About Arrka Lab
A Dedicated Lab for Testing, Innovation & Research in Data Privacy Operationalization & Implementation
Every day is a new day in the world of Data Privacy. Laws & Regulations are changing. Technology is changing. Big Tech and the ecosystems they spawn are changing. The way business is done and businesses are run is changing.
To keep up with this reality of change and to equip our clients to operate in these times, we set up Arrka Lab.
Arrka Lab does Privacy Testing, Research and incubation of Innovative Ideas to translate into Solutions & Frameworks. It also anchors our Annual ‘State of Privacy of Indian Mobile Apps and Websites’ study – our much sought-after study that shines a light on the State of Privacy of India Inc.
Privacy Testing
Are you sure your Digital Properties – your Websites, your Mobile Apps, your APIs, your Software Products – are ‘Privacy-Ready’? Do your Mobile Apps meet the stringent Privacy requirements of the Google Playstore/ Apple Appstore? Do your properties comply with the requirements of various Privacy Laws & Regulations?
Yes, you may be doing regular Security Testing (VA/PT) – but that does not look into the Privacy of your Digital Properties. Nor does that check if you are in violation of any Privacy Law or Regulation. For that, you need specialized Privacy Testing.
Arrka Lab’s Privacy Testing Solutions test for Privacy Readiness of your Digital Properties. So your organization is truly Privacy Compliant.
What do we Test for?
We test for various parameters that are typically ‘below the surface’. For eg,
- Dangerous & High-Risk Permissions, Embedded 3rd Parties and Cross-Border Personal Data Flows in Mobile Apps.
- Cookies, Trackers & Permissions, Personal Data Flows to 3rd Parties and across borders in Websites
And we check if your Digital Properties meet the requirements of Google/Apple stores as well as those of Privacy Laws like GDPR & CCPA or of guidances like those from RBI for Digital Lending Apps
Arrka Frameworks
Frameworks provide the underlying structure and approach that organizations need to operationalize and implement Data Privacy. Leveraging our decade-long experience of working closely with organizations of all hues and sizes, we at Arrka have developed these frameworks to equip our clients to implement Privacy quickly, efficiently and effectively
Arrka Privacy Implementation Framework (APIF)
The APIF is a comprehensive framework for Organizations to implement and manage a robust Privacy Program, complying with multiple laws, regulations and standards in an integrated manner
Personal Data Attribute Mapping Methodology (PDAM)
PDAM is Arrka’s unique methodology to lay the foundation for an organization’s Privacy Program. It enables you to get your program off the ground quickly and effectively
Privacy for Products Framework (PPF)
The PPF outlines the features and functionalities to be built into software products and platforms to enables compliance with Privacy Laws/ regulations and to fit into the overall ICT supply chain
Privacy for SMBs Framework (P-SMB)
Small & Mid-Sized operate under severe constraints and, consOrganizationsequently, have unique requirements. P-SMB is specifically designed for an SMB’s special needs
Our Annual State of privacy Report 2022
Arrka publishes its annual State of Privacy of Indian Mobile Apps and Websites’ study report every year on World Data Privacy Day (Jan 28th).
You can download the latest study report here
FAQs on Arrka Lab
- Security testing (for eg: VAPT) tests for all things malicious and/or risky from a Confidentiality, Integrity and Availability point of view. However, it does not check for other aspects that are risky from a Data Privacy point of view. For example,
- Mobile apps use several Dangerous and High Risk permissions that various Privacy Laws/Regulations or the Google Playstore/Apple Appstore place restrictions on. They also have several non-malicious SDKs embedded which may compromise your Privacy Policy or violate Privacy controls. Such aspects are not included in Security testing
- Websites have cookies and trackers that are non-malicious but violate privacy requirements. A security test does not test for these.
- If you have a Mobile App that is on the Google Playstore and/or the Apple AppStore, you need to ensure that it meets their stringent Privacy Policy requirements. Arrka’s Privacy Testing enables you to check your readiness before you host/update your App on the store
- If you are required to comply with any Privacy Law anywhere in the world, you need to make sure your Mobile App is also compliant. Given that a host of Personal Data is collected, processed and shared with third parties across national boundaries by your Mobile App via the permissions the App takes or the SDKs that are embedded in the App, many Mobile Apps are in violation of applicable Privacy Laws. Arrka’s Privacy Testing checks for these compliances.
- If you are required to comply with any Privacy Law anywhere in the world and/or take cookie consent, you need to know what cookies & other trackers are embedded in your website, which of these are sending out the Personal Data collected to external third parties, if this is crossing national boundaries, etc. Based on this information, you can determine what needs to be published in your Privacy Policy, where and when you need to take consent and if any other Privacy Controls need to be deployed. Thus ensuring you comply with applicable Privacy laws. Arrka’s Privacy Testing checks for all of this.
- Yes, it does
- Yes, it does.
- Yes, it does.
