In a world full of costly data breaches and invasive privacy incidents, Singapore is not immune. It’s not just the big threats such as cyber criminals, nation-state hackers and cyber espionage—even simple employee mistakes can end up exposing private data and costing your organisation millions.
To combat the growing wave of privacy and cybersecurity issues, Singapore passed the Personal Data Protection Act (PDPA) 2012. These regulations are complemented by the Data Protection Trustmark (DPTM), a voluntary certification that helps organisations demonstrate that they have appropriate protection and privacy practices in place to guard their personal data.
But the threats are constantly evolving and compliance regulations are incredibly complex, so how should your organisation navigate them? Our guide will help to break it down for you.
Current Market Challenges
While Singapore is renowned for its safety, things aren’t so secure in the online world. A shocking 26.8 percent [1] of all crime in the country comes from cyber incidents, many of them involving breaches of private data.
Perhaps the high ratio comes from the fact that the laws, police force and culture that keep Singapore so safe don’t apply to the greater online world, and many threats originate internationally. From a business perspective, the reasoning behind it isn’t so important. What matters is just how large the privacy and security threat has become, and that it keeps trending upward with massive jumps each year.
According to the Singapore Cyber Landscape 2019 report (see infographic below), published by the Cyber Security Agency of Singapore, there were:
- 9,430 cases of cybercrime reported in 2019. This is up from 6,215 in 2018, an increase of 51.7 percent in just a single year.
- 47,500 Singapore-hosted phishing URLs detected in 2019, up from 16,100 in 2018. Phishing websites are often used to steal credentials and other private data.
In line with global trends, Singapore witnessed an increase in cyber threats targeted at various local industries such as e-commerce, banking and finance. This ever-growing menace makes privacy and cybersecurity issues a significant challenge for organisations. As a means of addressing them, the Personal Data Protection Act (PDPA) was passed in 2012.
The PDPA complements industry-specific regulatory frameworks by providing a baseline standard for protecting personal data. It includes a range of requirements that organisations and individuals must abide by, including how they collect, use, disclose and care for personal data.
Given the significant threat to privacy, doing the bare minimum may not be enough. The Data Protection Trustmark (DPTM) is an additional voluntary certification that demonstrates that an organisation has responsible practices in place to protect personal data. The DPTM Certification Framework aligns with the PDPA and incorporates international best practices.
Organisations can get certified through a number of different Assessment Bodies; however, the process can be complicated.
The Benefits of Proactive Privacy
Some organisations may struggle to see the point of addressing privacy issues and taking steps to minimise cybersecurity incidents. Getting non-mandatory certifications such as the DPTM and taking other proactive measures can seem like a waste of time, money and energy. But not when you consider the other side:
The average cost of a breach was US$2.71 million [2] for the ASEAN region in 2020.
It’s easy to ignore privacy and cybersecurity issues if your organisation has never experienced the fallout from them, but once you realise the immense costs, you need to take a different approach. The consequences of a data breach can be absolutely devastating to companies, including:
- Criminal penalties
- Legal fees
- Disruption to normal business operations
- Loss of customers
- Damage to a company’s reputation
Given these tremendous costs and the ever-growing cybersecurity threats, the only smart business decision is to invest in proactive data protection.
The benefits of bolstering defences and acquiring certifications go beyond just minimising the high costs of data breaches. The DPTM and other certifications can also help businesses build trust with their customers, and increase their competitive advantage. Ultimately the modest investment in a more proactive privacy approach can be returned many times over.
How Can Your Organisation Address Its Privacy and Security Issues?
Once you realise the tremendous costs that privacy breaches bring upon organisations, it becomes clear that the best move forward is to put the right data protection measures in place. But how can your business go about such a complex task?
It could start by assessing all of its sensitive data and the systems that need to be protected. It could then calculate the risks it faces and come up with a comprehensive plan of security measures and policies that mitigate those risks while also meeting its compliance obligations. Alternatively, your organisation can collaborate with an experienced partner like Privasec, which can use its years of expertise to make sure the job is done smoothly and correctly.
The Privasec Approach
Privasec offers a number of services that help your organisation manage its data privacy. These include:
- PDPA Privacy Assessment – This maps out your organisation’s personal information footprint, assesses its current status and establishes a roadmap toward compliance.
- The Data Protection Trustmark (DPTM) certification program – Privasec helps to bring your organisation’s practices and policies up to speed, then reviews and prepares submissions for the DPTM certification.
- Privacy Governance and Management Framework Assessment – This service includes building an integrated privacy management system for managing the privacy of personal data and helping to meet regulatory obligations.
Privacy and compliance often require a combination of the right cybersecurity know-how and legal prowess. That’s why Privasec has partnered with legal firms that specialise in technology and privacy law. Together, we can provide our clients the best advice and services, from both a technical and a legal standpoint.
