Towards a business culture of protecting data

The Data Protection Excellence (DPEX) Centre, the autonomous research and education arm of Straits Interactive, announced in September that the number of organisations breaching Singapore’s Personal Data Protection Act (PDPA) has reached record levels and have already surpassed the total number of enforcement cases in 2018. 

As of end August 2019, there were 26 organisations who were either fined or warned in enforcement cases as compared to 23 organisations recorded in the full year of 2018.

According to Kevin Shepherdson, Head, DPEX Centre and CEO, Straits Interactive, 80% of valid cases were due to the “breach of the protection obligation where personal data was compromised and was leaked”. Of these, only 15% of such cases were due to cyberattacks, with the majority caused by “organisation’s employee error or negligence.”

Initiatives such as the Data Protection Trustmark (DPTM) certification introduced by IMDA are designed to counter such trends. Launched in January 2019, this establishes a robust data governance standard to help organisations increase their competitive advantage and built trust with their clients since they can demonstrate accountable and responsible data protection practices.

Going further, Singapore Management University’s (SMU) professional training arm, SMU Academy, and Straits Interactive announced ‘Trustmark Journey-as-a-Service’ (TJaaS), an end-to-end service to assist small and medium-sized enterprises (SMEs) to seamlessly achieve the Data Protection Trustmark (DPTM) certification.

We contacted Kevin Shepherdson for a discussion of Singapore’s data protection environment and how TJasS aims to support a business culture of data protection among local SMEs.

Responses have been edited for concision.

How do Singaporean companies measure up globally in terms of their data protection standards?

It depends on whether you are looking at an ASEAN perspective or an international perspective.   

The culture of data protection in ASEAN is relatively new. Singapore’s PDPA is the most mature and we are the only country that has been very active in enforcement. Hence, our data protection standards are much higher than our ASEAN counterparts as more organisations have put in place data protection measures.

However, if compared to EU countries like the UK or France, where GDPR is now in force and privacy awareness is much more mature, Singapore still has a way to go in terms of reaching world standards. But with all the efforts we are seeing from IMDA and PDPC, we are certainly heading in the right direction.

What is the level of interest and awareness regarding data protection among Singaporean SMEs? In your opinion, is this sufficient? 

With all the recent enforcement and publicity of data breaches, there certainly has been increased awareness. We are seeing many more inquires and increased attendance for our joint courses with SMU. We do not think that this is because the number of breaches has gone up.

While the level of interest and awareness has gone up, SMEs need to do more in terms of protecting personal data rather than just passive compliance. It is about ensuring that SMEs comply with the PDPA from an operational perspective, putting in place specific measures and Standard Operating Procedures as opposed to just high-level policies. A good way to build upon the foundation of operation compliance would also be to embark on Data Protection Trustmark (DPTM) certification as well.  There are real business benefits in being able to demonstrate accountability towards PDPA compliance. 

What are the challenges faced in increasing interest and awareness regarding data protection among Singaporean SMEs?

The PDPA  is about rules that govern how data is collected, used, disclosed, stored or disposed of.  It is not only about getting all organisations including SMEs in Singapore to comply but establishing a business culture of protecting data in the course of doing business. This, of course, takes time – especially the fact that SMEs key focus is on growth or, in today’s challenging business climate, survival.  Therefore data protection will not likely be a top priority.

Yet, the increasing digitalisation we are seeing inevitably involves the huge processing of personal data for the respective business purposes. Unless the organisation operates in a regulated environment, it will be a bigger challenge to get any management buy-in to support any compliance effort.  

So it’s no wonder that the PDPA requires all organisations to appoint a Data Protection Officer dedicated to ensuring safeguards are put in place to protect personal data.  This presents another challenge for SMEs – additional costs of compliance.

Further obstacles are created for SMEs as the DPO may not always be properly trained in the first place to effectively perform their roles  – especially in evangelising the importance of data protection and creating the necessary awareness in terms of training staff, so that data and privacy breaches can be proactively avoided. In this respect, the DPEX Centre, of which SMU Academy and Straits Interactive are members of, offer a range of DPO courses (via SMU Academy), from foundational right up to advanced level to assist DPOs in their profession.

What are some challenges faced by Singaporean SMEs seeking to improve their standard of data protection? How does TJaaS address these?

Their challenges can be summarised as “no time”, “no budget”, and “no resource” which are consciously addressed in our related TJaaS offerings jointly delivered by SMU Academy and Straits Interactive.

Many organisations aspire to have trustmark certification but have done little in terms of their data protection compliance efforts. We then recommend our In-house consultancy and advisory services to assist organisations to fully comply with the local data protection law as a first step, and then subsequently go for trustmark certification in the shortest amount of time. This is done with the help of our software tool that automates the assessment and compliance process. While a traditional consultancy engagement involving interviews might take four to six months to complete, our blended approach using technology cuts the time by almost half, while helping to improve their personal data protection standards in a more productive way, therefore requiring fewer manpower resources. 

For those with limited budgets, the systematic training we include is SSG funded of up to 90%. And as goodwill, we also include our software for use for one year with no charge, and also foot the cost of the external data protection trustmark (DPTM) assessor. 

To qualify for TJaaS, organisations must first demonstrate that they have already implemented an internal data protection management programme (DPMP). This is because the TJaaS is more of an audit management programme which also includes the external third-party audit, instead of a dedicated PDPA compliance programme. The objective is to provide these organisations assistance towards ensuring effective and productive achievement of the DPTM requirements in the shortest time possible. This will therefore not be suitable for organisations which have yet to fully comply with the PDPA. They can instead opt for a different service available called Data Protection In-house Engagement which also has SSG funding support.