DATA & PRIVACY ARTICLE - GDPR FOR CYBERSECURITY PRACTITIONERS

What cybersecurity practitioners need to take note of GDPR

The European Union's General Data Protection Regulation (GDPR) is known to be more stringent than Singapore's Personal Data Protection Act (PDPA). With the latest amendments to the PDPA, Singapore's data protection regime has incorporated certain aspects of the GDPR, such as mandatory data breach notification and higher penalties.

As Asia deepens its economic links with the European Union (EU), it is worthwhile for cybersecurity practitioners to know more about the GDPR, to benefit the organisations they serve. This can also help our information security professionals to prepare ahead for forward-looking data protection practices as Singapore's PDPA progresses.

PDPA Versus GDPR

Here is a quick comparison between Singapore's PDPA and the EU GDPR:

Legislation: SG PDPA versus EU GDPR

Applicable to
  • SG PDPA: Private sector (including sole proprietorships).
  • EU GDPR: Comprehensive (including the public sector).

Record keeping
  • SG PDPA: An organisation must keep records of the ways it has used or disclosed personal data for at least 12 months, as part of its obligation to provide individuals with access to their personal data. No mention of employment size.
  • EU GDPR: Derogation for organisations with fewer than 250 employees with regard to record-keeping.

Data Protection Officer
  • SG PDPA: Mandatory, including for sole proprietorships.
  • EU GDPR: Mandatory if any of these conditions is fulfilled:
      • Processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
      • Core activities of the controller or the processor* require regular and systematic monitoring of data subjects on a large scale; or
      • Core activities of the controller or the processor consist of processing on a large scale of special categories of data (refer to sensitive personal data below) or personal data relating to criminal convictions and offences.

Sensitive personal data
  • SG PDPA: Though the PDPA does not have a special or separate category of "sensitive" personal data, the PDPC does take a stricter view when considering a case where the personal data compromised is of a sensitive nature. Disclosure of such data may expose the client to the risk of fraud and identity theft.
  • EU GDPR: Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.

Individuals
  • SG PDPA: Data protection for a deceased individual for 10 years from the date of death. Individuals affected by a data breach can only bring an action against organisations (and not data intermediaries) for losses and damages suffered as a result of the breach.
  • EU GDPR: Living individuals only. Data subjects affected by a data breach can take action against both controllers and processors.
  • Both: Neither applies to the processing of personal data by a natural person in the course of a purely personal or household activity.

Extraterritorial effect
  • SG PDPA: Physical presence of the organisation does not matter.
  • EU GDPR: It applies to entities located outside the EU, and it imposes a number of direct obligations on data processors.

Basis of processing
  • SG PDPA: Consent is the only basis of processing. Arising from the Amendments, the deemed consent framework is expanded and there are new exceptions to the express consent requirement.
  • EU GDPR: High standard for consent, and it is not the only basis.

Data breach notification
  • SG PDPA: Arising from the Amendments, organisations need to abide by the mandatory data breach notification obligation (3 calendar days), including for financial information and sensitive health information.
  • EU GDPR: The controller must report such a breach to the supervisory authority within 72 hours, and possibly to affected data subjects.

Penalty
  • SG PDPA: Arising from the Amendments, an increased financial penalty which would take effect at a later date: the maximum financial penalty for an organisation whose annual turnover in Singapore exceeds S$10 million is 10% of its annual turnover in Singapore.
  • EU GDPR: The EU's data protection authorities can impose fines of up to €20 million, or 4% of worldwide turnover for the preceding financial year, whichever is higher.
*Controller and processor refer to organisation and data intermediary in Singapore's

Observations on our cybersecurity practitioners’ application of GDPR in Singapore

I had the opportunity to moderate a panel session, the GDPR for Cybersecurity Practitioners webinar, on 29 June 2021, organised by the Association of Information Security Professionals (AiSP). The panelists, Joyce Chua (UOB), Bryan Tan (Pinsent Masons LLP) and Ivan Lai (Crypto.com), shared their observations on our practitioners' application of GDPR in Singapore. Here are some highlights of our virtual session:


What are the common misconceptions of GDPR in our local cybersecurity community?

They think their organisation is not offering services in the EU, and they may not understand what cannot be done. Practitioners are handling personally identifiable information, but they are not adhering to the GDPR. As businesses are focusing on increasing their customer base, there is not much development in the procedures involved.

