Online privacy regulations
Online privacy made headlines in 2018, most famously with the Facebook-Cambridge Analytica incident. In Singapore, confidential medical information of 1.5 million users was leaked from a government agency.
Last year also saw the EU’s General Data Protection Regulation (GDPR) come into force. The GDPR is a regulation on how companies should process the personal data of their users. It sets out responsibilities for businesses to ensure the privacy and security of personal data, while giving users certain rights. Businesses must be able to demonstrate accountability to regulators when asked or face fines if they are unable to comply with GDPR requirements.
Why does the GDPR matter?
An important aspect of GDPR for businesses to note is that it does not only apply to businesses located in the EU or if the data collected is stored in the EU. As long as a business collects personal data on citizens in EU countries, it will need to comply with the GDPR, even if the business is located outside of the EU. Enforcing this is another matter and for small businesses it may not be worth the effort, but striving for GDPR compliance is a worthwhile goal - both in terms of respecting personal data and as a marketing bullet point.
The GDPR sets out rules on how personal data is processed, how it should be stored, the rights of users, prevention of data breaches, and expectations on how data breaches that have happened should be handled. Non-compliance could cost a business dearly in fines as well as in a loss of reputation. A common myth about GDPR is that it requires you to store the data within the EU, this is not the case. You can store it anywhere as long as you can sufficiently protect it. Do note that some governments and regulatory bodies may require data to be kept within the country, but this is not related to GDPR. (More details on the GDPR here.)
In Singapore, the Personal Data Protection Act (PDPA) regulates the collection and use of personal data and covers personal data collected in electronic and non-electronic forms. The PDPA regulates organisations in areas of consent, purpose and reasonableness. In a step up in data privacy protection, unnecessary collection of national identity card numbers will no longer be allowed from September 2019. This has driven more local organisations to adopt tighter data protection measures - much needed as the country’s digital economy rapidly grows. (Read about the PDPA here, and about the new measures here.)
In the US, where online privacy is remains largely unregulated, there could be growing appetite for more regulations along the lines of the GDPR to give users more rights and avenues to seek redress if their data is breached. The introduction of such privacy regulations would affect the way many businesses operate. This is why getting your business in line with the GDPR - which is currently the strictest regulation when it comes to privacy, is wise, even if your business operates outside the EU. (Read more here.)
Note that personal data of children up to 16 are under special scrutiny. You need written consent from their legal guardian to collect any personal data from them which can be challenging to do and to prove that it was really provided by the guardian.
1. Be transparent with your intentions
Be transparent and upfront with your intentions for collecting personal data, and do not ask users for information you do not need. If it is not an absolute must for your project goals, then do not include it. Be aware that it will not be well perceived if you are collecting personal data that you might need only at some point or with a very ambiguous reason, even if it is still legally compliant. Remember that you must be able to confidently defend your reasons for having each piece of data if you are challenged and your response could easily end up in a public forum.
Other questions to ask yourself:
- Who will have access to the user data you collect?
Will it be available to you and your staff at any point in time or only if an audit is needed? Will third parties or other users have access? How about the public?
- What do you plan to do with the data?
Are you collecting data for identification and audit purposes, or are you collecting data for mining information or to serve relevant content? Are you planning to sell the data to third parties?
- How will you protect the data?
You should have a technical plan, assuming "the developers will take care of it" is no longer sufficient. You should have specific requirements in your project brief such as encryption of data at rest and in transit, web applications and any APIs should be using SSL, as well as clear security policies for handling data. Access for your staff, developers and any other parties should be clearly defined in these policies - do all members of the development team need access to the production database for example?
It is also good practice to include contact details of the person in your team that is responsible for privacy and data protection. A policy generator is a good place to start but you will likely need to further customize it to make sure it is relevant to your application.
Remember that an IP address is also considered personal data, this means you may need to mention any analytics trackers and other monitoring tools that you might have installed in your application.
3. Conduct a risk assessment
Conducting a risk assessment is especially useful for GDPR compliance as you will be able to map out what data you store and process on EU citizens and understand your level of risk towards GDPR and the gaps you need to fill.
Assess the database design and where user data is stored. One of the requirements is to be able to delete a user's personal data on request, this will be difficult if it is spread across several databases. Try to keep personal data all in a single database, or, even better, in a fully managed service such as AWS Cognito.
