The modern consumer is keenly aware of businesses’ data collection habits. While the average person may not know the details, most are aware that their information is being collected and analysed by businesses.
There is a direct relationship between growth in the tech industry and the need for user data. From consumer behaviour to predictive analytics, businesses are able to convert the digital footprints of web users into a stream of revenue. This is done by capturing unique patterns of behaviour, grouping them into consistent variables and analysing them for effective use.
While this all spells cheer for marketeers, companies need to be wary of the risks involved. With an enormous bank of customer data comes the risk of hackers. Customer data is an asset, and data breaches can be costly and detrimental.
With so much at stake, we will try to keep this article as informative as possible for your own understanding of data privacy: why you need to ensure that your data is secured, and how you can do so.
This article will be broken down into 6 chronological sections. If you feel as if a certain section may be more relevant to you, feel free to skip ahead to it. If you would like a comprehensive overview of the topic at hand, here’s the breakdown:
i) What sort of personal data can businesses own?
ii) What methods are employed in obtaining this data?
iii) What data can be accessed or owned by businesses?
iv) How does a data breach impact a business?
v) Data Privacy Laws around the region
vi) How can small business owners implement these data privacy laws into their business?
1. What sort of personal data can businesses own?
Customer or user data is essentially the backbone of all internet businesses. SMEs and larger corporations alike rely on their customers’ data as a tonic for their marketing and sales strategies. The more they know about their customers, the better they can perform.
As a user, the moment you sign up to a website or service, you are asked for details that tell these companies who you are. The kinds of personal data that most businesses own are:
• Email Addresses
• Phone Numbers
• Home Addresses
• Identification Details
• Passport Numbers
Additional data such as work salary, relationship status, general preferences, etc., are secondary and require a formal notice of consent as an ethical protocol. However, the personal data above helps businesses identify and segment their consumers on a basic level.
2. What methods are employed in obtaining this data?
Data Brokers specialise in the curation of personal data. They collect as much information as possible about individuals to eventually sell. The clients, usually large companies, use this information to accurately profile and segment individuals. This is the primary use of large user databases. The profiles allow marketeers to push targeted ads towards the right consumers, therefore increasing overall sales and revenue.
Traditionally, data is collected through physical in-store contract forms or surveys. The data is then organised on an Excel sheet for estimations and predictions. Customers are given a notice of their consent before collection.
In more modern times, data collection is much quicker through the use of social media platforms and Google.
Fewer people are willing to give their time to filling in forms these days. More deceptive parties tend to front their collection methods under the guise of apps and games. Fun little quizzes on Facebook pose as ‘free’ but leverage consent for your personal data in exchange for your participation.
The recent data-mining scandal on Facebook saw the data of millions of people leaked. Cambridge Analytica, a political consulting firm affiliated with U.S. President Donald Trump, obtained the data inappropriately under the guise of a quiz. The firm is alleged to have created psychological profiles to influence voting behavior and political/societal outlooks during the last election.
This goes to show that many accept the T&Cs of these faux-services without understanding what is being given out in exchange. Some simply don’t care. Nevertheless, the scale of this scandal shows how influential user data can be.
3. What data can be accessed or owned by businesses?
Firstly, assuming no foul play, organizations only have access to data which you have granted them. While you may not have knowingly given consent, most T&Cs contain a formal notice of consent. Whether it is a computer program or a service form, if you have signed the T&Cs, you have agreed to all written terms, including a consent notice.
Now here’s where things get fascinating (or unnerving, depending on you). Google, the mega-behemoth-king-of-search, tells us what sort of data it collects and how that data is used. Here are a few things they track:
• Searched Items
• Deleted Items
• Browsing Habits
• Application Usage
• YouTube History
• Events Attended
• Workout Routines
The list could go on, but these are some of the main things that Google tracks and provides for you when asked. Using all of these factors, Google is able to customize an advertisement profile that is specifically tailored to you. Overall, Google is pretty transparent with the data that they keep. If you click the link below, you’ll be able to see the ad profile that Google has made of you: google.com/settings/ads/
Given the list above, most companies will be able to track at least a few of those categories when you use their services. An online retail website like Amazon, for example, would prioritize tracking your browsing habits, searched items and locations in order to direct relevant items to you. This feature is an example of how user data benefits both the service provider and consumer.
4. How does a data breach impact a business?
A data breach is a security incident where sensitive, protected or confidential data is copied, transmitted, viewed, stolen, or used by unauthorised individuals. There are a few ways in which this can happen, including cyber attacks and unintentional disclosure.
For the party that lets the data slip, the repercussions are seldom kind. The Ashley Madison breach (2015) is one of the biggest examples of data breach consequences, where hackers had both the business and its customers at their mercy. More than 25 gigabytes of user data was leaked, tainting the reputation of the website and prominent individuals who were anonymous users of the site’s hookup services.
Target’s breach (2013) was another incident where the credit/debit card information of roughly 110 million people was compromised. The breach cost Target $162 million, along with the resignation of their CIO and CEO in the months following the breach. They were given 180 days to update their security software systems.
While the cost of a data breach does scale with the company’s size, the diminished reputation will not be easily restored. Companies tend to lose up to a third of their former clients after a data breach.
5. Data Privacy Laws
Most countries have adopted some form of Data Protection Laws to assist in cases of data breaches. The framework for these laws is generally similar, but there are some differences in penalties. Let’s take a look at the laws of some countries in South East Asia:
Under section 51(3)(b) and (c) of Singapore’s Personal Data Protection Act (2012) an organisation or person that commits an offence is liable to:
• In the case of an individual, a fine not exceeding SGD$10,000 or to imprisonment for a term not exceeding 12 months
• In any other case, a fine not exceeding SGD$100,000
Under section 130 of Malaysia’s Personal Data Protection Act (2010), the unlawful collection, disclosure or sale of personal data is punishable with a fine of RM500,000 or imprisonment of up to three years or both.
Under section 131, a person who abets or attempts the commission of such an offence is liable to the same punishment.
Section 25 of the Philippines’ Data Privacy Act (2012) carries a fine of:
• up to Php 2 million and imprisonment of up to 1 to 3 years for unauthorized processing of personal information.
• up to Php 4 million and imprisonment of up to 3 to 6 years for processing sensitive personal information without the consent of the data subject.
Indonesia is unique in that there is no general law on data protection. However, there are regulations concerning electronic data usage. The EIT Law (2008) and EIT Law Amendment (2016) provide criminal penalties of:
• up to Rp 800 million and/or up to 8 years of imprisonment for unauthorized access
• up to Rp 800 million and/or up to 10 years of imprisonment for interception/wiretapping of transmission
• up to Rp 5 billion and/or up to 10 years of imprisonment for alteration, addition, reduction, transmission, tampering, deletion, moving or hiding of electronic information and/or electronic records.
India has also yet to enact specific legislation on data protection. However, its Information Technology Act (2000) has been amended to include:
• Section 43A: parties that misuse sensitive personal data or computer-resourced data are liable to pay damages as compensation to victims.
• Section 72A: parties may be fined up to INR 500,000 when personal information is breached, disclosed or processed without authorization.
6. Small Business Owners
For a small business, the data that hackers seek most is your customers’ credit card information.
The first step to preventing this and any sort of attack is to educate your employees. Ensure that they are up to date with the latest methods being used by cyber criminals.
One of the best ways to test your business’s protection is to simulate a cyber attack. By doing this, you will gain a firm understanding of how secure your data is. Also, you and your employees will be better equipped to handle a crisis if it occurs.
Next, you should be aware of what data you have and where it is stored. It can be hard to keep track of all your data, so creating a simple spreadsheet that documents various types of sensitive data and their locations can be beneficial.
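As a starting point for such a spreadsheet, here is an added example (not part of the original article) that scans text for likely card numbers and email addresses and writes an inventory of where they were found. The function names are hypothetical, the sample data is constructed, and the Luhn checksum is used to discard digit runs that cannot be card numbers.

```python
import csv
import io
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_text(text):
    """Count Luhn-valid card numbers and email addresses in one blob of text."""
    cards = sum(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text))
    return {"card_number": cards, "email_address": len(EMAIL_RE.findall(text))}

def build_inventory(sources):
    """sources maps a location to its text; returns one row per data type found."""
    rows = []
    for location, text in sorted(sources.items()):
        for data_type, count in scan_text(text).items():
            if count:
                rows.append({"location": location, "data_type": data_type, "count": count})
    return rows

def to_csv(rows):
    """Render the inventory rows as CSV text that opens in any spreadsheet tool."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["location", "data_type", "count"])
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

# Constructed sample data; the card numbers are publicly documented test values.
SAMPLE = {
    "shared/orders_2018.csv": "jane@example.com,4111 1111 1111 1111,paid\nbob@example.com,4111-1111-1111-1112,failed\n",
    "desktop/notes.txt": "Call supplier on 0123456789 about invoice 20180712.\n",
    "mail/export.txt": "From: sam@example.org\nPlease charge 5555555555554444 today.\n",
}

if __name__ == "__main__":
    print(to_csv(build_inventory(SAMPLE)))
```

In practice the `sources` mapping would be filled by reading files from the folders, exports and mailboxes you want to inventory; the resulting CSV lists each location that holds sensitive data and what kind.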
Besides that, ensure that your data is securely encrypted. Most operating systems already come with inbuilt encryption tools. If you are transferring data, such as through email, make sure that it is encrypted as well. This will prevent other people from stealing or intercepting your data easily. Also, never transmit data over public Wi-Fi networks, as anyone can access and intercept your data.
Now, it is easy to believe that larger enterprises are the real targets in the game of cyber hacking. In reality, small businesses are just as profitable for these hackers. There have been cases where small businesses have lost tens of thousands in an attack.
Furthermore, it is not just you or your business at stake; it is your customers too. By collecting their information, you are subject to laws and regulations regarding data collection. The blame for misuse can ultimately fall upon you if customers are dissatisfied. Taking a page from Google, try to be upfront with your customers about what data you collect and how it is being used.
With all that has been said in this article, there is a dire need for businesses to look after the data that they have stored. Data breaches are costly and embarrassing when mishandled. Drawing from past examples, we can see just how impactful a breach can be towards parties involved.
Despite regulations and laws, hackers are becoming increasingly crafty at stealing data. Many go unnoticed and leave very little trail behind them. The recent SingHealth data breach is an example of how hard it can be to resolve an incident.
Hopefully this article has provided you with information that can help you keep your data safe and secure. If you have any information concerning your country’s laws or data breaches in general, feel free to share them in the discussion below.