FACEBOOK is once again in the news after the social media giant on September 28 revealed its largest security breach. Hackers exploited a vulnerability in its “View as” feature for testing privacy settings and stole access tokens.
This gave them the ability to take over about 50 million Facebook user accounts.
The impact of this breach is a potential US$1.63 billion fine by the European Union under the latest privacy Act, subject to the Data Protection Commission (DPC) in Ireland determining the number of EU users impacted.
Since the General Data Protection Regulation (GDPR) has already taken effect, Facebook’s security breach is going to be a case study for many organisations and lawmakers around the world as the first online privacy lawsuit by the EU. It will be observed for precedents and policy decisions for future reference and best practice.
Privacy Acts are becoming a central theme all over the world. With the recent Facebook breach and the borderless nature of the digital world, any organisation that has websites or apps allowing a Facebook log-in will need to determine the potential risks of the Facebook breach to their customers and the strength of their own data and privacy policies.
In Southeast Asia, the combined population of Asean’s 10 member nations is 634 million with a combined GDP of US$2.55 trillion reported in 2016. It is the sixth-largest economy in the world with a total trade of US$3.7 trillion. Forecast annual growth at 5 per cent sets expectations of it becoming the fourth-largest economy by 2030. It also has the fastest growing population of Internet and mobile device users, with online spending expected to reach $200 billion by 2025. This growth makes it a prime target for hackers.
Thailand has a multi-year blueprint to develop digital capabilities in all sectors of the economy and is expected to pass a Data Protection Act this year once the draft bill is approved by the Cabinet and submitted to the National Legislative Assembly.
The law is aligned to the EU’s GDPR, which means that most organisations that have taken measures to comply with the GDPR, which took effect on May 25, will already be compliant, or have no trouble becoming compliant, with the Thai Data Protection Act in securing Thai citizens’ data.
What if you were not required to comply with the EU’s GDPR? How should your organisation go about preparing for the upcoming Data Protection Act or even prepare for the potential repercussions of the Facebook breach?
A quick start is to find out if you know the answers to the following questions:
1. Where is your business operating today?
2. What data does your business collect?
3. Where does your data reside?
4. Where do your customers reside?
5. What are the data protection and privacy regulations in the countries of all the above?
6. What is your business roadmap in the next five years?
The questions above will help your organisation to determine your next steps:
1. Scope a data privacy assessment for your organisation, to determine your risk levels and existing controls;
2. Implement data classification and labelling; and
3. Implement a data protection and data classification solution.
The above steps ensure that the key principles of the GDPR or any robust data protection and privacy programme are observed. Those principles are:
1. New Data Subject Rights – especially data portability
The GDPR gives every individual the right to access their personal data on request, to request the rectification of inaccurate data, to object to the processing of their data, and more.
In this case, your company must have the ability to provide your customer with a copy of all the personal data that you hold about them, and the ability to transfer that data to another data controller or service provider at their request.
This can lead to more competition as preferred services will have the advantage of retaining the customer’s data. Thus, businesses need to rethink their business strategy from customer experience to service value, and change their approach toward compliance into a customer-centric one.
2. Maintaining records of processing activities
A full overview of the processing activities that take place within an organisation is required, and these activities must be documented accordingly. The breadth and depth of this requirement demand a proactive and collaborative approach from within organisations. To be successful, business units need to be involved in designing a process with clear roles and responsibilities, and a central register for the records. The added benefits may be streamlined processes, better risk management and deeper business and operational insights.
3. Privacy by design and by default
Privacy by design mandates that privacy be considered during the development process of any product or service, while privacy by default requires privacy to be the default setting, allowing a customer to choose how much to share with others.
This requirement is a good practice for ensuring that customers’ privacy is always protected, which allows trust to be rebuilt between customers and businesses.
Parichart Jiravachara is a partner in risk advisory at Deloitte Thailand.