Assess who has access to personal data and when. Do you need to keep personal data in your development environment or can you limit it to only production? Do developers need access to the production database once it has been created?
A good risk assessment should also outline measures taken to mitigate risks, and should help you reveal all shadow IT that might be collecting and storing personal data (such as backups) so that you account for it in your plans.
4. Involve all departments
Data protection and privacy is not only a security issue but a business risk that involves all stakeholders. Your IT department alone will not be able to meet all requirements. One option is to create a team including representatives from all functions (marketing, finance, sales) to share information and work together on technical and procedural changes needed. Whatever the size of your business it is good practice to appoint a Data Protection Officer to oversee your entire data protection strategy.
Training is also recommended, at least at an executive and manager level. There are both free and paid courses of varying levels available. Find those from a reputable source as there are many out there just seeking to sell you unnecessary "GDPR" services. It will be important for managers to relay and monitor this to their teams, everyone that interacts with personal data at any level needs to be familiar with at least the basic requirements.
Lastly, keep in mind that you are also responsible for your partners and vendors. They need to be GDPR compliant too, and if they are not then you should avoid sharing any personal data with them if possible. Sharing anonymised data might be a bit more work but considerably safer and usually gets the job done.
5. Have an incidence plan and test it
No one hopes for a security breach, but most cyber security experts and ethical hackers agree that it's not a question of "if you get breached", but "when". Like a fire drill in an office, you need to plan for this eventuality. How will your team respond to minimize damage? Who needs to be informed and when? The GDPR requires companies to report breaches within 72 hours. How well you respond will have an impact on how severely your business will be penalised. Testing it out ensures you are able to handle the incident and report it within the time limit.
You can facilitate this by building relevant features into your application. The ability to email the affected users about the data that was compromised for example. Pre-made and approved templates for such emails can also help speed up the process.
6. Make data security an ongoing process
Remember that security is not a “one time setup”. Ensuring data protection and security is a an ongoing process. Not only do you want to be in compliance with regulations, you need to remain in compliance, which will require monitoring and continuous efforts and improvement. This should be considered when developing the application as adding auditing and monitoring tools during development will be easier than adding them later.
If you are developing a cloud-based solution, make sure to involve at least one person in your team who is familiar with the relevant security, auditing and monitoring tools typically available on most cloud providers. For example, AWS has several services such as Cognito that are compliant with many of the global security standards related to data protection and using these will make it significantly easier for you to be GDPR compliant.
Security access should also be closely monitored and provided on a need-to-know and, crucially, "WHEN-to-know" basis. A database specialist in the team needs access to create a database at the start of the project for example, but once it has been created they should no longer need this so it can be removed.
In our digital economy, and there is a good chance that your business has stored at least some personal data. Online privacy and personal data protection is increasingly regulated today, most notably through GDPR that covers all businesses handling the personal data of EU citizens. Time will tell if there is a ripple effect across other regions. Singapore is increasing its personal data protection measures this year.
Specifically to applications:
- Make sure you are using current security best practices such as end-to-end encryption of data at rest and in transit - including backups and logs!
- Store personal information in a single database or managed service, avoid having bits spread around your application.
- In serverless architecture, you can ensure only 1 microservice has access to personal data. This microservice functions as the gatekeeper and should include detailed monitoring and logging of anyone accessing the data.
- Ensure access to your system, code, back-end, cloud, etc. is on a need-to-know and when-to-know basis. What does each individual need access to now, nothing more. This also applies to vendors and partners, do they need access to personal data or will anonymous data suffice.
- Only collect data that you need to ensure operation of your business and application, do not add fields to user forms that you don't have a clear and current reason for.
- Avoid collecting data from children (16 and below) if you can, this involves many additional requirements and scrutiny.
- Have measures built into your application that can handle a breach event such as targeted notifications and pre-approved messages.
- Build in features so that you can support privacy requirements such as "The right to be forgotten" and "the right to my data".
- Lastly, make sure you have a complete and relevant privacy statement that covers all the data you collect, the reasons, how you protect the data, how long you will store the data and what you will do with the data. Make sure to include your data protection officer's contact information