by Kevin Shepherdson, CEO and Founder of Straits Interactive and author of “99 Privacy Breaches to Beware Of: Practical Data Protection Tips from Real-Life Experiences”
Many organisations are finding their already-stretched resources spread thinner by COVID-19. Prior to the pandemic, in the face of Industry 4.0, businesses were making haste in digitalising to adapt to the evolving landscape. With widespread remote work measures added into the mix, this accelerated digital transformation could be taking place without the necessary consideration of risks, vulnerabilities and compliance with data protection/privacy laws.
The key question that start-ups, and even large organisations, may now find themselves asking is, “Why should my organisation be concerned about data protection/privacy when we are focused on business survival in the pandemic?”
If the start-up’s business model is based on processing personal data then complying with the data protection/privacy laws in the jurisdictions they operate is a must. In addition, having good data protection/privacy practices can promote a better reputation and earn them an edge over their competitors. In a similar fashion, stakeholders (especially investors and VCs) are also increasingly expecting organisations to demonstrate accountability proactively rather than reactively.
Considering that many countries have already adopted laws regarding data protection and privacy, establishing and implementing effective data management policies and practices should be an organisational priority. In certain jurisdictions, for example, Europe’s General Data Protection Regulation (EU GDPR) and Singapore’s Personal Data Protection Act (PDPA), the laws are rigorously enforced and penalties are imposed upon organisations.
There is a general consensus that the EU’s GDPR serves as, if not a de facto standard for data protection, then at least a valuable reference point for countries that are drafting data protection laws. The upcoming changes to the Philippines Data Privacy Act, for example, are intended to bring the local legislation closer to GDPR provisions. Meanwhile, Thailand, Indonesia, India and China appear to have used the GDPR as a reference standard, even while moulding the laws more closely to their cultural norms and considerations.
In this context, startups and other organisations must safeguard customer and regulatory privacy because a breach will raise concerns from both their existing and potential customers, as well as from their local data protection/privacy regulators.
In a survey conducted by the Data Protection Excellence (DPEX) Centre, it was found that in Singapore, Malaysia and the Philippines
- more than 90% of local mobile apps were found to request more than one permission vs a worldwide average of 75%.
- about 70% require the location permission (vs 32%)
- more than 30% request permission to the camera (vs 10%)
In view of privacy-intrusive mobile apps, organisations should develop a proactive personal data protection culture and analyse the data flows within the company to identify the privacy gaps in its products, services and processes, and to rectify them.
Best data protection/privacy practices to boost stakeholder confidence and trust
The following tips are examples of good practices that startups or any organisations should adopt to build trust and confidence among stakeholders:
- Consider the privacy implications of your product’s features and functionalities
- Consider the security of the mobile or online applications of the organisation and the permissions sought by their mobile applications
- Take careful consideration when planning out the company’s marketing strategy and be cautious of overzealous marketing tactics
- Embed privacy into the organisational culture and everyday operations
- Adopt Privacy by Design principles in all phases of the organisation’s software development life cycle (SDLC) model
- Conduct a Privacy Impact Assessment (PIA) of the organisation’s current application and each time a new feature is implemented
- Fix any vulnerabilities in the organisation’s software by conducting a penetration test or vulnerability assessment
- Draft and implement an information security policy as well as an internal data protection policy to ensure compliance with the organisation’s local data protection law or in any jurisdiction that the organisation operates in
Importance of improving data protection and security attitudes and awareness
In the past decade, we have witnessed consumers becoming more comfortable with the digital landscape and actively engaging in online activities – they even trade their personal information routinely for “free” services. Oftentimes, if something like this is free, the cost to an individual takes the form of personal data being harvested and capitalised upon.
Nevertheless, recent data privacy and security-related news such as the SolarWinds breach, WhatsApp vulnerabilities and Accenture’s ransomware attack, has drawn global media attention and increased consumer distrust of companies’ purported pledges to safeguard privacy.
Although these incidents have helped improve public awareness of data protection and security issues, they also reflect the need for more significant commitment towards, and competency in, data protection by organisations and individuals.
On the business front, organisations should improve their security attitudes by communicating information about the collection, usage or disclosure of personal data in a clear, straightforward and non-legalistic way. In this manner, individuals can be assured of the security of their private information and that the business is serious about protecting data.
As the CEO and Founder of Straits Interactive, Kevin Shepherdson provides and drives the vision, strategy and innovation of the company’s Data Privacy & GRC (Governance, Risk Management & Compliance) offerings that build upon the foundation of enabling trusted businesses and responsible marketing. He is the author of “99 Privacy Breaches to Beware Of: Practical Data Protection Tips from Real-Life Experiences”.
