During her inaugural Committee of Supply (COS) speech in Parliament on March 4, 2022, Josephine Teo, Minister for Communications and Information and Minister-in-Charge of Cybersecurity, announced that the increased maximum financial penalties for data breaches introduced by the 2020 amendments to the Personal Data Protection Act 2012 (PDPA) would come into force on October 1, 2022.
Under the amended regime, an organisation whose annual turnover in Singapore exceeds SG$10 million faces a maximum financial penalty of 10 per cent of that annual turnover; for all other organisations the maximum penalty is SG$1 million. Previously the cap was a flat SG$1 million regardless of size.
To provide context, the Personal Data Protection (Amendment) Bill was introduced for its first reading on October 5, 2020 and passed by Parliament on November 2, 2020. The Personal Data Protection (Amendment) Act 2020 ("Amendment Act") was gazetted on December 10, 2020 and commenced partially on February 1, 2021, bringing into effect the mandatory data breach notification requirements and new offences for the mishandling of personal data. The higher financial penalties commenced on October 1, 2022, as announced above, while the data portability provisions and certain consequential amendments are still to take effect at a later date.
Since this amendment, other ASEAN countries have followed suit.
In August 2022, Malaysia announced a new Cybersecurity Bill, being developed by the National Cyber Security Agency (NACSA), to be tabled in early 2024. Note that this is a cybersecurity bill rather than an amendment to Malaysia's Personal Data Protection Act 2010, so it concerns the security obligations of organisations rather than penalties for breaches of personal data as such.
In September 2022, following a series of high-profile data breaches in the preceding months, Indonesia enacted its Personal Data Protection Law (PDP Law). The PDP Law holds both domestic enterprises and global corporations responsible for mishandling the personal data of Indonesian residents.
Under the PDP Law, companies can face an administrative fine of up to two per cent of their annual revenue for data breaches. Individuals who contravene the PDP Law can be fined up to IDR6 billion (roughly US$400,000) in addition to criminal penalties.
Proactive measures for businesses
The increase in maximum financial penalties for data breaches across ASEAN has significant implications for businesses in the region, which must respond proactively to ensure they are adequately protected.
Key considerations and actions for businesses include:
- Review data protection policies: Review and update data protection policies and procedures so that they align with the amended data protection laws in every jurisdiction where the business collects or processes personal data. This includes measures to prevent data breaches as well as documented procedures for handling and reporting incidents.
- Reassess cybersecurity measures: Evaluate and strengthen the organisation's security controls. This may involve endpoint protection, email protection, patch management, multi-factor authentication and other safeguards for sensitive information, together with logging and monitoring so that a breach can be detected and scoped quickly. Conduct regular security audits and assessments to identify and address vulnerabilities.
- Data breach response plan: Develop or update a comprehensive data breach response plan that sets out the steps to take in the event of a breach, including how the incident is assessed, notification procedures, communication strategies and coordination with regulatory authorities. Bear in mind that the statutory notification windows are short: under the PDPA, an organisation that assesses a breach to be notifiable (one likely to cause significant harm to affected individuals, or affecting 500 or more individuals) must notify the Personal Data Protection Commission as soon as practicable and no later than three calendar days after making that assessment, so the plan must make that assessment possible within days, not weeks.
- Employee training: Train employees on data protection best practices and the updated regulations. Employees should understand their role in preventing data breaches and the importance of promptly reporting any suspected security incident, since the regulatory clock starts from the organisation's assessment of the breach.
- Conduct risk assessments: Regularly assess the risks associated with the processing of personal data within the organisation. This includes identifying and addressing vulnerabilities in systems, processes and third-party relationships, such as vendors and data intermediaries, that could lead to data breaches.
In Conclusion
The consequences of a data breach are no longer just a 'slap on the wrist'; they carry significant financial, reputational and business continuity consequences. By taking a proactive approach to cybersecurity and regulatory compliance, businesses can reduce the risk of data breaches, demonstrate accountability to regulators and customers, and limit the fallout when an incident does occur.
The post Singapore’s data protection act sends shockwaves through the region: Strategic responses for business owners appeared first on e27.