In the digital age, data is a very important currency for any business. That’s why it’s crucial that they comply with the Personal Data Protection Act (PDPA) in terms of handling the NRIC numbers, for instance, and how they institute cyber security measures to protect the private information of their clients.
In Singapore, the trading of data is the driving force that moves its economy forward. The city has made massive gains in this regard as it topped the Global Smart City Performance Index 2017, even ahead of bigger cities like San Francisco, London, New York, Barcelona, and Berlin. The study recognized Singapore’s data-centric initiatives to make the lives of its citizens better by optimizing the use of technology to give everybody greater access to digital services.
To be considered a Smart City, the area should be able to utilize the Internet of Things through sensors and meters to collect and interpret data to further improve health, mobility, infrastructure, and other government services.
The Challenges of Data Protection
The PDPA is a very important legislature in the future of data handling and exchange. Right now, the private data has become the currency in the digital world. Hackers constantly mine the cyberspace for any information that they can exploit financially.
For instance, a survey by the Javelin Strategy & Research revealed that 16.7 million people from the US alone have become victims of identity theft in 2017. That resulted in almost $17 billion in losses. Meanwhile, 3 in 10 of American consumers have been notified that their private information, particularly their social security number, was stolen by hackers.
The Act recognizes several challenges in data protection:
- The relaxed attitude that consumers have when it comes to protecting their private information
- Personal data now is easier to collect
- The popularity of social media channels like Facebook or Twitter also forces users into giving up some of their personal privacy in order to be connected
- The popularity of mobile devices which, in turn, also contribute to more and more cloud and online servers being hosted. In essence, people are essentially trusting third-party vendors with their personal information.
Because of these challenges, Singapore felt that it needed to establish parameters in the way businesses and organizations trade data. Basically, the law puts in place mechanisms and rules to limit the unnecessary collection of a person’s private information by businesses. One clear example is to ask for the individual’s expressed consent before they can input the personal data on their systems.
Prior to the Act, data protection in Singapore is basically a hit-and-miss affair. In some instances, data collection is protected under the law but the rules are not all-encompassing. Whatever the gaps are, it was assumed that the businesses would pick up the slack. It’s good if the business has its own cyber security protocols to protect the information of its customers. However, there was really no legal avenue for people when they need to file a lawsuit in case of a data breach.
Most of the principles enshrined in the Act are anchored on the same set of protocols laid down by the Organisation for Economic Cooperation and Development or the OECD.
At its core, the PDPA mandates that businesses should first acquire the consent of the individual for the collection, use, and disclosure of private information. Also, the organization must also get the consent if it will use the data for another purpose other than what was consented to. While businesses are tasked to secure the data, through cyber security measures, they are also mandated to give people access to their personal information.
The General Data Protection Regulation and its Impact on Singapore Businesses
The General Data Protection Regulation (GDPR) is an EU requirement that took effect in May 2018. While it was supposed to be an insular set of rules and policies covering businesses within the economic aggrupation, the GPDR has become a standard for the world’s businesses in how they handle data privacy.
Now, why is the GDPR important?
While the GPDR is legally binding only among the EU countries, the law is significant to Singapore because the country remains EU’s largest trading partner in the ASEAN, and also the 14th overall. Meanwhile, Singapore businesses have significant stakes in the EU because the nation only follows China and Japan among the Asian countries with large investments in the EU.
According to the European Commission, the bilateral FDI (foreign direct investment) stocks between Singapore and EU stood at €256 billion or roughly 410 Singaporean dollars.
The GPDR also covers Singaporean-based firms if they trade with the EU. This is why they really have to institute cyber security measures in compliance with the regulations on data protection if they want to continue doing business with EU countries.
Things to Consider When Complying with PDPA and GPDR
1. A data breach is mostly preventable
This is why it really doesn’t make sense why companies and organizations continue to resist investments in cyber security. The most common errors in relation to stolen data are the human factor and the weak digital infrastructure. In a world where data is a currency, a breach will cause untold damage to your reputation.
The website breachlevelindex.com revealed that there were 14,644 billion data has been stolen or lost since 2013. In fact, every day, an estimated 7 million people have become victims of stolen data. According to the website, a measly 4% of companies with cyber security firewalls are breached.
Meanwhile, the 2018 Cost of a Data Breach revealed that the average loss of an organization or business for each data breach has already reached $3.9 million, which is up from the $3.1 million in 2017.
2. Clean up the files
An efficient organization should assess all the data that is contained in the servers. It’s important to know which of the data you need and how it is being stored. The basic questions of who owns the data, how it is being protected, and who needs the data should be adequately answered. Personal data that could not be verified should be discarded from the central repositories. This will protect you from a headache later on if the private data ends up in the wrong hands. In the same vein, your personnel should also be trained on how to appreciate the need for cyber security so they would be more cognizant of how they use cloud services, protect their password, or utilize unstructured data.
3. Always update the systems
Cyber security is anchored on smart investments. Smaller organizations couldn’t possibly keep up with the fast-paced technological advances. Unless they have money to burn, it’s not sustainable to be always changing computers and servers to prevent a data breach. With that said, they need to constantly monitor and assess their systems to determine if they still have the existing technology in place to handle the growing challenges and vulnerabilities.
Meanwhile, you also make sure the knowledge of employees is also updated so you take out human error out of the equation.
4. Set Action Plan in Place
Finally, your cyber security plan should also involve a response strategy in case of an attack. Each department and personnel must know their respective roles once the organization encounters a problem. The requirements outlined in the GDPR mandates companies to notify customers of the data breach within 72 hours after the infringement was first detected. While your IT team will move to isolate the breach, the marketing team should be ready for the fallout. How do you then contain the bad press and ensure that your customers won’t be scared into bringing their business elsewhere?
Importance of Cyber Security
Clearly, businesses need to have a cyber security strategy in place. You can’t afford to gamble the future of your company on the small chance that you will be targeted by hackers or identity thieves. There are a few countries in the world that can compete with Singapore in terms of harnessing digital technology for the benefit of its citizens.
Digital technology has elevated a small country like Singapore, with few resources to speak of, into becoming a global leader in data currency. The one challenge that Singapore is facing, however, is its reputation as a “police state.” The government is so intertwined with private corporations and the citizens that any security breach is bound to have a fallback on the state.
In the US—which accounts for 6 in 10 global data breach incidents—any consequence of data breach is contained on the particular business concerned. Unfortunately, Singapore has no such luxury. If a private company has become a victim of hacking, the eyes of the world will inevitably turn to the government and its perceived failure to employ data protection protocols. This is why each organization, business, and academic institution must play its role in ensuring that the data of its citizens will not end up in the wrong hands. The fact that the government passed the Personal Data Protection Act is sufficient proof that it takes this matter seriously.