- Privacy laws are not those where one can do a ‘checklist-driven’ implementation. In other words, in order to comply with the Principles, Rights and Organizational Obligations contained in every Privacy law, the organization needs to undertake a series of foundational measures upon which the compliance can be built.
- For example, in order to cater to an individual’s right to erasure of her Personal Data, the organization first needs to know all places where her data resides. For which, a comprehensive Personal Data Inventory needs to be built, including all external 3rd parties with whom her data may have been shared with. A framework guides the organization to take such measures so that, when it all comes together, comprehensive compliance can happen.
- We at Arrka have been closely working with Organizations for a decade to help them implement their Privacy Programs. During these years, we have seen, first-hand, how organizations struggle with different aspects – which could be easily addressed should a relevant framework(s) be made available. We looked around and found that either there were no frameworks available to meet the specific need and/or the ones available were not appropriate or adequate. At every such juncture, we kept developing and fine-tuning our own and deploying them for our clients. As we deployed them across multiple scenarios and use cases, we kept continually fine tuning them, adding each and every incremental learning. In the process, they became robust and time tested. As a result, we now have a set of frameworks that enables our clients to operationalize and manage robust Privacy programs that keep up with the rapidly changing and evolving Laws, Regulations and Guidelines.
- ISO 27001 is an excellent standard for your Infosec program. However, is does not address the needs of Data Privacy. For that you need other frameworks, like those from Arrka.
- The EU GDPR is a law, NOT a framework for implementing a privacy program. In order to comply with GDPR, you need a framework that guide you for what needs to be done, so that you meet the requirements of the law.
- The APIF is used as the underlying framework to assess, design, implement and manage a full-fledged organizational Data Privacy program. Whether an organization needs to comply with just one law or multiple laws, this framework equips the organization to manage it all. Further, it takes into account the fact that (1) existing laws are being updated and new guidances/regulations are being issued from time to time and (2) organizations are growing and changing and hence need to comply with new laws and regulations as their business expands. Essentially, the framework equips organizations to bring stability, robustness, maturity and predictability to their privacy programs so that they are not shaken everytime a new requirement comes along.
- PDAM or Personal Data Attribute Mapping is Arrka’s proprietary methodology to lay the foundation for a Privacy Program in an organization. It helps the organization develop a comprehensive view of its Personal Data without having to build a full fledged inventory that gives just the exact set of details required to assess gaps and design all the Privacy Program elements and controls required.
- In other words, it helps an organization get its privacy program off the ground quickly and easily.
- For large organizations, it is recommended that PDAM be done for specific processes, functions or business units. This enables the organization to develop a phase-wise approach to its program implementation.
- For smaller organizations, since its processes, functions or business units tend to be smaller, PDAM can be quickly done for the entire organization.
- PDAM equips you to get just the right quantum of inputs you need to start rolling out Privacy in your organization. Therefore, you do not need to build the comprehensive Personal Data Inventory before you start designing and deploying your Privacy program. The inventory can be built during the subsequent implementation phase. This approach helps you get the program off the ground quickly, thereby accelerating program deployment.
- A Personal Data Inventory (or PDI) is a comprehensive inventory of each and every place where Personal Data lies – both inside the organization as well as with third parties. It takes a long time to build as discovery of Personal Data requires going into every nook and cranny of the organization as well as that of each of its vendors and other third parties. However painful this exercise may be, a PDI is required to be built – and maintained continually. It is critical to meet many crucial requirements of any Privacy Law.
- PDAM, on the other hand, is a high level view that is just enough to get going with your privacy program. The data gathered for PDAM can be fed into the PDI and the PDI can be built further from there.
- To build privacy capabilities into a software product, several specific features and functionalities need to be built into it. These are independent of the law(s) that the product may ultimately be exposed to. In fact, the product is likely to be deployed across multiple organizations across various geographies, thus exposing it to multiple laws and regulations – that cannot be foreseen at the time of developing the product. Hence the features and functionalities need to be agnostic of the law yet be able to meet the requirement of any law it is required to
- To be able to do this, product developers need a guiding framework. And this framework is distinct and different from an implementation framework – which is designed around processes and systems. The Arrka Products Privacy Framework provides this requisite guidance.
- Small and Mid-Sized Businesses (SMBs) usually operate under severe resource constraints. Budgets are always tight, access to skilled people is not easy and expertise availability is scarce. More so in the domain of Data Privacy. Yet, to remain in business, SMBs also need to ensure they comply – for which they need to build Privacy Programs.
- The frameworks for large enterprises are typically designed to address their complex requirements. ‘Paring’ them down to meet the requirements of a Small business does not help the small business as, usually, the Small Business is coming from a completely different perspective.
- Having worked for many years with organizations at both ends of the spectrum – from very large enterprises to tiny 10-15 persons strong entities – we at Arrka realised a solution for SMBs needs to be built grounds up, taking learnings from the large enterprises yet not adding on unnecessary burden or complexities. Which is why we developed a separate framework for SMBs.
- Incidentally, this framework is full baked into the Arrka platform, enabling organizations to easily deploy and manage their Privacy Programs.