I recently had the pleasure of conducting a panel discussion with senior KPMG partner Lee Ser Yen, discussing the newly amended Singaporean Personal Data Protection Act (PDPA), and the impact which the changes to the Act will have on businesses across the APAC region. With the possibility of now being impacted by heavier fines, coupled with the continuance of serious data breaches worldwide, businesses urgently need to know how to respond to these regulatory changes.
Protecting Data while Enabling Innovation: A View of Singapore Revised 2020 PDPA
You can listen on demand here, or take a look at highlights of our discussion below. The recording of the debate also contains a demonstration by Forcepoint’s Sales Engineering Director Brandon Tan, who walks us through some practical tips and use cases on how to leverage technology to accelerate time-to-compliance with the PDPA.
Nick Savvides: The Singaporean Personal Data Protection Act has been a topic of much discussion in the APAC region since 2012, when it was first introduced. However, the new amendments which were passed in late 2020 brought the regulation up to date with digital transformation and data economy changes, and also put the privacy of individuals front and centre. So Lee Ser Yen, tell us: what drove the amendments?
Lee Ser Yen: The changes were really made in response to the evolution of the digital economy. Of course today, we see pervasive connectivity, and what I mean by that is that businesses have evolved to serve the proliferation of mobile internet and connected devices. Data is king: both in terms of what we consume, and what individuals share and access online. Businesses and individuals alike can benefit from the appropriate usage of personal data: customer profiles and behavioural patterns can be analysed to enhance service experiences. But with these opportunities do come threats. Those threats can come from cybercrime or misuse of individuals’ data: and data privacy is important to safeguard. There was a strong need to update how we view and share data, and provide clear guidance so companies know how to operate in the new world.
Nick Savvides: Fantastic. It’s really good to see proactive security and policy developments in this area, because privacy of personal data really does matter. We get a lot of questions though about what the PDPA means as a whole, and how organizations can operationalise the technology they need to not just be compliant as a box-ticking exercise, but also deliver on the spirit of the regulation too. How would you advise people approach this?
Lee Ser Yen: Well, it’s important to understand the base level of care which the PDPA sets out: it’s a regulation which balances the business needs for data usage with the reasonable expectations of a user. Back in 2014, the regulators laid out nine obligations: consent, purpose, notification, access and correction, protection, accuracy, retention limitation, transfer limitation and accountability. The amendments last year added a data breach notification and a data portability requirement. There have also been updates to both accountability and consent.
Let’s take the four major changes one by one.
Firstly, accountability. It’s not just an openness obligation, where there is the opportunity for the end user to check on the privacy policy of an organisation or request changes or corrections to any data held. There’s now also a need to have policies and processes in place, and to make these policies available on request. That means that organizations need clear, transparent policies on data collection, usage and protection. It may be that people need to consider implementing appropriate governance controls to manage data both within their organization and throughout their third-party supply chains.
This is a big one, because once you put accountability into the processing of data, you have to build it into every step of the personal data lifecycle. You have to ensure that you can identify, monitor and respond to personal data risks whether you are collecting, using, storing, retaining or even disposing of personal data. Ultimately it means data protection by design.
Secondly, consent. There are a number of different types of consent which can be given around personal data, which should always be requested from individuals before processing any data. The PDPA states that the organisation should collect, use or disclose personal data only for purposes which a reasonable person would consider appropriate in the circumstances. The regulation is there to support businesses’ innovation, and that’s why dynamic consent is so interesting: this allows consent to be taken from a user and transferred across should that user buy different services from a different platform, allowing for a smoother transaction. Ultimately here, the regulation is in place to offer guidance to businesses on how they can have data flow more effectively through an organization, but ultimately still protect the individual and their privacy.
The first of the new changes is the data portability requirement. I do think more guidance is needed here. The goal is to allow any individual to request that their data be shared across service providers, meaning that the data economy can continue to thrive and a person can experience seamless services should they switch, let’s say, from service provider A to service provider B.
The second and most impactful change however is the notification requirement of a PDPA incident. Organizations now have to report incidents within 72 hours if they are of significant scale (exceeding 500 entries) or may result in significant harm to an individual. Organisations need to quickly identify what data is being lost, and take action to resolve it. This will require quite a few changes to systems.
Nick Savvides: Thank you, Lee, great summary. Out of those four, the big one for me is the 72 hours to notify. In our experience, it’s really difficult for organisations to classify the magnitude of an incident in that short timeframe. Forensics can uncover a lot more after this timeframe has passed. What’s your view on taking a precautionary approach to this?
Lee Ser Yen: We do advise that incident reporting needs a “CARE” framework: communicate, assess, evaluate and resolve. And it really joins up data protection and cybersecurity: they can’t be run in two separate silos. We advise that people run practice exercises: you need to know beyond doubt that you have a system in place with clear roles and responsibilities so you know how to respond. When you are told that something’s gone wrong, and you have 72 hours to respond, proactive management is key. Understand your risk surface now, before a breach has occurred!
Nick Savvides: Absolutely agreed! I see data privacy as something we call cyber adjacency; these are intrinsically linked areas. Organizations really do need to invest in both preventative and predictive technologies to reduce that risk surface.
One of the challenges I see is that organizations do continue to work in silos, looking at “privacy technologies” and “data protection technologies” separately; but they are all part of a bigger whole. We can’t just use DLP, for example, to undertake forensic analysis after the event: it should be in place to protect organizations and stop the breach happening in the first place.
To hear more, including further discussion of data portability and a demonstration from Forcepoint’s Sales Engineering Director Brandon Tan on how to get more out of your existing DLP technologies, particularly as they relate to PDPA compliance, listen again to our BrightTalk webinar.