Singapore wants ‘data protection by design’

By Nurfilzah Rohaidi

The Infocomm Media Development Authority is working on a guide to help industry to implement this concept across systems.

The Singapore Government wants companies to cultivate a “data protection by design” approach to managing data, Assistant Chief Executive Yeong Zee Kin of the Infocomm Media Development Authority (IMDA) of Singapore has told GovInsider.

Data management systems will be more secure and robust if they had been designed with data protection considerations in mind from the very start, Yeong explained.

“If after you've built the whole system, then you start putting in IT security requirements, it's more costly and it's never as effective,” he noted on the sidelines of the Gemalto Evolution 2018 conference on 12 April 2018 in Singapore.

The agency is creating an industry guide for data protection by design, he said, where the intent is to help companies implement this concept into their systems, processes, workflows, and even physical environment. “When we tried to look for more practical guides and documents, there aren't that many,” said Yeong.

“The guide will provide practical steps for IT managers to take their data protection obligations and build it them into the design of systems and processes,” he explained.

One way to look at it is to separate personal data from other company data, and store them on separate databases. “By breaking it up physically, you are able to implement different types of security,” Yeong explained. “This is the kind of thought process that the designer should go through early on.”

Yeong is also the Deputy Commissioner of Singapore’s Personal Data Protection Commission, which administers and enforces the Personal Data Protection Act and supports industries in their bid to raise their standards of data protection. He believes this is crucial for Singapore’s continued boost for innovation within the digital economy, as consumers will only trust businesses and services when personal data is appropriately used and secured.

“We will be a trusted ecosystem when businesses can make use of data and consumers trust businesses with their personal data so that collectively, we are able to benefit from the new technology that we have,” said Yeong during his keynote speech at the summit.

IMDA is working closely with industry to figure out how to allow businesses to use personal data responsibly, with the intent to create new products, business models and services. Regulatory sandboxes are one way to do this, Chief Executive Tan Kiat How told GovInsider.

The European Union’s new data protection laws require companies to have “data protection by design and default”. Under the General Data Protection Regulation, companies must implement technical and organisational measures to protect users’ data.

The GDPR, which will come into effect next month, will affect businesses all over the world. As long as a company is collecting or using data from users within the EU, it will have to comply with the GDPR’s privacy standards.