
Spelling out what GDPR means for Singaporean businesses

The European Union’s General Data Protection Regulation, or GDPR, comes into effect tomorrow.

The regulation represents a global change, forcing governments and institutions to recognize the value of data as a commodity and regulating organizations that hold data in order to protect individuals and make businesses more accountable.

Today’s complex regulatory landscape continues to evolve amid rising concerns over the misuse of data, and legislation varies by country. With Singapore making international partnerships core to its success, this adds another layer of complexity to a situation that is already convoluted and confusing enough for one country.

What does GDPR really mean for Singaporean businesses?

We know that from May 25, 2018, GDPR will arrive in Singapore, meaning businesses of all sizes will need to comply with the regulation if they have an established presence in the EU, offer goods and services to EU residents, or in any way monitor or profile the behavior of EU residents.

Given Singapore’s international reach and partnerships, a huge number of businesses will be impacted and will need to comply with these rules or cease serving or profiling their European customers.

However, a recent global survey from EY has shown that while 70 percent of Singaporean respondents are concerned about how GDPR will affect them, only 10 percent of them have a compliance plan in place.

To start building that plan, amid all the confusion, here are four steps businesses should take:

  1. Know your data

In order for businesses to best prepare for new legislation, they must first know their data and be able to answer key questions like:

  • Where does our data originate and where is it stored?
  • Do we know all of the places where our data is backed up and replicated?
  • How does personal data flow in and out of our business?
  • What is our customer and office presence across regions?
  • How much control do we have over the processing of the data?

Without knowing and understanding your data, and without a solid data privacy compliance framework, you cannot determine exactly how you will be impacted by new legislation as it emerges.

EY’s survey shows that 11 percent of Singaporean respondents are using forensic data analysis tools to work toward this part of becoming GDPR compliant, and 33 percent are looking at using these tools to achieve compliance.

If you’re not in either of these categories, you risk meeting May 25 unprepared.

  2. Understand your obligations

Once you know your data, you can start having more meaningful conversations around data compliance.

With so many laws and regulations, it’s difficult to fully understand what your obligations are, both internally and externally.

Yet in reality, this is the most important aspect of preparing for new legislation and adapting your business accordingly.

With this in mind, it’s advisable to get expert advice on legal obligations and IT solutions to quickly understand business responsibilities as legislation emerges or is adapted.

  3. Review the processes

It is vital that every organization knows where its data is stored, not to mention the risks associated with it.

The review process requires an understanding of the risks to personal information held by an organization, the consequences of data loss, and the way the data privacy compliance framework works to deal with these situations and shore up data privacy.

Businesses must sift through their policies, documents, procedures and third-party arrangements to ensure they are compliant.

  4. Build a data-centric staff culture

Businesses must focus on building a culture where data is the strategic asset – this kind of ethos is critical to successfully building and implementing the best compliance framework.

Getting staff on board doesn’t happen overnight; instead, it requires continuous empowerment of individuals with the right training and support, and that training and support has not kept up.

This shows in EY’s survey and in our own research. Only 8 percent of Singaporean respondents feel they have the right technical and/or data analytics skills – an issue so widespread that even the Singaporean government is setting aside US$145 million to deal with it.

Alarmingly, when it comes to fostering a culture of innovation, there’s a mismatch between what the board thinks is possible and what the staff implementing it believe:

41 percent of IT executives think their IT department is prepared to innovate, but if you ask IT workers, only 29 percent believe they are. Be sure to understand your organization’s true capabilities; otherwise, even the best plan will fail at its execution.

Organizations today have copious amounts of data and must comply with the myriad of national and international laws and regulations that govern it.

It’s a complicated business, but Singaporean companies must not be deterred. Instead, they need to switch their mindsets when it comes to compliance.

Organizations far and wide must acknowledge that compliance is no longer simply an IT issue. Instead, it must be handled across the business – from the board to legal, to sales and beyond.

It’s time to overcome complication with proactivity. Organizations must seek to implement proactive data management strategies, across their entire business, to confidently meet today’s compliance obligations.

With inputs from subject matter expert Matthew Johnston, Area Vice President, ASEAN & Korea, Commvault.