The deadline for the mandate for gathering, processing, analyzing, storing, etc., personal information, declared by the Reserve Bank of India for all the FinTech companies, has passed.
By Krishnanand Bhat
The new buzz in the technology world has now gained momentum, given the strident stand of the governing bodies of our nation. The deadline for the mandate for gathering, processing, analyzing, storing, etc., personal information, declared by the Reserve Bank of India for all the FinTech companies, has passed.
While the payment companies are doing their best to request a relaxation of this norm, with some requesting an exemption, the Reserve Bank of India currently does not seem willing to give in.
India, being the second most populous nation in the world, gathers information that could amount to around 1 million petabytes, if internet sources are to be believed. With stakes this high, the issue of data localisation within the nation has gained a global spotlight, with the WTO calling for a ban on it and US senators requesting a softening of the norms, citing ‘free trade’.
While we are debating the pros and cons of data localisation, the most important question that must be investigated is: ‘Are we ready to handle the data?’ As Mr Clive stated, ‘Data is the new oil’; and if that is so, are we prepared to handle this new resource? The relevance of data is limited to its accessibility.
Storage of data in a specific geographic location should not be that big a concern if the accessibility of the same is restricted.
What does this mean?
The objective of Data Localisation, as presented, is to ensure that all ‘personal information pertaining to the citizens of the country including financial information resides within the country.’ It is preferable to know where the information resides, for better visibility.
However, with the increase in the number of cyber attacks and cyber threats of a criminal nature, uncertainty over the issues below has left consumers in the dark:
- Who is responsible for the data stored locally?
- What measures should be taken to ensure the data is protected throughout its life cycle (obtain, process, store)?
- What is the retention period of the information stored locally?
- Is the governing body geared up for handling this mammoth task?
- Can the processes and procedures in place handle data-breach situations?
- How is access to this information prevented from outside the country?
How companies are reacting:
This mandate has most of the payment companies on their toes, trying to find a suitable solution to meet the requirement. There is little doubt that it means a big blow to their financials, as meeting the requirements would need huge investments in both infrastructure and its security.
However, home-grown companies like Paytm and PhonePe are welcoming this move and strongly advocating it as a positive step towards building stronger compliance.
What it means for consumers:
Easy and free access, as provided by the foreign entities, could now be at stake if companies fail to meet the mandate. The consumer is left wondering whether their freedom to make independent choices is being curtailed by the measures the government is taking.
While other nations like China, Russia, North Korea, and Europe have adopted policies ranging from similar to stringent, they have also adopted suitable measures to ensure that such information is safeguarded. While experts believe this move to be a step in the positive direction that will help build stronger cybersecurity controls, what we need to watch is whether it will be able to withstand the economic pressure or end up as a failed project.
The Indian authorities need to take a balanced approach to handling this new oil, keeping in mind that we are at the cusp of innovation and digital transformation, which should not be halted for the sake of protectionism.
Krishnanand Bhat is Chief Information Security Officer (CISO) at SKP Business Consulting LLP. Views are the author’s own.