DATA & PRIVACY ARTICLE - THE RISING CONCERN OF DATA PRIVACY AROUND THE WORLD

The Rising Concern of Data Privacy Around the World

For a long time, organisations large and small have been collecting data from their customers without their complete knowledge and consent. Since the true purpose of such data collection is kept hidden from consumers and tucked deep inside the terms and conditions, many consumers click the “agree to terms and conditions” check box without understanding its impact. They have handed over so much of their information to companies without even realising it.

User data has a huge market value, resulting in companies pooling and selling the personal data of individuals on a large scale. Websites all over the world collect and store this data in many forms:

  • Personal data, including an individual's name, gender, IP address, and location
  • Engagement data, such as text messages, emails, mobile apps, and social media pages
  • Behavioral data, in the likes of purchase history, visits to certain areas and product usage information
  • Behavioral data metrics, as in consumer satisfaction, purchase criteria, and product desirability

Global tech giants have been found to keep more information about users than what they require, and they often claim to use this data to personalise content and improve the user experience. However, the fact is that these companies sell this data to advertisers, publishers, and other third parties.

For instance, ad performance with respect to a particular user is shared with advertisers, who then customise their ads based on the user's behavior to hyper-target them for conversion. Users' location information is also commonly shared and used to display personalised local ads. In response, many data subject request have made attempts to erase their digital footprints and secure their personal information that's available online because of privacy concerns.

Typically, data refers distinct pieces of information, usually formatted and stored in a way that is concordant with a specific purpose whereas data privacy refers to protecting data in terms of data collection, use, and disclosure.

The aim is to secure multiple types of data, like first-party data (information that brands and creators collect directly from their consumers), second-party data (information acquired from the company that collected it), and third-party data (information purchased from other sources, ideally including data from different sources aggregated in one place).

As consumers become more knowledgeable about their data rights and how their data is used, they will demand that it be protected and secured. An increasing number of consumers have expressed concerns about the way their personal information is used by companies. With rising concern from the general population over the misuse and abuse of data, there is a need for global data regulations that focus on strengthening consumer privacy and data protection.

Over the last few years, data misuse has extended far beyond creepy advertisements that target individual customers. The increased focus on privacy concerns is driven by the numerous cybersecurity attacks that have led to massive breaches of personal data. Data breaches cost organisations time, money and more importantly, reputation. This loss happens in the form of data loss, which can be compensated to some extent, and through irreversible damage to their reputation, which eventually leads to the loss of customers. Customer loyalty is almost impossible to regain.

The global rise in ransomware attacks is a major source of concern for businesses. According to Security Brief Asia, 65% of Singapore organisations were hit by ransomware attacks in 2021, more than twice the number from the previous year (25%). 64% of attacks resulted in data being encrypted, a considerable increase from the 49% that was reported by respondents in Singapore in 2020. Organisations in Singapore that are hit by a ransomware attack are paying an average of around S$1.5 million.

Thus, many governments are starting to regulate data collection and management by companies. With privacy being declared a fundamental right by the United Nations Universal Declaration of Human Rights, there is an immediate obligation to preserve privacy rights.

Data Privacy Regulations: The Impact on Business

Data privacy regulations enable businesses to optimise their data handling practices and ease cross border digital transactions. However, they require businesses to strengthen their data management technologies in order to build strong digital capabilities. The core idea is to create compliant, efficient business models that protect customers' data privacy.

There are two major changes businesses can expect as a result of data privacy regulations. First, privacy will become a fundamental expectation among customers. Second, transparency in privacy policies will no longer be optional. As consumers become more aware about data policies and with governments enforcing privacy requirements, companies are learning that implementing data privacy policies can create a business advantage by keeping them ahead of the curve.

On the other hand, from a business standpoint, the cost of compliance will shoot up since organisations might have to allocate separate staff and financial resources just to keep up with these regulations. With high noncompliance penalties and the potential risk of losing their brand value, organisations will be forced to pay to achieve compliance. The other impact on businesses is overregulation of policies. Customers become burdened by endless consent forms for every data process, taking away the ease of use of online platforms.

Through widespread implementation of regulations across the globe, businesses are at risk of noncompliance and increased investment. Many frameworks are being developed to help businesses find the right combination of optimal investment and compliance with regulations. Gartner’s data security governance framework describes how businesses can meet legal requirements while dealing with consumer data.
The framework suggests the following steps:

  • Identify and discern the type of data that is impacted by data privacy compliance regulations.
  • Develop privacy impact assessments for data protection and administer these periodically while keeping all business stakeholders involved.
  • Configure technology controls to minimise risk to an acceptable level.
  • Review security policies methodically and whenever business risks change.

The common misconception about data privacy regulations is that they only impact the legal department. That said, the point often missed is that everyone who works with data in a company must be aware of the regulations and stay compliant. Many experts studying these regulations propose that this has less to do with data management and more to do with change management processes. Businesses need to rethink and restructure the way they handle customer data. The better approach to integrating these privacy regulations into a business is to implement change management.

The proposal is such that investing in analytics and automation technologies should be any company’s first step towards building a robust, compliant system that ensures adherence to most if not all privacy regulations. Most data privacy laws mention the customers' access rights, which essentially means that a customer can at any time ask for a copy of all the data that is being gathered on them, or for their data to be deleted.

Businesses will need digital, automated solutions to comply with these requests efficiently. For example, forms that autofill necessary details, desktop guidance tools, or virtual assistants will make the process faster with minimal manual effort. This will in turn reduce the possibility of mishandling data.

The constant shift of data privacy laws will only become more rigorous with time. The ideal step for any business to take would be to voluntarily comply with all the privacy laws in the locations where their businesses operate. Furthermore, countries and states affected indirectly by their businesses must also be taken into consideration as regulations like how the PDPA/GDPR require. In order to avoid or reduce exorbitant fines, operational interruptions, and the loss of customers, the sooner businesses plan and comply with these laws, the more successful they will be for all stakeholders.

Author Bio

Cecil Su currently leads various engagement teams on diversified advisory, security testing and threat intelligence projects across vertical industries for a mid-tier firm. Cecil has been a cybersecurity practitioner, consultant and advisor since the mid 2000s. 
He is a Fellow of the Association of Information Security Professionals (AiSP) and is involved in a wide range of cybersecurity initiatives in Singapore and globally.