Responsible Business Rankings
India’s Top Companies for Sustainability and CSR 2021
Data Privacy (SDG 16)
2019-20 will be remembered as the year in which the world was unified by its fight against a pandemic that affected every aspect of daily life for every person and organization. Organizations adopted virtualization and cloud services on a war footing to get back to regular operations. As the workplace landscape changed, companies had to adapt to remote working and virtual collaboration, making data protection and confidentiality an immediate priority. The year also saw significant developments among FinTech and healthcare companies.
Organizations had to demonstrate that they had in place a governance framework and monitoring structure, in line with the existing data privacy regulations and that confidentiality would not be compromised with remote working. As a step towards demonstrating sufficiency of data privacy, there are currently two assurance certifications:
- ISO/IEC 27701:2019 Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines [1]
- BIS IS 17428: Part 1: 2020 Data Privacy Assurance, Part 1: Engineering and Management Requirements, and IS 17428: Part 2: 2020 Data Privacy Assurance, Part 2: Engineering and Management Guidelines [2]
One such instance is Infosys, which disclosed in its Annual Report for the year 2019-20 that it is among the first few organizations to have its framework certified, with accreditation, against the recently released ISO 27701 privacy information management standard.
The introduction of FinTech, Blockchain and AI in the financial sector, with the objective of exchanging data seamlessly and facilitating faster transactions, also opens up the possibility of data breaches. This requires systems designed with integrated data protection. Towards this end, in September 2020, Niti Aayog published a draft framework, “Data Empowerment And Protection Architecture - A Secure Consent-Based Data Sharing Framework To Accelerate Financial Inclusion”, for discussion by the stakeholders concerned [3]. The draft framework works on the premise that any digital data which can benefit individuals can be shared with third-party institutions, but that the use of such data should be consent based. The framework is initially set to cover the financial sector, especially FinTech companies, and will augment RBI’s guidelines for regulating data in the financial sector. We found that the financial companies and IT companies that were part of the study have reported that they have information management and data security systems in place to ensure the safety of consumer data.
The year also saw a sharp rise in health-related data, raising concerns about safeguarding data collected and processed by multiple third parties such as pharmaceutical companies, insurance companies and healthcare organizations, to name a few. To combat the pandemic, health-related data had to be shared among multiple third-party institutions. To deploy health initiatives expeditiously, multiple applications were developed, and existing social media platforms were leveraged to spread awareness around the country. The vaccination of the Indian populace is considered one of the biggest drives in the world, and the sheer volume of data generated required a guideline for protecting data privacy. The Ministry of Health and Family Welfare, under the aegis of the Government of India, has approved the Health Data Management Policy to regulate individuals’ digital health data [4]. We found that 100% of the healthcare companies in the study have disclosed data privacy provisions in their operations.
Enactment of “The Personal Data Protection Bill, 2019” will provide comprehensive regulation of data privacy, but until then The Information Technology Act, 2000 (amended in 2008) and the Information Technology Rules, 2011 [5] will continue to regulate data privacy.
We found that among the Indian companies we studied, around 86% have clauses on customer data privacy, either as a separate policy or as part of their code of conduct.
[5] Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011