By Jospeph Thavaraja
Note: The following is based on insights gathered during the FITIS – ICTA online webinar held on 17 June 2021.
TYPES OF DATA
In the current context, two types of data come into play: primary data, such as a person's name and credit card number, and secondary data, the expanded data about a person such as browser history, online behaviour and information on online purchases.
Today, organizations are able to track customer activity in far greater detail, especially in situations such as the ongoing pandemic, which has produced a data explosion. This creates opportunities for value creation, and customer data is a valuable asset for any organization. Once enacted, the Data Protection bill will bind every company as the law of the land. It governs the collection, structuring, use and storage of personal data and, more importantly, its sharing and disclosure.
DATA STORAGE AND USAGE
The telecom sector's view is that customers' personal data must be handled in a customer-friendly and responsible manner. Data may be used from either a customer perspective or an organizational perspective. From the customer's point of view, processing of their data must be based on a defined purpose, and once that purpose is met the organization may no longer retain the data. The organization should be honest and open about how the data will be used, and customers have the right to know how it is used. Organizations must store personal data only for as long as it is necessary and must maintain proper documentation. Any use of personal data must be lawful and must stay within the regulated framework for the processing concerned; processing that does not comply with the Data Protection framework is unlawful.
In the banking sector, the duty of confidentiality towards customers was a priority long before Data Protection laws were introduced. Banks have always kept customer information confidential and shared it only with the customer concerned. The well-known case Hardy v Veasey (1868) established that a banker will not divulge information to a third party without the customer's consent, unless the bank is compelled to do so by court order, disclosure is necessary to protect the bank's own interests, or the circumstances require publication in the public interest. The Banking Act also sets out circumstances in which disclosure is permitted.
Today banks collect data digitally, and not only banking data but personal data as well, such as whether a customer owns a vehicle or property. A stricter framework is therefore needed to manage this data; the Banking Act alone is not sufficient.
The "Message" chapter of the DP bill is of particular importance in the digital era. Under it a company may send digital messages to a customer, but every such message must offer the customer an opt-out option.
The bill sets a penalty of up to LKR 10 million for non-compliance. This is far lower than under the General Data Protection Regulation (GDPR), where fines can reach EUR 20 million or 4% of global annual turnover, whichever is higher. Sri Lankan companies are advised to start complying with the proposed DP bill early, especially if they transact with companies based in the EU.
The BPO industry will gain clearer procedures once the DP bill is enacted. New positions in data governance will open up, and organizations that act as data controllers will be required to appoint Data Protection Officers. Companies need to review their data policies against current business and consumer behaviour as well as technological advances. Since most Sri Lankan software and BPO companies already serve an international clientele and follow comparable procedures, their state of preparation is good, though more work is needed to improve further.
Once the DP bill is in force, local firms engaged in international trade will also need to be GDPR-compliant, both as part of their information security policy and to satisfy the regulatory framework that applies to their clients.
As for the differences between the proposed bill and the GDPR, no major deviations were noted, and local IT firms already follow much of the required best practice; the apparent differences lie in extra-territorial scope, data classification and cross-border data flow. Local companies must also comply with the DP laws of the jurisdictions in which their international clients operate.
The ISO 27001 standard is very helpful in the DP context: its information security forum, reporting structure and the presence of a chief information officer are all highly relevant today. Specific areas of focus are documenting consent and data masking / encryption. Note that ISO 27001 is an information security management standard; certification against it supports but does not by itself demonstrate compliance with data protection law.
Challenges identified for local companies in complying with the DP bill are largely operational: obtaining consent from a bank's large base of existing customer accounts; ensuring that outsourced service providers are also compliant; making the internal infrastructure changes the bill requires; securing funding for the new costs and administrative preparations; and seeking additional approvals from the regulator (the Central Bank), for example for cloud-based data handling.