How can organizations stand against cyber risks amid the evolving data protection regulatory landscape? A whole-of-organization effort to understand data risks and design innovative and sustainable protection measures is vital.
Today, a data incident that is not managed well can snowball into a crisis. Given the sophistication, scale and impact of cyberattacks, no organization is immune from a data breach that could result in the theft or manipulation of its data.
Regulators in many countries recognize the seriousness of data risks today and are introducing and enforcing new data privacy and protection requirements. Since the General Data Protection Regulation (GDPR) came into effect on 25 May 2018, several organizations have been subjected to fines from the EU.
As of May 2019, fines totaled €56m across more than 200,000 investigations, 64,000 of which were upheld. €50m of the €56m total was a single fine against a technology company that had failed to comply with its obligation to be transparent about the data it was collecting and using to serve personalized ads.
In Southeast Asia, there is also a clear emphasis on data protection. Countries such as Singapore, Malaysia, the Philippines, Thailand, Indonesia and Myanmar have established laws on privacy and data protection, while Vietnam and Cambodia have laws that broadly cover some elements of data protection.
In Singapore, the country’s Personal Data Protection Commission (PDPC) issued a public consultation in May 2019 proposing data portability and data innovation provisions. It also intends to introduce a mandatory breach notification regime as part of the proposed amendments to the Personal Data Protection Act. Organizations in Singapore must also discontinue the widespread practice of collecting, using or disclosing consumers’ NRIC information from 1 September 2019.
Proactive compliance and a common risk language
Companies are recognizing that investing in the risk and compliance agenda to build stakeholder confidence and keep pace with the accelerating technology transformation must be a business imperative.
The desire to be resilient and to acquire the capabilities to bounce back from incidents will require a culture of proactive data compliance. Meeting only the minimum compliance requirements may reduce the risk of fines or loss of trust, but the risks associated with such a reactive compliance attitude remain significant.
Navigating the complex patchwork of regulatory requirements is hardly straightforward. It starts with organizations building up their data protection competency. The PDPC has rolled out a data protection competency roadmap that encompasses data protection management, risk management, breach management, stakeholder management, data protection audit and assurance, and data governance.
Next, organizations need to gain an understanding of the inventory of data they process, the sources from which data is collected and the data flows handled by the various business units. Technology enablement can support the data protection team, whose role is to assess the privacy impact and risk to the organization and to champion data protection policies and control implementation.
Lastly, organizations must develop a common framework for terminology, technology and performance metrics to enable cross-functional collaboration and a risk-informed leadership.
Such investments to strengthen an organization’s data protection and privacy capabilities are critical in building the business confidence needed to pursue a data innovation agenda, reducing the risks relating to cybersecurity and data breaches as organizations embark on their transformation journeys.
Data privacy and protection by design
As organizations innovate and transform, they need to build privacy into their processes and systems.
As a case in point, with the roll-out of the restrictions on the use of NRIC numbers in Singapore, organizations are driven to revisit their data management policies and activities, such as consumer loyalty and marketing programs in which NRIC information is collected. Organizations will have to use other means to verify the identity of their customers, and systems will need revisions to comply with regulatory requirements and to “privacy-proof” their digital platforms.
Therefore, in the course of redesigning systems and processes to meet current requirements, organizations need to also factor in future data protection requirements and consumers’ needs. They can do so by performing data protection impact assessments and integrating privacy considerations and data protection measures into the design of business processes and systems. In the long run, a proactive approach to data protection will help organizations be more agile in managing risks and meeting data privacy and protection requirements.
The reality is that changes in data protection requirements are inevitable in a dynamic regulatory climate. As organizations embrace their responsibilities and accountabilities towards protecting data and privacy – and the challenges that come with it – they should view it as an opportunity to build and secure customer trust that will pay off in the longer term.
The authors are John Ho Chi, Partner, and Hamalatha Seetharam, Manager, both from Advisory Services, Ernst & Young Advisory Pte Ltd. The views reflected in this article are the authors’ and do not necessarily reflect the views of the global EY organization or its member firms.