Aug 4 / Punit Bhatia, Vinayak Godse

Data Privacy Landscape in India

Drag to resize

Data Privacy Landscape in India

We always say that privacy and security are interrelated and there is no privacy without security. What is the role of the Data Security Council of India in terms of the security and privacy of people in India? How is innovation contributing to privacy implementations?
And who better than CEO of DSCI Vinayak Godse to discuss all these aspects and the data privacy landscape in India.  
  • Intro
  • What is GPDR in one word?
  • GPDR beyond the legal and technological aspect
  • What is the current Indian privacy landscape?
  • The role of Data Security Council of India
  • What are the challenges in India when it comes to privacy?
  •  Message to organization regarding data security and privacy
  • Closing 

Transcript of the conversation

Punit Bhatia  00:00 

We always say that privacy and security are interrelated. And we also know there is no privacy without security. And in that context, the Data Security Council of India has been playing an active role in guiding organizations guiding the governmental institutions and many others in terms of how to steer this journey of privacy and security, especially in a context of India, where in its complex, 1.4 billion people, lots of news, lots of variety in terms of thinking about privacy and security and so on. In that context, I have the privilege and pleasure to meet and discuss all these issues with none other than Vinayak Godse, who's the CEO of Data Security Council of India.And also, we both worked in TCS long back.So let's go and talk to him and understand what does hethink about privacy? What are the challenges in Indian landscape? What role is Data Security Council of India playing? And how is innovation contributing to privacy implementations? 

Punit Bhatia  01:41 

So here we are with Vinaya Godse. I welcome Vinayak to Fit4Privacy podcast. 

Vinayak Godse  01:47 

Thank you been a pleasure to be here on this podcast. 

Punit Bhatia  01:52 

It's a pleasure to have you and thanks for your time from such a busy schedule. Because I see you on LinkedIn, it seems like you're the busiest person in India. Nevermind. So let's start with a quick question. We talk about GDPR. And we know GDPR has many aspects. And it can be many meanings for many people. But when you think about GDPR, what's the one word that comes to your mind? 

Vinayak Godse  02:21 

Yeah, so GDPR is, in a way. One approach to operationalize the expedition that you set up for privacy, right, in the in the case of Europe, privacy is such a fundamental right, and how do you operationalize that at a at a level where people can take it and implement it and which leads to the protection of the fundamental light, and that's where GDPR as the regulation has so much of those nuanced level up, Expedition laid down in a way that people comply with them, and it also this enforcement mechanism in such a way that and also created these kinds of libraries and obligation to match to the higher level expedition setup as a privacy as a fundamental light. So that's something you require is for me, 

Punit Bhatia  03:11 

I think that's very well said and I would add on complexified by seeing when we have to implement GDPR one you already mentioned is the aspect of legal technical and so on, but then you just cannot have a law and implement it, I think there goes beyond the law, some technological advancement, innovation, thinking beyond the legal means and the technical means and the contractual means. So, can you elaborate on that because I know you have a strong expertise and views on that aspect as well. 

Vinayak Godse  03:43 

Yeah. So, the privacy, we look at right me when we say digitization happening. So, digitization is happening primarily at the three key things which is happening in data and like we have been improving the experience on the consumer, we have been improving the productivity and more importantly, we are trying to find new possibilities right and that is possible when every product and services is becoming more data layer. So data is becoming central to that and while doing that, we have been the poor way we are trying to do in a way that entire modeling of the way the transactions are processing is happening right. So a lot of third party a lot of those solutions, startups they are coming and joining to help you the process transaction right and because of that, we are really exposed to a lot of those kinds of external ecosystem apart from your organization's ecosystem to do a particular transaction right. So, the business ecosystem is so complex and the volume of transaction that we are processing is so rising and so is the velocity basically right. And then various different types of the type of the data may be collected and we will be processed with they are also very different and at various different kind of organ level of the organization.So if you try to solve the problem with only Some method for the auto compliance for the processes for the audit, you're not able to solve the expectation at a granular level. So that's what the role of technology comes into play. So the volume complexity, accuracy requirement, the discipline that you want to bring, so that will be only possible only if you tried to solve the problem more technical way. And that's the key key thing that we try from DSL that to help ecosystem to understand that these kinds of challenges you can solve, keeping technology central to the solution. 

Punit Bhatia  05:35 

And I think when we say keeping technology central to the solution, the India plays a key role in providing the software backbone and software development. So there is an element of sometimes concern and sometimes apprehension, saying the Indian privacy landscape is still not, in some views not so mature, and in some views fragmented, or it's still developing, and all the views are correct. But how do you see this landscape currently? What is the situation right now? 

