CommunicAsia2017 Summit speaker, Steve Tan, Partner, Deputy Head
– Technology, Media & Telecommunications, Rajah & Tann LLP, shares the
legal aspects of adopting new technology and ensuring compliance with data
protection regulations.
– Technology, Media & Telecommunications, Rajah & Tann LLP, shares the
legal aspects of adopting new technology and ensuring compliance with data
protection regulations.
With increasing access to mobile
devices and the internet, the amount of data created annually worldwide is
predicted to soar to 180 zettabytes (180 trillion gigabytes) in 2025, with
approximately 80 billion devices connected to the Internet.
devices and the internet, the amount of data created annually worldwide is
predicted to soar to 180 zettabytes (180 trillion gigabytes) in 2025, with
approximately 80 billion devices connected to the Internet.
 |
| Steve Tan, Partner, Deputy Head – Technology, Media & Telecommunications, Rajah & Tann LLP |
As organisations look towards data
to track consumer patterns and guide business direction, they should also be
mindful of the legal regulations that govern the protection of data and the
possibility of a data breach. In the past year, we have seen some of the
largest data breaches in history with millions of accounts compromised and the
release of personal data such as addresses and telephone numbers for sale on
the black market. Such high-profile data breaches have been increasing in size
and prevalence in recent years, with cyber criminals (and even state actors)
taking keen interest in obtaining sensitive corporate and personal information.
Besides such hacking attacks, a data breach can also arise from employee
mischief or neglect, an inadvertent leak, lack of or failure in security
measures, just to name a few.
to track consumer patterns and guide business direction, they should also be
mindful of the legal regulations that govern the protection of data and the
possibility of a data breach. In the past year, we have seen some of the
largest data breaches in history with millions of accounts compromised and the
release of personal data such as addresses and telephone numbers for sale on
the black market. Such high-profile data breaches have been increasing in size
and prevalence in recent years, with cyber criminals (and even state actors)
taking keen interest in obtaining sensitive corporate and personal information.
Besides such hacking attacks, a data breach can also arise from employee
mischief or neglect, an inadvertent leak, lack of or failure in security
measures, just to name a few.
Regardless of the cause, the threat
of data breaches is imminent and can have severe repercussions for
organisations, especially if they are found guilty of failing to take
sufficient measures to secure their data. Singapore’s data protection law has
one of the highest fines in Asia with each breach subject to a potential fine
of S$1 million. Similarly, breaching Europe’s new General Data Protection
Regulation can result in a fine of the larger of either 20 million Euro or 4
per cent of the organisation’s global annual turnover.
of data breaches is imminent and can have severe repercussions for
organisations, especially if they are found guilty of failing to take
sufficient measures to secure their data. Singapore’s data protection law has
one of the highest fines in Asia with each breach subject to a potential fine
of S$1 million. Similarly, breaching Europe’s new General Data Protection
Regulation can result in a fine of the larger of either 20 million Euro or 4
per cent of the organisation’s global annual turnover.
Beyond financial penalties, a data
breach can cause irreversible damage to a company’s reputation as well as
potentially significant damages payable in civil liability to third parties,
not to mention possible personal criminal liability for senior management.
breach can cause irreversible damage to a company’s reputation as well as
potentially significant damages payable in civil liability to third parties,
not to mention possible personal criminal liability for senior management.
Ensuring compliance in an evolving
landscape
landscape
Organisations should be well aware
of the prevailing legal regulations that govern ever growing popular technology
solutions such as cloud storage, collection, analysis, and offshore storage of
customer data. Here are a few tips for organisations to ensure that they comply
with the legal regulations where they operate in.
of the prevailing legal regulations that govern ever growing popular technology
solutions such as cloud storage, collection, analysis, and offshore storage of
customer data. Here are a few tips for organisations to ensure that they comply
with the legal regulations where they operate in.
1. Have a clear
understanding of how personal data is used and managed in your organisation. Some
questions that business leaders need to ask include what personal data has been
collected, who has access to this data, whether the purposes of processing of
such personal data are lawful, where and how it is kept and secured, and how
long such personal data is kept on file. In some instances, data storage and
protection is managed on behalf of an organisation by an outsourced service
provider. Organisations need to ensure that they understand the level of
protection to the data provided by the outsourced service provider and
ascertain whether regulations, including sector-specific ones, permit
offshoring or cross-border data sharing. In some countries, there appears to be
a growing trend of data localisation which means organisations are not
permitted to transfer any such data overseas. Data protection regulations in
ASEAN countries are also set to develop in future in light of commitments
arising from the formation of the ASEAN Economic Community (AEC) in end 2015
and the continued digitalization of everything. Singapore, Malaysia and the
Philippines are presently the only countries with dedicated robust data
protection laws, and it is only a matter of time before the rest of the ASEAN
countries follow suit, with significant implications for foreign organisations
operating in those countries.
