Companies must heed legal regulations on data protection
By Steve Tan, Partner, Deputy Head of Technology, Media and Telecommunications at Rajah & Tann LLP
WITH increasing access to mobile devices and the Internet, the amount of data created annually worldwide is predicted to soar to 180 zettabytes (180 trillion gigabytes) in 2025, with approximately 80 billion devices connected to the Internet.
As organizations look towards data to track consumer patterns and guide business direction, they should also be mindful of the legal regulations that govern the protection of data and the possibility of a data breach. In the past year, we have seen some of the largest data breaches in history with millions of accounts compromised and the release of personal data such as addresses and telephone numbers for sale on the black market.
— ipfconline (@ipfconline1) April 15, 2017
Such high-profile data breaches have been increasing in size and prevalence in recent years, with cybercriminals (and even state actors) taking interest in obtaining sensitive corporate and personal information. Besides such hacking attacks, a data breach can also arise from employee mischief or neglect, an inadvertent leak, lack of or failure in security measures, just to name a few.
Regardless of the cause, the threat of data breaches is imminent and can have severe repercussions for organizations, especially if they are found guilty of failing to take sufficient measures to secure their data. Singapore’s data protection law has one of the highest fines in Asia with each breach subject to a potential fine of SGD1 million. Similarly, breaching Europe’s new General Data Protection Regulation can result in a fine of the larger of either €20 million or four percent of the organization’s global annual turnover.
Beyond financial penalties, a data breach can cause irreversible damage to a company’s reputation as well as potentially significant damages payable in civil liability to third parties, not to mention possible personal criminal liability for senior management.
Ensuring compliance in an evolving landscape
Organizations should be well aware of the prevailing legal regulations that govern ever-growing popular technology solutions such as cloud storage, collection, analysis and offshore storage of customer data.
Here are a few tips for organizations to ensure they comply with the legal regulations where they operate:
1. Have a clear understanding of how personal data is used and managed in your organization.
Some questions business leaders need to ask include what personal data has been collected, who has access to this data, whether the purposes of processing of such personal data are lawful, where and how it is kept and secured as well as how long such personal data is kept on file. In some instances, data storage and protection is managed on behalf of an organization by an outsourced service provider.
Organizations need to ensure they understand the level of protection provided by the outsourced service provider and ascertain whether regulations, including sector-specific ones, permit offshoring or cross-border data sharing. In some countries, there appears to be a growing trend of data localisation, which means organizations are not permitted to transfer any data overseas.
Data protection regulations in Asean countries are also set to develop in future in light of commitments arising from the formation of the Asean Economic Community (AEC) in 2015 and the continued digitization of everything.
Singapore, Malaysia and the Philippines are presently the only countries with dedicated robust data protection laws, and it is only a matter of time before the rest of Asean follow suit, with significant implications for foreign organizations operating in those countries.
2. Conduct regular audits and penetration testing.
The authorities recognize the fact cybercriminals often use sophisticated measures in their attacks. However, as seen with the many data breaches around the world, it is most often the case the organization has failed to have sufficient security measures in place. It is also a known fact many organizations are not doing enough to protect customer data or their important data.
At the bare minimum, organizations need to meet the regulatory standards for data protection and compliance. Beyond this, they should also conduct regular audits and security assessments such as penetration testing, to ensure the integrity of their security framework and that employees are abiding by set guidelines, especially when handling sensitive information.
— ipfconline (@ipfconline1) April 17, 2017
3. Be willing to seek external advice.
By working closely with professionals such as specialized lawyers with relevant expertise, organizations will be able to have a better understanding of other factors that could affect their business decisions, such as a digital transformation initiative to move data to the cloud.
Legal advice is also important for organizations that operate in a highly-regulated industry, such as financial institutions, which could have sector-specific laws that add a further layer of compliance for the organization.
In the event of a data breach or cyber attack resulting in leaked data, that organization would suffer the brunt of not only data protection laws, but also sector-specific laws.
Ultimately, the burden of cybersecurity falls on the organization itself and regulations call for them to ensure sufficient security measures and practices are put in place. The proper use, storage and security of data should not be seen solely as the responsibility of a “few good men” within the organization, such as the IT head or the data protection officer, but rather as a culture that permeates the entire organization.
New technological innovations have the potential to disrupt current practices and pose challenges for security management, but with the right data protection measures in place, organizations will be able to take full advantage of them to drive their business forward.
For more insights, join Steve Tan at the CommunicAsia2017 Summit, where he’ll be speaking on the topic of “Grappling with the Internet of Things, Disruptive Technology, Cloud of Things and Data Privacy”.