PRO M O TI NG DATA PRO TECTI O N

®
A NASSCOM Initiative

Consumer Data Privacy | 1

2 | Consumer Data Privacy
Table of Contents
1. Background 4

2. Introduction 5

3. Environments: Enterprise & Consumer 7

4. Security & Privacy Modeling of Consumer Data 12

5. Targeted Attacks on Consumer Data & their Ramification 14

6. Extreme Digitization & Consumer Data Privacy 15

7. Regulatory Standards yet to evolve to take care of Issues in the 16

consumer environment

8. Regulatory Standards Showing the Way Ahead 18

9. Recommendations 20

Citations 22

References 22

Consumer Data Privacy | 3

 1 Background

The momentum of digitization witnessed among various business sectors has led to unprecedented amount of
collection, processing, sharing and exchanging of consumer information. While data is central to the process of
digitization, it is important to incorporate data privacy centric designs for security and privacy, especially keeping
in mind the growing regulatory interventions in this space. While organizations tend to take adequate measures
to protect consumer privacy, consumer data is increasingly crossing the organizational boundary due to the
ubiquitous nature of digitization. Regulatory requirements, obligations and liabilities are increasingly making
organizations accountable for consumer privacy. For successful digitization, garnering confidence of consumers
and satisfying increasing obligations, enterprises should look for extending their reach of privacy protection
beyond their organizational boundary. They should enable consumers with instruments, tools and alternatives to
protect their data in diverse operating environments.

4 | Consumer Data Privacy

 2 Introduction
Digitization is proving its transformative impact on the global economy
and society alike. It has ushered in an era of intense competition, greater
consumer interaction, and technological advancements. This push for Consumer Data is
persistent advancement is making companies rethink their business central to the theme of
processes and models. Companies are taking efforts for crafting a Digitization. Consumer data
compelling customer experience, in which all interactions are expressly
is increasingly logged in
digital forms. Enterprises’
tailored to a customer’s preferences and behaviour. Digitization also
abilities of collecting data
unleashes a variety of new possibilities. The core aspect of digitization
has increased sharply and
is innovating and finding new ways of engaging with customers and
so are their data processing
the personal data of the consumer is central to this process. Personal
capabilities.
data is increasingly logged digitally by new forms of consumer centric
technologies and devices. On the other hand, enterprises’ abilities of
collecting data has increased sharply and so are their data processing
capabilities. Apart from the collected data, enterprises are increasingly
getting data from external sources, enriching their knowledge about consumers. Data is intuitively managed to
provide convenience and rich experience to the consumers. During the process, many new business possibilities
are emerging. Consumers are indulged with new products and services that are customized to their preferences
and behavior.

Strong waves of digitization are being witnessed in almost all sectors like e-commerce, e-governance, retail,
telecom and even oil and energy, with the BFSI sector seems taking the lead in it. Expansion of communication
and Internet services remains as a key driver behind this revolution. As per the recent IAMAI KANTAR-IMRB
report[1], the number of mobile Internet users in India are expected to reach 478 million by June 2018. This surge
of digitization has made a significant impact on the digital payment ecosystem as well. For the financial year
2017-18, the transactions using the Unified Payment Interface (UPI) numbered INR 856.59 Billion in value and
737.18 Million in volume (NPCI, Digital Payments Statistics, 2017)[2].

Mobile
478 Million
Internet
by June 2018
Users

FY 2017-18 – UPI Transactions

Value:
856.59 Billion Million Transactions

Consumer Data Privacy | 5

 Data collected from all possible sources is processed in a variety of ways. Access
to it is provided within and outside the boundary of the organization. It is further
Paradigm of shared for various purposes. This has become an important theme of digital
privacy protection economy and has invariably given rise to a new era of innovation, predictive
is now changing to analytics and machine learning. This collection and usage of information on the
make enterprises other hand, raises privacy concerns. Consumers and regulatory bodies are taking
more accountable note of it. These concerns are getting translated into privacy expectations,
for privacy obligations and liabilities to be imposed on enterprises that are in the business of
collecting and processing personal information. Privacy principles not only set the
expectations, but also create legal liabilities. Consumer centric privacy principles
like notice, choice, and consent ensure that the consumers are informed, choices are given to them and their
consents are sought before collecting the information. Other principles like use limitation and security emphasize
on protection of data in the enterprise environment.