Vinayak Godse  06:08 

Yeah, so one important question which got answered in 2017 is like where exactly as a country, the privacy standard, right, so the the ruling Gopa Supreme Court in 117 talking about privacy is a parameter might put on Indian citizens and residents as well. Right. So, so that would underline so there was certainly me, I had been involved into this adequacy assessment and every time that's what happened, there, there are a lot of evidence which takes that key India to provides constitutional kind of support to the team private sector that level, but that undermining happening into the 17 is certainly one of the important critical step that we achieved in the country 17 And after that, the process of setting up these comprehensive privacy law start data kicked up in the country right. But when we started with per country, we had 1.4 billion population with digitization is one of the critical mean to to improve the way the economy works, right. And that involves like inclusion, reaching out to the parties possible pays the making sure that the digitization of the we are bringing the people from the formal economy. Soall of those goals require you to look at digital and mobile as one of the critical means to achieve that goal in the country, right.So this digitization reality is also very important, right? One is that and other is these basically and last five years, we have been trying to see how can we have this redesign, which balance between the expedition laid down by these kinds of overlaying into the 17, to the need of the society to to, to really digitize the economy, digitize the different aspects of the life and transaction that we all have been doing? 

Punit Bhatia  07:57 

That's very well put. And I think it also adds into the complexity of the environment. Because complex, one, it's extremely digital and the other it's completely analog. And same way, the understanding or awareness about privacy, or the harm it can create is also very, very, so even if you can frame a lot to educate and take along 1.4 billion people, that's the humungous challenge. So in this all this land landscape as the law would come, eventually, I see that the Data Security Council of India is playing an active role. So how is it position? What's the role? Because is it security oriented? But I see you on LinkedIn, there are privacy elements also the cybersecurity also so what's the role of the Sei? 

Vinayak Godse  08:45 

So Data Security Council of India was set up by NASSCOM but when it was set up to set up as independent, not for profit company, right. And primary focus is on cybersecurity and privacy. Both right so this is probably the interesting experiment of setting up a think tank and industry body both working together. So we work as a think tank with the industry body for cybersecurity privacy focused on cybersquatting privacy and setup as an independent company. So that really helps us to engage with government closely so all these mercenaries are coming up in depth from the cybersecurity and policymaking from digitization perspective and data privacy perspective. We work closely with the Government of India, we have been part of these tools committee government of India setup one into the 12 digit API committee and then there was an eight in the C Krishna committee. DSA was a formal part of that committee which which laid out the kind of framework for data protection regulation in this country right so and then we have been contributing to a lot of this policy engagements that government in India have been putting together around cybersecurity much more importantly last pi success have been mostly in data sight and we also engage on the all these bilateral multilateral discussion happens with respect to data privacy data flow, and then the relation of trade on data. So, that is the area that we engaged through government of India and various various set of discussion that we had been Susanne, one hand another hand that we engage with all the industry sectors, so our membership base is all across the industry, verticals like banking, telecom, oil, energy, or sector health sector. And all of them have been tied to now grappling with the challenges of the privacy because all of them are putting together big larger digitization strategy and data is central to that and they are alarming like to see one is because of GDPR. And definitely GDPR is driving the policy initiatives all across the globe, and also in India, initially with GDPR. But now with these 217 regulation, the Supreme Court ruling and more importantly, the process, which has been set up as setting up the privacy law in this country. So most of this member ecosystem is now looking at our support to really design and execute the privacy program. So we advise and guide our members for that we created our own credential program for privacy. So all the exposure that we have in policymaking international enrichment plus working with different sector, we try to capture that into the CIA's credential program, which is the SSA certified privacy lead assessor program on DSS certified privacy professional program. So we have been, we can take some little credit of creating privacy proportion in the 1000s of people, we train in privacy, and they have been doing their own work in their own companies to implement privacy, taking this understanding it better. And we have created this privacy leadership ecosystem in the country. 

