in multiple geographies, Abhishek advises addressing breaches on a case-by-case basis. Notifying affected individuals should be specific to those regions where breaches occur, ensuring that the company’s reputation remains intact in unaffected areas. So, identifying the nature of data breaches is once again the key here.
First Principles of Data Security for Product Companies
Ensuring Privacy by Design
Abhishek underscores the importance of implementing privacy-by-design principles. When designing any product, design it with privacy in mind, considering how it impacts users.
Implementing Data Minimization
He further explains that understanding the product’s purpose is key to collecting the right amount of data. Collecting excess data merely for the sake of analytics creates unnecessary risk and invites regulatory issues.
Building a Culture of Privacy Awareness
Abhishek advises tailoring privacy training to different roles within the organization. Training content should align with employees’ responsibilities, ensuring they understand how privacy principles apply to their daily tasks.
Multiple Communication Channels
Companies should use various communication channels to foster privacy awareness, including in-person training, virtual sessions, emails, posters, and roadshows. These efforts should aim to engage employees and make privacy a part of their everyday mindset.
Monitoring and Continual Improvement
Companies should regularly monitor privacy awareness and create an environment where employees feel comfortable reporting privacy concerns. Continuous improvement in privacy practices should be a shared goal.
Clear Segregation of Duties
Abhishek points out that clear segregation of duties is often overlooked, especially in startups. This lapse can lead to data security issues, making it crucial to establish well-defined roles and responsibilities.
Lastly, he emphasizes the importance of maintaining awareness even after initial training. Regular updates and ongoing communication help employees stay vigilant against evolving privacy threats.
Abhishek Tiwari’s insights shed light on the multifaceted world of privacy and data security. For founders and leaders of startups and digital-first companies, his advice serves as a roadmap for establishing and maintaining a robust privacy program. In a digital age where data protection and privacy are paramount, understanding these principles is not only a legal requirement but also a moral and ethical one.