PDPA Privacy Assessment
Privasec partners with law firms that specialise at the intersection of technology and privacy. Under our PDPA Privacy Assessment, a senior consultant and a privacy lawyer will review your organisation’s compliance and readiness against the PDPA as well as other relevant privacy legislation. This covers the latest updates to the PDPA, effective as of January 29, 2021. The process includes:
- Identifying the flows and storage of each type of private data within your organisation. This includes an impact assessment, as well as a review of the compliance of your organisation’s footprint against the PDPA.
- Reviewing your organisation’s information management process, as well as its ability to handle a data breach. We will also assess whether it is capable of complying with the mandatory data breach notification requirement that was introduced when the amendment to the PDPA came into effect in 2021.
- The privacy lawyer will also review a sample of your organisation’s third-party contracts that are related to its overall security and privacy compliance. This includes parties such as cloud providers, data entry providers and others.
Data Protection Trustmark (DPTM) Certification Program
As specialists in privacy and cybersecurity, Privasec can help make the Data Protection Trustmark (DPTM) certification process as smooth as possible. Our approach includes:
- Developing or enhancing the appropriate data protection policies and processes.
- Conducting workshops that provide guidance for asset and data inventory, data flow diagrams, and data mapping.
- Training and raising awareness for employees and other stakeholders.
- Assessing any gaps in current policy and practices, then finding solutions that make organisations ready for DPTM certification.
- Reviewing and preparing submissions for DPTM certification.
Privacy Governance and Management Framework Assessment
Privasec can help to design and build a Data Protection Management Programme (DPMP) that provides a simple path for organisations to develop and implement privacy management systems. These systems help to manage ongoing compliance with the PDPA. We are also experienced in global governance and management frameworks such as ISO 27001 and the NIST CSF. These frameworks help to demonstrate good information security and privacy standards. Not only can they address regulatory requirements, but they can also enhance customer confidence.
Can Your Organisation Protect Itself? Does It Really Need an External Partner?
Every organisation will have its own unique set of circumstances, from the stripped-down setups of sole traders up to large enterprises with burgeoning IT departments. If your company falls on the latter half of the spectrum, replete with its own techs and legal department, you may think it has what it takes to protect the privacy of its data and comply with the relevant legislation.
Technically, your company could try to take care of all aspects of its privacy and cybersecurity internally. However, it’s probably not a good idea.
While your staff may be knowledgeable in many areas of law or technology, it's unlikely that they have significant experience in these specific compliance issues, nor would they be accustomed to working cohesively as a team on these sorts of problems.
Sure, they could attempt to assess the organisation’s current situation, the risks it faces, and the steps that it needs to take for compliance and certification, but could they do it well? Would they make mistakes? Would they be efficient? Would they be much better off dedicating their time to the tasks they’re good at instead?
When you really think about it, it stops sounding like such a good idea.
Remember, this is for a large and capable organisation, with a wide range of expertise and immense resources. Due to the technical nature and wide range of skills involved, smaller businesses don’t really stand a chance of being able to adequately and efficiently address their privacy issues on their own.
Compare the above approach to a specialised provider like Privasec. Privacy, security and compliance are some of our main focuses. We are familiar with the relevant frameworks and practices needed to appropriately protect your data. Because we do this work for many clients, we have honed our skills and our approach, enabling us to do a comprehensive job in a much more efficient manner than those approaching the task for the first time. We know the hurdles and stumbling blocks, so we are also far less likely to make errors that could end up costing your organisation significantly in the long run.
While it’s true that your company can attempt to do this on its own, it’s still not a good idea. It works out much cheaper and with far fewer headaches if you engage an expert provider to help guide you through the many complicated hoops.
It’s clear that an external specialist is the best choice to navigate the complex waters of privacy, but why should you choose Privasec?
- The expertise you need – Our consultants have more than a decade of experience and industry knowledge, servicing sectors across the board.
- An obsession with excellence – We are dedicated to the highest standards, both for ourselves, and for each of our clients.
- Independence – We don’t sell our own products, so we aren’t incentivised to use those that may not align with your company’s interests. We’re independent and we value integrity, so we focus on finding the best solutions for your organisation’s security and privacy needs.
- Bridging tech and business – We understand that your organisation has many competing interests, and at the end of the day, any privacy measures have to make sense to the bottom line. We take both the business and technical sides into account, ensuring that our solutions are the best fit for your company’s unique circumstances.
GET YOUR PRIVACY UNDER CONTROL
Talk to one of our consultants or call us to find out how we can help solve your data privacy problems.
1. Infographic source: Singapore Cyber Landscape 2019, published by the Cyber Security Agency of Singapore, June 2020, retrieved 9 February 2021.
2. Cost of a Data Breach Report 2020, published by IBM and the Ponemon Institute, July 2020, retrieved 9 February 2021.