Digital data flow on road with motion blur showing data protection and data breach

Data Privacy in 2022: Navigating the Ever-shifting Terrain

Where there is data, there is a risk of a data breach. It is essential to implement protective measures for such an event and to educate oneself to spot a potential breach.

The importance of implementing data protection guidelines correctly

Data protection or privacy laws are being passed or amended to keep up with new technologies (such as artificial intelligence), and organisations are scrambling to comply with these laws, including their changes. In addition, organisations want to earn and maintain the trust of their stakeholders, including consumers, and complying with data protection or privacy laws is important for this reason. As data breaches are increasingly making headlines, organisations risk losing the trust of consumers due to lapses concerning the security of data.

With the introduction of data protection or privacy laws, regulatory agencies are established to encourage and monitor compliance with the laws. Many regulators also provide data protection or privacy guidelines to help organisations to comply with the law. For instance, the Personal Data Protection Commission of Singapore has its “Advisory Guidelines on Key Concepts in the Personal Data Protection Act” to explain how it intends to enforce the Personal Data Protection Act.

How individuals can spot potential data breaches before they happen, both in the workplace and their own personal profiles

It is important for individuals to know their rights under the PDPA and to ask organisations that collect their personal data why they are doing so and how they will use, disclose, and protect that personal data. The more personal data organisations asks for, especially if they ask for sensitive personal data, the more the individual should investigate them to see if they adhere to standards for sound data protection practices. Published privacy policies of organisations can provide insight into the purpose behind the collection of data and how the organisations will use, disclose and protect it. It is good practice to make it a habit to read the privacy policy before downloading an app, for instance, so that you know what the organisation is doing in relation to personal data. Sometimes, you may decide not to download it after all.

Among the red flags for a potential workplace data breach are the lack of data protection policies and standard operating procedures and training in them for staff, the absence of a data protection officer (DPO) or committee, and the absence of a data protection management programme (DPMP). These are the baseline requirements for basic data protection practices within an organisation. In the absence of a properly developed and implemented DPMP, and a designated DPO overseeing DPMP operations, an organisation is at a high risk in regards to the likelihood of a data breach or other failure to comply with the law.

How to identify and overcome flaws in corporate data protection policies

Flaws may fall into either or both of two main categories.  First, there is data processing that is unethical even if it otherwise complies with data protection law.  Second, there is data processing that does not comply with the applicable data protection law.

When it comes to processing personal data, unethical practices include organisations failing to obtain consent from individuals for the use of personal data about them, failing to be transparent about the purposes for which the personal data will be used and/or disclosed, and failing to allow individuals to acknowledge the purposes for processing personal data to which they consent.

In order to govern data effectively, it is crucial that organisations are aware of how personal data is collected, used, disclosed, and stored (CUDS) within their business processes. This requires them to build a data inventory and to track the flow of personal data within the organisation and to and from third parties, such as service providers and other vendors.  It is also vital for organisations to assess the risks relating to the processing of personal data across the organisation (data flows), to develop and implement controls to manage these risks and to conduct data protection impact assessments (DPIA).   Controls include implementing policies and processes / standard operating procedures (SOPs) that support business operations in compliance with data protection laws and training staff in those policies and SOPs.

In addition, it is essential that the organisation sustain its compliance efforts by educating stakeholders about the personal data protection policies, including conducting regular data protection audits and consistent risk assessments. Another key element would be to ensure that the organisation has a plan to respond to breach incidents.

What factors encourage users to share their information

In the past decade, we have witnessed consumers becoming more comfortable with the digital landscape and actively engaging in online activities. Consumers even routinely trade personal data for free services. However, if something like this is free, the cost to an individual takes the form of personal data being harvested and used to enable the organisation to earn revenue. In other words, when a service is free the consumer of it is actually the product.

Many websites also have social login, which enables users to sign up for their website by providing information in their social media accounts. This provides a seamless experience for users and that could be a contributing factor for users to share their information more readily. Users may also be more likely to share their information with websites or apps, if many of their family or friends are doing it as well.

How to break bad habits that lead to data breaches

Individuals should always read the privacy policies before providing consent to any website or app they intend to use.

In organisations, ‘tone at the top’ is fundamentally important. Senior management and the board must make it clear that the organisation takes data protection seriously and must provide resources – financial budget and headcount – accordingly to put a DPMP in place. Staff training in the resulting policies and SOPs is crucial. We often see data breaches being described as ‘human error’, which is unacceptable to regulators and should not happen where there is sufficient staff training and strong ‘tone at the top. As important as initiating the DPMP is sustaining it. The organisation must maintain compliance efforts by educating stakeholders about its data protection policies, including conducting regular data privacy audits and regular risk assessments.