Data Protection is Good for Everyone

When it comes to data, the interests of individuals and those who control their data are aligned.

Over the past few days, the status of an individual in India has been at the centre of some important Supreme Court judgments. First, there was the ruling on the issue of triple talaq. Close on its heels was the mammoth judgment in the Right to Privacy case. There will no doubt be more such cases to grapple with in the times to come. The issue of data protection, with another Supreme Court judgment looming in the near future, will be one of them.

The conventional discourse around data protection has the individual at its centre. This is understandable: it is the data of the individual that is sought to be protected. Data protection policies aim to secure an individual’s interests by imposing obligations and liabilities on data controllers, the entities that collect and process such data. Data controllers wield considerable power over an individual when they are in possession of the latter’s data. It is reasonable to expect them to exercise this power with caution.

Is it possible, though, that this approach might create a narrative where it is easy to think of data controllers as the ‘other’? This is a narrative in which an individual’s data is being protected from the data controller. Would it be problematic if data controllers themselves begin to consider their responsibilities as a burden? Is there no value in data protection that accrues to data controllers?

In fact, there is. Individuals and data controllers can be in the same boat when it comes to data protection. There are scenarios in which their interests are aligned. A prime example of this are the recent instances of ransomware attacks around the world. The threat to an individual’s data can come from an entity unrelated to the data controller. Robust data protection in such cases is as beneficial to data controllers as it is to individuals.

Data Protection is a Matter of Financial Prudence

There is little doubt that insufficient data protection can result in harm to individuals. A data breach or a viral attack can compromise an individual’s privacy and open up personal information for abuse.

What is also true is that data controllers often pay a high price when such incidents take place. This was seen in the case of FedEx, the logistics company, which suffered a cyber attack recently. The company has admitted that the attack has resulted in revenue losses due to reduced transactions and the scramble to implement contingency plans and measures to prevent future attacks. These losses are exacerbated by the lack of insurance coverage to address such eventualities. All this, according to the company, will have an impact on its year-end financial results.

This is but one example. Extrapolate it over multiple entities, and a significant impact on the overall economy is likely to result. Thus, data protection can no longer be considered a matter that is of interest only to individuals.

The Role of Reputation

Data controllers in a competitive market will be sensitive about their reputations. It pays to be considered as trustworthy by a potential customer. It may well be that a great product or service is insufficient by itself to draw customers if it is not accompanied by a high standard of data protection.

Given this, any event that compromises the data of  customers can have a profound impact on the reputation of a data controller. The fallout, in sheer financial terms, might be very difficult to estimate. The film studio, Sony Pictures, which suffered a massive computer hack a few years ago, did not just face massive expenses in setting its systems right in the aftermath of the attack. It also ran the risk of losing clients and collaborators to its rivals for future projects.

This element of trust can be a double-edged sword. It is inevitable that data controllers will fret about the damage their reputations will sustain in the event of such an attack. However, this also gives them a unique opportunity to set themselves apart from their competitors. A data controller that adopts the most up to date data protection systems can use this fact to lure more customers. In what can be best described as a race to the top, individuals stand to gain as much as the ones running the race.

Data Controllers Need to be More Proactive

The benefits of data protection highlighted above are not novel. Yet, it is seen time and again that data controllers have not bought into the idea of data protection as seriously as they should. They underestimate the risks and are overconfident about the sturdiness of their systems. As a result, they under-invest in data protection.

Data protection as a subject is garnering attention all over the world. Newer models of data protection will be more stringent about the duties that data controllers owe to individuals. This is already the case in Europe, with the General Data Protection Regulation (GDPR) poised to come into effect from next year. India is also looking to implement a data protection regime soon.

These developments should spur data controllers to be more proactive when it comes to data protection. They should test their systems for weaknesses, upgrade them as often as possible, hedge their risks using insurance, and be careful in their processing of an individual’s information to prevent unscrupulous third parties from accessing it. A small amount of foresight now will stand them in good stead for the long term.