Growing distrust and concern over data privacy has skyrocketed in the past years. Big tech companies are in the crosshairs of the public as the impact of breeches is intensifying. In the past decade alone, hundreds of millions of user records have been exposed, including partial payment data, login tokens and personal information.
With trust in corporations worsening and concerns about companies’ ability to self-police brought to question, how then will companies try to rebalance the scale and address public sentiment? Kevin Shepherdson, CEO and Founder of Straits Interactive Pte Ltd, has much to say on this topic.
An informed and cautious attitude towards data security is crucial. How has consumer trust changed the landscape of data security over the past decade?
Over the past decade, we have seen people become more comfortable with the digital landscape and actively engage in online activities and even trading their personal information for free services or convenience. Recent data and privacy breaches have, however, contributed to consumer distrust and raised consumer awareness regarding data protection and privacy. For instance, the Cambridge Analytica data scandal and the recent SolarWinds data breach.
The Consumer Intelligence Series: Protect.me research conducted by PwC United States in 2017 revealed that:
25% of survey respondents believe that their data is being handled appropriately by businesses.
80% of respondents believe that new technologies should be regulated by the government for consumer protection.
Although this research was conducted in the United States, it is also a strong indication of consumer concern regarding data protection. Meanwhile, the past decade has also seen data protection laws including the EU General Data Protection Regulation (GDPR), Philippines’ Data Privacy Act (DPA), as well as, Malaysia and Singapore’s Personal Data Protection Act (PDPA) coming into effect. Recent amendments to data protection laws are also a reflection of consumer concerns regarding data protection and privacy.
In fact, the issue of lack of transparency surrounding Singapore's TraceTogether app and WhatsApp's privacy policy controversy reflect both the public sentiments on security and privacy of their personal data.
How and what is end-to-end data protection and governance as-a-service?
As the term “end-to-end” suggests, this means that the Data Protection-as-a-Service (DPaaS) will be an integrated, holistic service provided to organisations in Singapore that covers all aspects of data protection - it starts from managing the way in which they collect personal data and then continues through the information lifecycle: how they use personal data, how they disclose personal data and how they store personal data, together with how they move towards operational compliance with data protection requirements.
The rationale for this is that compliance should not be a one-off effort and should not be simply a case of putting a few legal documents in place that do not necessarily reflect operational realities or reflect what an organisation actually does in practice. It should be systematic, sustainable and support business operations. To achieve it, an organisation needs to devote considerable resources to put together their operational compliance initiatives in order to demonstrate accountability. Hence they will need advisory support and relevant operational expertise to do this in a way that has buy-in from all levels of staff and management and that is therefore sustainable.
So DPaaS addresses this pain point by providing advisory support services and templates to help the organisation set up a data protection management programme, as well as data protection training for the relevant staff i.e. data protection committee within an organisation.
It is recommended for consumers to read the privacy notice to figure out the permissions and access that they need to provide to use an app or service.
What can consumers do to safeguard their personal data & privacy in today’s digital economy?
In today’s digital economy, many people may find themselves engaging in more e-commerce or online entertainment activities. And we are seeing a surge in online scams, including in Singapore. To safeguard themselves, consumers need to be cautious when providing personal data, especially when they come across a message, an email, or a telephone call that sounds too good to be true and promises a quick solution by clicking on a link, opening a document, or giving a caller access to sensitive personal data such as a bank account.
Before proceeding with an action e.g. sign up, buy or share, it is important to verify the actual source. Unfortunately, consumers need to learn to be suspicious by default and to keep in mind that both marketers and scammers use psychological triggers to entice consumers into sharing personal data about themselves.
Another good practice would be to ensure that all online accounts have two-factor authentication. This means, say, a password (one authentication factor) plus a code sent by SMS to a registered mobile number (the second authentication factor) for signing into online accounts. Passwords should be strong by including a mix of numbers, symbols, upper-case and lower-case letters. The same password should not be used for several accounts at any time, and certainly not for access to bank accounts, etc. In addition, it is also good practice for consumers to change their passwords from time to time - say, at least every few months.
Besides that, it is recommended for consumers to read the privacy notice to figure out the permissions and access that they need to give to a mobile app developer or to know how the organisation uses and stores their personal data when downloading free apps or signing up for memberships on an organisation’s website.
As many apps can be privacy-intrusive, consumers should not blindly click "I accept" to all the terms and conditions before reading the privacy notice. We hear many consumers say that they have no choice but to accept the privacy notice and that there’s no point in reading it because they can’t get it changed. They should actually be thinking about whether they really want and need to download the app.
Before downloading an app, think about:
1. Why has the app been made available and by whom?
2. Whether the app is made available free of charge by an unknown organisation for a frivolous, even entertaining, purpose or does it make good commercial sense?
3. How does the organisation that made it available make money from it?
If there is no clear and logical answer, then - if it is free - you are the product! Collecting and selecting personal data about you might be the only real purpose of making the app available.
What can businesses do to improve security attitudes and awareness?
