Different countries have enacted laws to deal with data protection and data privacy. While the European Union views the privacy of personal information as a fundamental right, the United States has sector-specific laws on the privacy of customer data, including laws protecting health information and financial information. Processing of the personal information of citizens of these countries by service providers (IT/BPO companies) in India and elsewhere through outsourcing raises concerns about regulatory compliance. Given the multiplicity of privacy legislation worldwide, service providers in India face the major challenge of demonstrating compliance with the laws of the countries where the data originates. DSCI believes this is possible if they implement best practices for data security and privacy protection.
DSCI Best Practices seek to promote dynamism in an organization's security through a Data Centric Approach, which is based on the following security principles: visibility; vigilance; coverage and accuracy; discipline in defense; focus on the strategic, tactical and operational layers; and tactical mechanisms. This helps an organization become secure, with the ability to demonstrate compliance as an outcome of that security rather than as the starting point.
DSCI best practices for data protection take the form of the DSCI Security Framework (DSF©) and the DSCI Privacy Framework (DPF©).
DSF comprises 16 Best Practices. It draws upon the tactical recommendations made by several leading consultants around the world, and on the recent experience of some governments that checklist-based compliance does not necessarily enhance cyber security. In arriving at these practices, a number of regulations in different countries were analyzed; hence, implementing DSF helps in achieving regulatory compliance.
DPF is based on 9 Best Practices and 10 Privacy Principles. The privacy principles satisfy the requirements of the privacy laws and data protection directives of the European Union, the United States, and APEC countries. In an outsourcing context, some of these principles may not apply to the service provider, since they are the responsibility of the client as the data controller. Once again, the proposed best practices can help an organization not only achieve regulatory compliance but also ensure privacy protection.