On February 25th, 2021, the Ministry of Information, Government of India rolled out the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, which are being deemed the first big step towards regulating the big social media, tech, and OTT platforms. The newly unveiled rules give the government control over the intermediaries, or even the ability to block content altogether in case of an emergency. According to the rules, an intermediary refers to all the social media platforms, OTT platforms, online news portals, or even online discussion portals that operate within the country.
What Do The Guidelines Say?
As per the new guidelines, all social media intermediaries will have to improve their due diligence posture drastically. In addition, their data privacy policies will have to provide for monitoring user activities and taking down anything that can hamper the sovereignty and integrity of the country, is against public interest, or misleads the masses. The government has also borrowed the Grievance Redressal Mechanism from the existing regulations governing television media. Intermediaries will need to set up a mechanism to address user complaints, and a grievance officer must be appointed to acknowledge each complaint within 24 hours and resolve it within 15 days of its receipt.
The guidelines also mandate that the major OTT platforms self-classify their content into 5 age-based categories, namely Universal, U/A 7+, U/A 13+, U/A 16+, and A (Adult), and include parental locks for certain specified categories. In all, with the drastic changes in the regulations, the number of responsibilities on the significant social media intermediaries has increased manifold.
What needs to be done?
Business model and strategy may need to be truly assessed while implementing anything new to enable compliance. A clear understanding of customs, culture, ethics, law and conduct needs to be developed, covering what is acceptable and what is not. There is also a need for intermediaries to rethink their business models to gauge profitability and to reassess their assumptions by seeing value through the eyes of the customer.
Organizations need to pick relevant goals to achieve. It is well established that business goals are prone to risks. Not all risks need to be addressed; a careful evaluation of risk should be done to bring it to an acceptable level based on the risk appetite of the organization. Teams should focus on identifying and prioritizing the risks that could have a material impact on operations and hamper the ability to execute the strategies. Prioritization can be done based on severity, risk appetite, and tolerance. Upper management can extensively discuss the risk appetite of the company, which gives a better understanding of which risks can be contained or absorbed. Companies also need to focus more on cybersecurity elements like Multi-Factor Authentication (MFA), encryption, and innovative techniques like Zero Trust Architecture to ensure confidentiality and integrity of the data. There would be more security risks lurking around inefficient logging and monitoring. Although inadequacy in generating proper audit logs cannot be leveraged for attacks, it is a clear testament to a lackluster security posture. Better logging and monitoring will also help in the submission of the monthly compliance report as mandated by the Government. Companies may need to appoint competent personnel with primary responsibility for ensuring compliance here.
There is a need to revisit organizational policies and procedures, create new ones where required, amend them where necessary, and focus specifically on the code of ethics and the code of conduct. There needs to be a clear focus on ensuring public interest, ensuring integrity, respecting culture, and complying with the law. Specific implementation guidelines with clear responsibilities need to be developed and implemented. This will enable implementation of policies and procedures on the ground.
Moreover, to cope with these unprecedented changes in rules, technologies like Artificial Intelligence and Machine Learning can be implemented to monitor customer activities, identify data, and make calculated decisions based on the tested data. Automating processes can be a potential way to reduce compliance costs and other financial risks.
Finally, communication and awareness will be the most important cogs in the wheel of the implementation. Employees and suppliers' personnel who might have some prior information about the potential threats can act as the first line of action and can educate the staff and third-party personnel about these potential threats. Personnel with expertise in the field of Law and Compliance in the Digital Privacy & Security Domain may be hired to work in tandem with IT to make the system more robust. Continuous internal employee as well as supplier evaluations on the new regulations, and timely re-assessment and monitoring of internal controls, can be a way to lay down a robust foundation.
Effective Governance and control is key
Companies in the current world need robust governance, specifically to navigate today's digitalized world, which is exposed to traditional and emerging risks. Adopting a framework such as a combination of ERM COSO, NIST CSF and COBIT 19 provides an easier path for digital transformation with agile customization in place, while improving the areas of risk assessment, management, governance, and control. This would result in a higher rate of awareness amongst employees, intermediaries, suppliers and customers with regard to data governance, the new facets of data, and data ethics and security. Adoption of an integrated governance framework may provide a mechanism to integrate IT governance with business goals, models and strategies. It can enable an organization to have a robust, risk-managed approach to new threats and challenges. It also helps in keeping up with both performance and compliance. Continuous measurement and governance around implementation, measurement and improvement may be key to success.
Challenges & The Road Ahead
The aforementioned suggestions are not without certain challenges. The adoption of cutting-edge technologies and frameworks can be overwhelming for smaller firms. Moreover, a dearth of capable and skilled professionals also poses a steep challenge. There is a need to find a dependable alternative to combat the problems that traceability seeks to address while keeping the data secure. Ultimately, it boils down to effective governance, practicing ethical models in spirit, implementing the risk-based approach, including implementation of policies and procedures, and spreading awareness among stakeholders.
Coauthored by Ashish Tiwari and Apporv Sharma