Data Protection: Turning compliance into opportunity

Written by Lyn Boxall, one of our expert panel members in the area of Data Protection.

Data protection regulations are now in force in Singapore.


The Do Not Call (DNC) Registry rules took effect on 2 January 2014. Holders of Singapore telephone numbers have been able to register and avoid receiving unwanted text, voice or fax marketing messages.

After an 18-month “sunrise” period to allow organisations to get their internal processes in order, nine personal data protection obligations and limitations took effect on 2 July 2014. Organisations must comply with them when they collect, use or disclose personal data from or about individuals, including their employees.

Compliance-based approach

Boards of companies need to ensure that management implements a robust compliance framework as part of its overall risk management responsibilities. In implementing this framework where the law is clear, management should act on an understanding of what is permissible and what is not. Where the application of the law is subject to interpretation, management should proceed in a way that is consistent with the risk appetite developed by the Board.

The DNC rules present a good example. They do not prevent organisations from sending marketing messages to Singapore telephone numbers in all circumstances. For instance, and leaving aside the data protection rules for the moment, the DNC rules are clear that marketing messages may be sent to numbers that are not listed in the DNC Registry.

Where a number is listed in the DNC Registry, marketing messages may nevertheless be sent in the context of an ongoing relationship if the purpose of the message is related to the subject of that relationship. There could be genuine debate as to whether there is an ongoing relationship in any particular case and/or whether the message has the necessary connection with that relationship. A decision consistent with the organisation’s risk appetite must be made before deciding whether or not to proceed with sending the message.

Yet, it appears that some organisations in Singapore have simply tipped targeted marketing messages into the “too difficult” basket and stopped using them altogether.

Similarly, the data protection rules do not prevent organisations from continuing to use personal data for the purposes for which they were collected prior to 2 July 2014. And yet, rather than applying a risk-based approach to determining the purpose for which personal data was collected, many organisations play it safe by burdening their stakeholders and requiring them to give specific consent for the continued use of personal data.

Beyond compliance to opportunities

The practical outcomes currently observed suggest boards need to guide management to not only apply a risk-based approach, but to also try another perspective: stop seeing data protection merely as a legal and compliance requirement that stands in the way of doing business.

Boards can, and should, communicate to management an expectation that they will implement data protection requirements in ways that find new opportunities to enhance operations and customer relationships.

One example is SingTel. It went beyond the current data protection rules to build a portal which provides customised options for its users on the type of marketing messages they want to receive. The greater granularity of options is beneficial to its customers but also provides the telco greater insights into its customers’ preferences. On top of that, the widely-reported pioneering response made good marketing copy.

As I observe the implementation of data protection laws in Singapore and elsewhere, the common factor is that legal or compliance staff are expected by management to take “ownership” of the issue. This yields a necessarily conservative outcome because legal and compliance staff are tasked with minimising risk, not with making decisions that take the company’s risk appetite into account.

Fundamentally different outcomes would occur if the issue of data protection was “owned” by chief executives and their sales and marketing teams, with expert input by legal or compliance staff.

This turns the conversation, and therefore the outcome, on its head. It stops being “tell me what I can and cannot do” and becomes “how do we make it happen – within acceptable legal parameters? What are the risks and options for such decisions?”

This solution-led approach could creatively improve customer service and relationships in the new data protection era. It directly confronts the key operational premise: how can we do better at winning and retaining customer loyalty in this new reality?

Clearly, I am not advocating non-compliance with the law. However, practical requirements can give rise to a considerable grey area, and the need to “make a judgment call”. The board must guide management towards decisions based on sound risk management, not just from a minimal-risk perspective.

Data protection laws are here to stay. The response from boards and management should be to leverage these laws while complying with them.

Lyn Boxall is a member of the Professional Development Committee of the Singapore Institute of Directors.

This article was first published in The Business Times and BT Invest (a financial portal of The Business Times), under the column “Boardroom Matters” by the Singapore Institute of Directors.

Data Protection: Hackers expose 83 million JPMorgan Chase & Co accounts

Over 83 million households and small business accounts at JPMorgan Chase & Co had their personal information exposed after one of the biggest data breaches in history.

The bank, which is the largest in the United States, revealed that its computer systems were recently compromised by hackers, exposing the names, addresses and email addresses of millions of account holders, including current and former account holders and individuals who entered their contact information on the bank’s online portals.

Although there was no evidence that account numbers, passwords, birthdates or Social Security numbers had been stolen, security experts have advised that scammers may attempt to use the exposed information to engage in various types of fraud. Fears have been raised, for instance, that criminals could attempt to use the information to steal the identities of businesses and individuals and engage in cybercrime.

JPMorgan chief operating officer, Matt Zames, sent an email to employees, describing the attacks as “highly unfortunate and also a reminder that we all must be increasingly vigilant in the cyber world.”

The case highlights the far-reaching consequences of data breaches for both customers and businesses, and the importance of ensuring data protection remains a priority.

Talk to GRC Solutions today about our Data Protection course.

Source: Wall Street Journal

Data Protection Risks: Chinese hackers attack U.S. government agency


An attack by Chinese hackers against the databases of a United States government agency risked the personal information of tens of thousands of employees who had applied for top-secret security clearances. Although the hackers were thwarted by authorities before any information was stolen, the attack highlights the increasing importance of universal data protection.

The United States Office of Personnel Management is responsible for managing the e-QIP system, through which federal employees seeking security clearances enter some of their most personal information, including financial data. In March, Chinese hackers broke into the Office’s network, gaining access to some of the Office’s databases containing the sensitive information. However, authorities detected and blocked the threat before any information was stolen.

This attack was particularly notable because although hackers attempt to breach United States government networks on a daily basis, they rarely succeed. The incident forms the latest in a series of rare but serious government information security breaches, including a 2013 attack on the United States Department of Energy in which hackers successfully made off with the personal information of employees and contractors.

Information security breaches can originate from any country and affect any organisation. Organisations must ensure that data protection remains a priority, particularly where the personal information of employees or clients is at risk.


Source: New York Times