The digital economy is here. An effective data management strategy leads to greater insights, better decision making and positive outcomes. Artificial Intelligence, Machine Learning and Data Analytics make the headlines, but Data Protection is the real foundation on which a sound data management strategy can be built.
With data becoming a valued commodity, data breaches and phishing cannot be ignored. Notable data breaches in recent years include KBox in 2014, affecting over 300,000 members; Uber in 2016, affecting over 300,000 users; SingHealth in 2018, affecting 1.5 million patients, including PM Lee Hsien Loong; and the Health Sciences Authority in 2019, affecting over 800,000 blood donors.
Around 900 cases of bank-related phishing scams were reported in the first six months of 2020, up from just 34 such cases for the same period in 2019.
Organisations based in Singapore need to understand and fully comply with the following:
- Personal Data Protection Act 2012 (PDPA)
- Info-communications Media Development Act 2016 (IMD Act)
There are consequential operational as well as financial impacts from both these acts. Broadly, the PDPA requires organisations to develop and implement policies and procedures that clearly notify customers that their personal data is being collected and how the data may be used, and to obtain consent for the collection and use of data. Organisations must take reasonable steps to verify the accuracy of the data, including allowing customers to update, correct and delete data. Organisations must protect any personal data, including through physical and cyber security. Organisations must dispose of personal data after the fulfilment of the stated use of data. Organisations must have a data breach management plan to contain the breach, assess the impact, report the breach and take preventive actions. PDPA is broadly concerned with these three concepts:
1. Consent
Seeking and recording proof of the owner’s knowledge and consent to collate, use and / or disclose the personal data.
2. Purpose
Giving accurate information to the personal data’s owner on the purpose and use for the data.
3. Reasonableness
Only collecting, using and / or disclosing the owner’s personal data for purposes that are deemed appropriate and reasonable to the business situation.
With regard to the above, all organisations must appoint a Data Protection Officer (DPO) to ensure compliance with the PDPA. The DPO need not be an employee and can be outsourced for practical concerns. Companies that fail in their Data Protection obligations face fines of up to 10% of a company’s revenue or S$1 million, whichever is higher. Individuals who commit offences under the PDPA also face fines of up to $10,000 or imprisonment of up to 12 months or both.
Why Alder?
In January 2021, DBS launched an in-house institute to help staff enhance their technology skills, including cyber security. The risk is real, but not all companies will have the financial and manpower resources to justify in-house data protection solutions. Contact us for cost-effective outsourced DPO solutions, including data protection policies, PDPA consultancy and training, and compliance checking.

