23 July, 2016
Privacy issues are grabbing the headlines around the world. Data breaches and cybersecurity threats are increasingly common aspects of daily life. Responsible companies spend millions trying to protect the personal data of their customers from criminals, governments and those who seek to use or exploit this information for their own purposes.
Personal data is the currency of the 21st century and the product most sought after is YOU – the individual. Who you are, what your preferences are and where you go – this information has great value to businesses who want to reach into your pockets via targeted marketing messages. Yet, as privacy advocates in Europe and the US try to find the right balance between Big Data and privacy, in Asia and particularly in Singapore, the concept of privacy is culturally alien.
Almost anywhere you go in Singapore, you are faced with forms requesting personal data such as your race, religion, income – and that is just from a visit to the dentist. Government forms often require a vast amount of information such as race, National Registration Identity Card numbers and religion so much so that most Singaporeans have almost no expectation of privacy. Most willingly provide vast amounts of personal data to companies in exchange for the chance to win a lucky draw prize or a discount. Singaporeans find this completely normal and it is one of the more noticeable aspects that incoming residents have to adjust to.
With the advent of the Personal Data Protection Act in July 2014, attitudes toward privacy have changed in some ways. Unwanted direct marketing calls and SMSes are frowned upon by many and have been generally eradicated. Success in this area has been easy to achieve because it is what everyone wants. Yet, clearly in relation to the broader aspects of data protection some 2 years after the new law was implemented, it is clear that old habits die hard. Companies that have implemented compliance programs run into resistance from employees used to operating in their tried and tested ways. For example, despite enforcement actions by the regulator, a trash bag containing unshredded personal data was recently found out in the open, apparently disposed of incorrectly and investigations have commenced.
Employees continue to flout policies, mainly because they do not understand why they are being asked to follow a course of action. Simply making employees agree to a policy they do not understand and which is culturally opposite to the societal norm, is not a real solution. If things are to change, businesses must invest, not only in cybersecurity and the latest technologies, but also in educating their employees to explain and help them understand the rationale for the policies and their critical role in the compliance process. This would help employees play their part and lead to a slow cultural shift in attitudes towards the protection of personal data.
We have to create a culture of respect for personal data at all levels of society. Only after we develop this culture, will we see real change.
