10 July, 2015
At the third annual Singapore Personal Data Protection Seminar 2015 held on 8 May 2015, much attention was given to initiatives to assist SMEs to understand and comply with Singapore’s personal data protection law.
From a broader perspective, it is useful for organisations to take note of three key features of personal data protection in Singapore that can be garnered from the speeches by Dr. Yaacob Ibrahim, Minister for Communications and Information, and Mr Leong Keng Thai, Chairman of the Singapore Personal Data Protection Commission (“PDPC”), at the Seminar.
These three key features are namely:
- Emphasis on IT security and protection against cyber threats;
- Data breaches affect businesses; and
- More industry guidelines expected.
Emphasis On IT Security And Protection Against Cyber Threats
With the rise of global and local data breach incidents in an increasingly data-driven world, the Singapore Government has recognised that many organisations in Singapore are still not adequately prepared to meet the cyber threat landscape, or are only just beginning to confront this threat seriously.
In this regard, the newly-formed Singapore Cyber Security Agency (“CSA”) is expected to mount a sustained effort in the coming months to partner industry in enhancing cybersecurity preparedness. Also, the guidance notes that were published jointly by the PDPC and the CSA on 8 May 2015 is a starting point towards helping organisations secure personal data electronically and manage any data breaches.
The recent and upcoming efforts of the authorities are clear indications of the seriousness with which cybersecurity is viewed. There is no doubt that organisations must step up in terms of IT security and cyber defences in terms of the way they collect, store, use and dispose personal data against the evolving cyber threat landscape.
Data Breaches Affect Businesses
Implicit in any data breach is that it is not only the individual personal data that is compromised. The reputation of the organisation responsible for securing the personal data is also likely to be affected, for whichhere may be real cost consequences.
While negative publicity and loss of business are obvious outcomes, a serious data breach could very well threaten the share price of an organisation and perhaps even its ability to carry on business, especially where the organisation is operating in a regulated industry or is faced with mounting legal claims.
As it will take an organisation an inordinate amount of resources and time to repair the damage to the trust reposed in it by customers and or the regulator, the management of a data breach must start from a preventative and risk management approach. Beyond proper securing of personal data within the organisation, it necessarily involves proper vendor management and due diligence of their systems, and regular monitoring. It will also serve an organisation well to put in place incident management and response plans, including business continuity and crisis communication and/or media management.
More Industry Guidelines Expected
We are fortunate to have the PDPC taking the lead to help organisations by explaining the Singapore personal data protection law and how it affects specific industries in particular situations.
To date, the PDPC has issued 5 sector-specific Advisory Guidelines for the telecommunication, real estate agency, education, healthcare and social service sectors. The PDPC has indicated that more advisory guidelines and guides are on the horizon. It is also with much interest that specific industry associations (such as the Singapore Hotel Association) have taken a pro-active role in developing advisory guidelines for their respective industries. These guidelines will be released for public consultation before they are issued, as it will allow useful comments to be given to improve these guidelines.
With avenues for industry-led action and assistance from the PDPC, organisations within each specific industry should take the opportunity to collaborate and map out how their industry can work towards compliance with the personal data protection regime based on their operations as a whole. This not only helps to build trust in the professionalism and business processes of the industry, but also fosters a more mature data protection landscape that inspires confidence for the economy.
Where Do We Go From Here?
In today’s information age, it is undeniable that data is a key driver of trade.
Governments and businesses alike need to leverage on data and technology to deliver services and stay competitive. The realization of Singapore’s vision to become the world’s first Smart Nation, “to harness information and communications technology, networks and data to support better living, create more opportunities, and to support stronger communities”, will have to be underpinned by a robust data protection framework and a resilient cyber security defence.
For further information, please contact:
Rizwi Wun, Partner, RHTLaw Taylor Wessing
rizwi.wun@rhtlawtaylorwessing.com
Jack Ow, RHTLaw Taylor Wessing
jack.ow@rhtlawtaylorwessing.com
