Customer data privacy program poised to roll out at Airtel

The industry-wide scramble to comply with the stringent requirements posed by the IT Rules 2011 notification finds Airtel on firm footing, with its customer data privacy program well underway. Airtel’s customer data privacy program is now successfully clearing the pilot stage, and will soon be implemented across the company’s businesses.

In a bid to secure sensitive personal information of customers, Airtel was already working on a data privacy policy to meet the challenges of protecting its burgeoning customer base. According to Charanjit Singh Sodhi, Airtel’s chief of security plans and policies, compliance with legal and regulatory stipulations was one of the prime movers for this initiative, followed by customer expectations and protecting brand reputation.

“The need for facilitating business in a secure environment was also a factor,” says Sodhi.  Given the large environment of third parties (over 3,000) associated with Airtel’s business, a decision to go beyond ISO 27001 — which Airtel has been compliant with for over two years now — was taken.

Company data states that over 60,000 users within Airtel’s ecosystem have access to customer data. This includes associates such as authorized retail centers, contact centers and VAS (value added services) vendors.

Under Airtel’s customer data privacy program, associates must sign third-party security policies and adhere to stringent controls. These are validated through ongoing monitoring and surprise audits, with relevant governance interventions as required.

According to Sodhi, the main privacy policy has been prepared and is under revision. Sodhi believes that a customer data privacy program will not impede business, but instead garner increased customer goodwill in the long run. Airtel is confident of its readiness for compliance with the stringent requirements that the IT Rules 2011 notification have added to the IT Act (Amendment) 2008.

The pilot customer data privacy program was executed by the Airtel head office in Gurgaon, as most processes were centralized there. To emulate processes at the circle level, Airtel used representative sample circles. Since Airtel’s multiple lines of business have now been re-organized into B2C (mobile, DTH and telemedia) and B2B (enterprise) segments, this has simplified the process, says Sodhi.

The scope covers businesses and associated partners. “Anyone dealing with customer data falls under the program’s purview,” says Sodhi. The entire rollout is expected to take a year, with phased implementation incorporating lessons learned from the pilot phase.

The circle-wise rollout is expected to be time consuming, since the reorganization will require educating each stakeholder on potential privacy gaps. Administration and monitoring will be handled by Airtel’s Gurgaon program management office.

From a technology perspective, the customer data privacy program covers IT systems and networks. While online privacy is already in place, the internal policy is in the review stage.

The customer data privacy program has facilitated study of the customer life cycle, according to Sodhi. The initiative enjoyed complete management support throughout, with the beneficial fallout of successfully cultivating involvement of the business in information security.