Getting Serious About Protecting Personal Data

Businesses need to take action to ensure that they comply with recent changes to Singapore’s Personal Data Protection Act.

A Bill to amend Singapore’s Personal Data Protection Act (PDPA) was passed in Parliament in November 2020 to strengthen data protection and enforcement standards. The new legislation will not only help companies build consumer trust in the use of their data, but also strengthen data security practices of businesses in a dynamic cyber threat environment.

Under the amendments, businesses will face stiffer penalties for data breaches, be required to notify authorities of such incidents, and take stronger actions to mitigate malicious cyber threats. Experts say that local enterprises will need to comply with the changes by reviewing their approaches to data governance and cybersecurity.

To make sense of what PDPA 2.0 means for businesses, BiZQ speaks to Teo Xiang Zheng, Head of Advisory at cybersecurity firm Ensign InfoSecurity, to get his views on the issue.

Teo Xiang Zheng, Head of Advisory at Ensign InfoSecurity

What are the key changes to the PDPA that businesses should be aware of?

The amended PDPA Bill serves to enhance the position of data governance for many businesses, especially the small and medium enterprises (SMEs), as they may have fewer resources compared to larger corporations. The Bill also serves to highlight what cybersecurity really means for companies, regardless of their size.

In the amendments, we see a pivot towards better practices in managing data security, which has traditionally been focused on maintaining the confidentiality of data. With some of these amendments, you start seeing the introduction of integrity verification, which adds accountability in the business context.

We will see higher financial penalties for non-compliance, up to 10 percent of the company’s annual turnover in Singapore, or up to S$1 million, whichever is higher. We also see the need for mandatory notification of a data breach, which forces organisations to be prepared to report any notifiable data breach to the Personal Data Protection Commission (PDPC) within 72 hours from detection. Beyond that, affected individuals must also be notified if the breach is deemed to cause personal harm to them.

What is the rationale behind these changes?

In recent years, we have seen more incidents where organisations, which process personal data as part of their service or product offering, slipped up when it came to the management of personal data. These incidents have occurred more frequently, or at least recurred in some cases, over the past two years. As such, it is timely and important for the government to want to stem such repeat occurrences and send a strong signal to organisations to remain mindful that personal data is something that we want to protect as a nation. This rides on the interest in Singapore establishing Digital Defence as the sixth pillar in our Total Defence in 2019.

How will the amended PDPA bill affect businesses in Singapore, especially in areas of data governance and cybersecurity approaches?

Small businesses and start-ups may not have the luxury of resources to put in place systems that properly document this information and may find it challenging to lay on proper protective measures. The amended Bill is aimed at encouraging these organisations to really start thinking about having a more protected and secure way of keeping such records.

Since the start of the pandemic, the government has provided significant funding for businesses to take advantage of the drive to digitalise. Businesses can tap on some of these funds to better position themselves to address data protection, and to keep information safe and secure.

Financing and funding details can be found on the Economic Development Board’s website and include the Digital Resilience Bonus, Enterprise Development Grant, and Productivity Solutions Grant. Furthermore, Workforce Singapore and the Infocomm Media Development Authority have additional funds and financing schemes to support employee development through skills acquisition and upgrading, including SkillsFuture Singapore, SG: Digital Scholarships, and TechSkills Accelerator (TeSA).

How can SMEs with fewer resources embark on this journey to become more data secure and comply with the PDPA?

The PDPC has laid out several guidelines and advisories to the public. These guidelines are quite easily digestible and simple to understand.

In addition, the Cyber Security Agency of Singapore has also set out some of the best practices and guidelines for SMEs, through the GoSafeOnline programme, to quickly adapt and be able to work in a more secure manner when it comes to data protection.

If the business is a little more well-resourced and requires more personal advice, there is no shortage of service providers that are well versed in this; whether it is a law firm, an accounting practice, or maybe service providers like us. Services can range from obtaining managed security services, and advisory, to transformation programmes.

That said, taking action to preserve and protect personal data does not necessarily mean having to spend a significant amount of money. The resources have already been made available to us to make the most of. Businesses need to be aware of these resources, spend some time and effort to understand them, and share that knowledge with their employees to increase their awareness.

What are some of the prevalent cybersecurity risks and threats to businesses today?

Cybersecurity risks and threats continue to evolve and increase in dynamism. However, what we are clearly observing is that the complexity and the impact of cyberattacks have been increasing.

We have observed that watering hole attacks (where the attacker seeks to compromise a specific group of end users by infecting websites that members of the group are known to visit) and phishing attacks (meant to steal user data, including login credentials and financial information) are becoming more prominent and prevalent in Singapore. They account for 84 percent of all the cyberattacks that we detect here.

In the past year, many attackers have also taken advantage of the anxiety over the COVID-19 pandemic to successfully launch social engineering attacks such as phishing. Our phishing exercises in the past year saw failure rates going up from 15-20 percent to 25-30 percent for our clients on average.

We are also observing that the cyberattacks have shifted to take advantage of cyber supply chains’ trusted business partners and associates — through which they access their targets. Such attacks can exploit the common software and hardware used by organisations or the suppliers to launch attacks of widespread impact. We saw the two most complex cyberattacks of this nature in the last six months, and they have already affected companies globally in the double digits.

What more can businesses do to enhance their data security?

Cyberattacks are not so much about the technology. It is the people who are at the centre of vulnerabilities within any organisation. I always put across this key point to my clients that the technology, in and of itself, does not cause problems because it operates as it was designed to. We need to remember that it is us humans who designed and created the technology, and that human interaction exposes the vulnerabilities for exploitation.

Awareness training for employees is therefore of utmost importance. We need to educate people to be more aware and careful about what cyberattack campaigns look like, and how to know when something is amiss, so that we can act immediately when a cyberattack takes place.