What Are Red Flags in ITeS Companies Under Data Protection?
The red flags for ITeS companies worldwide, including India, can be summarised as under:
Lack of Compliance with Regulations
- Global: Non-compliance with DPDPA, PDPL, GDPR, CCPA, or other regional data protection laws.
- India: Non-compliance with the Information Technology Act, 2000, and the Digital Personal Data Protection Act, 2023 (DPDPA, 2023).
Inadequate Data Security Measures
- Global: Lack of encryption, multi-factor authentication, or firewalls.
- India: Data security has historically not been treated as a concern because no dedicated data protection law was in place; this will change once the DPDPA, 2023 becomes enforceable.
Poor Incident Response Plans
- Global: Absence of a well-defined incident response plan or failure to notify affected parties in the event of a data breach.
- India: The habit of disclosing breaches is lacking; with the DPDPA, 2023 to be enforced soon, this mindset will have to evolve so that data breaches are reported within the stipulated timelines.
Ambiguous Contractual Terms
- Global: Contracts that lack clarity on data ownership, data usage, and data protection responsibilities.
- India: Contracts that do not specify compliance with Indian data localisation requirements. They should be vetted and redrafted.
Inadequate Employee Training
- Global: Lack of regular training programs on data protection and cybersecurity.
- India: Failure to train employees on the specific requirements of Indian data protection laws.
Unvetted Third-Party Vendors
- Global: Lack of due diligence in vetting third-party vendors for compliance with data protection laws.
- India: Not evaluating the data protection measures of third-party vendors based in India or abroad.
Data Transfer Risks
- Global: Inadequate safeguards for cross-border data transfers, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
- India: Non-compliance with Indian data localisation requirements for sensitive personal data.
Lack of Transparency
- Global: Failure to provide clear and accessible privacy policies.
- India: Not providing privacy policies in local languages or not being transparent about data collection practices.
Over-collection of Data
- Global: Collecting more data than necessary for the stated purpose, violating the principle of data minimisation.
- India: Collecting sensitive personal data without explicit consent.
Automated Decision-Making Without Oversight
- Global: Use of automated systems for decision-making without human oversight or the ability for human intervention.
- India: Lack of disclosure about automated decision-making processes, which will be a requirement under the DPDPA, 2023 once it is notified for enforceability.
Failure to Conduct Regular Audits
- Global: Not conducting regular audits to assess data protection measures.
- India: Failure to adhere to any mandatory audit requirements set forth by Indian authorities.
Non-Existence of a Data Protection Officer (DPO)
- Global: Not appointing a DPO where required by law.
- India: Not appointing a Data Protection Officer if mandated by the upcoming Personal Data Protection Bill.
These red flags can serve as a comprehensive checklist to assess the data protection posture of the ITeS sector, both within India and globally.
For any query or feedback, please feel free to get in touch with dataprivacy@amlegals.com or mridusha.guha@amlegals.com