The principles and corresponding obligations and liabilities would ensure that
enterprises take due care to protect the information in their environment. The
information collected and processed is also exchanged and shared with the Consumers equipped
consumer. Because of increasing digitization, the quantum, complexity and with techniques to
frequency of the shared information is rising significantly. However, in the secure their personal
consumer environment, information is likely to lose the level of protection information would
seen in the enterprise environment. Information in the consumer environment unleash many new
is emerging as a key cause of concern. Although regulatory standards are not possibilities of
digitization.
fully evolved to take care of privacy issues in the consumer environment,
they have been hinting in that direction. Adoption of ‘accountability’ as a
privacy principle gives testimony of that. The paradigm of privacy protection
is changing to make enterprises accountable for the protection of privacy. The new General Data Protection
Regulation (GDPR), which would be enforced in the EU in May 2018, has already adopted ‘accountability’ as a
principle of privacy. It advocates enterprises to have proactive approach for protecting personal information. It
hints that the enterprises should walk extra miles to protect consumer data. Traces of this paradigm is also
witnessed in other parts of the world. In India, a RBI circular published in July 2017, limits the customer liability
when unauthorized transactions occur because of a fraud, where the deficiency is neither with the bank nor with
the customer. It is also important to note that the Justice Shri Krishna committee established to frame a data
protection legislation for India has balancing privacy of individuals in an ever-evolving digital economy as its
fundamental task.

The new paradigm of shifting the liability of security and privacy to the enterprises is likely to demand protection
of data irrespective of where it lies. Organizations may have to go beyond their boundaries to protect consumer
data. If organizations are inventing ways to secure the consumer data, even though it leaves organizational
boundary and equip consumers with tools to protect their data, it would certainly help them stand high in their
compliances. Moreover, these positive actions will certainly instill consumer confidence on digitization. The
confidence of customer would certainly unleash many new possibilities of digitization.

6 | Consumer Data Privacy

 3 ENVIRONMENTS:
ENTERPRISE & CONSUMER
The enterprise and consumer environments are depicted in the figure below. Typical enterprise environment
involves applications, databases, networks, storages, servers, messaging systems, and endpoints. Business
processes and operations leverage them for collecting, processing and sharing personal information for various
purposes. They also generate data while processing transactions of the customers. Enterprises also leverage
various channels to interact and engage with its customers. They also deliver a variety of documents over these
channels to their customers. They also tend to provide links to the customer to access their data.

Enterprise Consumer
Environment Environment

Applications
Sharing

Sharing
Databases
Statements | Bills | Receipts
Transaction Notifications Endpoints
Networks
Processing

Accessing

Storages Email Internet Access

Delivering

Receiving

SMS
Messaging
Systems Web Access
Email System
Mobile App
Collection

Storing

Servers
Mobile App
Reports | Results | Returns
Endpoints Claims | Itineraries | Pay Slips

Consumer environment, on the other hand, typically involves endpoints, Internet connectivity, messaging systems
and possibly mobile applications. These systems receive documents delivered by the companies. Consumers
download and store these documents. The documents reside in the email box, local storages and mobiles of the
customer. They may share the document with third parties for various purposes.

Consumer Data Privacy | 7

 Exchange between Enterprise and Consumer Environments:
Use Cases
Many digital services online require consumer’s personal information. In the below sample use cases, it can be
seen how consumer data is exchanged between enterprise and consumer environment.

i Banking
Disruptive penetration of web and mobile technologies has ushered the growth of online banking.
Internet banking or virtual banking enables customers of a bank or financial institution to conduct wide
range of financial transactions through their websites. Convenience and ease of use has ushered the wide
adoption of online banking.