Punit Bhatia  11:47 

And I also see that you're inactive or promoting a certification. So are you getting into more of an IPP? Or is soccer kind of model for India, to play 

Vinayak Godse  11:59 

certification body, right IBP, or in soccer is more pure preservation worry, we see being working as a industry body and fintech by security, we get that exposure, right on the policy side on international engagement happening around data on our engagement with all these members that we have, are like a sector. So that also exposes it to cater good, interesting, we have the disruption happening in the country, we also engage with startup ecosystem, we also work with Detail Product ecosystem in the country. So that exposure on that learning that we have translated into development of this credential of the ACI, so it's like translating whatever we're learning to help build the profession in the country. So one part of us is that not all, I talked about many other things that we do apart from the training, we eventually are now trying to bring together some kind of a schema mechanism to help people to even evaluate the applications, the processes, the practices for privacy. So we are certainly looking at some kind of assurance structure that we create for people to to comply with, and maybe a sale program of the ACA or maybe certification program DSCI until it was more creation of the profession, but eventually we'll be moving towards probably creating a something which could be used and leveraged by the because the enforcement and compliance is also very nuanced, right? So you can't have one way of complying and enforcement right. So we are trying to find different ways that we can provide to the our membership ecosystem, which they can leverage to, to show their commitment to the privacy implementation. 

Punit Bhatia  13:43 

Make sense? And your when you say you're helping individuals, is it individual members? Or is it corporate driven membership 

Vinayak Godse  13:51 

member I'm talking about so okay. So these are top 10 banks of India now our member, so is the oil energy company, so is the health sector company. So the corporate membership, I talk about? 

Punit Bhatia  14:05 

Okay. And individuals can also become member of DCI, 

Vinayak Godse  14:09 

it's not a we don't charge anything from member we have chapters all across the country, they become a member of chapter but we don't really have a kind of a kind of fee. I mean, does your membership fee that we charge for? 

Punit Bhatia  14:24 

And what are the challenges you're seeing in India in terms of privacy and security? As we talked earlier, the landscape is quite complex, the variety of awareness is complex or varying. 

Vinayak Godse  14:36 

Yeah, so one is the the aggressive digitization that we see right. And some of these data sharing has been done in terms of bringing together a lot of those experimentation from the government side, right.So I'm not saying that as a challenge, but we probably are showing to the world that digitization can happen in a different way and it can be very scalable. Well, so the experimentation that we did in terms of Adar, and then UPI an entire digital public infrastructure that we put in together which, which is democratizing the vegetation happened, right. And that also means the kind of payment that we are processing per month is almost going to now $10 billion transactions that we have been doing, no country is coming close to eight. Sothe when we are creating our own data action strategy, which could be an example to the other global geography to follow.So one level up thing is key, how can we more make that more robust? And that's what the policymakers are looking at key how can we make that more robust from the policy perspective and also from the condition intervention, right, and government layered after cultural interventions right, within traditional governance mechanisms, so how can you make the design and processes Moreover, so that's the one level that is there. And then every sector is digitizing every sector is putting together a plan for making use of data collecting data, improving the productivity, creating new possibilities for them to that, so then, then sectoral nuances also sometimes throw challenge to you and we are taking sectoral Privacy project. And that is trying to reveal those kinds of challenges and trying to find solutions for that which could be very good guiding factor for our members, then the digital product industry is also growing quite well in India and in a b2c in creating those digital product ecosystem and wildly having those unicorns in the third largest startup ecosystem in the world. And that is largely based on the digitisation right and utilize the mean to do a lot of digital first organization in the country and where they have been collecting processing information all across the areas and they're working on. So that is another area to look at. And then a lot of those production elements that has been used, right,and largely, some of those products are getting consumed.So we software side, we are definitely good. But then a lot of those products now coming in IoT side in digital things side, basically. So those kinds of shows are happening. And that could lead to some of the challenges that we see in our across globe in India as well. But here the volume is significant. The transaction volume is also quite significant number of people significant lot of diversity or across the country, the enforce the language is another challenge, then the EU may depend on one structure and one way of implementing privacy, but then the it has to deal with the diversity, right, it has to deal with the enforcement kind of challenges and all across the country.So these challenges are very important and very unique challenges for India, to have its own digital protection or data protection regime and also find its own way of making sure that you have the content principle. And also you have the enforcement mechanism, which could match to the challenges. 

Punit Bhatia  18:04 

Indeed, and I think as the digitization happens at the pace and the scale at which happening, it's important to fill five figure in security and privacy by design. And that's where the SEI and you are playing an active role in helping these organizations. And how are these challenges that you mentioned being solved? Especially because India has a lot of innovation and creativity? And there are a lot of ideas, lots of opportunities? How what do you see happening in that space? Because when the law comes that will be needed? 

