DATA & PRIVACY ARTICLE - GDPR FOR CYBERSECURITY PRACTITIONERS
What cybersecurity practitioners need to take note of GDPR
The European Union's General Data Protection Regulation (GDPR) is known to be more stringent than Singapore's Personal Data Protection Act (PDPA). With the latest amendments to the PDPA, Singapore's data protection regime has incorporated certain aspects of the GDPR, such as mandatory data breach notification and higher penalties.
As Asia deepens its economic links with the European Union (EU), it is worthwhile for cybersecurity practitioners to know more about the GDPR, to the benefit of the organisations they serve. This can also help our information security professionals to prepare ahead for forward-looking data protection practices as Singapore's PDPA progresses.
PDPA Versus GDPR
Here is a quick comparison between Singapore's PDPA and the EU GDPR:

| Legislation | SG PDPA | EU GDPR |
|---|---|---|
| Applicable to | Private sector (including sole proprietorships) | Comprehensive (including public sector) |
| Record keeping | An organisation must keep records of the ways it has used or disclosed personal data for at least 12 months, as part of its obligation to provide individuals with access to their personal data. No mention of employment size. | Derogation for organisations with fewer than 250 employees with regard to record-keeping. |
| Data Protection Officer | Mandatory, including for sole proprietorships | Required if certain conditions are fulfilled. |
| Sensitive personal data | Although the PDPA does not have a special or separate category of "sensitive" personal data, the PDPC does take a stricter view when considering a case where the personal data compromised is of a sensitive nature. Disclosure of such data may expose the client to the risk of fraud and identity theft. | Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person's sex life or sexual orientation. |
| Individuals | Data protection for a deceased individual for 10 years from the date of death. Individuals affected by a data breach can only bring an action against organisations (and not data intermediaries) for losses and damages suffered as a result of the breach. | Living individuals only. Data subjects affected by a data breach can take action against both controllers and processors. |
| Personal or household activity | Does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity. | Same exclusion applies. |
| Extraterritorial effect | Physical presence of the organisation does not matter. | Applies to entities located outside the EU, and imposes a number of direct obligations on data processors. |
| Basis of processing | Consent is the only basis of processing. Arising from the Amendments, the deemed consent framework is expanded and there are new exceptions to the express consent requirement. | High standard for consent, and consent is not the only basis. |
| Data breach notification | Arising from the Amendments, organisations need to comply with the mandatory data breach notification obligation (3 calendar days), including for financial information and sensitive health information. | The controller must report such a breach to the supervisory authority within 72 hours, and possibly to the affected data subjects. |
| Penalty | Arising from the Amendments, increased financial penalties, which take effect at a later date. | The EU's data protection authorities can impose fines of up to €20 million, or 4% of worldwide turnover for the preceding financial year, whichever is higher. |
Observations on our cybersecurity practitioners’ application of GDPR in Singapore
I had the opportunity to moderate a panel session, the GDPR for Cybersecurity Practitioners webinar, on 29 June 2021, organised by the Association of Information Security Professionals (AiSP). The panellists, Joyce Chua (UOB), Bryan Tan (Pinsent Masons LLP) and Ivan Lai (Crypto.com), shared their observations on our practitioners' application of the GDPR in Singapore. Here are some highlights of our virtual session:
What are the common misconceptions about the GDPR in our local cybersecurity community?
They think their organisation is not offering services in the EU, and they may not understand what cannot be done. Practitioners are handling personally identifiable information, but they are not adhering to the GDPR. As businesses focus on growing their customer base, there is not much development in the procedures involved.
Coincidentally, from 1 February 2021, new amendments to the Personal Data Protection Act (PDPA) have come into force. With the new amendments, there is an increased emphasis on organisations better protecting the personal data under their care.
Also, some Singapore companies perceive that it is not necessary for them to understand the GDPR, as the PDPA would suffice.
Has the GDPR changed the dynamics of how MNCs conduct their business in the region outside the European Union?