˩˩ Many banking institutions deliver account statements, credit card bills, transaction statements,
bank balance, etc. to consumers through email attachments and downloadable links.

˩˩ The digitization push has increased the frequency and volume of transactions. The transaction
generated data reveals critical information of consumers, from his or her financial status to spending
behavior. Often such data is stored locally on the consumer’s devices.

˩˩ Consumers tend to share the data files with third parties like financial consultants, wealth
managers, etc. This data is also sought for various purposes such as availing loans or getting high
value financial products.

II Other Financial Institutions

Digitization is also driving other financial sectors such as insurance, capital market, non-banking financial
companies, pension funds, etc.

˩˩ Insurance sale is increasingly becoming digital; policies are delivered to the customers over
electronic channels. Various set of information is delivered to the consumer during the tenure of the
policy. Access is provided to the customer for viewing and downloading information. Customers use
downloaded policy documents for various purposes.

˩˩ Mutual fund houses or associated aggregation agencies deliver documents to its customers at a
regular interval, informing the status and performance of investment.

˩˩ In the consumer environment, these documents can be found either on consumer devices or in their
emails.

8 | Consumer Data Privacy

III Employee Benefits

Many organizations have modernized their internal operations for better employee experience and care.

˩˩ Organizations share personal financial information of their employees like Pay slips, Income Tax
returns, Health Benefits related claims, etc.

˩˩ The information is delivered either as email attachments or downloaded from an internal portal.

˩˩ These documents would reside on the devices or in the emails of the employees. They would possibly
share these documents for various purposes, as any consumer would do.

IV Healthcare

Hospitals and health care organizations like diagnostic centers embrace digitization to provide better
patient care.

˩˩ Hospitals provide digitized copies of reports, diagnosis results, treatment schedules, etc. to patients.

˩˩ Rise of personal digital health technologies contribute towards generating health information. This
information is delivered through various forms.

˩˩ Continuous health monitoring requires collection, transmission, syncing and storing data on multiple
devices. Hospitals would either do it on their own platform or use third party platforms. Patients
are often given access to these platforms from where they would download these documents on
their devices. Health sensitive documents would reside on the consumer’s device or in their emails.
The platforms may provide them the facility of providing access to information to other hospital or
doctors as well.

V E-Governance

Governments and their affiliated organizations also embrace digitization to provide citizens better
Governance.

˩˩ Many government agencies collect consumer information for providing various services like:

o Filing tax returns

o Paying property taxes

o Employee provident fund

Consumer Data Privacy | 9

 ˩˩ Apart from conventional services, the effort of Digital Governance led to offering 183 services
on the Government of India’s ‘Umang’ application. These services are offered by 36 government
departments and 6 states. A representative list of services are as follows:
o Residential certificate
o Land records
o Salary records and pay slips of government departments
o Crop insurance
o CBSE exam results
o Digital life certificate
o Pension systems
o Employment and skill
o Soil health card

˩˩ Digital locker services introduced by the central government provide a platform for storage, sharing
and verification of documents and certificates. DigiLocker platform already enlists 36 document
issuers. Government departments or agencies, educational institutions and financial institutions
registers themselves as an issuer on the platform. Central Board of Direct Taxes [CBDT], education
board like CBSE, driving license issuing authorities, vehicle registration, etc. are some examples of
issuers and verifiers on the DigiLocker.

˩˩ Citizens avail these services either by going to digital delivery channels of the individual publics
service providers, issuer and verifier or rely on public service aggregator applications like Umang.

˩˩ Mobile has emerged as a key channel for delivery of such services. The digital documents delivered
by public authorities are critical for the citizens. These documents are either delivered over the
email or available for download on the websites and mobile applications. These documents reside
on consumer devices and in their emails. These documents would be extensively shared by the
citizens.