Vinayak Godse  18:38 

So it's not one law, right? It's like a kind of framework that we had been putting together. Right? So there is a data protection, digital data protection bill which is in place, right. And there's a constitutional guarantee that I just talked about in the Digital India Act, which is also coming in there is a telecom bill, which is coming as it's all we work together to create a kind of region policy region per data lead economy in the country. Right. Another thing is, while this is being played, a care is certainly being taken there. This is not really stifling the innovation and digitization possibility. So that's the second care we have been taking and we are seeing some of the challenges that GDPR has totally in terms of challenges and some frustration associated with the repair these really inhibiting people to innovate, do more detection and that learning has definitely kicked in in terms of the way we have been thinking about third parties in a way, at a at a national and government level. I think the story that we have been creating in terms of our own story to digital public infrastructure, so not our deliberations are outside happening if you're taking it to the global market, so how can we make more robust in nature? People aren't citizens basically getting connected. And because we got this enter reduction region, from high value to low volume to low value, high volume, everybody seems now doing transaction lastly on a digital way. So then sometimes that led to possibilities of fraud, right. So the priority certainly one of the in terms of percentage, we may not be that significant. But because volume is so big, so absolute number looks very, very significant. Right? And that, that may give the impression that some of the products are quite significant and, and how do you really create the ecosystem or design of the solution so that it doesn't lose scope or the program, even if there is a fraud happening, there is a very effective efficient support system available for victims. So those are the areas basically, so the lot of thinking is going on in this country. As of now. 

Punit Bhatia  21:09 

That's good to know, because fraud inevitably will happen. You can do your best, but you cannot say it will not happen. And when it happens, the redressal mechanisms for individuals are what we look into, and also guiding the organizations to mitigate any loopholes that are there or reduce the number of loopholes. So is the Data Security Council also playing that part in terms of creating those redressal mechanisms or working with the government? 

Vinayak Godse  21:40 

We had so we had been through we closely work with law enforcement agencies, we have one center call as a CCI at yard sales. I've set up a cybercrime investigation training resource center, which is like police premises, we set up this with help up the industry. And we have been training law enforcement officials to understand this cyber crime product ecosystem well and training them in digital currency kind of investigation, presenting those cases in court well. So building the law enforcement capability in this area is certainly one important thing that we do at national level, we contribute to a lot of those thinking which is happening in terms of how do we address these strategically at national level to policy intervention, plus outdoor system thinking which is happening at national level, there is a God conference which is happening. Next one only focused on the crime and cyber security, which Vista homebased has been hosting us we are or one of the knowledge partner, the partners there. We also work with our own member ecosystem and financial sector, right.So we did seek their help to spread more awareness, we help them in the strategy they're laying down to poor cybersecurity and the product management as well. And we also know the chair of the industry in this area, like product management industry, that is part of the industry, the consulting services industry in this area. So these are multifaceted effort that we put together to, to contribute in this area. 

Punit Bhatia  23:15 

Very nice. I mean, in essence of time, and also to kind of get towards a close, if there is an organization who's been unsure on security and privacy and wants to do something, what would be your one advice to them? 

Vinayak Godse  23:35 

So we ask them to start with creating good visibility about the data that you have been collecting, generating, receiving or sharing, right? And that's the critical first step. Right. But so visibility is the key first step that you achieve with respect to data protection. So that's the key critical message that we start getting there was do you have that in yourself we'll think about Caroline I, with this data, these cancers will come to me and with this concern, I need to have some kind of process some kind of organization that needs to be set policy needs to be set up basically, I need to probably understand what it brings to me in terms of regulation, my obligation, some liability, you start looking at that, then this data that you do the processing that you do you share with the external ecosystem that you something about key, I'm owning privacy so I'm also sharing the data so how can I share the responsibility with my ecosystem that work with me so then you start looking at how can you share with to contract me under mean, you then start monitoring it because you know, that small incident create a larger problem for privacy and you know that God is every breach. We could create the lab it could be very specific to individual breach. So then you start monitoring the entire system or the privacy specific breach then you create a specific technology The structure and processes for securing the personal data. So you create the sensitization about the personal data to bring process like a privacy impact assessment in the organization. So the initial first step is to create the visibility. So that's where you start. And that's the key is that we try to get it to the time to give it to our member ecosystem. Once you us have great visibility, you start taking all of the steps, which I just mentioned about, 

Punit Bhatia  25:26 

I think, very fair, that if you have to do and that what even in GDPR, we say that if you have to do have a record of processing activity on the data inventory, and then build data maps and data flows, and then start seeing where the vulnerabilities are, and start addressing one by one. But before we close, just one final question, because a lot of people would get confused, or are still getting confused around two or three terms we use security and privacy. So well, these are interchangeable, but how do you see the security privacy or the data protection angle? 