understanding of how personal data is used and managed in your organisation. Some
questions that business leaders need to ask include what personal data has been
collected, who has access to this data, whether the purposes of processing of
such personal data are lawful, where and how it is kept and secured, and how
long such personal data is kept on file. In some instances, data storage and
protection is managed on behalf of an organisation by an outsourced service
provider. Organisations need to ensure that they understand the level of
protection to the data provided by the outsourced service provider and
ascertain whether regulations, including sector-specific ones, permit
offshoring or cross-border data sharing. In some countries, there appears to be
a growing trend of data localisation which means organisations are not
permitted to transfer any such data overseas. Data protection regulations in
ASEAN countries are also set to develop in future in light of commitments
arising from the formation of the ASEAN Economic Community (AEC) in end 2015
and the continued digitalization of everything. Singapore, Malaysia and the
Philippines are presently the only countries with dedicated robust data
protection laws, and it is only a matter of time before the rest of the ASEAN
countries follow suit, with significant implications for foreign organisations
operating in those countries.
2. Conduct regular
audits and penetration testing. The authorities do recognise the fact
that cyber criminals often use sophisticated measures in their attacks.
However, as seen with the many data breaches around the world, it is most often
the case that the organisation itself has failed to have sufficient security
measures in place. It is also a known fact that many organisations are not
doing enough to protect customer data or their important data. At the bare
minimum, organisations need to meet the regulatory standards for data
protection and compliance. Beyond this, they should also conduct regular audits
and security assessments such as penetration testing, to ensure the integrity
of their security framework and that employees are abiding by set guidelines,
especially when handling sensitive information.
audits and penetration testing. The authorities do recognise the fact
that cyber criminals often use sophisticated measures in their attacks.
However, as seen with the many data breaches around the world, it is most often
the case that the organisation itself has failed to have sufficient security
measures in place. It is also a known fact that many organisations are not
doing enough to protect customer data or their important data. At the bare
minimum, organisations need to meet the regulatory standards for data
protection and compliance. Beyond this, they should also conduct regular audits
and security assessments such as penetration testing, to ensure the integrity
of their security framework and that employees are abiding by set guidelines,
especially when handling sensitive information.
3. Be willing to seek
external advice. By working closely with professionals such as
specialised lawyers with the relevant expertise, organisations will be able to
have a better understanding of other factors that could affect their business
decisions, such as a digital transformation initiative to move data to the
cloud. Legal advice is also important for organisations that operate in a
highly regulated industry, such as financial institutions, which could have
sector-specific laws that add on a further layer of compliance by the
organisation. In the event of a data breach or cyber-attack resulting in leaked
data, that organisation would suffer the brunt of not only data protection laws
but also sector-specific laws.
external advice. By working closely with professionals such as
specialised lawyers with the relevant expertise, organisations will be able to
have a better understanding of other factors that could affect their business
decisions, such as a digital transformation initiative to move data to the
cloud. Legal advice is also important for organisations that operate in a
highly regulated industry, such as financial institutions, which could have
sector-specific laws that add on a further layer of compliance by the
organisation. In the event of a data breach or cyber-attack resulting in leaked
data, that organisation would suffer the brunt of not only data protection laws
but also sector-specific laws.
Ultimately, the burden of cyber
security falls on the organisation itself, and regulations call for them to
ensure that sufficient security measures and practices are put in place. The
proper use, storage, and security of data should not be seen solely as the
responsibility of a ‘few good men’ within the organisation such as the IT head
or the data protection officer, but rather as a culture that permeates
throughout the entire organisation.
security falls on the organisation itself, and regulations call for them to
ensure that sufficient security measures and practices are put in place. The
proper use, storage, and security of data should not be seen solely as the
responsibility of a ‘few good men’ within the organisation such as the IT head
or the data protection officer, but rather as a culture that permeates
throughout the entire organisation.
New technological innovations have
the potential to disrupt current practices and pose challenges for security
management, but with the right data protection measures in place, organisations
will be able to take full advantage of these to drive their business forward.
the potential to disrupt current practices and pose challenges for security
management, but with the right data protection measures in place, organisations
will be able to take full advantage of these to drive their business forward.
For more insights, join Steve Tan, Partner,
Deputy Head – Technology, Media & Telecommunications, Rajah & Tann LLP
at the CommunicAsia2017 Summit on Conference Day 2, 24 May 2017 speaking on the
topic ‘Grappling with the Internet of Things, Disruptive Technology, Cloud of
Things and Data Privacy’.
Deputy Head – Technology, Media & Telecommunications, Rajah & Tann LLP
at the CommunicAsia2017 Summit on Conference Day 2, 24 May 2017 speaking on the
topic ‘Grappling with the Internet of Things, Disruptive Technology, Cloud of
Things and Data Privacy’.
Send your feedback at startupterminal@gmail.com
