How to navigate the changing terrain of data policies

By Edwin Concepcion

The importance of implementing data protection guidelines correctly

As data breaches are increasingly making headlines, businesses and consumers are becoming more concerned about the security of data. Data protection or privacy laws are being passed or amended to keep up with new technologies, and companies are scrambling to comply with these new changes.

With the introduction of data protection or privacy laws, regulators or regulatory agencies are established to ensure compliance with the laws. These regulators also provide data protection or privacy guidelines that organisations can implement to increase the accountability of the organisation. For instance, Singapore’s Personal Data Protection Commission has the “Advisory Guidelines on Key Concepts in the Personal Data Protection Act” to increase the understanding of the law. By implementing the data protection guidelines accurately, organisations are able to demonstrate accountability to stakeholders by building stronger data protection practices.

How individuals can spot potential data breaches before they happen, both in the workplace and their own personal profiles

It is important for individuals to know their rights under the PDPA and to ask the firms collecting their personal data why and how they will use and protect that data. The more information the organisations ask for, especially the sensitive information, the more the individual should conduct appropriate due diligence for these firms to see they adhere to standards for sound data protection practices. In this aspect, the privacy policies of the companies can provide the most insight into the purpose behind the collection of data and how the companies process it. It is good practice to make it a habit to read the privacy policy before downloading an app, for instance.

Among the red flags for a potential workplace data breach are the lack of data protection training or an onboarding process for data protection policies, the absence of a data protection officer (DPO) or committee, and the absence of a data protection management programme (DPMP). These are the baseline requirements for basic data protection practices within the organisation. In the absence of DPMP implementation and a designated DPO overseeing DPMP operations, an organisation is at a high risk in regards to the likelihood of a data breach.

How to identify and overcome flaws in corporate data protection policies

When it comes to handling personal data, ethical practices include organisations obtaining consent from individuals for the use of such data relating to them, being transparent about the purposes for which the personal data will be used and allowing individuals to acknowledge the purpose and usage to which they consent.

In order to govern data effectively, it is crucial that organisations are aware of how personal data is collected, used, disclosed, and stored (CUDS) within their business processes. It is also important for organisations to assess the risks relating to the processing of personal data across the organisation (data flows), implement control to mitigate them, build a data inventory and conduct data protection impact assessments (DPIA).

After assessing the risks, it is important to protect the organisation’s information assets by assessing the data protection risks faced by the organisation and developing and implementing controls to manage them. This includes implementing policies and processes / standard operating procedures (SOPs) that support business operations in compliance with data protection laws and training staff.

In addition, it is essential that the organisation sustain its compliance efforts by educating stakeholders about the personal data protection policies, including conducting regular data protection audits and consistent risk assessments. Another key element would be to ensure that the organisation has a plan to respond to breach incidents, if they do not already have.

What factors encourage users to share their information

In the past decade, we have witnessed consumers becoming more comfortable with the digital landscape and actively engaging in online activities. Consumers even routinely trade personal information for free services. Oftentimes, if something like this is free, the cost to an individual takes the form of personal data being harvested and capitalised upon.

Many websites also have social login, which enables users to sign up for their website by providing information in their social media accounts. This provides a seamless experience for users and that could be a contributing factor for users to share their information more readily. Users may also be more likely to share their information with websites or apps, if many of their family or friends are doing it as well.

How to break bad habits that lead to data breaches

Individuals should always read the privacy policies before providing consent to any website or app they intend to use. In organisations, human error often leads to breaches, so staff training is crucial. As important as initiating the program is sustaining it. The organisation must maintain compliance efforts by educating stakeholders about the data protection policies, including conducting regular data privacy audits and consistent risk assessments.

Edwin Concepcion is the Country Manager of Straits Interactive the Philippines. Straits Interactive is a leading data privacy consultancy across the entire ASEAN region. For more information, please visit