VI Travel

Online travel booking has made it very easy to plan personal vacations or business trips. These services
are also mostly delivered digitally.

˩˩ Digital agencies that provide travel and hotel services collect personal information from their
consumers for travel booking and providing travel itineraries

˩˩ Travel itineraries and plans are delivered to the users over email, SMS and mobile applications

˩˩ Hospitality platforms also provide a whole new experience to the travelers by aggregating inventories
available for their stay. They exchange data with consumers on their bookings and bills.

10 | Consumer Data Privacy

VIII Utility Bills

Utilities sector is also increasingly adopting digital payment methods.

˩˩ Statement of bill is generated digitally and delivered to consumers over email and through links for
downloading the bills.

˩˩ Utility bills are also critical for consumers, as in many cases, they are treated as an address
verification proof.

˩˩ The digital copies of the bill often reside on the devices and in the emails of the consumer.

Consumer Data Privacy | 11

 4 SECURITY & PRIVACY MODELING OF
CONSUMER DATA
In the current context, typically followed security measures are deployed to protect consumer data. This section
accesses their efficacy of providing data protection in the consumer environment.

Password Protected Files

Data disseminated by organizations to consumers (especially financial data) is currently delivered through
password protected files. The files are protected usually by static preset passwords (based on PAN number or
date of birth) or similar patterns. This offers poor protection against brute force attacks. It is proven by number of
password extractors available online that such mechanisms offer poor or rather nil protection putting consumers
data at risk. Password protected file is vulnerable to brute force/dictionary attacks unless the password is long
and complex.

Disk Encryption
Full Disk Encryption (or Folder/File level encryption) is another promising technology for safeguarding consumer
files. Although such techniques offer good security locally, there is no guarantee that consumer would encrypt his
or her disk. Even if consumers encrypt their local disk, it would not work when files need to be shared with a third
party (ex: Tax Consultant). Files once shared; consumers do not have control over the data. The receiving party
may not enable necessary protection. Also, numerous challenges such as complicated user experience, tedious
key management and lack of necessary expertise among the consumers make usage of the current encryption
techniques very difficult.

Enterprise Device Management

Many organizations deploy Enterprise Device Management solutions that offer ‘remote wipe off’ of data on the
devices in case of compromise. But such solutions could be installed only in devices they have control, for example
employees or partners devices. This measure is not applicable in the consumer environment.

Data Leak Prevention

Data leak prevention is another technology deployed by organizations to prevent data exfiltration from the
devices. But since consumers are off the organization’s network perimeter and beyond their control, such
measures cannot be deployed.

Cloud Storage
Rapid explosion of Cloud Storage services like DropBox, Box, Google Drive, etc. make it very easy to share data
with others and ensure backups. While these platforms offer security capabilities, consumers lose control over
the offline copies made by third parties after sharing and syncing. Also, numerous breaches have been reported
in recent past where consumer’s data has been publicly exposed on the Internet.

12 | Consumer Data Privacy

Issues Associated with Shared Data Files

Shared data files expose consumers to various security risks as mentioned below:

(i) Opening, storing and sharing document with one password jeopardize security of data within the
file

(ii) Data files shared with different entities often remain with them even when the purpose is over

(iii) Once shared, consumers would loose control over the security of data files

(iv) Tracking the files shared and stored over devices may not be easy for the consumer

(v) Assurance over security of the files shared on channels like email clients may not be easy

Consumer Data Privacy | 13

 5 TARGETED ATTACKS ON CONSUMER
DATA & THEIR RAMIFICATION
As seen in previous use cases and many more, there is ample amount of consumer’s personal data awaiting
adequate measures to safeguard it from threat actors. Critical data belonging to consumers is under constant
threat from numerous attack vectors like mentioned below:

(i) Identity Theft

Identity Theft involves threat actors passively or actively snooping for private information of targeted
consumers. Subsequently, such information is used to impersonate the consumer and gain advantage. For
example, access to private information such as last few transactions on a credit card can help in tricking a
call center executive of the bank as a legitimate user.

