
Personal data -- we all have it. Today, how this data is being collected, used, disclosed, and cared for is of greater concern, as data breaches and targeted attacks to snatch or swindle our data, and do all sorts of nefarious things with it, become more prevalent.
To be clear, danger lurks in both consented and unconsented use of data, for both the data processor (an organisation) and the person whose data is processed; usage of personal data in accordance with data protection law can be ethical or unethical as well, depending on the circumstances and the parties involved.
Data ethics entails the integrity, privacy, and principled use of personal data relating to individuals. According to the practical application of ethics, it is the process by which value judgments and methods of creating, analysing, and disseminating data are made. A sound understanding of data protection law, as well as the appropriate use of new technology, should go hand in hand with the ethical usage of data, which can be seen in organisations using or analysing collected data for the intended purpose to which an individual or group of individuals has consented. Unethical usage of data would be to process and utilise the data beyond that consent.
According to Harvard Business School Online, five well-known principles of data ethics, considerations that all organisations should bear in mind, are: ownership, transparency, privacy, intention, and outcomes. In essence, these principles align very closely with the fundamental tenets of data privacy and protection.
When it comes to handling personal data, good and ethical practices include organisations obtaining consent from individuals for the use of such data relating to them, being transparent about the purposes for which the personal data will be used, and allowing individuals to acknowledge the purpose and usage to which they consent.
Some countries have their own versions of these principles. As an example, the Office of the Privacy Commissioner for Personal Data, Hong Kong, also has three core values of data ethics, which encourage small and medium enterprises (SMEs) to be mindful of being respectful, beneficial, and fair when handling personal data.
The upcoming Thai Personal Data Protection Act 2019 (PDPA), which will be mandated this June after a year of postponement, contains a principle that stipulates that personal data must be collected for "specified, explicit and legitimate purposes" and not further processed in a manner that is incompatible with those purposes.
In an age where trust is easy to lose and difficult to gain, it is essential for organisations to keep ethical principles and values in mind when doing business. An organisation can do this by setting up a robust and effective data protection management programme (DPMP) that is overseen by the data protection officer (DPO) and the data protection committee.
It is vital for the data protection committees within organisations to stay on top of industry updates to their data protection or privacy legislation in their respective jurisdictions. The DPO and data protection committee should monitor the organisation's DPMP, audit it periodically to mitigate risks, and communicate data protection practices and policies to employees as needed.
It may also benefit DPOs to connect with fellow professionals within the industry, and with regulators, such as by participating in discussions within the data protection and privacy community. Another way to keep abreast of developments is to monitor the local regulator's website and announcements on a regular basis.
Data protection laws and regulations are becoming increasingly stringent in various jurisdictions, so misuse of consumer data is no longer only about losing the trust of customers. Instead, organisations are risking breaking the law, incurring heavy penalties, and having widespread negative media coverage that severely damages their reputation.
Some companies that have been under scrutiny for their data protection and privacy practices include Facebook and Amazon. And, in June last year, Didi Global's app was removed from app stores by the Cyberspace Administration of China (CAC) after it uncovered that the ride-hailing giant had illegally collected users' personal data.
From the user perspective, technology has become increasingly prevalent within our daily lives in recent years. Consequently, more people than ever are using computers and mobile devices for a variety of purposes.
We access social media sites, shop on virtual marketplaces, conduct banking via apps on smartphones, and pay our bills online. This increased reliance on digital technology, however, has also created a number of problems.
Cybercriminals have discovered ways to access sensitive information by exploiting vulnerabilities in software programmes, for example, which has led to multiple breaches.
Currently, there is no end in sight to breaches of data and privacy; rather, they are becoming more common and should remain prevalent in the future. Due to the growing trend of remote work, intrusive home surveillance by organisations may also pose a new privacy concern for employees, and a data collection risk for the organisations as well.
That aside, more enforcement against social media and online companies for intrusive privacy practices and illegal processing may also happen in the near future -- a harbinger of things to come is in the earlier example of Didi Global.
Greater regulatory emphasis on big tech companies will set the stage for more organisations to be found afoul of data protection laws by local regulators. In fact, Facebook, faced with recent substantial enforcement by the Irish Data Protection Commission, is threatening to withdraw from Europe altogether.
In terms of data protection laws in the region, new legislation is expected to be introduced in India. The Philippines, for example, has an existing data privacy law and is looking to update it, and Singapore amended its Personal Data Protection Act a year ago in order to keep up with evolving data protection trends, new technologies, and increasingly commonplace breaches.
As another consequence of our increasingly digitalised world, and with increased consumer privacy concerns, and updated data protection and privacy regulations, the demand for DPOs is already on an upward trend. While more organisations and jurisdictions are committing to safeguard your personal data, it still remains to be seen if data ethics will remain a high priority.
Kevin Shepherdson, CEO and founder of Straits Interactive, is a data privacy specialist in the Asean region.