As Singapore works towards becoming a Smart Nation, it is important to strike a balance between leveraging Big Data to transform the economy and data privacy. On the business front, data relating to individual behaviours and preferences have translated into a competitive advantage for many organisations. However, while many organisations have recognised the value of data as the new fuel for growth, not all are well prepared for the fast-evolving data regulation landscape, both locally and across the globe.
In recent months, Singapore's Personal Data Protection Commission (PDPC) proposed a revision to the existing Personal Data Protection Act (PDPA), which will require organisations to inform customers of personal data breaches as soon as they are discovered. Organisations must also report the breach within 72 hours. This will add to the existing PDPA which comprises various rules governing the collection, use, disclosure and care of personal data in Singapore. Rapid advances in technologies - such as the ability of devices to seamlessly collect and transmit personal data across networks - present challenges for consent-based approaches to personal data protection. It is critical for organisations to be mindful that the proposed review will potentially impact their organisations if they process personal data for internal use or on behalf of another organisation.
Adopted in April 2016, the General Data Protection Regulation (GDPR) requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The new regulation, which will take effect from May 25, 2018, requires organisations to maintain an overview of where and how personal data - including credit card details, banking and health records - is stored and transferred.
Though GDPR may seem to affect only those residing in the EU, local businesses should not dismiss the regulations, especially since Singapore is by far the EU's largest commercial partner in Asean, accounting for about one-third of EU-Asean trade in goods and services, and roughly two-thirds of investments between the two regions.
A recent study by Veritas has identified a consistent trend among local organisations. It suggests that companies hold large amounts of ROT (redundant, obsolete and trivial) and dark data on premises and in the cloud. If left unchecked, such business data will unnecessarily cost organisations around the world a cumulative US$3.3 trillion by 2020.
According to the latest Veritas study on GDPR, more than half of organisations in Singapore (56 per cent) are concerned that they will not be able to meet the new EU requirements, and only 18 per cent feel they are already GDPR-compliant. But it is encouraging to note that 95 per cent of the organisations here plan to drive behavioural changes through training, rewards and contracts to help ensure that they comply with GDPR policies.
Notwithstanding the alarming statistics, it is only fair to acknowledge that the biggest challenge for many organisations in Singapore is understanding what data resides in their complex IT environments, how to protect the data and delete it from the network when requested or when it's no longer needed. Veritas research also shows that a third (34 per cent) of organisations in Singapore do not have the right technology in place to cope with GDPR. With just six months to go before the rules take effect, organisations should look to establish a clearly defined governance strategy with data management tools at the core.
As with any new regulation, companies need to be aware of the risks of prosecution and breaking the principles of GDPR, which could result in huge penalties of up to four per cent of global turnover or 20 million euros (S$32 million), whichever is greater. However, the severity of the failure to comply will not just end with these penalties.
Being non-compliant to GDPR could potentially have a devastating impact on an organisation's brand image, especially if and when a compliance failure is made public, potentially as a result of the new obligations to notify data breaches to those affected. Other adverse consequences include the devaluation of the brand as well as the loss of customer loyalty - which most companies fear. According to the same Veritas study on GDPR, 20 per cent of the companies surveyed fear that negative media or social coverage could cause their organisation to lose customers.
To remain GDPR-compliant, companies can follow these guidelines to ensure that their organisation is kept in check:
The critical first step in complying with GDPR is gaining a holistic understanding of where all the personal data held by your organisation is located. Building a data map of where this information is being stored, who has access to it, how long it is being retained, and where it is being moved is critical to understanding how your enterprise is processing and managing personal data.
Residents of the EU can now request visibility into all of the personal data held on them by submitting a Subject Access Request (SAR). They can also request that the data be corrected (if factually incorrect), ported (to a suitable export format) or deleted. Ensuring that your organisation can undertake and service these requests in a timely manner is critical to avoiding GDPR penalties.
Data minimisation, one of the main tenets of GDPR, is designed to ensure that organisations reduce the overall amount of stored personal data. This is done by keeping personal data only for the period of time directly related to the original intended purpose. Deploying and enforcing retention policies that automatically expire data over time would establish the cornerstone of your GDPR strategy.
Under GDPR, organisations have a general obligation to implement technical and organisational measures to show they have considered and integrated data protection into all data collection and processing activities. Organisations may benefit from existing advisory services that are available to educate and transfer knowledge to global legal, compliance and privacy teams as to how the solution can help meet the GDPR challenge.
GDPR requires all organisations to report certain types of data breaches to the relevant supervisory authority, and in some cases to the individuals affected. You should ensure that you have capabilities in place to monitor for possible breaches - such as unexpected or unusual file access patterns - and to quickly trigger reporting procedures.
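The data-map, subject-access and retention guidelines above can be exercised on a small personal-data inventory. The following is an added example written for this article, not Veritas code or part of the original piece; the inventory records, the purposes and the retention periods per purpose are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
import json

# Hypothetical retention periods (days) per collection purpose; data minimisation
# means a record is kept only as long as its original purpose requires.
RETENTION_DAYS = {"order_fulfilment": 365, "marketing": 90}

# "Today" for the retention check; the GDPR effective date is used as a fixed clock.
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)

# Constructed data map: each record names the data subject, the purpose it was
# collected for, when it was collected, and the personal data itself.
RECORDS = [
    {"subject": "alice@example.com", "purpose": "marketing",
     "collected": "2018-01-01T00:00:00+00:00", "data": {"email": "alice@example.com"}},
    {"subject": "alice@example.com", "purpose": "order_fulfilment",
     "collected": "2018-03-01T00:00:00+00:00", "data": {"address": "1 Example Rd"}},
    {"subject": "bob@example.com", "purpose": "marketing",
     "collected": "2018-05-01T00:00:00+00:00", "data": {"email": "bob@example.com"}},
]


def expire_records(records, now=NOW):
    """Retention policy: drop every record older than the limit for its purpose."""
    kept = []
    for r in records:
        age = now - datetime.fromisoformat(r["collected"])
        if age <= timedelta(days=RETENTION_DAYS[r["purpose"]]):
            kept.append(r)
    return kept


def service_sar(records, subject, action, correction=None):
    """Subject Access Request: 'access' lists the subject's records, 'port' exports
    their data as JSON, 'rectify' applies corrections, 'erase' removes them."""
    mine = [r for r in records if r["subject"] == subject]
    if action == "access":
        return mine
    if action == "port":
        return json.dumps([r["data"] for r in mine], sort_keys=True)
    if action == "rectify":
        for r in mine:
            r["data"].update(correction or {})
        return mine
    if action == "erase":
        return [r for r in records if r["subject"] != subject]
    raise ValueError(f"unknown SAR action: {action}")
```

Running `expire_records(RECORDS)` against the fixed clock drops Alice's 144-day-old marketing record while keeping the two records still within their retention periods.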
By following these best practices, companies would be able to comply with GDPR and other regulations, such as PDPA. Businesses would also establish data management capabilities that are more robust and compliant than before. To keep up with the changing technology landscape, it is more important than ever to have the appropriate data management measures in place, to ensure that companies are on the right side of the law.
- The writer is Singapore country manager at Veritas.