The basic tenets of the General Data Protection Regulation (GDPR) are not much different from what is common knowledge. What differs now is that they have been codified into a regulation, something which was only a topic of discussion back in 2012.
With GDPR in force since May 2018, many companies have revisited their data privacy policies and implemented measures in compliance with the new regulation.
Asia is no exception. Malaysia, for instance, has established the Personal Data Protection Act 2010 (Act 709), enforced by the Commissioner of Personal Data Protection Malaysia; it was passed by Parliament on 10 June 2010 and came fully into force on 15 November 2013.
It has 7 principles, namely:
- General Principle;
- Notice and Choice Principle;
- Disclosure Principle;
- Security Principle;
- Retention Principle;
- Data Integrity Principle; and
- Access Principle.
Non-compliance by a data user with any of the 7 principles constitutes an offence under the PDPA and is liable to a fine not exceeding three hundred thousand ringgit (RM300,000.00) or imprisonment for a term not exceeding two years, or both.
With all the recent news traction around data privacy and GDPR, do business leaders understand exactly what its impact is on their companies?
Why is data privacy important?
Our constantly connected world has become digital to such an extent that it is now possible to live comfortably without ever stepping out of our homes: we can work remotely, order food from home, communicate with our loved ones digitally and shop online.
However, this also means that the digital footprint we leave behind, and the volume of data that is recorded, transmitted and generated about us, has intensified.
With this increase in digital information about anyone and almost everyone, it is meaningless, maybe even unwise, to ask why data security is important. In the pre-digital era, we protected our offline assets.
Similarly, in the post-digital era today, when our physical assets have been virtualized, these digital assets need to be protected as well.
Impact of a data breach
Data breaches often bring about significant negative impacts on organizations, one of which is a permanent loss of goodwill.
The impact takes a long time to fizzle out, because such breaches are quoted over and over again, in conferences, in discussions, during audits and in training programs, as examples of how companies should not handle their data.
Companies in South East Asia are no strangers to data breaches, which usually result in very costly repercussions.
In Singapore, 380,000 Singapore Uber users were affected by a massive 2016 data breach, which remains Singapore's largest breach to date. In May 2018, Singapore's Personal Data Protection Commission (PDPC) fined three insurance companies for lapses leading to the leakage of their policyholders' personal data. The watchdog imposed penalties of SGD30,000 on Aviva, SGD10,000 on NTUC Income and SGD9,000 on AIG Asia-Pacific Insurance.
In Malaysia, the personal data of 46.2 million Malaysians was stolen and sold online, in what is possibly the country's biggest personal data breach. Following the incident, a civil lawsuit was filed against the Malaysian Communications and Multimedia Commission (MCMC) and a local firm.
What does GDPR mean for consumers and businesses?
Consumers in general are not against the idea of sharing their personal information with businesses. However, they react strongly when their privacy has been compromised.
This could stem from an organization doing something with their data that they did not consent to, something they did not expect an organization to do, or something they were clearly against when sharing their data.
Consumers are especially offended when organizations take them for granted and do something that undermines their value. They also tend to get upset when their trust is implicitly breached because an organization did not implement adequate levels of security, eventually leading to a leakage of their personal data.
In such cases, consumers will usually be more forgiving as long as the organization is genuinely apologetic and takes measures to tighten data security. This has played out several times, as with Sony PlayStation, Target, LinkedIn and Equifax: all were major breaches caused by lower standards of security, and all were followed up with improved standards of security.
With this increased scrutiny on data privacy in the region, it is critical that organizations adhere to data-protecting regulations such as GDPR and PDPA.
The regulations address all issues of consumer trust by making it mandatory and explicit for organizations to ensure that certain standards of security are met.
This includes ensuring that proper consent is obtained; that data is handled exactly as indicated, and never carelessly; that adequate security measures are implemented to protect user data; that control of data is handed back to consumers; and that data is deleted when it is no longer required.
Organizations will no longer need to self-regulate. Adhering to GDPR makes it easy and clear what set of rules they should be imposing. This will in turn improve consumers' trust in businesses, as how organizations handle their personal data has now become transparent.