The legal impact of data protection and management in the digital age
FYI, this story is more than a year old
With increasing access to mobile devices and the internet, the amount of data created annually worldwide is predicted to soar to 180 zettabytes (180 trillion gigabytes) in 2025, with approximately 80 billion devices connected to the Internet.
As organisations look towards data to track consumer patterns and guide business direction, they should also be mindful of the legal regulations that govern the protection of data and the possibility of a data breach. In the past year, we have seen some of the largest data breaches in history with millions of accounts compromised and the release of personal data such as addresses and telephone numbers for sale on the black market.
Such high-profile data breaches have been increasing in size and prevalence in recent years, with cyber criminals (and even state actors) taking keen interest in obtaining sensitive corporate and personal information. Besides such hacking attacks, a data breach can also arise from employee mischief or neglect, an inadvertent leak, lack of or failure in security measures, just to name a few.
Regardless of the cause, the threat of data breaches is imminent and can have severe repercussions for organisations, especially if they are found guilty of failing to take sufficient measures to secure their data. Singapore's data protection law has one of the highest fines in Asia with each breach subject to a potential fine of S$1 million.
Similarly, breaching Europe’s new General Data Protection Regulation can result in a fine of the larger of either 20 million Euro or 4 per cent of the organisation’s global annual turnover. Beyond financial penalties, a data breach can cause irreversible damage to a company’s reputation as well as potentially significant damages payable in civil liability to third parties, not to mention possible personal criminal liability for senior management.
Ensuring compliance in an evolving landscape Organisations should be well aware of the prevailing legal regulations that govern ever growing popular technology solutions such as cloud storage, collection, analysis, and offshore storage of customer data. 1 IDC FutureScape: Worldwide IT Industry 2017 Predictions Here are a few tips for organisations to ensure that they comply with the legal regulations where they operate in.
1. Have a clear understanding of how personal data is used and managed in your organisation. Some questions that business leaders need to ask include what personal data has been collected, who has access to this data, whether the purposes of processing of such personal data are lawful, where and how it is kept and secured, and how long such personal data is kept on file. In some instances, data storage and protection is managed on behalf of an organisation by an outsourced service provider.
Organisations need to ensure that they understand the level of protection to the data provided by the outsourced service provider and ascertain whether regulations, including sector-specific ones, permit offshoring or cross-border data sharing. In some countries, there appears to be a growing trend of data localisation which means organisations are not permitted to transfer any such data overseas.
Data protection regulations in ASEAN countries are also set to develop in future in light of commitments arising from the formation of the ASEAN Economic Community (AEC) in end 2015 and the continued digitalization of everything. Singapore, Malaysia and the Philippines are presently the only countries with dedicated robust data protection laws, and it is only a matter of time before the rest of the ASEAN countries follow suit, with significant implications for foreign organisations operating in those countries.
2. Conduct regular audits and penetration testing. The authorities do recognise the fact that cyber criminals often use sophisticated measures in their attacks. However, as seen with the many data breaches around the world, it is most often the case that the organisation itself has failed to have sufficient security measures in place.
It is also a known fact that many organisations are not doing enough to protect customer data or their important data. At the bare minimum, organisations need to meet the regulatory standards for data protection and compliance. Beyond this, they should also conduct regular audits and security assessments such as penetration testing, to ensure the integrity of their security framework and that employees are abiding by set guidelines, especially when handling sensitive information.
3. Be willing to seek external advice. By working closely with professionals such as specialised lawyers with the relevant expertise, organisations will be able to have a better understanding of other factors that could affect their business decisions, such as a digital transformation initiative to move data to the cloud.
Legal advice is also important for organisations that operate in a highly regulated industry, such as financial institutions, which could have sector-specific laws that add on a further layer of compliance by the organisation. In the event of a data breach or cyberattack resulting in leaked data, that organisation would suffer the brunt of not only data protection laws but also sector-specific laws.
Ultimately, the burden of cyber security falls on the organisation itself, and regulations call for them to ensure that sufficient security measures and practices are put in place. The proper use, storage, and security of data should not be seen solely as the responsibility of a ‘few good men’ within the organisation such as the IT head or the data protection officer, but rather as a culture that permeates throughout the entire organisation.
New technological innovations have the potential to disrupt current practices and pose challenges for security management, but with the right data protection measures in place, organisations will be able to take full advantage of these to drive their business forward.
Article by Steve Tan, Partner, deputy head – Technology, Media & Telecommunications, Rajah & Tann LLP.