(ii) Malware
Modern malware is much more sophisticated in its ways, especially in data exfiltration. Malicious programs
like keyloggers once installed in consumer devices can steal critical data and upload to a remote server of
attacker’s choice.

(iii) Ransomware
Ransomware is another powerful form of Malware that can be destructive and devastating in nature as
seen in recent times. Consumer’s data could be held for a ransom amount and unlocking it may not be
always ensured despite paying the ransom. Further, data once destructed is hard to recover unless necessary
backups are maintained.

(iv) Cybercrime
Lack of adequate controls on private data also rises many forms of cybercrimes like cyber bullying, online
trolls, credential abuse, etc. If data is leaked, the consumer may experience much serious harm.

14 | Consumer Data Privacy

 6 EXTREME DIGITIZATION &
CONSUMER DATA PRIVACY
The equation of consumer data privacy would change significantly due to the fast paced and voluminous
digitization drive as mentioned below:

(i) Digitization opens organization to a variety of new possibilities and purposes, which would make access to
data quite liberal. It might require sharing data with new entities, providers and ecosystem partners. The
data would be moving out of the organization’s boundary quite often. It might move to an environment that
is not inherently secure or not equipped with tools to secure the data.

(ii) Continual and forceful drive for digitization would invent new channels and ways to share or deliver data.
Extending existing security and privacy controls to this channel may not be easy. However, without it,
consumer data may not get the necessary protection.

(iii) The regime of data centric digitization drive would generate volumes of data. The data set would be
increasingly complex and interdependent. Satisfying security and privacy expectations in increasing volume
and complexity of data would be difficult. Because of privacy liabilities, enterprises are likely to deploy
necessary safeguards for consumer data in their environment. However, once data leaves its boundaries, it
leaves behind the protection. Because of the quantum and complexity, if protection is not extended beyond
the boundaries of the enterprises, it would lead to serious consequences.

(iv) Ecosystem players in the drive of digitization would also be delivering data. Data files would be increasingly
exchanged with these players for various purposes like identification and verification. Data will be exchanged
between multiple environments; not only among the enterprise and consumer environments. If the desired
level of protection doesn’t travel along with data, it would raise many doubts on the extending ecosystem
and players innovating under it

(v) Number of interactions with the consumer would be increasing multifold.

Maintaining security and privacy of each interaction and exchange in
conventional ways would not be possible. The equation of
consumer data
(vi) Consumers would be sharing his or her information quite actively to privacy would change
take benefits of digitization. Increasing instances of sharing of personal significantly due
information may jeopardize security and privacy posture. to the fast paced
and voluminous
(vii) In the fast-paced digital transaction age, consumers may not be always digitization drive
in the right frame of mind, ensuring his security and privacy when he
engages in a transaction involving his or her personal data. If the design of
security and privacy is relying on consumer actions, possibility of failures
are more.

Consumer Data Privacy | 15

 7 REGULATORY STANDARDS YET TO
EVOLVE TO TAKE CARE OF ISSUES IN
THE CONSUMER ENVIRONMENT
In the current context, numerous standards, frameworks and best practices exist for guiding and driving
protection of data within the organization’s perimeter. Often, the recommendations and guidelines for protection
of consumers data ‘off the perimeter’ are either completely ignored or ambiguously defined. Below we examine
few such popular frameworks and standards.

(i) Cybersecurity Framework - RBI

Recent guidelines released by the Reserve Bank of India (RBI) addresses the distinct cyber security policy
for all the banks in India. Ensuring the protection of Consumer Information has been one of the important
priorities as described in the framework quoted below for reader’s convenience.

