The Rising Concern of Data Privacy Around the World
For a long time, organisations large and small have been collecting data from their customers without their complete knowledge and consent. Since the true purpose of such data collection is kept hidden from consumers and tucked deep inside the terms and conditions, many consumers click the “agree to terms and conditions” check box without understanding its impact. They have handed over so much of their information to companies without even realising it.
User data has a huge market value, resulting in companies pooling and selling the personal data of individuals on a large scale. Websites all over the world collect and store this data in many forms:
- Personal data, including an individual's name, gender, IP address, and location
- Engagement data, such as text messages, emails, mobile apps, and social media pages
- Behavioral data, such as purchase history, visits to certain areas, and product usage information
- Behavioral data metrics, such as consumer satisfaction, purchase criteria, and product desirability
Global tech giants have been found to keep more information about users than what they require, and they often claim to use this data to personalise content and improve the user experience. However, the fact is that these companies sell this data to advertisers, publishers, and other third parties.
For instance, ad performance with respect to a particular user is shared with advertisers, who then customise their ads based on the user's behavior to hyper-target them for conversion. Users' location information is also commonly shared and used to display personalised local ads. In response, many data subjects have made attempts to erase their digital footprints and secure their personal information that's available online because of privacy concerns.
Typically, data refers to distinct pieces of information, usually formatted and stored in a way that is concordant with a specific purpose, whereas data privacy refers to protecting data in terms of data collection, use, and disclosure.
The aim is to secure multiple types of data, like first-party data (information that brands and creators collect directly from their consumers), second-party data (information acquired from the company that collected it), and third-party data (information purchased from other sources, ideally including data from different sources aggregated in one place).
As consumers become more knowledgeable about their data rights and how their data is used, they will demand that it be protected and secured. An increasing number of consumers have expressed concerns about the way their personal information is used by companies. With rising concern from the general population over the misuse and abuse of data, there is a need for global data regulations that focus on strengthening consumer privacy and data protection.
Over the last few years, data misuse has extended far beyond creepy advertisements that target individual customers. The increased focus on privacy concerns is driven by the numerous cybersecurity attacks that have led to massive breaches of personal data. Data breaches cost organisations time, money and more importantly, reputation. This loss happens in the form of data loss, which can be compensated to some extent, and through irreversible damage to their reputation, which eventually leads to the loss of customers. Customer loyalty is almost impossible to regain.
The global rise in ransomware attacks is a major source of concern for businesses. According to Security Brief Asia, 65% of Singapore organisations were hit by ransomware attacks in 2021, more than twice the number from the previous year (25%). 64% of attacks resulted in data being encrypted, a considerable increase from the 49% that was reported by respondents in Singapore in 2020. Organisations in Singapore that are hit by a ransomware attack are paying an average of around S$1.5 million.
Thus, many governments are starting to regulate data collection and management by companies. With privacy being declared a fundamental right by the United Nations Universal Declaration of Human Rights, there is an immediate obligation to preserve privacy rights.
Data Privacy Regulations: The Impact on Business
Data privacy regulations enable businesses to optimise their data handling practices and ease cross-border digital transactions. However, they require businesses to strengthen their data management technologies in order to build strong digital capabilities. The core idea is to create compliant, efficient business models that protect customers' data privacy.
There are two major changes businesses can expect as a result of data privacy regulations. First, privacy will become a fundamental expectation among customers. Second, transparency in privacy policies will no longer be optional. As consumers become more aware of data policies and with governments enforcing privacy requirements, companies are learning that implementing data privacy policies can create a business advantage by keeping them ahead of the curve.
On the other hand, from a business standpoint, the cost of compliance will shoot up since organisations might have to allocate separate staff and financial resources just to keep up with these regulations. With high noncompliance penalties and the potential risk of losing their brand value, organisations will be forced to pay to achieve compliance.
The other impact on businesses is overregulation of policies. Customers become burdened by endless consent forms for every data process, taking away the ease of use of online platforms.
Through widespread implementation of regulations across the globe, businesses are at risk of noncompliance and increased investment. Many frameworks are being developed to help businesses find the right combination of optimal investment and compliance with regulations. Gartner’s data security governance framework describes how businesses can meet legal requirements while dealing with consumer data.
The framework suggests the following steps:
- Identify and discern the type of data that is impacted by data privacy compliance regulations.
- Develop privacy impact assessments for data protection and administer these periodically while keeping all business stakeholders involved.
- Configure technology controls to minimise risk to an acceptable level.
- Review security policies methodically and whenever business risks change.
The common misconception about data privacy regulations is that they only impact the legal department. That said, the point often missed is that everyone who works with data in a company must be aware of the regulations and stay compliant. Many experts studying these regulations propose that this has less to do with data management and more to do with change management processes. Businesses need to rethink and restructure the way they handle customer data. The better approach to integrating these privacy regulations into a business is to implement change management.
The proposal is that investing in analytics and automation technologies should be any company’s first step towards building a robust, compliant system that ensures adherence to most if not all privacy regulations. Most data privacy laws mention the customers' access rights, which essentially means that a customer can at any time ask for a copy of all the data that is being gathered on them, or for their data to be deleted.
Businesses will need digital, automated solutions to comply with these requests efficiently. For example, forms that autofill necessary details, desktop guidance tools, or virtual assistants will make the process faster with minimal manual effort. This will in turn reduce the possibility of mishandling data.
Data privacy laws are constantly shifting and will only become more rigorous with time. The ideal step for any business to take would be to voluntarily comply with all the privacy laws in the locations where their businesses operate. Furthermore, countries and states affected indirectly by their businesses must also be taken into consideration, as regulations like the PDPA and GDPR require. In order to avoid or reduce exorbitant fines, operational interruptions, and the loss of customers, the sooner businesses plan and comply with these laws, the more successful they will be for all stakeholders.
Author Bio
Cecil Su currently leads various engagement teams on diversified advisory, security testing and threat intelligence projects across vertical industries for a mid-tier firm. Cecil has been a cybersecurity practitioner, consultant and advisor since the mid 2000s.
He is a Fellow of the Association of Information Security Professionals (AiSP) and is involved in a wide range of cybersecurity initiatives in Singapore and globally.