Data protection, cybersecurity and data privacy are critical topics that an entity or not-for-profit entity of any size needs to address. The issue for management is not when to address them but how to address them at a reasonable cost. The pandemic of 2019 to 2021 has advanced digitisation globally, not by a matter of weeks or months but by years. In short, the pandemic has brought the role and importance of digitisation to the forefront for both companies and consumers alike, ranging from food purchases to the need to rent offices.
Frequently Asked Questions (FAQ)
What is the difference between cybersecurity, data protection and data privacy for an entity operating in Singapore?
The critical question for any entity is whether Singapore has a law or legislative regime governing each specific topic that the entity must comply with. For example, cybersecurity is governed under the Cybersecurity Act of 2018 and data protection is governed under the Personal Data Protection Act of 2012. In contrast, we do not have a regime for data privacy such as the General Data Protection Regulation (GDPR) issued by the European Parliament for European Union member countries. But this does not mean that privacy is not essential or that an entity can ignore it in its daily operations.
How should an entity approach this issue to be compliant with the laws?
Understand the business first
The approach taken by Clayton Law LLC is not to “jump in” and start to craft or review any entity’s current data protection or privacy policy. Instead, the first and most important task is to understand the business goals of the entity. The next task is to know how the data flows in the entity, including the technical setup such as the network map, devices used, etc. Having understood both, we will craft a technically sound policy that is easy for the users and legally compliant.
Is this “business-technical-legal approach” expensive and time-consuming?
As most of this information is already with the entity, it should not be expensive since the information is readily available. Furthermore, it will reduce the time to craft the entity’s legally compliant and technically feasible data protection policies and procedures.
How do I manage a data breach if one should happen?
The question is similar to asking what happens if my house or apartment is on fire. Although we do not encounter fire daily unless we are in the fire brigade, fires do break out and can destroy everything a person may have. An entity needs to prepare for a data breach in the same way. This preparation includes having proper legally compliant policies and training for the staff on what to do when a fire breaks out.
We are a regional entity. How do we manage data protection and privacy?
Singapore is home to thousands of regional operational headquarters (OHQs), and we have provided regional advisory to companies operating across the region. In addition, we also work with our ASEAN network of data protection legal and technical specialists.
My entity is an SME. Do we need and can we afford data protection services?
An entity’s size or revenue does not determine its need for data protection. As long as personal data are involved in the operation of the Company, the entity has a legal obligation to comply with the laws on data protection.
We are a not-for-profit and charity body. Are we obligated to comply with the legal regime?
There is no distinction between a commercial operator and a not-for-profit and/or charity entity, as the legal obligations are the same. In fact, the volunteers of such organisations are also required to comply with the legal regime. The responsibility is on the management of the not-for-profit or charity body to ensure compliance.
My entity’s IT operations are outsourced to the “cloud” and/or a third-party provider. Does my entity still need to comply with the legal regime?
The short answer is yes. Outsourcing your technical operations does not absolve an entity from complying with the legal regime. The entity cannot “outsource” its legal obligations. On the contrary, the entity needs to ensure that the outsourced party has sufficient technical and organisational procedures to protect the entity’s data. The entity also needs to understand the legal obligations between the outsourced provider and the entity as to what happens when a data breach occurs either at the outsourced provider or at the entity itself.
Post-Breach Assessment / Incident Response / Formal Inquiry by the Regulators
Where there is a data breach or an incident in your entity, or you face a formal query by the regulators, we will collaborate with our technical experts to review the current data protection controls and policies and represent you to the Regulator.
Related Technology Matters
Technology Valuation and Acquisition Due Diligence
The technology of an entity can be a significant revenue contributor to a prospective buyer. Technology due diligence should be conducted before buying an entity for its technology. Every major purchase requires a careful evaluation, and the same applies to potential investments based on the technologies of another entity. The specific areas covered would include evaluating the system’s vulnerability, clarifying its ownership where relevant, and assessing the code stability of the software programme if necessary.
Employment and Technology
Mobile / Social Media Legal & Technical Advisory
An entity’s staff use their mobile devices and the myriad of social media messaging systems, such as WhatsApp, WeChat etc., to communicate both personal and commercially sensitive information. We are happy to provide a legal review of the Company’s policies and solutions, where relevant, to ensure that your Company’s trade secrets are protected and to address the potential issue of defamation caused by communication on these social media.
Personal Matters and Technology
The deployment of technology has also invaded our private spaces, such as in a personal dispute with another party or in a divorce. We provide the necessary legal and technical support and advice within these contexts.
Technology Related Dispute Management Service
It is undoubtedly true that not all disputes end in courts to be litigated, and there is always room to manage a disagreement privately, away from the public’s glare. As we have the necessary technical understanding, our team stands ready to assist you in this area.
I have further question/s.
Please send your question to query@claytonlaw.com.sg