“Banks, as owners of such data, should take appropriate steps in preserving the Confidentiality, Integrity
and Availability of the same, irrespective of whether the data is stored/in transit within themselves or with
customers or with the third-party vendors; the confidentiality of such custodial information should not be
compromised at any situation and to this end, suitable systems and processes across the data/information
lifecycle need to be put in place by banks.” [3]

Although it is commendable that the framework brings out the much-needed attention to protection of the
data with consumers off the network. The framework does not elaborate beyond on how such measures
could be achieved. RBI’s guidance on limiting liability of consumers is a welcome step. However, it may need
to evolve further to address specific issues of privacy in consumer environment.

(ii) PCI Standards

Payment Card Industry Security Standards Council (PCI) is another Current standards
popular set of security standards. Different set of standards have been are written from
provided by the council as mentioned below: Organization’s
perspective not
˩˩ PCI-DSS is for organizations who process, store and transmit Credit from Consumer’s
Card information to deliver their digital services. perspective.

˩˩ PCI PTS is a set of security requirements focused on characteristics

and management of devices used in the protection of cardholder
PINs and other payment processing related activities

˩˩ PA-DSS is for software vendors and others who develop payment applications that store, process or
transmit cardholder data and/or sensitive authentication data as part of authorization or settlement,
when these applications are sold, distributed or licensed to third parties

16 | Consumer Data Privacy

 No standards or guidelines have been provided for handling the credit card and/or transactions data that is
delivered by the agencies to Consumers.

(iii) HIPAA
Health Insurance Portability and Accountability Act (HIPAA) has been enacted by the United States Congress.
HIPAA allows use and/or disclosure of Protected Health Information(PHI) for treatment, payment and
health care operations by hospitals and healthcare organizations. HIPAA verbosely defines patient rights for
disclosure of PHI information. HIPAA does not provide recommendations on data protection once the PHI is
delivered to Consumers.

(iv) GLBA
The Financial Services Modernization Act of 1999 or GLBA addresses financial data privacy and security by
establishing standards for safeguarding customers’ ‘non-public personal information’ (NPI) or personally
identifiable financial information stored by ‘financial institutions’, and by requiring financial institutions to
provide notice of their information-sharing practices. In addition, financial institutions can disclose your
information to credit reporting agencies, financial regulatory agencies, as part of the sale of a business, to
comply with any other laws or regulations, or as necessary for a transaction requested by the consumer.
However, there is no specific mention of how security is guaranteed when the information is delivered to
other organizations.

Consumer Data Privacy | 17

 8 REGULATORY STANDARDS
SHOWING THE WAY AHEAD
(i) EU GDPR
The EU General Data Protection Regulation has promogulated adoption of ‘accountability’ as a key principle
of privacy implementation, which can be evolved to derive practices for protecting information in the
consumer environment. The principle advocates concepts like ‘privacy by design’ and ‘privacy enabling
technology’. Equipping the consumers with necessary tools and instruments to take care of their privacy
have been emerging as one of the important aspects of enterprise assuming accountability of privacy
protection. Efforts in this regard may help enterprises to gain high standing in their compliances.

(ii) UK Data Protection Bill, 2017

The new UK Data Protection law that looks to update the existing UK Data Protection Act, 1998, has
recognised security of data processing an essential element of Data Privacy as well. Section 66, of the bill
discusses imposition of appropriate technical and organisational measures to reduce the risks associated
with the processing activity. This might get graduated to involve the measures to protect data in consumer
environment.

(iii) Qatar: Protection of Privacy of Personal Data Act

Article 8(3) of the Qatar Protection of Privacy of Personal Data Act, set to come into force this year, mandates
the use of appropriate administrative, technical and physical precautions as necessary to protect personal
data. Article 13 of the Act also instructs the controller and the processor to adopt all necessary precautions
to protect personal data against loss, damage, change, disclosure and/or illegal/inadvertent access thereto
and/or use thereof. Protection of data in the consumer environment might be termed as a necessary
precaution.

