SMEs in Singapore need to be careful when moving data to the cloud. Source: Shutterstock

SMEs in Singapore need to be careful when moving data to the cloud. Source: Shutterstock

What SMEs should know about SG’s new laws on data privacy in the cloud

TODAY, digital-first businesses recognize the many benefits that the cloud has to offer. This can be seen from the increased number of businesses that are engaging Cloud Service Providers (CSP) to help them migrate data and applications to the cloud.

Whilst many are eager to jump on the cloud services bandwagon, businesses must be careful about how they move and manage sensitive data.

Data privacy, after all, is a key concern for consumers and regulators alike, and a breach can prove disastrous, causing irreparable reputational and financial damage.

In October, Singapore’s Personal Data Protection Commission (PDPC) added a new chapter — Chapter 8 — on cloud services in the advisory guidelines on the Personal Data Protection Act (PDPA) for selected topics.

Business owners in Singapore, as a result, must make an effort to understand the new chapter as it stipulates the legal obligations of a business in ensuring client data privacy when engaging the services of a CSP.

In response to a client alert issued on the subject by the practice Baker McKenzie Wong & Leow, Tech Wire Asia interviewed Alex Toh, a Senior Associate in its M&A Practice, who is focused on Technology, Media and Telecommunications (TMT) matters.

According to the legal specialist, a key emphasis in Chapter 8 is that organizations engaging CSPs remain responsible to comply with the PDPA. If an overseas data transfer is required, organizations must also ensure that these destinations have comparable data privacy laws.

However, “Singapore has yet to officially recognize any countries as having a comparable standard of data protection”.

Therefore, to mitigate the risk of breaching Chapter 8 of the PDPA, businesses need to assess for themselves the adequacy of data protection laws of the country where the CSP is located.

SMEs that don’t have the competency to thoroughly assess the sufficiency of laws in another jurisdiction must look for other ways to satisfy these requirements — according to Toh, that may well mean pursuing a legal contract that requires the CSP to protect personal data to a standard similar to that prescribed by the PDPA.

Toh, who often advises clients on the matter of data privacy and protection in the cloud-first era, said that SMEs must be aware that they have the same obligations as large businesses to comply with the PDPA.

“SMEs probably do not have the same resources that are available to large organizations to devote to selecting and contracting with service providers, so they need to be smart in using available resources to assess whether a CSP will adequately protect the SME’s personal data”.

Toh also mentioned that before SMEs engage with a particular CSP, they must be cautious and check what contract commitments the CSP provides with regards to data protection and privacy.

“SMEs can also look into the security certifications obtained by the CSP to ensure that its security measures are of an acceptable standard. Examples of these certifications are the ISO 27001 or the Multi-Tier Cloud Security Standard.”

Technical experts believe that moving to the cloud is a requirement today, and legal experts like Toh don’t disagree.

However, effective yet safe digitalization only requires that SMEs bear in mind that there upholding the trust of customers is important — and hence, companies need to go the extra mile to protect the privacy of the personal data that is collected.