Hi there!

Whoever said the peak of summer in this part of the world has a soporific effect on everything? It has, in fact, been just the opposite.

Much has been happening on the data front with India’s central government announcing a revised draft Data Governance framework policy to open up nonpersonal data under its purview; some state governments are also doing the same and various initiatives around health data, agricultural technology, etc., are growing rapidly — all with the deafening silence around the Data Protection Bill.

However, two things stood out for me amid this action by their significance:

CERT-IN Directions

The last few weeks in India have been abuzz with the new directions for cybersecurity issued by the Indian Computer Emergency Response Team (CERT-IN), the nodal agency of the government for cybersecurity, 28 April. Among several requirements, the one thing that stood out and, in a way, “rattled” many folks was the requirement to report incidents within six hours of detection. By all organizations, big and small.

This is in a country that has had almost no incident or breach notification requirements, except in pockets like the financial services sector. Given the volume and steep rise in known cybersecurity incidents (1.4 million in 2021 and more than 200,000 in the first two months of 2022), CERT-IN is looking at improving the cybersecurity posture of the country with this directive.

Even as I write this piece, there is much discussion and criticism going on across forums, industry bodies and the media. Many valid points have been raised, like whether the six-hour timeline makes sense, the ability of small businesses to comply, etc. However, it doesn’t seem like the government is likely to go back on this directive that comes into effect end of June, leaving little time for organizations to gear up.

A solution for the multi-hued, complex challenge that is adtech?

I have been closely following the advertising technology sector for a while from a privacy perspective. While digital marketers go all out to leverage the power of data — without necessarily understanding the privacy impact — regulators and civil society are busy trying to tame the tiger in different ways. Key influencers and contributors like Google and Apple have brought in policies that have had or is likely to have some impact. The industry itself is attempting to put some best practices and codes in place via assurance programs like seals and certifications. However, I have always wondered if and how much an impact would these unilateral and patchwork measures have.

One of the fundamental problems of the current adtech ecosystem is the absence of consented consumer data. Further, advertisers — who are at one end of the digital supply chain — do not get to directly interact with consumers, leading to opacity in the whole chain. So how do they comply with privacy laws and regulations requiring them to get consent, maintain records of processing, remain accountable overall and so on?

So, when I saw an announcement from one of India’s largest telecommunications companies — Airtel — about incorporating a blockchain-based solution in their rapidly growing adtech platform to ensure privacy and provenance, I was really excited. The solution — from Aqilliz, a company based out of Singapore — looks at the fundamental problem from the ground up and, with the help of blockchain, ensures that a consistent and immutable record of transactions is maintained across the entire digital supply chain.

Finally, a light at the end of the tunnel?

As we in India eagerly look forward to the refreshing monsoons round the corner, here’s wishing you all a great month ahead!