The Indian Parliament passed the much-awaited data privacy legislation known as the Digital Personal Data Protection Act, 2023 (DPDP Act) in August 2023. It has received the President’s assent and has been published in the official gazette. However, various provisions of the DPDP Act have not come into force as yet as its implementation is to be carried out in a phased manner. Unlike the European Union which gave organisations a period of two years to comply with their data protection legislation known as the ‘General Data Protection Regulation’ (GDPR), the Indian government is looking at a timeline of 6-8 months for the industry to comply and align business practices with the new personal data protection law. The DPDP Act has been largely influenced by the GDPR and drafted based on the same underlying principles such as lawfulness, fairness, transparency, purpose limitation, storage limitation, accuracy, data minimisation, integrity and confidentiality as well as accountability.
One of the prevailing misconceptions regarding the personal data protection law is that ‘information security’ and ‘personal data protection’ or ‘data privacy’ are essentially the same concepts and can be used interchangeably. The thought process is that implementing appropriate information security practices for the protection of data by itself fulfils the requirements of the DPDP Act. However, it is critical to note that ‘personal data protection’ and ‘information security’ are different concepts and not interchangeable. Though data privacy and information security have a close and critical relationship, they represent distinct aspects of safeguarding personal data. Understanding these nuances is crucial for organisations seeking to protect personal data in an increasingly interconnected world and to comply with the provisions of the DPDP Act.
Guarding Data Privacy
Personal data protection or data privacy primarily concerns the appropriate handling, usage and management of personal data. It revolves around the rights of individuals to control how their personal information is collected, processed, stored and shared. At its core, personal data protection focuses on ensuring that personal data remains confidential and protected from unauthorised access or misuse. The DPDP Act outlines requirements for organisations regarding the collection, storage and use of individuals' personal data.
Compliance with the provisions of the DPDP Act involves obtaining explicit consent for data collection and processing, providing individuals with access to their data along with facilitating other data principal rights and implementing technical and organisational measures to secure this information from breaches or unauthorised access. Essentially, data privacy revolves around respecting an individual's autonomy and ensuring their personal data is not used in ways they have not permitted or anticipated.
Safeguarding Confidentiality, Integrity and Availability of Data
On the other hand, information security encompasses broader measures to protect data from a spectrum of threats, including unauthorised access, theft, destruction or alteration. It is a comprehensive framework that includes various strategies, policies and technologies aimed at safeguarding the confidentiality, integrity and availability of data. Information security goes beyond just personal data and extends to all types of information, including proprietary business data, financial records, intellectual property and more. It involves implementing measures such as encryption, access controls, firewalls and regular security audits to mitigate risks and prevent unauthorised access or breaches.
While personal data protection focuses on the rights of individuals regarding their personal information, information security takes a holistic approach, encompassing technical, procedural and physical safeguards to protect data regardless of its nature.
The Interplay
While distinct, personal data protection and information security are interdependent. Robust information security measures form the foundation for ensuring data privacy. Without adequate security protocols, maintaining data privacy becomes challenging, as personal data becomes vulnerable to breaches or unauthorised access. Similarly, compliance with personal data protection regulations often necessitates the implementation of stringent information security measures. Organisations must secure data through encryption, access controls and other security protocols to honour individuals' privacy rights and prevent data misuse or unauthorised exposure. One of the many obligations imposed on data fiduciaries under the DPDP Act is to implement reasonable security safeguards to prevent personal data breaches. However, reasonable security safeguards are only one of the many requirements under the DPDP Act that data fiduciaries must comply with in respect of the collection, storage and processing of individuals' personal data. Therefore, information security is merely one of the various facets of the DPDP Act.
The DPDP Act involves a wider set of obligations and compliances for data fiduciaries, whereas information security is limited to ensuring the confidentiality, integrity and availability of data. Businesses are required under the DPDP Act to comply with numerous obligations such as purpose limitation, data minimisation, lawful, fair and transparent processing, retention limitation, accuracy, accountability, etc., which information security by itself does not address. Appropriate reasonable security safeguards address only the requirement of ensuring the integrity and confidentiality of personal data, which is one of the many, but critical, requirements of personal data protection legislation.
Considering that information security is a critical requirement of the DPDP Act, which provides for hefty penalties in case of a data breach, it is important that the privacy department and the information security department of organisations diligently work together to ensure that privacy and security are being effectively and efficiently implemented. It is important to create a strong partnership between the privacy and information security departments to ensure compliance with the provisions of the DPDP Act. Alignment and support between both departments are necessary to ensure that an organisation fulfils its obligations, particularly the requirement to have reasonable security safeguards in place and to notify the data protection board as well as each affected data principal within a specified period of time of the organisation becoming aware of a personal data breach. Failure of an organisation to comply with the above-mentioned requirements may result in hefty penalties as well as loss of reputation and consumer trust.
In conclusion, while personal data protection and information security are separate concepts, they are intrinsically linked in safeguarding personal data. Data privacy is about respecting individuals' rights regarding the collection and processing of their personal information, while information security involves comprehensive measures to protect all types of data from various threats. However, it is important to note that information security is but one of the many requirements of the DPDP Act which businesses are required to comply with.
Akshayy S Nanda is Partner, Saraf and Partners. Views are personal, and do not represent the stand of this publication.