Businesses should adopt data protection practices/ standard operating procedures (SOPs) that support their business and train all employees in them so that good data protection practices become simply “the way we do things here for our customers and for ourselves”.
Employees who are well-trained in well-designed data protection practices that support their business understand the role that they play in safeguarding personal data within the organisation and what they should do to safeguard such personal data.
Employee training is an ongoing process. It should be conducted at regular intervals and should address the practical aspects of their jobs. It needs to be kept up-to-date as the operations in the organisation change over time (for example, where a new product or service line is developed or when systems or processes are overhauled) or where there are updates to the data protection policies and SOPs within the organisation due to a change in local data protection laws or a change in the expectations of the data protection regulator due to changing community expectations.
On the consumer front, businesses can improve the security attitudes of customers by communicating information about the collection, use or disclosure of personal data in a clear, straight-forward and non-legalistic way. In this manner, customers are assured of the security of their information and that the business is serious about protecting customer data.
Data protection laws and regulations such as the GDPR, PDPA, DPA, etc., are there to protect the privacy and integrity of personal data.
Are there any tools to assess the privacy practices within an organisation?
There are many tools available to ensure compliance with data protection laws ranging from software with resources such as frameworks, templates, inventory management and scanning. An example of a tool would be IAPP’s GDPR Genius which provides resources related to the GDPR to its members.
At Straits Interactive, we have an integrated privacy management tool, DPOinBOX that helps our users and their organisation achieve operational compliance, implement data protection or privacy management programs and demonstrate accountability to regulators.
Authorities in the European Union have introduced AI governance frameworks promoting principles such as accountability, transparency, fairness, and more.
Is there a benchmark to measure compliance with data privacy regulations among countries or organisations?
While not constituting a benchmark to measure compliance with data privacy laws overall, ISO 27701 is the industry standard for privacy management systems and is being adopted widely among international organisations.
Meanwhile, in Singapore, we have IMDA’s Data Protection Trust Mark (DPTM) that is awarded to organisations that can demonstrate to an independent assessor that they have all the policies and SOPs in place to achieve compliance with the PDPA in Singapore. So the DPTM might be said to measure compliance with the PDPA among organisations in Singapore.
There are other standards and certifications that are emerging at an APEC and at an ASEAN level that have the potential to serve as compliance with data privacy regulations among organisations in different countries.
Amidst continuous concern over WhatsApp’s updated privacy policy, what are the common consumer misconceptions?
The most common consumer misconception seems to be either:
- WhatsApp collects personal data that is included in messages sent by users of WhatsApp; or
- WhatsApp is going to be collecting other personal data that is intrusive without users quite knowing what it might be collecting or not being able to distinguish between what it needs to collect in order to be able to operate as expected.
For example, WhatsApp needs to have access to our photos so that we can attach photos to messages and needs to have access to our contacts list so that we can communicate with people in our contacts list via WhatsApp.
These misconceptions arose through a combination of arguably poor communication by WhatsApp of the changes it was making, coupled with a lack of trust in Facebook regarding personal data that has arisen due to past data privacy scandals in which Facebook has been embroiled - the Cambridge Analytica scandal, for example. They were fanned by commenters writing about the changes without looking at what WhatsApp was actually changing or understanding what personal data is required in order for WhatsApp to work in the ways with which we are familiar.
In addition, commenters did not seem to know or understand that there are two different versions of WhatsApp:
- Users of WhatsApp may interact with family and friends, work colleagues, etc. using WhatsApp, a process with which most of us are now very familiar.
- WhatsApp also has an app for business, under which users may interact with businesses, for example, when they have queries about products or services or want to purchase products or services from businesses using the WhatsApp Business app.
The most significant update in WhatsApp LLC's new privacy policy where users do not choose to interact with businesses that use WhatsApp for Business is that WhatsApp has added more information about how it will use their users' metadata (data about data) such as the time, frequency and duration of a user's activities and interactions with other users. Such usage information does not depart from what we typically see in apps and data analytics - both to improve technical aspects of the service and to increase its attractiveness to users.
WhatsApp LLC was already collecting additional information about a user's hardware model, operating system and phone number. However, the update states that WhatsApp will also collect other information such as battery level, signal strength, app version and mobile operator. WhatsApp LLC also collects the user's IP address. Still, they have clarified that this is with only enough precision to estimate a user's general location (e.g. their city and country) unless the user permits the collection of more precise location information.
The major change is where users decide to interact with businesses that use WhatsApp Business. Such businesses may provide WhatsApp LLC with information about their interactions with WhatsApp individual users. WhatsApp LLC clarified that the new update relates to how merchants using WhatsApp Business to chat with customers can share data with Facebook, who could use the information for targeting ads. In addition, where a user chooses to use Facebook information about their interactions may be provided by Facebook to WhatsApp LLC.
Do note that this is up to users to decide if they will interact with businesses using WhatsApp Business and/or if they will use Facebook. If they choose not to do so, their data will not be collected. Similarly, many have misunderstood and shifted to other messaging platforms due to the fear for their privacy.
