On 2 Nov 2015, it was revealed that 90% of mobile apps could be in breach of Singapore privacy law as mobile apps do not adequately declare what consumer data is collected and how it is used.
These days in Singapore, it is hard not to recognise the existence of the Personal Data Protection Act 2012 (PDPA), after much awareness-raising on the legislation. Businesses are particularly cautious about this latest enforcement, fearing that they will break the law and end up facing dire consequences. In fact, a recent industry survey revealed that 92% of organisations in Singapore are aware of the PDPA. Of these, 86% had some compliance measures in place and 77% were able to comply with ease.
Current Business Practice
The PDPA takes into account 3 main concepts:
- Consent – Organisations may collect, use or disclose personal data only with the individual’s knowledge and consent (with some exceptions);
- Purpose – Organisations may collect, use or disclose personal data in an appropriate manner for the circumstances, and only if they have informed the individual of purposes for the collection, use or disclosure; and
- Reasonableness – Organisations may collect, use or disclose personal data only for purposes that would be considered appropriate to a reasonable person in the given circumstances.
On the internet, it is fairly common to see businesses reiterate the PDPA on their websites, stating the purpose of collection and obtaining consent from visitors for the use of their personal data. Such practice addresses the PDPA directly; however, there is still a risk of personal data leakage (a data breach) that most businesses are unaware of, often because of inadequate web security measures such as the absence of encryption. From membership sign-ups to warranty registration forms, personal data is collected openly via the internet because it is convenient and gives businesses a quick turnaround.
Risk of Data Breaches
This is not to say that collecting personal data online is wrong, but under such collection methods precautionary security measures should be adopted. Unrestricted by geographical boundaries, the internet is open to anyone and everyone around the world, including unscrupulous black-hat hackers looking to steal data for personal gain and/or self-satisfaction.
On the dark web, financial details sell for as little as $5, and hackers often get hold of this data through phishing methods, such as replicating websites that use weak or no encryption. Should your website fall victim to a data breach, you risk losing brand reputation and customer confidence, not to mention the investigative cost needed to resolve the problem. In 2015, the Ponemon Institute estimated the average cost of each lost or stolen record containing sensitive and confidential information at US$154.00.
Overall, the impact of a data breach involving collected personal data may outweigh that of a PDPA violation, so good cyber security protection should complement the collection of personal data online.
Learning from the Big Players
One might think that the financial sector is a more likely target, given its collection of highly sensitive information such as usernames and PIN numbers on banking platforms. But that has changed over the past two years. In light of data breaches, banks and insurance companies have stepped up cyber security protection, making it harder for hackers to hijack and steal personal data from these channels. Cyber attackers, in turn, target small and medium businesses because of their weak security practices.
It is good practice to learn from the big players and their success in data breach prevention. For example, site encryption is a must-have for safeguarding consumers' data in transit over the internet. This is done through the use of Secure Sockets Layer (SSL) certificates, which enable HTTPS so that form submissions cannot be read in transit.
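The point above (and the earlier remark that sign-up and warranty forms collect personal data openly) can be turned into a concrete self-check. The following is an added example written for this article, not code from Cyber Secure Asia or from any site it mentions: it parses a page's HTML, finds forms whose input names look like they carry personal data, and flags any form that would submit that data to a plain `http://` action (no TLS) or via a GET query string (which lands in server logs and browser history). The list of field-name hints and the sample HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic list of input-name fragments that usually carry personal data.
# This is an assumption for the example; tune it for your own forms.
PERSONAL_FIELD_HINTS = ("name", "email", "phone", "nric", "address", "dob", "card")


class FormAuditor(HTMLParser):
    """Collects every <form> on a page with its resolved action, method and input names."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A relative or empty action resolves against the page URL, so the
            # page's own scheme decides whether the submission is encrypted.
            action = urljoin(self.page_url, attrs.get("action") or "")
            self._current = {
                "action": action,
                "method": (attrs.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (attrs.get("name") or "").lower()
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return a list of findings for forms that send personal data unsafely."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        personal = [f for f in form["fields"] if any(h in f for h in PERSONAL_FIELD_HINTS)]
        if not personal:
            continue  # search boxes and the like are not in scope
        if urlsplit(form["action"]).scheme != "https":
            findings.append(
                f"form -> {form['action']}: personal fields {personal} submitted without TLS"
            )
        if form["method"] == "get":
            findings.append(
                f"form -> {form['action']}: personal fields {personal} sent in a GET query string"
            )
    return findings


# Constructed sample page: one form posts to plain HTTP, one uses GET for a
# phone number, and one is a harmless search box.
SAMPLE_URL = "https://example.test/register"
SAMPLE_HTML = """
<form action="http://example.test/submit" method="post">
  <input name="full_name"><input name="email">
</form>
<form action="/warranty" method="get">
  <input name="phone">
</form>
<form action="/search" method="get">
  <input name="q">
</form>
"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_URL, SAMPLE_HTML):
        print(finding)
```

Run against the sample page this reports two findings: the registration form that posts name and e-mail over plain HTTP, and the warranty form that puts a phone number into a GET query string; the search form is ignored. On a real site you would feed it the fetched HTML of each page that has a sign-up or registration form.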
Image: DBS Bank using EV SSL Certificate
Other security measures include two-factor authentication, Distributed Denial of Service (DDoS) prevention methods such as using a Content Delivery Network, and training employees in basic cyber security practice.
Customer Data in Your Hands
The PDPA is merely a touch point and baseline for personal data protection. While you may have consent from customers or visitors to use their personal data for membership, warranty or advertising purposes, customers entrust you as a business owner to safeguard the data they have given. This comes down to using cyber security in line with the PDPA.
About Ashlee Ang
Ashlee is a content writer at Cyber Secure Asia where she writes about introductory topics on cyber security and cyber-related happenings in Singapore & South East Asia.