Managing outsourcing risks is another key component of making reasonable security arrangements. Outsourcing does not excuse an organisation from its obligations under the PDPA or make it less accountable to its customers and stakeholders. The South Korean, SCB and Sony Network cases illustrate the data security perils that third-party service providers can cause. An organisation must choose the right service provider and institute proper legal risk management practices. The Guidelines also provide that organisations should ensure that IT service providers are able to provide the requisite standard of IT security.
Organisations should therefore evaluate at the outset whether the service provider is able to meet the expected standard of care to protect personal data. Besides technical competence, experience and practice of keeping up with evolving industry standards, organisations should also consider the service provider's financial viability and business contingency plans, reliance on sub-contractors to process data, track record for data security as well as relevant political, economic, social or legal factors of the service provider's operating jurisdiction.
In addition, organisations should obtain from the service provider clear and enforceable service level requirements, so that they can detect and rectify any weaknesses early. For instance, an organisation should have the right to review the service provider's systems, policies, procedures and controls regularly and assess whether they are in accordance with industry standards. Also, upon discovering any actual or threatened breach regarding the organisation's data, the service provider should be required to notify the organisation immediately.
In this digital era of proliferating personal data, organisations must be mindful of the likelihood and potential repercussions of a data security breach. To protect consumers and themselves, organisations must comply with their legal obligations under the PDPA and implement comprehensive data security measures to manage current and evolving threats, as well as outsourcing risks.
Wun Rizwi is a partner in the Intellectual Property & Technology Practice at RHTLaw Taylor Wessing LLP, and his areas of expertise are Copyright & Media, Corporate & Commercial, Information Technology & Telecommunications, Trade Marks, Designs & Patents. He can be reached at email@example.com