What Are Red Flags in ITeS Companies Under Data Protection?
The red flags for ITeS companies worldwide including India can be summarised as under;
Lack of Compliance with Regulations
- Global: Non-compliance with DPDPA, PDPL, GDPR, CCPA, or other regional data protection laws.
- India: Non-compliance with the Information Technology Act, 2000, and the Digital Personal Data Protection Act,2023(DPDPA,2023).
Inadequate Data Security Measures
- Global: Lack of encryption, multi-factor authentication, or firewalls.
- India: Data security has never been a concern due to lack of Data Protection law in place, which will change after the enforceability of the DPDPA,2023 in place.
Poor Incident Response Plans
- Global: Absence of a well-defined incident response plan or failure to notify affected parties in the event of a data breach.
- India: A habit is lacking to disclose and with DPDPA, 2023 to be enforced soon, such mindset should have to be evolved to report data breaches within stipulated timelines.
Ambiguous Contractual Terms
- Global: Contracts that lack clarity on data ownership, data usage, and data protection responsibilities.
- India: Contracts that do not specify compliance with Indian data localization requirements.They should be vetted and redrafted.
Inadequate Employee Training
- Global: Lack of regular training programs on data protection and cybersecurity.
- India: Failure to train employees on the specific requirements of Indian data protection laws.
Unvetted Third-Party Vendors
- Global: Lack of due diligence in vetting third-party vendors for compliance with data protection laws.
- India: Not evaluating the data protection measures of third-party vendors based in India or abroad.
Data Transfer Risks
- Global: Inadequate safeguards for cross-border data transfers, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
- India: Non-compliance with Indian data localisation requirements for sensitive personal data.
Lack of Transparency
- Global: Failure to provide clear and accessible privacy policies.
- India: Not providing privacy policies in local languages or not being transparent about data collection practices.
Over-collection of Data
- Global: Collecting more data than necessary for the stated purpose, violating the principle of data minimisation.
- India: Collecting sensitive personal data without explicit consent.
Automated Decision-Making Without Oversight
- Global: Use of automated systems for decision-making without human oversight or the ability for human intervention.
- India: Lack of disclosure about automated decision-making processes, which would be a requirement under DPDPA,2023 once notified for its enforceability.
Failure to Conduct Regular Audits
- Global: Not conducting regular audits to assess data protection measures.
- India: Failure to adhere to any mandatory audit requirements set forth by Indian authorities.
Non-Existence of a Data Protection Officer (DPO)
- Global: Not appointing a DPO where required by law.
- India: Not appointing a Data Protection Officer if mandated by the upcoming Personal Data Protection Bill.
These red flags can serve as a comprehensive checklist to assess the data protection posture of ITeS sector, both within India and globally.
For any query or feedback, please feel free to get in touch with email@example.com or firstname.lastname@example.org