Vinayak Godse  26:04 

See, privacy? The questioning is different than a security right security is largely do it you're doing for you and you are assessed and you are in production and you protect to protect that right, but privacy or to do some for somebody else, right. And it's mostly the citizens and residents of the country. And they have been assured about the Right, right. And that's why there's obligation library sitting on your right. And that's why questioning that you have for the privacy is different. So for example, security, we will at the most will go need to know basis access to the information, right? Privacy will put a question why you need that information. Why that much information.So since this questioning wouldn't come in security, this request this questioning, which largely stemmed from the minimization purpose, limitation, such contracts, protection, privacy, those expectations are different expression than a security explanation. So that's the first distinction, right? And then, and that's why it is different than a security one, but then one, you need to find the relation between the security and privacy. So these expectations are now articulated largely in a content consumer privacy and security, certainly one of the so many other principles of the privacy, right. So one way is looking at key securities, one principle out of a lot of other content principle that we talk about secondary security, so mean to deliver privacy. It'sall the security control, security technologies security. Architecture, can help you to manage the expectations of privacy much better, basically. So this is a relation and also distinction that we try to see, from our perspective. 

Punit Bhatia  27:48 

Very well said, I've asked this question and even answered this question many times. But the profoundness and the simplicity with which you brought in the aspect of the one is from the perspective of the individual and other experts from the perspective of the organization. And the interest is very different privacy is purely in the interest of the individual. That's very well said. And I think that's a very good moment to say. It's been a very useful and very enlightening conversation. I'm sure everyone will enjoy it. And I will say thank you so much for your time. 

Vinayak Godse  28:24 

Thank you for having me here on this platform. Thank you. 


Vinayak Godse is the CEO of Data Security Council of India. He has over 27 years of experience in Information Security, IT Transformation, Intelligent Networking and Telecom Infrastructure. Vinayak also leads the National Centre of Excellence (NCoE) for Cybersecurity Technology and Entrepreneurship, a joint initiative of DSCI and Ministry of Electronics & IT. NCoE is engaged in cybersecurity industry building, fostering security research and product engineering, and building an ecosystem for security entrepreneurship. He has been deeply engaged with all initiatives of DSCI with government stakeholders and sectoral regulators. He was instrumental in developing DSCI Security Framework (DSF), DSCI Privacy Framework (DPF) and DSCI Certified Privacy Lead Assessor (DCPLA), DSCI Certified Privacy Professional (DCPP) certifications and conducted many of these training programs. Prior to DSCI, he worked with the Global Consulting Practice of TCS in Information Risk Management and also worked as a Telecom Engineer at BSNL. He started his career as a lecturer in Electronics Engineering. 


Punit Bhatia is one of the leading privacy experts, who works independently and has worked with professionals in over 30 countries. Punit works with business and privacy leaders to create an organization culture with high privacy awareness and compliance as a business priority. Selectively, Punit is open to mentor and coach privacy professionals. Punit is the author of books “Be Ready for GDPR” which was rated as the best GDPR Book, “AI & Privacy – How To Find Balance”, “Intro To GDPR”, and “Be an Effective DPO”. Punit is a global speaker who has spoken at over 30 global events. Punit is the creator and host of the FIT4PRIVACY Podcast. This podcast has been featured amongst top GDPR and privacy podcasts. As a person, Punit is an avid thinker and believes in thinking, believing, and acting in line with one’s value to have joy in life. He has developed the philosophy named ‘ABC for joy of life’ which passionately shares. Punit is based out of Belgium, the heart of Europe.  


YouTube Channel 
Email [email protected]  

Listen to the top ranked EU GDPR based privacy podcast...

Stay connected with the views of leading data privacy professionals and business leaders in today's world on a broad range of topics like setting global privacy programs for private sector companies, role of Data Protection Officer (DPO), EU Representative role, Data Protection Impact Assessments (DPIA), Records of Processing Activity (ROPA), security of personal information, data security, personal security, privacy and security overlaps, prevention of personal data breaches, reporting a data breach, securing data transfers, privacy shield invalidation, new Standard Contractual Clauses (SCCs), guidelines from European Commission and other bodies like European Data Protection Board (EDPB), implementing regulations and laws (like EU General Data Protection Regulation or GDPR, California's Consumer Privacy Act or CCPA, Canada's Personal Information Protection and Electronic Documents Act or PIPEDA, China's Personal Information Protection Law or PIPL, India's Personal Data Protection Bill or PDPB), different types of solutions, even new laws and legal framework(s) to comply with a privacy law and much more.
Created with