The GDPR is recognised as the gold standard among data protection laws. Since the GDPR came into effect on 25 May 2018, there have been sweeping changes in how we work in non-EU countries. Companies have had to review and update their data protection measures, paying more attention to how they implement them. There was chaotic change among vendors because of the US Privacy Shield, which the EU does not deem an adequate GDPR compliance mechanism. Data subjects' right to delete is not easy to implement when you have different systems in different regions. More effort is now going into managing data inventories and the regulatory requirements for data breaches.
There is a stronger emphasis on using Privacy Impact Assessments (PIAs, or in Singapore's case, Data Protection Impact Assessments) for specific purposes that involve the processing of personal data. This risk-based assessment enables senior management to prioritise controls and resources for risky activities that are important to business processes and innovation. There is also greater demand to ensure that business processes have controls in place on a daily basis, which has given rise to mobile applications that let companies track and monitor their controls and compliance efforts.
Companies in general, not just MNCs, are relying more on their legal counsel to navigate GDPR-related contractual terms. Overseas insurers are more well-versed in managing breaches, while some legal counsel are not aware of what ransomware is. Lawyers are asking data subjects to file class suits for damages, and this will become more common as more cybersecurity incidents occur.
During your engagements with companies on their cybersecurity posture and strategies, what are the common questions they have on data protection compliance in Singapore? Is there a difference when they evaluate their data protection strategies for Singapore versus the rest of Asia?
There is no magic bullet in the terms and conditions for Singapore companies working with clients and partners in Asia that have to be GDPR-compliant; it is a lot of hard work, depending on how the organisation is set up. No two organisations are identical in their compliance measures, and business owners should be aware that the legislation is evolving and that there are new developments in overseas markets. For instance, Hong Kong, Japan and South Korea are ahead of us, while there is not much enforcement in Malaysia. Singapore takes enforcement seriously, while some countries have not yet put data protection legislation in place.
For cybersecurity practitioners who have to work with different external partners in the cross-border supply chain of an MNC environment, what are the common challenges or areas they face in data protection?
The most common areas would be partnerships and outsourcing. Practitioners may not be using PIAs to identify their risks, especially when it comes to vendor due diligence. There could be a better understanding of data minimisation while balancing business objectives. On the data breach aspect, incident response management and reasonable security measures can be improved as well. In managing data risks, it is important to review the data lifecycle and assess the criticality of vendors.
The panel also addressed participants' questions on qualifications for data protection officers, cybersecurity insurance, employee data, vendor due diligence, and privacy concerns over virtual and digital platforms during the Covid period. AiSP members are welcome to play back the recorded webinar by contacting the Secretariat.
How can our cybersecurity professionals benefit from understanding the GDPR?
Knowing the GDPR and its implications for Singapore-based organisations enables our information security professionals to prepare ahead for forward-looking data protection practices. The GDPR emphasises areas where our professionals can advance and add value, e.g.:
- Provide technical and development teams with training on data protection by design, and keep the relevant training records.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
- Benchmark against ISO 27001 and other international standards, and set business KPIs for the cybersecurity team.
More Asian countries, such as Japan and South Korea, are embracing the GDPR. If companies want to stay ahead and capitalise on the EU market, our cybersecurity practitioners should consider taking proactive steps to ensure their knowledge stays relevant in the fast-developing borderless world, especially during the Covid times.
Contributed by Yvonne Wong, Co-opted Committee Member, EXCO, Association of Information Security Professionals (AiSP)
About the Author
Yvonne Wong
Yvonne is currently a Co-opted Committee Member, EXCO, in AiSP. She volunteers in the Cyber Threat Intelligence Special Interest Group (SIG) and the Data and Privacy SIG. Yvonne has been a practitioner, consultant and trainer in Governance, Risk and Compliance (GRC) since 2015. Prior to GRC, she was involved in branding, communications, intellectual property management and strategic planning work in the private and public sectors. She is presently the Senior Manager in the Yishun Health Data Protection Office.