VFS Global is a technology services company that provides visa processing and passport issuance related services, including biometrics data, for over 175 million people globally, and has contracts with over 60 governments globally. Barry Cook, Group Data Protection Officer, VFS Global, spoke to Moneycontrol.com about what it means to be GDPR compliant, what the draft data protection bill in India would mean for VFS and how they manage sensitive personal data of millions of people.

Edited excerpts:

Q: What does your job as data protection officer entail?

A: A data protection officer has an independent governance role that manages a company’s compliance with the existing data protection laws of the land in which the company operates. It is not part of the operational team and has a reporting line directly to the highest level of management.

In my case, it means I’m responsible for ensuring VFS Global handles personal data of visa applicants and VFS Global employees in a manner that is compliant with the law and with our own internal data protection policies.

Q: What does it mean to be GDPR-compliant from a personal data perspective?

A: As a company that handles large volumes of applicant information (for visas and citizen services), VFS Global is one of just 15 percent of global companies that are GDPR compliant, as per an independent report by Capgemini.

From a citizen’s perspective, consumers now have enhanced rights regarding personal data, i.e. there are more safeguards in place and a higher level of transparency in how the data is processed by an organisation, and more obligations put on those companies in processing this data.

Q: What is the potential for misuse of personal data that is not stored properly, especially biometric data that may be collected as part of visa processing?

A: Generally speaking, the scope of misuse of personal data can be quite wide, ranging from identity theft, going through to potential financial fraud – for example, applying for a credit card in someone else’s name and using that card to make purchases. The person whose information is used will get the credit card bill.

This is why the protection of personal information is at the core of our business. We are very much aware of the impact that personal data misuse can have on the individual.

At VFS Global, we mitigate this risk of identity theft by not holding on to this data for longer than is necessary, typically no greater than 24 hours, or as per a duration specified by the governments we work with.

With regards to the collection of fingerprints as biometric data, this information is encrypted at the point of collection, so it’s difficult to misuse, because it takes a certain level of technology to use this information and that’s not readily available.

Q: In the recently released draft of the Data Protection Bill in India, there is stress on consent and data localisation. If the provisions were to be passed into law, how would VFS Global ensure consent across different stages of processing personal data?

A: Embracing the new law in India means companies, even those that are GDPR compliant, will have to revise standard operating procedures as per the fresh requirements, so customers are aware where their data is being processed.

VFS Global already uses different methodologies to make it clear to applicants that the consent we are taking is related to collection of specific personal data.

In accordance with what the law finally mandates, we will use technology to take that a little further to use techniques such as "just-in-time" consent, which enables our visa applicant clients to fully understand the scope of what they are consenting to.

Q: How do you view the issue of data localisation? Do you see merit in the argument that it is detrimental for small businesses and raises costs for them and the end user?

A: I am fairly confident that by enacting and successfully implementing a data protection law, the Government of India will provide a springboard to the outsourcing and data-driven sectors as it makes it easier for all countries with similar laws to transfer data for business purposes among each other.

With regards to data localisation, the critical question we should ask is: what is the scope of data to be localised? This is still a moot point, and the draft bill leaves this open for further discussion. More often than not, the reality is that data protection laws the world over do not mandate a blanket localisation of all data, but rather of only some data.

What some companies have often done in other parts of the world to comply with this requirement is set up small data centres within the country of operation to hold the data locally, and then replicate it in their main databases outside the country, which in some ways negates the concept of localising the data but still complies with the requirements of the law.

For multinational companies who operate in countries which have data localisation requirements, the increased cost of operation will, without a doubt, be taken into consideration when deciding to invest in operations in that country.

Q: From a data protection perspective, what is the best-case scenario that can be adopted to ensure easy cross-border data flows and security of personal data?

A: In my opinion, the best-case scenario for cross-border data flow, while also ensuring security of personal data, is based on the standard of "adequacy of transfer". This means one country or jurisdiction must determine that another country has sufficient data protection safeguards to ensure that the rights and freedoms of individuals travel with their data.

To transfer to countries that do not have robust data protection legislation, an informed consent-based model is best, where the individual is made fully aware of where the data will be shared, and what is the scope of the consent given.

Q: How do you look at the future of data processing and security conversations?

A: In the last few years, the conversations around data protection and data privacy have rapidly grown with the greater realisation that personal data actually belongs to the individual concerned. It is important to remember that organisations simply ‘borrow’ an individual’s personal data for the purposes of performing a task.

Organisations are not at liberty to do what they wish with personal data. Data protection legislation puts the control of personal data usage firmly back in the hands of the individual. Modern data protection laws seek to find a good balance between the rights of the individual and the interests of organisations who process that data.

That said, there’s no doubt in my mind that this act will be a big boost to the data processing industry in India, because internationally, many countries are writing articles into their data protection laws that make it difficult to transfer data to countries that do not have robust data protection laws and, in my opinion, rightly so.