From Compliance to Accountability: Leveraging Data Protection for Innovation

Recent high-profile data breaches have alerted many of us to the importance of securing our personal data. Yet, as we look to organisations and regulators to manage our data responsibly, questions arise: would stricter laws stifle innovation, and should businesses do just enough to comply? Infocomm Media Development Authority (IMDA)'s Yeong Zee Kin shares his perspective from the frontiers of data protection.





Q: Why is data protection important to businesses and Singapore as a whole?

 ZK: Put simply, data protection is good for business. Data breaches can happen to any organisation, and given the number of prominent cases in recent years, consumers   want to know how organisations can safeguard their data. And as Singapore advances its digital economy, data protection will play an increasingly vital role. It is important to   address issues such as trust and security of data use to fully reap the benefits of data-driven technologies such as Artificial Intelligence (AI), and facilitate industry progress.




Q: What is the current state of data protection in Singapore?

ZK: Singapore's data protection regime is relatively young and supple. It enables us to be nimble in anticipating challenges and opportunities as well as learn from our counterparts - important attributes for a new area of law that has to respond to and support technology developments. In this spirit, we are reviewing our Personal Data Protection Act (PDPA) to ensure it keeps pace with technological developments.

In addition, to enable more seamless data exchanges with organisations in participating Asia-Pacific Economic Cooperation (APEC) economies and uphold higher standards of data protection for cross-border exchanges, we support and participate in international systems like the APEC Cross-Border Privacy Rules and Privacy Recognition for Processors Systems. By staying open to change and learning from our counterparts, Singapore's current approach is a balanced one that combines strong safeguards and protection, while also enabling innovation to flourish

Q: How is the balance struck between data protection and innovation?

ZK: Contrary to common belief, data protection and innovation are not mutually exclusive. Take for example ride-hailing apps. They are useful for matching supply and demand between drivers and riders. Now, imagine how user experience can be personalised, driver assignment algorithms better optimised, and rides made cheaper with greater economies of scale if data on users' work schedules and preferred travel routes are available. But before that can happen, consumers must first feel comfortable providing their personal data, with assurance from organisations that the data is being handled with respect and care.

As more data-driven innovations move to the fore, mutual trust on the topic of data management has to be built between users and organisations. Only when organisations start being accountable and meet expectations for responsible and ethical use of data, will they be able to gain consumers' confidence in sharing their personal data for generation of better solutions.

Q: How then should organisations approach the issue of data protection?

ZK:As of now, many companies are still adopting a compliance-based approach - where regulations are translated into items on a to-do list, and simply checked off as they are completed. However, that does nothing to foster understanding of the intention behind the laws, nor is it adequate for a world where products, services and business models are constantly evolving.

This is why the Personal Data Protection Commission (PDPC) has been urging companies to adopt an accountability based approach, by first understanding the data protection principles, before adapting them into practices tailored for their organisation. This makes for a far more flexible approach that is crucial to tackling the issues surrounding data protection.

Q: What is PDPC doing to help organisations make this change?

ZK: To guide businesses on their data protection journey, we have introduced guides on accountability practices, and the first comprehensive Trusted Data Sharing Framework to push for responsible practices in data sharing. We hope that by publishing these best practices, key decision makers will become better informed and take the first step towards prioritising data protection.

For a more hands-on approach, organisations can also utilise our suite of data protection tools, such as a PDPA assessment tool to conduct a self-assessment on policies and practices, and the personal data asset inventory tool to map and track how they are currently using personal data.

To help organisations with transparent and accountable data protection practices gain a competitive advantage, we have also developed the Data Protection Trustmark (DPTM). Our research shows that two in three consumers prefer to buy from a DPTM-certified company, and four in five companies have also stated their preference to work with vendors that can manage personal data properly. Hence, we see the value of DPTM in fostering a virtuous data use ecosystem.