Data protection - taking the 'It will happen to us' approach
By Lyn Boxall
The Business Times, 10 February 2020
RECENT events have driven home the importance of data protection, especially of personal data. For example, in early 2018, it emerged that consulting firm Cambridge Analytica had misappropriated the personal data of millions of Facebook users without their consent. The information was then manipulated for political campaigning, with the intention to influence election outcomes.
This was a wake-up moment for the world.
"Data breach", previously confined to accidental loss of personal data, suddenly raised the spectre of intentional fraud and exploitation on an unprecedented global scale.
Closer to home, in 2018, up to 1.5 million SingHealth patients' records were stolen, including information on outpatient dispensed medicines records, in what was termed as Singapore's most serious breach of personal data.
Less than six months later, it was revealed that in a separate incident, the personal data of HIV-positive patients on the official medical registry had been compromised.
The consequences of data loss may involve financial penalties.
Fines handed out by the Personal Data Protection Commission (PDPC) of Singapore are relatively low. In the three years from 2016 to 2018, the PDPC took enforcement action against 64 organisations and imposed fines totalling S$339,000. In 2019, enforcement was scaled up, and 50 organisations were fined a combined total of S$1.54 million.
The biggest fine the PDPC can dish out is S$1 million - which it did to SingHealth and its provider, Integrated Health Information Systems, in 2019.
Other jurisdictions are less forgiving. British Airways was ordered to pay an eye-watering fine of £183 million (S$328 million) in July 2019. It was the biggest penalty to be handed out under new rules provided by the European Union's General Data Protection Regulation (GDPR).
The GDPR lists a set of principles relating to the processing of personal data and states that the controller (the organisation that determines the means and processing of personal data) "shall be responsible for, and be able to demonstrate compliance with, (those principles)". The penalty for failing to do so is up to 20 million euros (S$30 million) or 4 per cent of total worldwide annual turnover, whichever is the higher.
In July 2019, the PDPC published its Guide to Accountability under the Personal Data Protection Act, and announced that the "openness obligation" would be updated to the "accountability obligation".
Specifically, accountability in relation to personal data protection is now defined as the undertaking and demonstration of responsibility for personal data in an organisation's possession or control.
An organisation demonstrates accountability by having developed and implemented a systematic framework for compliance with data protection laws within the organisation.
Such a framework includes compiling a personal data inventory for the organisation, mapping the flows of personal data within the organisation and to third parties, identifying the compliance risks in such flows and then devising written policies and standard operating procedures to manage those risks. Accountability is also demonstrated by records of staff being trained in them and by records of regular compliance audits.
In the past, the need for compliance with laws and regulations has been based on taking a passive, "checklist" approach. If nothing goes wrong, the checklist is obviously working; otherwise, the checklist needs to be tweaked.
Role of the board
Why should boards be concerned?
The cost is not just the fines, which may seem small (at this time), especially for large corporations, but the reputational and other damage, and the cost of clean-up, for instance.
The PDPC's Guide to Accountability states that: "A key step to ensuring a commitment to accountability is to embed personal data protection into corporate governance as the involvement of senior management is crucial."
As part of corporate governance, the role of the board is thus particularly relevant in personal data protection. The board must ensure that management has the necessary budget and headcount resources and implements the processes necessary for the organisation to demonstrate its compliance with data protection law.
The board should lead accountable - responsible - organisations to embrace data protection as a core value that is embedded into corporate culture and processes.
Shareholders expect the value of their investment in the company to be maintained. Fines in Singapore are not the real risk to shareholder value. Loss of reputation, brand damage and loss of customer trust are real pain points that can decimate shareholder value.
In addition, where there is a regulatory investigation, its costs are very real even where there is no regulatory penalty imposed. Senior staff are distracted from their business priorities that generate revenue and the costs of consultants to assist in the investigation can easily run into six figures.
Personal data protection is becoming a differentiator in an increasingly competitive market. Brand and reputation count. In this landscape, with a heightened sensitivity among customers about whether an organisation can be trusted to protect their personal data, customers can always take their business elsewhere if they suspect that the organisation does not treat their data with the respect and seriousness it deserves.
Boards, which cling to the approach of "It won't happen to us", must wake up to the changing reality and business landscape. They should accept and prepare for the situation where "It will happen to us".
The writer is a former member of the Professional Development Committee of the Singapore Institute of Directors.