A Wipro whitepaper on mobile data challenges in 2013-14

Telcos across markets are called upon to strengthen their  privacy protection standards in the wake of increasing legal  compliance burden and customer awareness

In most developed nations, privacy – both information and data are regulated by law. Many countries have specific privacy acts that regulate how government and private organizations  collect, use/process and disclose personal information. These laws also provide individuals with the right to access the  information about them that is stored by organizations and the right to request that any erroneous information be corrected.

Unlawful storage of personal data, storage of inaccurate personal data and the abuse or unauthorized disclosure of such data is considered a violation of privacy in some European countries and the United States. User awareness around privacy is ver y high in these countries. In 2010

Google had to turn in/off Wi-Fi data collected by its Street View cars after privacy concerns were raised in Germany  and some other countries. While it is considered perfectly normal in some countries like India for someone to ask for another person’s salary, date of bir th and other such personal information, such questions would be completely outside the  boundaries of propriety, and the law, in many Western countries.

 

This paper dwells upon some fundamental issues around privacy and takes a look at the telecom sector as a specific  case. However, the essence of the discussion here applies to most other sectors.

Personal information or personally identifiable information  (PII) is something that helps to identify an individual or directly points to a person’s attributes. This ‘something’ may be a telephone number or an email address or anything apar t from the obvious name of the individual. So, first and foremost, it is necessar y to define what constitutes the PII of an individual – a consumer, an employee, a contractor associated with your organization, or anyone else.

Next,  privacy  requirements should  cover  information and   data. Information and data are frequently used interchangeably.  Information denotes processed data and hence is more clear, useful and contextual. Data is the raw element lying in the technology system (it could be anywhere) which requires crunching to make it more meaningful and actionable. Therefore, an information privacy program would cover the entire information management system and communication channels, with data protection treatment within the technology ecosystem. As a matter of fact, we often see that organizations have multiple policies – information security policy,  information privacy policy  and  online privacy policy – to cover all possible avenues of privacy treatment.

Privacy vs. Confidentiality

There are two schools of thought here.  First, privacy is covered under the confidentiality aspect of the security triad and is governed by the classification of information. This makes confidentiality a bigger umbrella under which privacy  requirements are addressed and remains the responsibility of the chief security officer.

The  second school of thought suggests that confidentiality  is an extension of privacy.   This school argues for  protecting identifiable private information by making its access and disclosure strictly governed by an agreement with the person whose information is involved.  In other words, privacy concerns people (right to personal information) and  confidentiality concerns data  (the  way  secrecy of  personal information is managed).   Thus, in some  organizations a separate position is established for dealing  with privacy – to super vise the application  of  the privacy  policy against a  continuously changing regulator y landscape.

Indian Telecom Scenario

The Indian telecom industr y is being discussed here as it has been the fastest growing industry in India over the last decade, and has attained maturity, alignment with global practices and regulator y compliance ver y quickly.

The Approach

The shor t answer is a risk-based approach to do an impact assessment. Essentially there are four critical things to do. 1) It is impor tant to define the privacy and PII elements as well as to identify the drivers. 2) Create the PII inventor y to map business processes and underlying applications and infrastructure 3) Carr y out an impact assessment and determine critical processes, their boundaries and touch points. This assessment will enable to assess and refine the existing controls and to determine the level of protection required. 4) Enforcement through policy and framework to comply with the impacting regulation will remain central to the solutions approach.

The Challenge

Implementing the appropriate enterprise-wide privacy framework and adopting the right technology are critical.   For example, initially it is necessar y to discover the PII data within the systems and then build the technical options for data protection.  Other areas that are equally demanding are user awareness and training as well as privacy enhancing technologies that provide a degree of anonymity (which in turn help build trust and reduce risks), and monitoring and repor ting violations. At a higher level, end-user entitlements, data storage at rest and in transit, and third-par ty  agreements driven through the procurement and vendor relationship cells should not be overlooked.

Conclusion

Maintaining privacy and protecting customer and employee personal information is a risk-management issue for all organizations. It goes beyond the regulator y requirements because customers expect their data to be protected to avoid identity thefts; it impacts an organization’s reputation and leads to financial loss due to lost revenue and litigation. Above all, customer confidence in the brand is impacted if there is no framework to deal with customer privacy.

 

By Manohar Ganshani, head Governance Risk & Compliance Practice, Wipro Consulting Services

editor@telecomlead.com

Comments are closed.

x

Sign up for our Newsletter