Spotlight On Lyn Boxall, Certified Information Privacy Manager (CIPM), Certified Information Privacy Professional, Asia (CIPP/A), Certified Privacy Professional, Europe (CIPP/E) and Fellow of Information Privacy (FIP). She is also certified by Exin (the global independent certification institute for ICT Professionals) as a Privacy and Data Protection Practitioner.
The easy answer is to say that I’m a lawyer, which is true. But lawyers are like doctors – we all have our different specialities, and we try to work in areas that interest us. What I like to do is to solve practical problems and to make things work well in a business sense.
I was lucky when I started out as a lawyer because I had a really good boss who trained me. I learned a lot from him about how the law should provide solutions to business problems, not create roadblocks. He taught me to think carefully about how to achieve a good outcome, rather than simply regurgitate tedious legal theories.
After a few years in private practice in Melbourne, I went over to the in-house side of the law. I did that for quite a few years, including here in Singapore since 2000. Then the company I worked for restructured in 2009 and transferred a lot of operations to the US. So, I did not have a job anymore and was not sure that I wanted to get on the corporate treadmill again either. I tried out a few things, and all of a sudden it was 2013 and the PDPA was a new field that was just starting up and I decided to do some voluntary work helping VWOs to put their data protection processes into place.
In 2015, I met up with Kevin Shepherdson and we concluded very quickly that his operational focus on data protection was an exact fit with my interest in using my legal experience to make things work well in a business sense. So, I have done a lot of data protection work with Straits Interactive in the past nearly six years. With other clients too, mostly in the startup sector and mostly in relation to data protection. From about the middle of 2016 that included working on the GDPR as well as the PDPA because lots of startups in Singapore were technology-focused and keen on selling their services into the European market.
For the first couple of years after the PDPA came into force nothing happened on the regulatory front. It is easy to forget now that the first enforcement decision was not published by the PDPC until 21 April 2016. (Ha, ha – today is the fifth anniversary of the K Box decision and its $50,000 fine.) So, it was nearly two years after the data protection obligations came into force on 2 July 2014. It is not surprising that businesses weren’t taking PDPA compliance seriously five years ago.
The PDPC has made up for lost time though and, as we all know, it has been a very active regulator, especially in the last couple of years and even with COVID shutting things down for a while in 2020. The amendments to the PDPA that came into effect on 1 February 2021 include a significant change in the enforcement mechanism for Do Not Call, so I am expecting a lot of Do Not Call enforcement, along with heavy fines, in 2021.
It is really noticeable how much more seriously businesses are taking PDPA compliance now. With the increasing prominence of publicity for data breaches, businesses are now appreciating that getting data protection right is important from a reputation and trust perspective. It is even more noticeable that this is feeding through into more data protection jobs being advertised in Singapore, and we are seeing them becoming more senior roles within organisations.
Across the region, I would say that Singapore is the leader with the Philippines nipping at Singapore’s heels. We can expect changes in Malaysia soon, a new law coming into force in Thailand and new laws emerging in both Indonesia and Vietnam. If we go a bit further afield, we should see a new comprehensive data protection law in both India and China soon – maybe as soon as before the end of 2021.
Legal compliance with the PDPA is like when you tell your kids to tidy up their room and all they do is push their toys and their unwashed clothes under the bed – when you have a quick look in their room it looks like they’ve tidied it up and you can feel good about how they’ve done what you wanted. But actually, they haven’t done anything except trick you… and perhaps trick themselves a bit. Nothing has really changed. Same, same – if someone such as a law firm provides pages and pages of policies, whether or not any staff actually look at them or change how they do things, the organisation hasn’t done anything except let itself feel good. Oh, and at the high price of having to pay the lawyers’ fees!
Operational compliance is actually doing things properly by building them into work practices. Kids that do room tidying properly put the toys back into the toy box and the unwashed clothes into the laundry basket. Oh, and wouldn’t you love it if the kids went the extra mile and hung up their wet towels instead of leaving them on the bathroom floor?
Many see data protection as an extension of the compliance portfolio in an organisation. In what way is this true, and how is operational compliance different from legal compliance?
The fault is that organisations say that the PDPA is a law and therefore it is the responsibility of legal and compliance. They can equally well say that workplace safety and health requirements are laws and that they too are the responsibility of legal and compliance. Well, the legal and compliance people do not walk around construction sites every day figuring out where an accident is going to happen, any more than they work at the front line every day figuring out what can go wrong with data protection from an operational point of view.
I have a favourite story about when I went to a new clinic a couple of years ago. The nurse receptionist handed me a patient registration form, asked me to fill it in and said something about the PDPA, so I was quite impressed with how well she had been trained. But it turned out that she had only been trained from a legal compliance perspective and not from an operational perspective. I stood at the counter in the clinic and filled in the form, but when I turned it over I found the previous patient’s completed form with all their personal data exposed to me. And when I looked underneath that one, I found another patient’s completed form. Operationally, the nurse receptionist had not been trained to move the completed forms off the counter and put them out of sight of other patients.
Yes. One of the most interesting things about working in data protection is figuring out how to make everything work in the context of continuing technological innovation and the changing physical environment (including COVID-19).
Fundamentally, if you look back more than 20 years – I can remember how primitive things used to be. But even relatively recently I have come across lawyers who get their PA to print all their emails for them and then they use a Dictaphone to dictate a response for their PA to type for them and send to the sender. I am NOT making this up!
Significantly, even if you only look back a couple of years, there were lots of changes between 2016, when we wrote 88 Privacy Breaches to Beware Of, and 2018, when we wrote 99 Privacy Breaches to Beware Of. The additional chapters were nearly all about new technology that existed in 2016 but had become mainstream by 2018.
In 2015 when I set up my law firm, I wanted it to be ‘virtual’ with no formal office and everything based on technology and remote working. Mostly people thought that was totally crazy, while I thought it was sensible because it is efficient and keeps overhead costs low. Now it is totally normal, though that would not have happened so quickly without COVID-19.
Continuing technological change, but also changes in expectations of individuals about privacy. Whether Singaporeans will become more or less concerned about privacy, I have no idea. Exchanging personal data for a better deal, such as special offers, will probably continue to be popular. On the other hand, if we get hit with identity theft on anything but a very small scale Singaporeans might decide that better deals are too high a price to pay and decide that they are no longer OK with sharing their personal data.
Email interview by Leong Wai Chong, CIPM, GRCP with Lyn Boxall FIP, CIPM, CIPP/A, CIPP/E, EXIN
The opinions expressed here are the interviewee’s personal views and do not represent the official position of the organisation the interviewee works for.