Accredify Digest: CRO (DPO) Edmund Chew on Data Privacy
Accredify Digest is a series of ideas, opinions, and observations from Accredify’s employees. Hiring a highly invested team also means welcoming passionate voices that need to be heard. Find out what the brains behind Accredify think about strategy, tech, operations, security, and culture in this series.
Today is Data Privacy Day, a global event that takes place on 28 January every year. The purpose of Data Privacy Day is to raise awareness and encourage data protection best practices. In this issue of Accredify Digest, Accredify’s Chief Risk Officer (Data Protection Officer) and Co-Founder, Edmund Chew, reflects on how data privacy has evolved and will continue to evolve, and how organisations can implement policies to remain compliant with ever-changing data privacy regulations.
The world has undergone a sweeping digital transformation. Both personal and business activities have migrated to the cloud, where personal data is stored and used for business-customer interactions, giving rise to an accelerated digital economy. In the Gladly 2020 Customer Expectations Report, 79% of respondents said they value business experiences that are unique and personal. As the demand for personalised service grows, how can companies ensure their strategies and policies around customer engagement stay compliant with data privacy rules?
Broadly, data privacy means the right of an individual to determine the way data about them is collected, used, and disclosed to others – including the duration of access to their data, and what their data can be used for. Data points about an individual can be the individual’s name, address, contact information, and their online or real-world behaviour.
To ensure that these rights are respected, organisations need to have an internal management system in place for the proper management of personal data, with a focus on ensuring compliance with data protection regulations like Singapore’s Personal Data Protection Act (PDPA) and the European Union’s General Data Protection Regulation (GDPR).
The importance of developing and implementing systems to maintain client data privacy cannot be stressed enough, for several reasons. In many jurisdictions, especially the European Union, data privacy is treated as a fundamental right, and data protection laws exist to protect an individual’s civil liberties with regard to personal data. Most importantly, for individuals or organisations to even consider providing their personal data to a service provider, whether to interact with or engage the services of that external vendor, they must first believe that their personal data will be handled with the utmost care.
Organisations with effective management systems of data protection policies and practices will be able to demonstrate to their customers and users that they comply with current data protection laws.
In addition to having the responsibility of being Accredify’s Chief Risk Officer (CRO), I am also the company’s appointed Data Protection Officer (DPO). My role as Data Protection Officer (DPO) is to:
- Ensure compliance with data protection laws when developing and implementing policies and processes for handling personal data
- Foster a data protection culture among employees and communicate personal data protection policies to stakeholders
- Manage personal data protection related queries and requests
- Alert management to any risks that might arise with regards to personal data
- Liaise with regulators on data protection matters, if necessary
The evolving landscape of data privacy
During my time as Accredify’s CRO (DPO), I have witnessed significant changes in data privacy laws and their enforcement. The single most significant change in data privacy in recent years is the European Union’s General Data Protection Regulation (GDPR), which came into effect in 2018 and imposed major compliance responsibilities on organisations.
The GDPR grants individuals rights that can be enforced against organisations, and this affects almost every area of an organisation’s operations, from sales and marketing to engineering and operations. These rights include the “right to be forgotten”, which allows individuals to request that organisations erase their personal data, and the right of individuals to access their personal data.
The GDPR is extraterritorial in scope. This means that organisations based outside the EU may still be required to comply with the GDPR. Compliance with the GDPR is therefore in addition to the domestic data protection laws enforced wherever an organisation is based.
There are heavy penalties for not complying with the GDPR. The maximum penalty for non-compliance under the GDPR is the greater of EUR 20 million or 4% of the organisation’s worldwide annual turnover for the preceding financial year.
Implementing effective policies, procedures, and agreements in an organisation requires significant time, effort, and expertise. This means a significant commitment of resources is required to maintain an organisation’s data privacy compliance.
Looking ahead, three trends stand out. Firstly, data protection laws will continue to be tightened to enforce greater organisational accountability and strengthen consumer protection. An example of this is the recent key changes to the PDPA, which include the obligation to notify the PDPC and affected individuals in the event of a data breach (the data breach notification obligation) and the obligation of organisations to ensure that an individual’s personal data can be transmitted to another organisation (the data portability obligation).
