Data Protection Lessons that ASEAN can learn from Enforcement Cases in EU and SG - Webinar Summary

On 29 March 2022, Straits Interactive and DPEX Network held a webinar on recent trends in data breaches and enforcement cases, as decided on by regulators in the ASEAN region and in the European Union.

With the rising adoption of data protection laws in ASEAN, and around the world, there are many lessons data protection officers (DPOs) can learn from the enforcement decisions in Singapore and the EU. DPOs need to be aware of the trends in enforcement cases, including the most common breaches and pitfalls, so that they can take the appropriate measures to prevent their own organisations from falling into the same traps.

The panel of speakers were:

• Dr Prapanpong Khumon, former Advisor to the Secretary-General of the Personal Data Protection Commission in Thailand
• Raymund Liboro, former Privacy Commissioner and Chairman of the National Privacy Commission of the Philippines (NPC)
• Lyn Boxall, Director of Lyn Boxall LLC, a Singapore law firm specialising in data protection/privacy
• Bay Chun How, Director of the Consumer Services & Investigation division of the Personal Data Protection Commission in Singapore (PDPC)
• Kevin Shepherdson, CEO of Straits Interactive

To watch the webinar in full, please sign up to be a DPEX Network community member, log in and visit the Resources > Videos section on www.dpexnetwork.org, where the evergreen recording will be made available within two weeks following the webinar.

Rising cases, rising fines, new laws

There has been an upward trend in the number of enforcement cases in both Singapore and the EU, Shepherdson pointed out at the start of the webinar, adding that average fines have also been increasing through the years.

PDPC’s Bay noted that this was possibly due to the growing number of data breaches caused by cyber attacks.  “We see more cases of higher scale due to cyber incidents. If you lose a couple of physical mails, it is quite different as opposed to someone breaching your system and exporting your entire database. The increase in fines would be due to the increase in the scale and the harm [of a breach].”

In 2021, 60 percent of the 25 Singapore organisations investigated for personal data incidents were fined; of them, five had to pay financial penalties of more than 25,000 SGD. In the same year, 23 companies in the EU were fined more than 1M EUR, which is 40% higher than the previous year.

Dr Khumon noted that data like this is extremely valuable for countries emerging in the data protection space. He said, “The statistics are very good for Thai data protection circles moving forward. The Thai law is based heavily on the EU GDPR (General Data Protection Regulation) and covers both public and private sectors, including NGOs. A lot of businesses are liable to get penalised, so it is a good learning curve for us moving forward.”

The Thai Personal Data Protection Act will be fully enforceable from 1 June 2022.

Meanwhile, in Singapore, the maximum fine for data breaches will be adjusted upward soon. On 1 October 2022, the maximum fine will be increased to 1M SGD or 10% of the organisation’s local annual turnover if that turnover exceeds 10M SGD, whichever is higher.

Another new data protection law came into effect last year on 1 November 2021, China's Personal Information Protection Law (PIPL). To learn more about data protection principles and requirements in China and Taiwan, take our course here.

Overcoming negligence in protecting personal data is key

When it comes to data breaches, the failure to protect the data in your care is the most common weakness of most organisations. In 2021, 85% of enforcement cases in Singapore were due to inadequate protection measures which resulted in unauthorised access of personal information.

What does this mean for DPOs? Shepherdson said, “Looking at this, it suggests that a lot of a DPO’s work and time should be focused on protecting personal data.”

The need for DPOs to pay more attention to protection of data is supported by the finding that a majority of the protection breaches in Singapore were actually preventable. Although there has been an increase in the number of cyber attacks in recent times, more than 80% of these protection breaches were due to negligence.

Bay emphasised the need for organisations to beef up their security systems in place. He said, “If you do not update your software regularly, if you do not have adequate processes, or if you have weak passwords, and if you leave [coding] entirely to your vendors and you don’t check if the configurations are done properly, these can all be perceived as negligence of the data owner. Because you cannot pass on the liability to your intermediaries.”

Lawyer and data protection specialist Lyn Boxall added that she had also seen preventable cases in her line of work. “There are cases that are due to carelessness,” she said, “but are well within the control of the organisation, [such as being due to] not changing passwords and lack of training.”

One way of enhancing an organisation’s data protection measures is to consider pursuing the new Cyber Essentials and Cyber Trust mark announced by the Cyber Security Agency of Singapore. These enable organisations to augment and benchmark their information security management systems.

“If you just want to deal with protecting personal data, go for the DPTM (Data Protection Trustmark). If, for example, you are a logistics company, and most of the data you handle is business contact information, then you want to protect business data, and whatever is in your server, consider CyberEssentials certification,” said Bay.

EU ramping up enforcements, ASEAN should keep watch

During the webinar, it was highlighted that total fines due to GDPR violations had increased tenfold from 2020 to 2021, due to hefty fines imposed on tech giants Amazon and Whatsapp. For example, Amazon was fined a whooping 746M EUR, while Whatsapp lost around 225M EUR due to fines.

Dr Khumon noted that the data further emphasises the need for a holistic and proactive approach to data protection.

He adds, “The statistics are telling us that we should put in the design of the process. You design, you assess what you’re lacking, then it’s time to put in the adequate protection. So it’s asking you to look at it step by step.”

Failure to notify regulators of a breach is another violation of the GDPR. This has only been implemented recently in Singapore as the Data Breach Notification Obligation. However, it has been part of the Philippine Data Protection Act (DPA) for quite some time.

Former Commissioner of the NPC of the Philippines Liboro advises, “To all the DPOs here, it’s not a crime to be breached, but it’s a crime if you do not disclose to the NPC a notifiable breach, and it’s a crime to be negligent. For the Philippines, you have a 72 hour rule for notifiable breaches.

He adds, “Sometimes if you do not disclose these to the authorities, the news gets to the authorities through other channels. Hackers brag about it on the dark web and it reaches us. There are also whistleblowers. The regulator will follow these leads. Many jurisdictions now have automatic breach notification rules. Follow them and practise them.”

Learn how to implement and sustain an effective data protection management programme (DPMP) for your organisation through our course here.

Questions on: adequate measures, standards-based compliance and getting solution providers to comply with regulations

The audience was also invited to post questions after the panel discussion. Some questions answered by the panel included:

• Given that the GDPR and other data protection laws generally do not provide much prescriptive details on security measures, how do organisations go about ensuring their measures are indeed adequate?

• Can you speak about the adoption of standards-based compliance (e.g. trust marks, ISO) in the Philippines and in Thailand?

• What are the tell-tale signs you look for that show whether an organisation has appropriate governance, robust risk assessment, and adequate operationalisation?

• How do we get our solution providers to comply with the PDPA?

• How prepared are participating countries and organisations to comply with the APEC Cross Border Protection Rules (CBPR)?

To watch the webinar in full and hear the trends directly from our panel of regional experts, please sign up to be a DPEX Network community member, log in and visit the Resources > Videos section on www.dpexnetwork.org.