The legal impact of data protection and management in the digital age

18 Apr 17

With increasing access to mobile devices and the internet, the amount of data created annually worldwide is predicted to soar to 180 zettabytes (180 trillion gigabytes) in 2025, with approximately 80 billion devices connected to the Internet.

As organisations look towards data to track consumer patterns and guide business direction, they should also be mindful of the legal regulations that govern the protection of data and the possibility of a data breach. In the past year, we have seen some of the largest data breaches in history with millions of accounts compromised and the release of personal data such as addresses and telephone numbers for sale on the black market.

Such high-profile data breaches have been increasing in size and prevalence in recent years, with cyber criminals (and even state actors) taking keen interest in obtaining sensitive corporate and personal information. Besides such hacking attacks, a data breach can also arise from employee mischief or neglect, an inadvertent leak, lack of or failure in security measures, just to name a few.

Regardless of the cause, the threat of data breaches is imminent and can have severe repercussions for organisations, especially if they are found guilty of failing to take sufficient measures to secure their data. Singapore's data protection law has one of the highest fines in Asia with each breach subject to a potential fine of S$1 million.

Similarly, breaching Europe’s new General Data Protection Regulation can result in a fine of the larger of either 20 million Euro or 4 per cent of the organisation’s global annual turnover. Beyond financial penalties, a data breach can cause irreversible damage to a company’s reputation as well as potentially significant damages payable in civil liability to third parties, not to mention possible personal criminal liability for senior management.

Ensuring compliance in an evolving landscape

Organisations should be well aware of the prevailing legal regulations that govern increasingly popular technology solutions such as cloud storage and the collection, analysis and offshore storage of customer data. Here are a few tips for organisations to ensure that they comply with the legal regulations of the jurisdictions in which they operate.

1 IDC FutureScape: Worldwide IT Industry 2017 Predictions

1. Have a clear understanding of how personal data is used and managed in your organisation. Some questions that business leaders need to ask include what personal data has been collected, who has access to this data, whether the purposes of processing of such personal data are lawful, where and how it is kept and secured, and how long such personal data is kept on file. In some instances, data storage and protection is managed on behalf of an organisation by an outsourced service provider.

Organisations need to ensure that they understand the level of protection afforded to the data by the outsourced service provider, and ascertain whether regulations, including sector-specific ones, permit offshoring or cross-border data sharing. In some countries there is a growing trend towards data localisation, which means organisations are not permitted to transfer any such data overseas.

Data protection regulations in ASEAN countries are also set to develop further in light of commitments arising from the formation of the ASEAN Economic Community (AEC) at the end of 2015 and the continued digitalisation of everything. Singapore, Malaysia and the Philippines are presently the only countries with dedicated, robust data protection laws, and it is only a matter of time before the rest of the ASEAN countries follow suit, with significant implications for foreign organisations operating in those countries.

2. Conduct regular audits and penetration testing. The authorities do recognise the fact that cyber criminals often use sophisticated measures in their attacks. However, as seen with the many data breaches around the world, it is most often the case that the organisation itself has failed to have sufficient security measures in place.

It is also a known fact that many organisations are not doing enough to protect customer data or their important data. At the bare minimum, organisations need to meet the regulatory standards for data protection and compliance. Beyond this, they should also conduct regular audits and security assessments such as penetration testing, to ensure the integrity of their security framework and that employees are abiding by set guidelines, especially when handling sensitive information.

3. Be willing to seek external advice. By working closely with professionals such as specialised lawyers with the relevant expertise, organisations will be able to have a better understanding of other factors that could affect their business decisions, such as a digital transformation initiative to move data to the cloud.

Legal advice is also important for organisations that operate in a highly regulated industry, such as financial institutions, which may be subject to sector-specific laws that add a further layer of compliance. In the event of a data breach or cyberattack resulting in leaked data, such an organisation would face the consequences not only of data protection laws but also of sector-specific laws.

Ultimately, the burden of cyber security falls on the organisation itself, and regulations require it to ensure that sufficient security measures and practices are put in place. The proper use, storage and security of data should not be seen solely as the responsibility of a ‘few good men’ within the organisation, such as the IT head or the data protection officer, but rather as a culture that permeates the entire organisation.

New technological innovations have the potential to disrupt current practices and pose challenges for security management, but with the right data protection measures in place, organisations will be able to take full advantage of these to drive their business forward.

Article by Steve Tan, Partner, deputy head – Technology, Media & Telecommunications, Rajah & Tann LLP.