Secondly, the enforcement of data protection laws will become more stringent. We see this in the changes to the PDPA: the maximum financial penalty for contravening the PDPA will be increased to up to 10% of an organisation’s annual turnover in Singapore, or SGD 1 million, whichever is higher.
Lastly, individuals, not just the organisation itself, may now be held accountable for data protection offences they commit. The PDPA sets out offences that hold individuals accountable for egregious mishandling of personal data, including knowingly or recklessly making an unauthorised disclosure of personal data, using personal data for wrongful gain or to cause wrongful loss to any person, or re-identifying anonymised data.
New technologies that use consumer data, such as artificial intelligence and data analytics, can also expect to be highly regulated to ensure the fair, ethical, accountable, and transparent use of personal data.
Data privacy best practices
1. Data Inventory Map
The first step for organisations is to understand how personal data is handled within the organisation, across departments. Organisations can visualise this using a data inventory map. A data inventory map shows where and how the organisation collects personal data, where the data is stored, how and why the organisation uses and discloses personal data, when the organisation ceases to retain personal data, and how it securely destroys or deletes it.
2. Data Protection Impact Assessment
When there are major structural or operational changes in the organisation, or when commencing a new project, the information security and data protection team should conduct a Data Protection Impact Assessment (DPIA). A DPIA helps organisations identify, assess and address personal data protection risks based on the organisation’s functions, needs and processes.
When in doubt about how to ensure your organisation is compliant with data protection laws, consulting the guidance published by data privacy regulators is a good way to find answers. In Singapore, the PDPC provides a substantial number of useful guides on how organisations can implement measures to comply with the PDPA.
3. National or International Certifications
Organisations may also decide to have their policies, processes, and implementations certified against internationally or nationally recognised standards. These standards include Singapore’s Data Protection Trustmark (DPTM), ISO/IEC 27001:2013, and ISO/IEC 27701:2019.
This in turn will uplift the organisation’s brand trustworthiness over the long term. These certifications also provide information security and data protection teams with holistic guidelines to ensure that the company is handling client data to the highest standards.
Accredify and data privacy compliance
Ensuring information security is our top priority in Accredify. As such, we have implemented numerous measures to ensure a high standard of security. These measures span across our use of cloud computing environments, the development lifecycle of applications, product design processes, and human resources policies. If you’d like to learn more about our data security measures, detailed information can be found on our website.
Accredify was certified for conformance to ISO/IEC 27001:2013 in 2020. To further demonstrate Accredify’s commitment to data protection, we plan to be certified for conformance to other standards and certifications in the near future.
To ensure that all employees are aware of their roles in ensuring data protection, all employees in Accredify are trained in data protection when they join the company as part of the onboarding process. We also organise refresher training sessions every year for all employees.
Of course, ensuring employees understand their role in and the importance of data privacy is easier said than done. Data privacy can often be seen as a dry subject to employees. That’s why Accredify is planning to create bite-sized content about data protection and privacy, which will be shared through engaging formats such as polls and infographics on Accredify’s internal community page.
Data protection is everyone’s responsibility
Organisations used to view data privacy compliance merely as a regulatory requirement to be met. However, as the world takes data privacy ever more seriously, compliance is becoming a strategic, long-term approach to building trust with stakeholders, and in many cases it is even becoming a competitive advantage.
For an organisation to have an effective data protection management system, data protection must be a responsibility that everyone in the organisation holds. It is not just the responsibility of the data protection department. To help everyone understand and take up this shared responsibility, the information security and data protection teams must collaborate closely with the HR and communications teams to convey the importance of data protection to the organisation’s team members.
With more of our lives moving from offline to online, data protection laws, regulations, and best practices will continue to change significantly and rapidly. In order for organisations to adapt quickly and stay current with the coming changes in data protection, organisations must invest in a long-term commitment to data privacy – from training employees, to setting up information security and data protection departments and processes, to being audited by external and independent auditors to achieve certifications.
After all, how can your stakeholders trust your brand if they don’t trust you with their personal data?
The document has been provided for general informational purposes only. Nothing in this document shall be construed to be legal or any form of advice. By accessing the document and the information set out in the document, you undertake that no reliance shall be placed on the information set out herein and you agree and acknowledge that you shall not hold Accredify Pte. Ltd. and/or its officers, affiliates, consultants, and/or its employees liable for any of the content set herein.