(iv) Australian Data Privacy Framework

Data privacy/protection in Australia is currently made up of a mix of Federal and State/Territory legislation.
The Federal Privacy Act 1988 (Privacy Act) and its Australian Privacy Principles (APPs) apply to private sector
entities with an annual turnover of at least A$3 million and all Commonwealth Government and Australian
Capital Territory Government agencies.

An APP entity must take reasonable steps to protect personal information it holds from misuse, interference
and loss, as well as unauthorised access, modification or disclosure.

Steps and strategies which may be reasonable to take appropriate security safeguards and measures
for protecting personal information need to be fully considered in relation to all of the entity’s acts and
practices. The protection of data in the consumer environment might fall under reasonable and appropriate
security safeguards and measures.

18 | Consumer Data Privacy

(v) Canada
In Canada, there are 28 federal, provincial and territorial privacy statutes (excluding statutory torts, privacy
requirements under other legislation, federal anti-spam legislation, identity theft/ criminal code, etc.) that
govern the protection of personal information in the private, public and health sectors. Each of the Canadian
Privacy Statutes contains safeguarding provisions designed to protect personal information. These provisions
require organisations to take reasonable technical, physical and administrative measures to protect personal
information against loss or theft, unauthorised access, disclosure, copying, use, modification or destruction.
Extending protection to the data in consumer environment might emerge as a reasonable measure.

(vi) Japan
The Act on the Protection of Personal Information (“APPI”) requires that business operators prevent the
leakage of personal data. The APPI does not set forth specific steps that must be taken. Ministry guidelines
impose specific steps that business operators should take to ensure that personal data is secure. The
guidelines on this point are under preparation. These guidelines might evolve in the future to incorporate
aspects of consumer environment.

(vii) Shri Krishna Committee on Data Protection in India

The whitepaper published by the committee on the proposed data protection law in India deliberates
use of ‘accountability’ principle for privacy implementation. The whitepaper states that the principle of
‘accountability’ demands proactive actions from organisations, including continuing investments to ensure
that security safeguards are up-to-date. It illustrates on how empowerment of customers with tools and
technologies to protect their data would help the cause of privacy.

Consumer Data Privacy | 19

 9 RECOMMENDATIONS

Objectives of data privacy should be changed to include the requirements of protection in the consumer
environment. The digitization plans wouldn’t get materialized if consumer data is insecure, no matter it lies
within or beyond boundaries of enterprises. Utility of the data generated by processing consumer transactions is
increasingly becoming important for digitization. As the data provides insights of the consumers’ behavior and
their spending characteristics, new financial products would be increasingly designed to match the behavior and
characteristics. This would increase sharing of transaction generated data multi-fold. Public service authorities
are likely to add significant volume and complexity to the data that would be shared. In fact, the dream of one
trillion-dollar digital economy lies in the ability of sharing data in more elastic ways. However, it would have
to satisfy the condition of maintaining the desired level of security and privacy. Security of data in consumer
environment would play an important role. The figure below illustrates the data privacy objectives for providing
protection in the consumer environment.

Objectives of Data Privacy

Protection in the Protection in the
Changing to include
Enterprise Environment Consumer Environment

Incorporation of aspects in the Consumer Environment

ENTERPRISES REGULATOR
As key differentiator & to stand Digital Rights
Adoption of Accountability
high on privacy compaliances Management
principles for privacy implementation
To gain confidence of consumer
Promotion of evolving
for realizing digitization possibilities Customer
practices of consumer privacy
Centric File
Security Advocacy of positive actions:
privacy by design & privacy
enabling technologies
CONSUMER Handing over
the Controls Compliance recognition
Use tools, instruments & adopt to the Consumer of technologies promising better
best practices to secure data consumer privacy
Assess enterprises providing better
alternate to secure data

Roles & Responsibilities Technology Policy Intervention

20 | Consumer Data Privacy

Enterprises are likely to adopt practices and technologies to secure data in the consumer environment as a key
differentiator. Gaining the continued trust of the consumer through using technologies that communicate respect
for the consumer’s privacy is the key for realizing new possibilities of digitization. As privacy liabilities are tied
up to the ability to prove due diligence, actions on protecting data even if it leaves enterprises’ boundary, would
help them to stand high on privacy compliances. Technologies that would bring customer centrality in offering
protection are bound to get significant traction. Their ability of handing over controls to the consumer would go a
long way in realizing the benefits of digitization. This will certainly need policy intervention that should not only
recognize this effort while seeking compliances, but also foster innovation in consumer data privacy.

