2019 has been a watershed year when it comes to data privacy in Singapore.
Ferry service operator Horizon Fast Ferry was fined $54,000 for not having “reasonable security arrangements” in place to protect customers’ personal data.
Sushi eatery Genki Sushi was also fined $16,000 for failing to secure staff data – a compromised server fell victim to a ransomware attack.
The biggest case of all: SingHealth and Integrated Health Information Systems (IHiS) were slapped with a $1 million fine for a breach that compromised the data of 1.5 million patients, including the Prime Minister.
All of these contributed to the $1.28 million in fines meted out in 2019 to date by the Personal Data Protection Commission (PDPC), as a result of organizations falling foul of the Personal Data Protection Act (PDPA).
Indeed, even if the $1 million SingHealth and IHiS fine were removed from the equation, the remaining $280,000 would still be double the total of all fines issued by the PDPC in 2018.
Current state of data security and privacy
It is clear that data security and privacy have rocketed to the fore as key areas of concern, for both businesses and consumers alike. The wider cybersecurity sphere has been elevated to one of national importance – to the extent that digital defence has now become the 6th pillar of Singapore’s Total Defence.
Meanwhile, Singapore’s Cybersecurity Act has been in effect for a year, and has forced 11 Critical Information Infrastructure (CII) sectors to proactively protect themselves against cyber intrusions in order to ensure the continuous delivery of essential services which Singapore relies on.
In a highly digital economy where data is the new oil, and consumers willingly give their personal information to big tech companies in exchange for personalized solutions and services, it’s only reasonable that the government has imposed measures to better police businesses, which include:
- Enforcing the appointment of a Data Protection Officer (DPO) to supervise the business’s collection, usage and disclosure of personal data, and to ensure compliance with the PDPA.
- Ensuring the implementation of both physical (e.g. proper disposal of sensitive data) and technical data protection policies (e.g. multi-factor authentication).
Falling foul of the law
However, for businesses that flout the PDPA, the repercussions are severe. Beyond the maximum $1 million fine that can be imposed, businesses may also be ordered to stop collecting, using or disclosing personal data, or forced to destroy any data that they have already collected.
Meanwhile, under the constructs of the PDPA’s European counterpart, the General Data Protection Regulation (GDPR), the penalty is much harsher – up to 4% of the business’s global turnover or 20 million euros, whichever is greater.
In addition, even though the GDPR is a European regulation, it still applies to any organization that collects data from residents and citizens of the European Union (EU), whether or not it operates in the EU.
While no Singaporean organization has yet fallen foul of the GDPR, one can’t help but wonder whether it may happen sooner rather than later, given the spate of data breaches that have taken place this year, the increasing complexity of the threat landscape, and the sheer volume of various types of data being handled by Singapore in its bid to become a smart nation.
An EY study revealed that 9 in 10 organizations are unprepared to deal with the GDPR. The only saving grace for Singaporean companies in the near future is that EU regulators are still busy working out their frameworks and practices for enforcing the GDPR in their own territories. Enforcing the GDPR beyond the EU may not be on their radar yet.
Taking necessary precautions
It would come as no surprise if this intense scrutiny started putting off the daring, digital-first businesses of today – after all, many modern business models rely on data to be effective. However, there are a few measures businesses can take to ensure that they remain compliant with the regulations they’re governed by. These enable them to continue collecting and using data to deliver better products, solutions and services to customers, and to operate effectively as a business:
- Use tools to assess your business’s compliance with regulations – There are many different assessments, toolkits, checklists and even consultancies that can help you evaluate your business’s current data privacy and security practices and identify gaps that need to be addressed.
- Appoint a Data Protection Officer (DPO) – A measure that is mandatory under both PDPA and GDPR guidelines, this individual is responsible for supervising your business’ collection, usage and disclosure of personal data. The individual is also the point person for ensuring that the business is compliant with any and all data privacy and security regulations, and for updating internal processes and policies when the law changes.
- Educate employees – Just as a chain is only as strong as its weakest link, a company is only as secure as its least security-savvy employee. Businesses should consider training employees in the art of handling, using and properly disposing of sensitive data. This should also include familiarizing employees with basic cybersecurity knowledge, such as identifying phishing emails or ransomware attacks.
A measured approach to a data-driven future
Data is the fuel that’s powering the growth of numerous economies, and Singapore is no exception. This tiny island-state has benefited from the advent of technology and the influx of data that has come with it – from ecommerce stores studying consumer buying patterns and browsing behavior to better target ads and promotions to them, to the government using data to better plan public transportation routes.
However, times are changing. While data collection is commonplace, consumers are becoming savvier and demand greater control over their data. So, the burden is on businesses to ensure they are accountable for that data’s protection and privacy – because one seemingly small slip-up could easily escalate into something bigger and scarier.