Spotlight On... Seah Teck Meng, Senior Legal Counsel at International SOS

In this edition, we feature Seah Teck Meng, FIP, CIPM, CIPP/A, CIPP/E, CIPT. A legal counsel with a medical service organisation.

Please share with us your background

I am a Senior Legal Counsel at International SOS, a global company providing medical and security assistance to travellers. My role is to manage risks for the company, one of which is to review and negotiate contracts to make sure contractual risks are mitigated.

Besides dealing with client contracts, I am also actively involved in negotiating IT contracts with vendors because of my background in technology (I used to be an engineer before switching to law).

How is it that you got interested in data privacy/protection?

My interest in data privacy came about when Singapore’s Personal Data Protection Act 2012 (PDPA) came into force, followed by the European General Data Protection Regulation (GDPR) in 2018. These laws had implications on my employer as we are dealing with patients’ health information on a global scale and had to comply with every data privacy law that is applicable.

The impact on me as legal counsel is that I am seeing more and more data protection provisions in the contracts I am reviewing, be it client contracts or contracts with vendors. At the beginning, I did not have a good understanding of data privacy laws or how they worked, which made it a challenge to negotiate the “right” data privacy clauses. That was when I realised I need training on the new subject.

What data privacy courses did you take from Straits Interactiev/DPEX Network and why?

Fortunately, a colleague recommended me to enrol in the 2-day course “GDPR and application on Asia” conducted by Straits Interactive. Attending that course was one of the best decisions I made. It not opened my eyes to the new world of data privacy but also made me realised GDPR is one part of a bigger puzzle as data privacy laws are becoming a global trend as many other countries are getting on the wagon. This spurred me to embark on an intensive 7-month journey from April to November 2019 where I completed all data privacy courses Straits Interactive had to offer and those that lead to international certifications; Advanced Certificate in Data Protection Principles, Advanced Certificate in Data Protection Operational Excellence, CIPP/A, CIPP/E, CIPM and CIPT.

What I liked about Straits Interactive’s courses to those of others is that the contents are well researched and supplemented by real examples that helped understanding, rather just regurgitating the principles or related laws.

Another advantage Straits Interactive has is its ability to bring both the legal and operational principles together and illustrate how one affects the other. Straits Interactive is able to amalgamate both because it has a consultancy arm helping companies achieve data privacy compliance and can share mistakes companies commonly make. Additionally, Straits Interactive/DPEX Network is well connected to ASEAN data authorities who frequently seek its help to train its officials or share best practices. In turn, Straits Interactive/DPEX Network gets insights to new laws and regulations contemplated by data authorities that it shares with its students. Access to data authorities is unique to Straits Interactive/DPEX Network.

What is your current job role?

In my introduction, I described myself as a legal counsel whose primary responsibility is to make sure my employer’s risk exposure is minimised in the contracts that it signs and the operations it undertakes. In terms of data privacy, I apply the law by negotiating clauses to be included in contracts to protect the company’s interests from the data privacy angle, for example, negotiating data processing agreement with processors to make sure they follow GDPR principles in processing the personal data my employer transfers to them.

What are the privacy/data protection opportunities do you hope to pursue?

My goal and interest in data privacy is to go beyond negotiating data privacy clauses. As an ex-engineer, I am also interested in technology. With my unique experience and knowledge straddling both law and technology, I believe I am in a position to make use of my legal knowledge on data privacy and translate into reviewing technology design, something which I am working on.

What practical advice would you offer to those wanting to implement a data protection management programme in their organisation? Any interesting case experience or scenarios to share for readers to get more insights into data privacy/protection?

For anyone planning to implement a data protection management programme, my advice is to first get strong buy in from management. The reason being developing and maintaining a data protection management programme is not a one-off effort. It requires constant training in upholding data primacy awareness in new and current staff, updating procedures, audit and inspection, something that must persevere through time. Data privacy compliance is also not a box ticking exercise where you simply show your internal data privacy documents to get a pass. There must be demonstration of bona fide data privacy compliance activities.

A good example of enforcement action taken by data authorities for non-compliance is the data breach at SingHealth in 2018, where personal records of almost 1.5 million patients were stolen through hack in the health record systems. This resulted in the regulator, the Personal Data Privacy Commission (PDPC), imposing the largest fine (S$1 million) allowed under PDPA on SingHealth, for failing to adequately train staff and patch identified system vulnerabilities on time, even though SingHealth had the necessary procedures in place. The SingHealth breach is clear evidence the regulator is not just looking whether an organisation has the necessary procedures but what it does (or does not do) with those procedures to maintain data privacy. In other words, the regulator is looking for action, not words.

What advice to you have for others?

For those out there who are thinking of a career in data privacy (there is growing demand for privacy professionals), now is the time to start. Data privacy is not about law or complying to the letters of the law, contrary to popular belief. More importantly, it is about operational compliance. Operational compliance is not paper compliance as we have seen in the case of breach at SingHealth. It is not sufficient to just have procedures or tick the right boxes. There needs to be constant training, audit, exercises and internal enforcement. This type of work suits a person with operational experience.

As with any new career, a career in data privacy will require training in the basics which companies like Straits Interactive can provide. For beginners, I strongly recommend Straits Interactive as it has the hands-on data privacy consultancy experience to illustrate data privacy principles in action, by backing up theory with real examples. These examples are a boon, they make learning easy and fun.

By Leong Wai Chong in an email interview with Seah Teck Meng, Senior Legal Counsel, International SOS Pte Ltd

The opinions expressed here are the interviewee’s personal views and do not represent the official position of International SOS.