If we look at the specific context where WhatsApp collects and shares personal data in the business context of the WhatsApp Business app in terms of :
- Enabling customer service
- Interacting or discovering a business online
- Shopping experiences including enabling transactions
The image below is an example of a business promoting its business products and services on Facebook:
Currently, the “Message” button enables the user to utilise Facebook Messenger to contact the business. However, it may be possible that an additional option to WhatsApp the business will be included in the future. This will be useful for people who do not use Facebook messenger and prefer using WhatsApp as it may be more convenient for them to do so.
Next, the image below is another random example of a company that sells its products on Facebook.
In this example, the same “Message” button is used to enable an e-commerce transaction. Using Facebook’s new hosting services, businesses or business service providers can use the WhatsApp Business Application Programming Interface (API) to conduct their e-commerce services. This means that users can easily transact with businesses via the WhatsApp engine. This is where personal data could be shared with businesses in order to help fulfill the transaction. Additionally, WhatsApp states that in this context, personal data can be used in targeted advertisements and recommendations.
For individuals who engage in online shopping activities, these scenarios may be familiar:
- Recommended products that appear next to your chosen product
- Customised advertisements related to your previous purchases or activity
The above scenarios would not have been possible if the individual's website and product browsing history was not tracked and shared with third parties. Analytics and tracking results show that users respond well to recommendations. It provides them with convenience and reduces the time needed to research and compare other products.
Regarding tracking and analytics, the privacy concerns may be valid, at least if WhatApp is able to identify the individual concerned. In other words, the tracking options may be:
- track what a user does in the knowledge that the user is Jim Lim; or
- track what a user does and know that it is the same individual, but not being able to identify them.
People may well think that option (1) raises privacy concerns, while option (2) does not and/or any privacy concerns are overridden by the benefit of receiving targeted advertising.
In any event, it is not only Facebook and its group of companies that does it. Every online business and mobile developer that provides a product or service free of charge is actually doing this with the good intentions of enhancing your customer experience while monetising your personal data. It just so happens that in the case of WhatsApp Inc. it has been more transparent than some others and/or it’s simply been unfortunate to attract more attention than others - perhaps because Facebook has a less-than-stellar reputation in connection with privacy.
The fact is that online business entities with whom users are communicating or transacting via WhatsApp (or any mobile app for that matter) can also abuse personal data. Thus, for WhatsApp users who choose to use WhatsApp in the above business context, it is crucial to read the privacy policy and conduct due diligence.
As businesses can now have access to such personal information, the onus is now on them (and not only Facebook or WhatsApp as they have their own privacy policies) to safeguard the personal data in their possession and put in proper transparent practices to ensure the data is used responsibly and according to their declared purposes.
This is where local data protection laws and the EU GDPR keep such companies in check by ensuring they follow specific rules when collecting, using, disclosing, or storing personal data.
As part of our analysis of data protection trends in 2021, we expect to see more privacy breaches along with the usual data breaches. While WhatsApp is secure, there will inevitably be user ignorance where they attach unsecured documents containing personal data in chat groups or sharing such information with the wrong recipient.
What are the app’s new features and how does it comply with regional data protection guidelines?
As a company that is based in the United States, WhatsApp LLC faces few local legal requirements in relation to data protection/privacy; however, it seems that they have chosen to comply with the transparency requirements that are typically seen in data protection laws. Arguably, they have been more transparent than is required under the PDPA in Singapore.
What are your thoughts on privacy and data ethics in new technologies, as we head towards data protection excellence?
New technologies are created with the positive intention to improve the lives of individuals. However, as new innovations in technologies are introduced (IOT, Artificial Intelligence/Machine learning, Big Data, etc.,) there will definitely be social concerns and the questions of ethics will certainly arise in terms of how data will be used or processed.
In fact, data ethics is becoming prominent with ethical issues such as biases, discrimination (whether it is algorithmic or even inherent with the developers), and those related to privacy creating concerns. The smarter the product, the more intrusive the application could be. This is an evolving area, where there is a need to balance technological capability with public expectations, including as they develop over time. Regulators are well aware of emerging concerns and have been proactive in stimulating dialogue about them while taking care not to stifle innovation.
For example, because of the advancement in artificial intelligence, machine learning and automated decision-making, authorities in the European Union have introduced AI governance frameworks promoting principles such as accountability, transparency, fairness, and so forth.
Singapore’s Personal Data Protection Commission (PDPC) has proposed a model AI governance framework for organisations using AI in decision-making to ensure that the decision-making process is explainable, transparent and fair as well as human-centric.
Kevin has strong expertise in systematic Data Privacy, GRC & Operational Compliance (Advisory, audit and platform solution). He has taken on senior leadership roles with close to 20 years of experience in End-to-End Marketing (Consumer, Corporate, Internet) & Business Development/ Sales experience covering computer software, computer hardware and consumer electronics industry.
