The State of Data Privacy
While the need for strong data privacy laws has been debated for decades, the global data protection landscape witnessed a tectonic shift with the advent of the General Data Protection Regulation (GDPR). The GDPR protects a wide array of personal data, such as basic identity information, IP addresses and cookie data, and requires all organizations with a presence in any European Union (EU) country, as well as non-EU organizations that process the personal data of European citizens, to comply with its stringent data protection standards with effect from May 25, 2018.
With GDPR in play, there has been a complete overhaul in the way organizations store, process and protect their customers’ personal data. Organizations that fail to comply with the GDPR from May 25, 2018 face a penalty of up to 20 Million Euros or 4 percent of their global annual turnover, whichever is higher. For medium-sized companies, there is a very real danger that a serious data breach could put them at grave risk of failure.
Similarly in India, encouraged by the landmark Supreme Court judgment that asserted the Right to Privacy as a fundamental right, a group of Indian lawyers has drafted a model Indian Privacy Code, 2018 that envisages a penalty of up to Rs. 1 Crore and a prison sentence of up to three years for violating the data privacy of Indian citizens.
The IT (Amendment) Act, 2008 (ITAA 2008) obliges organisations to protect data handled under lawful contracts by providing for penalties for breach of confidentiality and privacy.
A committee of experts has also been constituted by the Government of India to study, with public participation, the different types of issues pertaining to data protection in the country. This committee, formed under the Chairmanship of Shri B N Srikrishna, a former Supreme Court Justice, is expected to come up with a draft Data Protection Bill.
UIDAI Mandates on Aadhaar Data Privacy
Amidst several media reports of massive breaches of Aadhaar data, the Unique Identification Authority of India (UIDAI) published a circular last year mandating that all Aadhaar-based e-KYC Authenticating Agencies (AUAs / KUAs / Sub-AUAs) encrypt all Aadhaar-related data and store it separately in a secure, access-controlled data repository known as an “Aadhaar Data Vault”.
As a part of the same mandate, UIDAI has recognized the importance of secure key management and how critical it is that all sensitive encryption keys are properly managed and stored in Hardware Security Module (HSM) devices. HSMs are hardened, tamper-resistant, dedicated physical computing devices whose sole purpose is safeguarding the cryptographic (encryption) keys used for data encryption. Management of these encryption keys should cover all the processes used to create, distribute, rotate, archive and delete the master keys. This is a central element of the security policy guidelines mandated by UIDAI.
All AUAs / KUAs / Sub-AUAs have to strictly adhere to the above UIDAI mandate, with non-compliance leading to strict action and financial disincentives.
How Gemalto is Helping Organisations Become UIDAI Compliant and Maximize Their Aadhaar Data Vault ROI
While traditional HSMs suffice for securely storing cryptographic keys as mandated by UIDAI, they fall short in one critical aspect: key management. Cryptographic keys pass through multiple phases during their lifetime, such as generation, storage, distribution, backup, rotation and destruction, and efficiently managing them at each stage of that lifecycle plays a pivotal role in optimal data protection.
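The lifecycle described above (generate, distribute, rotate, archive, destroy) is easiest to see in code. The following Go program is an added example written for this page; it is not Gemalto's, SafeNet KeySecure's or UIDAI's code. It stands in for an HSM-backed key manager with a tiny in-memory `Vault` (the type, the version IDs `k1`/`k2` and the sample record are all hypothetical and constructed), and shows how rotation keeps an old version available only for decrypting records that have not yet been migrated, how destroying a version makes anything still sealed under it unrecoverable, and how every key state change lands in an audit trail of the kind the mandate asks for.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyState models the lifecycle stages named in the text: create/active, archive, destroy.
type KeyState int

const (
	Active    KeyState = iota // used for all new encryptions
	Archived                  // kept only to decrypt older records until they are re-encrypted
	Destroyed                 // zeroised; anything still sealed under it is unrecoverable
)

// KeyVersion is one generation of the vault's master key (hypothetical structure).
type KeyVersion struct {
	State KeyState
	Key   []byte // inside a real HSM this material never leaves the device
}

// Vault is a simplified in-memory stand-in for an HSM-backed key manager.
type Vault struct {
	versions map[string]*KeyVersion
	active   string   // ID of the version currently used to encrypt
	Audit    []string // every key state change is recorded, as the mandate requires
}

// Envelope is one stored record: the key version that sealed it, the GCM nonce and the ciphertext.
type Envelope struct {
	KeyID string
	Nonce []byte
	CT    []byte
}

// NewVault creates the vault with an initial active key version "k1".
func NewVault() (*Vault, error) {
	v := &Vault{versions: map[string]*KeyVersion{}}
	_, err := v.Rotate()
	return v, err
}

func (v *Vault) log(event string) { v.Audit = append(v.Audit, event) }

// Rotate generates a fresh 256-bit key, makes it active and archives the previous version.
func (v *Vault) Rotate() (string, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil { return "", err }
	if v.active != "" {
		v.versions[v.active].State = Archived
		v.log("archive " + v.active)
	}
	id := fmt.Sprintf("k%d", len(v.versions)+1)
	v.versions[id] = &KeyVersion{State: Active, Key: k}
	v.active = id
	v.log("create " + id)
	return id, nil
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Encrypt seals a record under the active version, binding the version ID as associated data
// so that a record whose version label has been swapped fails authentication instead of decrypting.
func (v *Vault) Encrypt(plaintext []byte) (Envelope, error) {
	g, err := aead(v.versions[v.active].Key)
	if err != nil { return Envelope{}, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return Envelope{}, err }
	return Envelope{KeyID: v.active, Nonce: nonce, CT: g.Seal(nil, nonce, plaintext, []byte(v.active))}, nil
}

// Decrypt opens a record with whichever version sealed it, unless that version is destroyed.
// Migrating a record after a rotation is Decrypt followed by Encrypt under the new active version.
func (v *Vault) Decrypt(e Envelope) ([]byte, error) {
	kv, ok := v.versions[e.KeyID]
	if !ok || kv.State == Destroyed {
		return nil, errors.New("key version " + e.KeyID + " is unknown or destroyed")
	}
	g, err := aead(kv.Key)
	if err != nil { return nil, err }
	return g.Open(nil, e.Nonce, e.CT, []byte(e.KeyID))
}

// Destroy zeroises an archived version; the active version is refused to prevent data loss.
func (v *Vault) Destroy(id string) error {
	kv, ok := v.versions[id]
	if !ok || kv.State != Archived {
		return errors.New("only archived versions may be destroyed")
	}
	for i := range kv.Key { kv.Key[i] = 0 }
	kv.State = Destroyed
	v.log("destroy " + id)
	return nil
}
```

The order of operations matters in practice: records sealed under the old version must be re-encrypted under the new one before the old version is destroyed, and the audit trail (`create k1`, `archive k1`, `create k2`, `destroy k1`) is what an auditor would reconcile against the stored records.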
Gemalto’s Key Management Solution offers organisations a single, robust, centralized platform that seamlessly manages cryptographic keys at each stage of their lifecycle and helps organisations maximize their Aadhaar Data Vault investments by supporting multiple use-cases across departments:
1. End-to-end Key Lifecycle Management on a single platform.
2. Seamless integration with other encryption solutions like Gemalto Tokenization.
3. Detailed logging and audit tracking of all key state changes, administrator access and policy changes, supporting UIDAI compliance.
4. Centralized encryption and crypto management operations regardless of where the data resides.
5. Lowers the cost of key management and encryption with centralized administration and automated operations.
6. Multiplies use-cases through easy integration with other data protection solutions.
Check out more information on how Gemalto’s SafeNet KeySecure can help your organisation adhere to UIDAI’s mandate.
To Sum It Up
Gone are the days when data protection was the responsibility of only one department within an organisation. With new, stringent data protection regulations like the GDPR, the upcoming Indian Privacy Code, 2018 and UIDAI’s Aadhaar Data Vault mandate, it is in the best interest of organisations to put data protection at the very center of their data processing systems rather than treating it as an afterthought. It is also imperative for organisations to choose a holistic solution that scales seamlessly, both horizontally and vertically, to reduce the Total Cost of Ownership (TCO).
To learn how Gemalto’s end-to-end Tokenization solution and enterprise-ready SafeNet KeySecure platform can help your organisation comply with UIDAI’s mandate and maximize returns on your Aadhaar Data Vault infrastructure, please visit here.