Coincidentally, from 1 February 2021, new amendments to the Personal Data Protection Act (PDPA) have come into force. With the new amendments, there is an increased emphasis on organisations better protecting the personal data under their care.

Also, some Singapore companies perceive that it is not necessary for them to understand the GDPR, as the PDPA would suffice.

Has the GDPR changed the dynamics of how MNCs conduct their businesses in the region outside the European Union?

The GDPR is recognised as the gold standard among data protection laws. Look at the sweeping changes in how we work in non-EU countries since the GDPR came into effect on 25 May 2018: companies have had to review and update their data protection measures, paying more attention to how they implement them. There was chaotic change among vendors due to the US Privacy Shield, which the EU does not deem an adequate GDPR compliance mechanism. Data subjects' right to deletion is not easy to implement when you have different systems in different regions. More effort is being put into managing data inventories and the regulatory requirements for data breaches.

There is a stronger emphasis on using Privacy Impact Assessments (PIAs, or in Singapore's case, Data Protection Impact Assessments) for specific purposes that involve the processing of personal data. This risk-based assessment enables senior management to prioritise controls and resources for risky activities that are important for business processes and innovation. There is also greater demand to ensure that business processes have controls in place on a daily basis, which has given rise to mobile applications for companies to track and monitor their controls and compliance efforts.

Companies in general, not just MNCs, are relying more on their legal counsel to navigate GDPR-related contractual terms. Overseas insurers are more well-versed in managing breaches, while some legal counsel are not aware of what ransomware is. Data subjects are being asked by lawyers to file class suits for damages, and this would become more common as more cybersecurity incidents occur.


During your engagements with companies on their cybersecurity posture and strategies, what are the common questions they have on data protection compliance in Singapore? Is there a difference when they are evaluating their data protection strategies in Singapore and in Asia?

There is no magic bullet in the terms and conditions for Singapore companies working with clients and partners in Asia that have to be GDPR-compliant; it is a lot of hard work, depending on how the organisation is set up. No organisation is identical in its compliance measures, and business owners should be aware that the legislation is evolving and there are new developments in overseas markets. For instance, Hong Kong, Japan and South Korea are ahead of us, while there is not much enforcement in Malaysia. Singapore takes enforcement seriously, while some countries have not yet put their data protection legislation in place.

For cybersecurity practitioners who have to work with different external partners in the cross-border supply chain of an MNC environment, what are the common challenges or areas they face in data protection?

The most common areas would be partnerships and outsourcing. Practitioners may not be using PIAs to identify their risks, especially when it comes to vendor due diligence. There could be a better understanding of data minimisation while balancing business objectives. On the data breach aspect, incident response management and reasonable security measures can be improved as well. On managing data risks, it is important to review the data lifecycle and assess the criticality of vendors.

The panel also addressed participants' questions on qualifications for data protection officers, cybersecurity insurance, employee data, vendor due diligence, and privacy concerns over virtual and digital platforms during the Covid period. AiSP members are welcome to play back the recorded webinar by contacting the Secretariat.

How can our cybersecurity professionals benefit from understanding the GDPR?

Knowing the GDPR and its implications for Singapore-based organisations enables our information security professionals to prepare ahead for forward-looking data protection practices. The GDPR emphasises areas where our professionals can advance and add value, e.g.:

  • Provide technical and development teams with training on data protection by design, and keep the relevant training records.
  • Organisations must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
  • Benchmark against ISO 27001 and other international standards, and set business KPIs for the cybersecurity team.

More Asian countries, such as Japan and South Korea, are embracing the GDPR. If companies want to stay ahead and capitalise on the EU market, our cybersecurity practitioners should consider taking proactive steps to ensure their knowledge stays relevant in the fast-developing borderless world, especially during Covid times.

Contributed by Yvonne Wong, Co-opted Committee Member, EXCO, Association of Information Security Professionals (AiSP)

About the Author

Yvonne Wong

Yvonne is currently a Co-opted Committee Member, EXCO, in AiSP. She volunteers in the Cyber Threat Intelligence Special Interest Group (SIG) and the Data and Privacy SIG. Yvonne has been a practitioner, consultant and trainer for Governance, Risk and Compliance (GRC) since 2015. Prior to GRC, she was involved in branding, communications, intellectual property management and strategic planning work in the private and public sectors. She is presently the Senior Manager in the Yishun Health Data Protection Office.