
Freeman Cebu Business

Data protection breaches – Are you worried?

INTEGRITY BEAT - Henry Schumacher - The Freeman

Given the bad news we are getting daily about data protection breaches and the good time hackers are having with our data, I am worried!!

How can we protect ourselves? Let’s go back to basics:

What is data protection?

The concept of data protection encompasses the collection, usage and storage of personal information, as well as the disclosure or transfer of personal data. The digital age of today has made personal data the lifeblood of businesses and the economy as people freely share data and information on a daily basis. To prevent unauthorized use of the personal information of individuals by organizations, data privacy laws were introduced in many jurisdictions worldwide, e.g., Europe’s General Data Protection Regulation (EU GDPR), Singapore’s Personal Data Protection Act (PDPA), the Philippines’ Data Privacy Act (DPA) and Malaysia’s Personal Data Protection Act (PDPA).

Data protection laws require organizations that handle personal data to demonstrate accountability and responsibility. To be operationally compliant with the laws, organizations should have a data protection management program (DPMP) in place to translate the requirements of the law into their business practices.

What does a Data Protection Officer (DPO) do?

A DPO is essential in today’s environment as digitalization has made it convenient for organizations to collect and analyze data for various business purposes. However, this convenience has brought about vulnerabilities and risks that may not be factored in the organization’s overall governance, risk management and compliance strategy.

The main responsibility of the DPO is to assist the organization to govern how personal and sensitive data is being collected, used, disclosed, or stored within an organization according to the requirements of the data protection laws. If there are gaps in the operations that are processing personal data, the DPO works with the relevant departments to ensure that there are adequate controls to mitigate the risks and rectify the gaps. They also work with the relevant departments to ensure that the organization's privacy policy and data protection training are updated and communicated to staff.

What qualifications do you need to be a DPO?

All organizations that handle personal and sensitive data need to have a DPO.

Other than that, the pandemic has turbocharged the digital transformation for many organizations. Companies were forced to adapt to the wave of change in delivering products and services, as well as adapt to the new remote working concept. However, digital transformation comes with digital risks and vulnerabilities - both from a security and a privacy perspective.

A DPO must help the organization to transition through the change and ensure that new data protection measures are implemented to address these new risks.

Can the duties of the DPO be outsourced?

You can delegate the task, but not the responsibility.

Resources at the company may be stretched thin by the pandemic and therefore outsourcing a DPO may be considered. However, management should be mindful that the role of the DPO can be outsourced but the responsibility and accountability to their stakeholders still lie with them.

What is Data Protection-as-a-Service (DPaaS)?

Effective data protection practices enhance customer trust and maximize a business's value.

DPaaS can be an integrated bundle of data protection services that enable organizations to train their DPO and set up a Data Protection Management Program (DPMP) with the data breach management function included. It could also include outsourced advisory support towards operational compliance with data protection requirements. DPaaS and DPOinBox are data protection services developed by Straits Interactive Pte Ltd of Singapore.

Keep a lookout and join us in our regular data protection webinars where we bring professionals in our data protection community together to discuss, share and learn insights to drive data protection excellence within organizations. Straits Interactive's partner in the Philippines, EITSC, will run its next webinar on Avoiding Data & Privacy Breaches on 12 November 2021. If you are interested, contact EITSC – www.eitsc.com

In conclusion, let’s just remember:

* We need to achieve operational compliance with data protection laws,

* We need to implement data protection management programs,

* We need to demonstrate accountability to regulators, such as the NPC.

Doing this will allow us to build trust with our customers and stakeholders.

Feedback is appreciated; please contact me at [email protected]
