Dear Diary,

Today, I found myself asking “how do people really get to me?” Not that I live under a rock, but in the sense, why do I receive so many calls? SMS Messages? Emails? Asking if I would be interested in products and services I’ve never subscribed to! These unprecedented times of COVID-19, have brought me to living in a virtual world and defining the new normal. I found myself itching to read and recap conversations from my Privacy Diary again!! To recall some smart ways to comply. Here’s a peek.

Download the full 2020 BELA South Asia Magazine here

Raelene Antao 

 Much to my surprise, “Data Privacy” and Cybersecurity are more important than I thought it to be. Not only did it have a far-reaching effect on my personal space, but it also impacted me as a professional. Our Data Privacy Manager (DPM) and Cyber Security Manager (CSM) walked me through some of the practices that were being followed by Bayer to ensure the protection of personal data and how by keeping things simple we were able to ensure respect for an individual’s privacy. I’ve captured our conversations below. So back to where we started, let’s flip through my Privacy Diary and share with you on how we looked at things differently since then. 

Data Privacy is such a real topic, the DPM and Bayer are diverse when it comes to our Data Subjects. I am not sure everyone has the same level of maturity on this subject however, the biggest challenge is to keep the subject simple. 

DPM: Your concern is legit. It’s important to make this topic relatable and more so during these times. Wasn’t our Data Privacy Series impactful? It is a highly innovative way of breaking up the topic, aligning it with Bayer’s Regulation, the European Union General Data Privacy Regulation (GDPR) and the provisions under the Information Technology (IT) legislation in India. We kept to relatable catchy captions which were simple and crisp. The outcome was stunning as we could have the widest reach. 

Oh yes! I thoroughly enjoyed this learning experience

There is so much buzz with respect to consent being so important to ensure Data Privacy protocols are met. There are numerous consents that are required from stakeholders & business partners for various initiatives. Is there a way out that would enable us to be compliant as well as make it easier for the business to comply? 

Hemal Bhavsar 

DPM: I do agree that this can be an administrative hurdle. We use integrated consent which is a one-time consent collection, specially designed for the use of Personal Data for marketing communication whether electronically or in print. This approach provides details to our HealthCare Professionals about the purpose, transfer to third parties, retention period of personal data and their rights which would include the right to withdraw consent as well. 

Yes DPM, you are right, such an integrated approach will help the business comply with a swifter, and simpler consent collection process. 

Now let’s turn the conversation over to the Cyber Security Manager (CSM)

CSM, what according to you makes an organisation most vulnerable with respect to cybersecurity? 

Ramchandra Karmalkar

CSM: I am glad you asked this question!  You will be surprised. When it comes to cybersecurity, the most vulnerable link in a company are its employees. They can also act as the first line of defense! That is why  we never get tired of emphasizing the importance of the 7 Key Principles which are the ground rules for cybersecurity at Bayer. They include 1. handling information with care; 2. communicating with caution; 3. protecting your identity; 4. handling your devices with care; 5. clearing your workplaces; 6. paying attention when travelling & working from home and lastly; 7. reporting suspicious incidents & loss of equipment. 

The 7 key principles serve as a responsibility and protection for each employee as well as for the organisation. I see how data privacy and cybersecurity are inextricably linked and the one thing that is common is to “stay alert” and be “mindful of how we are handling information”.

You are right, such an integrated approach is so well structured, swifter, less of an administrative hassle and ensures compliance for the numerous data subjects. 

Digital Platforms and Applications 

What are some of the measures which you take when you support business and ensure Data Privacy compliance in digital platforms and applications?

DPM: Lets keep it simple, one must take responsibility of collecting, transferring, analysing, storing and deleting Personal Data. Consent is very important more so in India, when there is Sensitive Personal data involved. Every organisation deals with a variety of Data Subjects, these may be as diverse as employees, farmers, healthcare professionals and even patients for clinical trials. Amongst others, we need to ensure a Privacy Policy, Consent, have a verified Cloud/ Server with a certified system, and lastly, by providing clear guidance to Business on the do’s and don’ts. We must contractually obligate our Third Parties to safeguard Personal Data.

Apart from contractually obligating third parties, how can we overcome risks associated with inappropriate handling of Personal Data?

DPM: In the first place, evaluate whether the collection and transfer of personal data are really required. The contract and documents must have clear clauses defining the responsibility of Third Parties along with the appropriate safeguards. Adopting simpler measures such as data encryption, anonymisation and restricted access would help in minimization of data privacy risks with respect to Third Parties. 

Would you share some simple ways that Bayer has adopted to ensure Data Privacy compliance at work?

DPM: Invest in what we call “applications backlog assessment”. Simply take a deep dive and understand all Data Privacy relevant applications in the organisation, past, present and future to ensure all measures are put in place.  We also encourage our colleagues to do a “DP cleanliness drive”, at certain intervals where they would look into their systems and delete redundant personal data to avoid digital hoarding. Afterall, it is important to live the spirit of the Legislation.

I can still recall this statement and I am sure it is more than just compliance. It is about respecting the Right to Life & Privacy and the Right to be forgotten. 

Note: For more on the “Compact Compliance” data privacy series, visit the Business Ethics Leadership Alliance (BELA) South Asia Member Hub.

About the Authors

Raelene Antao is Compliance Business Partner and Data Privacy Manager for Bayer in India. Antao joined Bayer in India as a Legal Counsel in 2008 and worked across the Agro, Pharma and Plastic businesses, including specialized roles of Code Compliance and Litigation. Subsequently, she took up the role of a Compliance Business Partner to set- up the Bayer Compliance Program in India & South Asia. As the Compliance Business Partner and Data Privacy Manager for Bayer in India, she is responsible to ensure the efficacy of the compliance strategy and the compliance culture in the organization. She has been adding value to business initiatives by effective compliance (including data privacy) risk mitigation with smart simple solutions and ensuring an overall momentum with focused compliance messaging.   

Hemal Bhavsar is Manager, Legal Compliance & Data Privacy, Bayer in India 

Bhavsar is a Company Secretary and a Compliance Professional with close to 5 years of experience in corporate secretarial & compliance-related matters. At Bayer, she works on making compliance communications and trainings interactive, innovative and interesting to ensure high retention and awareness. In addition to being a compliance advisory, she is also a part of the Data Privacy office and offers solutions for protection and appropriate handling of personal data to various business divisions at Bayer. In her career so far, she has gained rich experience in M&A through two mergers and a demerger deal involving listed entities. As a caretaker for a non-profit organization of the Bayer group in India, she continues to cater to both the allied fields of statutory as well as internal compliances. 

Ramchandra Karmalkar is SME and Information Security, Bayer in India 

Karmalkar is a member of Cyber Security and Risk Assessment team of Bayer where he has the responsibility to provide sustainable state-of-the-art protection of intellectual property. He has significant experience spanning over 25 years in Information Security and Risk Management. In this role he works with  Business to understand demands ,future directions and translates Security / Technology guard rails in Business language, he is also instrumental to build Security awareness in the country‘s cluster.