The Business Times

How new EU data protection law will impact Singapore firms

The General Data Protection Regulation, effective May 2018, imposes hefty fines for non-compliance.

Published Tue, Mar 27, 2018 · 09:50 PM

COLLECTION of individuals' personal information, such as NRIC numbers, used to be a common commercial transaction for organisations for a range of reasons including issuing visitor badges for buildings, signing up for retail memberships or lucky draws. But not anymore.

More than 7.1 billion identities worldwide have been exposed in data breaches over the last eight years. However, recent high-profile cyber breaches, including the Singapore Ministry of Defence breach in early 2017 that resulted in the personal data of 850 national servicemen and employees being stolen, have sparked more conversations around security protocols for protecting personal data.

Later in the year, Singapore's privacy gatekeeper, the Personal Data Protection Commission (PDPC), revised advisory guidelines on how local organisations handle individuals' NRIC numbers and collect the physical NRIC or a copy of it. This encouraged more local organisations to take the necessary steps to better serve their customers by adopting stronger measures to protect the personal data they collect, if they collect it at all.

Data is the driving force of Singapore's digital economy as the nation progresses towards becoming a Smart Nation. As such, it is imperative that local organisations adopt a strategic cybersecurity stance on how personal information is collected, managed and removed.

An important change for some Singapore businesses is the new European Union (EU) General Data Protection Regulation (GDPR), which takes effect in May 2018. Touted as the most significant change in data privacy regulation in 20 years, the new legislation underpins a comprehensive series of rights and principles that serve to protect the personal information of individuals within the EU. It is also influencing change in privacy regulations around the world.

IMPLICATIONS FOR SINGAPORE ORGANISATIONS

The nature of the GDPR is that as long as an organisation collects data on people within the EU, shares data or sells products and services within the EU, it will be subject to the GDPR - even if it is located in Singapore.

As Singapore is the EU's largest commercial partner within Asean, many organisations here will be caught in the fold. Not only can non-compliance result in potential fines of S$29.8 million or up to four per cent of global annual turnover, whichever is greater, it will also damage an organisation's reputation among its most valuable resource - its customers. Local organisations need to sit up and pay attention to GDPR if they haven't already done so.

Recent phenomena such as the emergence of fake news and multiple cases of personal information loss have led to trust becoming a largely coveted business currency. To that end, GDPR comes at an opportune time for organisations to foster confidence and trust with customers.

By upholding the data standards championed under the GDPR, organisations will be able to demonstrate an augmented sense of corporate responsibility. It is by taking such measures to protect customers' interests that organisations can provide accountability and cultivate trust. Good privacy practices are fast becoming a valued commodity.

GDPR-aware companies will also be ahead of the wave as more and more jurisdictions modify their privacy legislation to be closer to the GDPR.

Here are some tips to achieve GDPR compliance and protect data against cyber breaches:

Know what data you have and where it is: Good data privacy starts with understanding what data you need for your business, who needs that data, and where it is kept. Organisations often find themselves with undocumented personal data stored outside of the formal business repositories. Understand how your staff are using unstructured data, alternate cloud services and roaming devices. This is essential to developing smart data governance policies that help businesses while controlling privacy risks.

Handle with care: Most privacy breaches are preventable. The two main causes of privacy breaches are careless human errors and poor security. Data is a precious resource, so companies must treat it appropriately. Protect your IT systems and control data so that it does not fall into the wrong hands, and have the ability to render data unusable if the worst-case scenario pans out.

Efficient cybersecurity strategies do not have to be costly: Strong, cost-effective data privacy protection is about your technology, people and business processes working together. Employees need to be aware of privacy risks and how data should be handled. Likewise, business processes need to be designed with privacy in mind.

Continuously monitor: Privacy is not a one-time exercise. Regularly evaluate your current business to establish if the technologies you have in place are appropriate as IT systems, security threats and company practices change.

Plan your response: If something goes wrong, know in advance how you are going to respond. The GDPR requires notification within 72 hours of a privacy breach being detected. How will you detect a privacy breach? Who will take charge and how will you carry out notification? Consider the legal and security teams practising this in an exercise, just in case.

In a world where data is everywhere, it is becoming increasingly difficult for organisations to protect the personal information entrusted to them. And as cyber criminals reveal new levels of ambition and ability, organisations will need to keep privacy and security at the forefront of their business strategy to reduce their regulatory risks.
