Behind the extra checkboxes at the bottom of online forms and the specific requests for access permissions to the information in your mobile devices is a body of work known as data protection laws. By exploring how these laws came about, why they matter, and who they affect, we shed light on this major driver of proper data security practices today.
What are Data Protection Laws?
The main function of data protection laws, regardless of country, is to govern the collection, use, disclosure and care of personal data. As the amount of personal data around the world continues to grow, it becomes increasingly challenging for end users to know and protect their own personal data. Hence, organizations are required to take the necessary precaution to protect the data that they collect from end users.
Data breaches leave end users vulnerable to crime such as identity theft and victims of unsolicited contact from malicious organizations. When an organization is determined to be guilty of inadequate data protection practices — whether or not a breach actually happens — the organization is liable to punishment in the form of hefty fines.
Data Protection Laws around the world
Perhaps the most widespread of data protection laws is the General Data Protection Regulation (GDPR) of the European Union (EU). The GDPR does not only apply to organizations based in the EU and European Economic Area, but also any organization that manages data of people and entities based in those areas.
Other examples of data protection laws include Singapore’s Personal Data Protection Act (PDPA), which protects the interests and privacy of entities based in Singapore, and the California Consumer Privacy Act (CCPA), a state statute intended to enhance privacy rights and consumer protection for residents of California, United States.
Beginnings of Data Protection Laws
Why was the GDPR created in the first place? The GDPR was actually implemented in 2016, superseding the 1995-adopted Data Protection Directive.
The landmark event that accelerated the implementation of the GDPR was the 2018 Facebook–Cambridge Analytica scandal. In this scandal, the consulting and data analytics company Cambridge Analytica misappropriated the personal data of over 50 million Facebook users to influence their voting decisions in the 2016 US presidential election.
It was this event that revealed the enormous gap in accountability that organizations at that time had towards protecting the consumer data harvested in their operations.
Likewise, while the PDPA officially became Singapore law in 2013, it was not until recent years when financial penalties and jail terms were enforced.
What happens to organizations who breach Data Protection Laws?
The PDPA imposes a penalty of up to $1 million for organizations and up to $10,000 for individuals who break the law.
In 2019, sushi chain Genki Sushi was fined S$16,000 for breaching the PDPA. The investigation found that the organization had failed to correctly configure a server firewall, allowing a ransomware attacker to encrypt personal data belonging to about 360 current and former employees.
The sanctity of data protection laws is also called upon to address controversial cases such as a photo leak last week of a Raffles Medical Group patient’s confidential info after the patient was suspected of being infected with the novel coronavirus.
Compared to the PDPA, the GDPR imposes a much heavier penalty — up to 4% of a company’s annual revenue. In 2019, Marriott was fined £99M for exposing personal data belonging to approximately 339 million records of hotel guests. Investigations found that Marriott failed to do sufficient due diligence to secure its systems.
Holding Organizations Accountable
Prior to the enforcement of data protection laws, organizations were given free rein to collect any end user data as they desired, whether or not relevant to the purpose. Today, organizations must be transparent about how they manage the data of an end user’s. Individuals can even raise complaints if they have evidence that their personal data has been mishandled.
The responsibility now falls on organizations to implement sufficient cybersecurity and data protection practices to ensure that they follow best practices that dictate how data should be handled. This shift in accountability is part of a growing executive focus on cybersecurity in the gamut of organizations, which then benefits end users and facilitates better trust in how modern organizations conduct business.
Horangi has been helping industry leaders and the fastest growing companies in Asia with their cybersecurity strategies. If your organization is interested in conducting a cybersecurity assessment to better protect the personal data you manage, reach out to our world-class consultants on the form here.