
Personal data protection law to be enforced in 2014. Are you ready?

Come 2014, companies in Singapore can be fined up to S$1 million for mishandling customers’ data. They can also be fined up to S$10,000 for every unsolicited marketing call or message they make to customers who do not want to be solicited.  

This scenario is one that organisations face with the passing of the Personal Data Protection Act in October 2012.

Are companies here staring financial ruin in the face? Or will they be able to safeguard their reputation?

Three speakers addressed this at the Privacy and Data Protection Seminar held recently at ISS.

Lim Kian Kim, the President of Singapore Cloud Forum, an association for cloud computing professionals, painted the big picture.

Lim Kian Kim: “Soon, organisations can’t hide behind standards as a defence. The act requires you to do what is reasonable in any situation.”

According to him, Singapore’s Personal Data Protection Act is a 2-in-1 act: it covers data protection (the protection, collection, use and disclosure of data) as well as privacy protection of consumers. By mid-2014, organisations will not be able to collect, use or disclose personal data without the consent of the owner of the data. They will have to inform their customers of the purposes for which their data is being sought or disclosed. They will also be held responsible for safeguarding the data under their custody or control.

The law applies to all organisations from sole proprietors to the multinationals, with only public agencies exempted.

His advice for organisations: Review your data protection system for robustness. Develop data breach management procedures. Draw up a shared responsibility agreement with third parties regarding customers’ data and designate someone to ensure compliance with the act. The person in charge of this should be trained in both law and IT.

He added, “You need to have a ‘public-facing’ person who is proactive or the regulator will become suspicious and call for an audit. Audits are painful. You will face lawyers who are competent in IT and who know the game.”

The panel of speakers that had the audience enraptured. From left: Professor Abu Bakar Munir, Lim Kian Kim, Avinash Kadam, Zaid Hamzah, Dr Leong Mun Kew, Abdul Hamid Bin Abdullah
 
Kian Kim, who is also an editorial board member of The Journal of Information Privacy and Security, was formerly the Chief Privacy Officer/Corporate Counsel (Asia Pacific) for a US healthcare research company.

Also speaking at the seminar was Professor Abu Bakar Munir, a professor of law at the University of Malaya. He outlined recent developments in data protection laws around the world.

Professor Abu Bakar Munir: “Nearly 90% of online customers want the right to control how their personal information is used after it is collected.”

Finally, Avinash Kadam, a leading authority on information security, detailed how COBIT 5, an international business framework of best practices for the governance and management of IT, helps organisations secure data.

Avinash Kadam: “The hard work is to create policies and practices to ensure compliance with the act. The harder work is to implement these policies and practices. They have to pass the scrutiny of every auditor, pass muster with every customer complaint and ensure that you are not only abiding by the spirit of the law but also the letter of the law.”

ISS conducts Data Governance & Protection professional courses regularly. Sign up today for the course!
If you would like to attend events like this in future, please write in to issmarketing@nus.edu.sg or visit our event page.

