While data protection is a core part of an organisations business value proposition, policies and approaches for ensuring information safety might not be enough. Only 57 per cent of companies in Singapore believe they have an obligation to protect consumers personal information (significantly lower than the global average of 71 per cent).
This is according to The Accenture Global Data Privacy & Protection survey, which was conducted in 19 countries among more than 5,500 business leaders and 15,500 adult consumers.
Paul ORourke, Accentures Asia Pacific security lead, shared his views on the survey results on Singapore and what can be done to improve data security.
Q: What are some of the numbers that jump out at you and how do they compare with the global figures?
It would probably be the small number of companies that have acknowledged data breaches in Singapore. This 31 per cent have acknowledged leaking personal sensitive information in Singapore against the global average of 58 per cent and 80 per cent in the US. So theres a significant difference there. You can read it in one of two ways. Either the acknowledgement is a lot higher in the US or the controls and processes are a lot tighter in Singapore.
Q: The survey shows that Singapore does not have a local data protection law?
Singapore is not the only country that doesnt have data protection laws. I do think it ties back to the lower statistics of data breaches in Singapore. Singapore has in the past demonstrated a greater control around data management than other markets so I do not see it as a material issue in Singapore as against other markets.
Q: So how important is consumer personal information and how does it affect the business reputation of a company?
Some countries like the US have mandatory disclosure breach legislation and a number of other countries are just introducing this now which means that with any breach of personal information, the company must announce it to the market. And youve seen in the past where X company in the US has lost 20 million credit card data stores.
There is the financial impact, being fines by regulators or government and if its very material, it can actually impact share prices because youre actually impacting public perception of that organisation. So it can have and it is most likely a reputational hit for large companies and a financial impulse as well.
Q: So what can be done?
One action is to assign a data protection and privacy owner. Most organisations have numerous owners, it might be in legal, it might be in IT and it can be the business owner. Its about having a single owner of data protection and privacy and around that developing a formal government programme.
Sign up for CIO Asia eNewsletters.