The role of regulator, enterprise and consumer in improving data privacy posture in the consumer environment is
illustrated in the figure below.

REGULATOR ENTERPRISES CONSUMER

Bring consumer privacy on the
regulatory agenda
Accountability, recognized as a
key privacy principle. Adopt it to
shift responsibility
Focus on consumer environment
creates larger ramification
for privacy
Ensure actors dealing with
consumer data invest
proportionately in security
Foster open innovation to address
consumer privacy concerns
Incorporate issues of consumer
data privacy in the assurance
checks
Recognize the changing paradigm
towards consumer privacy
Put consumer central to
the design of security
Reflect on instances, diversity,
scale & volume of consumer
interactions
Evaluate & adopt technologies
that manage delivery of
data securely
Evaluate how your consumers
behave. Educate them on practices
of safeguarding their data
Use strong encryption controls,
move on from password protected
files
Exercise your choice - prefer
organizations which offer better
alternatives
Save data using strong
confidentiality controls
Be selective while sharing the
data
Enable multi-factor authentication
for critical information
Revoke access to data after
use
Safely dispose data after its
use
Maintain frame of mind of security
while doing data transactions

Consumer Data Privacy | 21

Citations
1. Mobile Internet Report 2017- IAMAI
http://www.iamai.in/sites/default/files/research/pdf/Mobile%20Internet%20Report%202017.pdf

2. NPCI, Digital Payments Statistics, 2017) - Retail Payments Statistics on NPCI Platforms
https://www.npci.org.in/statistics

3. Cybersecurity Framework for Banks - Reserve Bank of India.

https://rbidocs.rbi.org.in/rdocs/notification/PDFs/NT41893F697BC1D57443BB76AFC7AB56272EB.PDF

References
1. Payment Card Industry Data Security Standards (PCI-DSS)
https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_2.pdf

2. Health Insurance Portability and Accountability Act – U.S. Dept. of Health Sciences.
https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

3. Financial Services Modernization Act- USA Federal Law

https://www.congress.gov/106/plaws/publ102/PLAW-106publ102.pdf

4. General Data Protection Regulation (EU) - Regulation (EU) 2016/679

https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

5. Protection of the Privacy of Personal Data Law, 2016- Qatar

https://qatarlaw.com/wp-content/uploads/2017/05/Personal-Data-Privacy-Law-No.-13-of-2016.pdf

6. Act on the Protection of Personal Information, 2003 (APPI) -Japan

http://www.cas.go.jp/jp/seisaku/hourei/data/APPI.pdf

22 | Consumer Data Privacy

Consumer Data Privacy | 23
 About DSCI
Data Security Council of India (DSCI) is a premier industry body on data protection
in India, setup by NASSCOM®, committed to making the cyberspace safe, secure
and trusted by establishing best practices, standards and initiatives in cyber
security and privacy. DSCI brings together governments and their agencies,
industry sectors including IT-BPM, BFSI, Telecom, industry associations, data
protection authorities and think tanks for public advocacy, thought leadership,
capacity building and outreach initiatives.

DATA SECURITY COUNCIL OF INDIA

NASSCOM CAMPUS, 3rd Floor, Plot. No. 7-10, Sector 126, Noida, UP - 201303
For any queries contact
P: +91-120-4990253 | E: info@dsci.in | W: www.dsci.in

24 | Consumer Data Privacy

All Rights Reserved © DSCI 2018