It cannot be reiterated enough: personal information is property that belongs to the consumer, which companies must handle with a certain duty of care.
That makes privacy compliance a much more complex challenge. Companies need to think more about what's best for the consumer as we handle personal data, as well as how to accommodate the consumer and the rights he or she might exercise under various privacy regulations.
In short, businesses need to make a "culture of privacy" more of a priority, in much the same way anti-corruption activists like the Integrity Initiative and partners stressed the importance of a culture of compliance in the 2010s. A culture of privacy and security will be the watchword for the 2020s.
It forces deeper changes in business processes, policies, and corporate awareness of privacy - and any time we talk about changes in policy, procedure, and corporate culture, the compliance function is crucial to that.
Now let's get more practical.
When you translate those goals into capabilities that the company must have to get the job done, several emerge as the most important.
The regulation includes a list of specific types of information within the scope of the Data Privacy Law (DPA) - names, email addresses, photos, audio recordings, Internet search history, biometric data, and more - plus the catch-all "any information that can reasonably be associated" with a specific person.
The most fundamental compliance capability is simply to understand what personal data your company collects. Where does that data enter your extended enterprise? What business processes touch it? What third parties touch it? Where is the data stored?
Oversight of third parties is not a new capability per se, but the DPA pushes the need for that capability to new heights. For example, it draws a distinction between "service providers" and other third parties. A service provider receives personal data from your business as part of a written contract, to execute a specific task for you: write a legal brief, host a website, run payroll, and so forth.
This means compliance functions will need to sharpen their assessment of third parties, to understand the exact business relationship and assure that it meets all the criteria for service providers.
Remember, the DPA gives residents certain rights to their personal data. For example, under the DPA consumers have a right to see the data that a company has collected about them. Consequently, companies need to devise policies and procedures to fulfill that right: a way for consumers to submit the request, procedures to identify all the relevant data, and a way to present that list of data back to the consumer.
Well, security specialists have already identified bogus data access requests - where hackers pretend to be someone asking to see his data and dupe a company into sharing it. Companies will need to be aware of that threat and build identity-confirmation controls into their access request procedures.
Likewise, consumers can ask for companies to delete their personal data.
These are only three capabilities a company will need to develop to achieve DPA compliance; we could discuss many more. Fundamentally, the DPA will require the compliance function to get more involved in structuring business processes, since so many business processes now involve at least some processing of personal data—and achieving DPA compliance is about handling personal data with proper care, at all times.
By: Henry J. Schumacher
Feedback is welcome; if assistance is needed, let me know. You can contact me at schumacher@eitsc.com
Get access to news, enforcement cases, events, and actionable tips and guides
Get regular email updates and offers
Job opportunities, mentorship and career guidance
Exclusive access to Data Protection community - ask questions, network and share knowledge with peers and experts via WhatsApp and Linkedin
DPEX Network is a Community Initiative of Straits Interactive.
Copyright © Straits Interactive Pte Ltd. All Rights Reserved.
All intellectual property rights to logos and brands featured on this website remain the property of their respective owners.