Data Protection – A Legal Professional’s Gateway to the Digital Future
The legal landscape in Singapore has seen a fairly significant transformation in recent years. The onset of the COVID-19 global pandemic, with the resultant drastic restrictions in workforce mobility, has caused many companies (law firms included) to implement or fast-track their digitalisation process. That is not to say that the drive to adopt technology solutions in the legal industry is a new phenomenon. In 2017 and 2019 respectively, the Ministry of Law launched the Tech Start and Tech-celerate for Law programmes, with the aim of encouraging and helping law firms to harness and leverage technology solutions to improve their productivity and enhance their legal offering. A further step in this direction was recently taken with the Legal Industry Digital Plan (IDP) [1: A joint initiative by the Ministry of Law and the Infocomm Media Development Authority (IMDA): https://www.imda.gov.sg/resources/press-releases-factsheets-and-speeches/press-releases/2023/new-legal-industry-digital-plan], being the first IDP to discuss Artificial Intelligence (AI) and Generative AI solutions and their potential uses by Singapore law firms.
However, with the push towards digitalisation comes the increased risk of data privacy and data governance infractions. In 2021 and 2022, a total of 49 enforcement decisions were issued by the Personal Data Protection Commission (PDPC) of Singapore against companies that had fallen short of the requirements under the Personal Data Protection Act 2012 (PDPA) and its associated regulations. The legal sector has not been left unscathed either, with enforcement action being taken against a law firm in recent years [2: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision—Matthew-Chiong-Partnership-030619.pdf].
Against this backdrop, the need for well-trained Data Protection Officers (DPO) and data governance professionals has never been more apparent. Aside from having to navigate the laws and regulations surrounding the proper handling of personal data, companies now have to contend with increasingly sophisticated cyberattacks carried out by dedicated threat actors. The meteoric rise of Generative AI in the last year or so has further compounded this issue, as the tools to create malware code, phishing emails, and convincing deepfakes have now been placed at the fingertips of the layperson. Companies, law firms included, must now seriously consider formulating a strategy to protect their data assets, with a DPO or data governance professional being at the core of their efforts.
Still a Sunrise Industry for Data Protection
As personal data protection laws continue to evolve, so do the prospects for a career in data protection. A quick scan of the ASEAN member states shows that more than half have now implemented their own data protection laws, with Singapore, Malaysia, Indonesia, Thailand, the Philippines, and Vietnam leading the charge. Brunei, another ASEAN country, is in the midst of developing its own laws.
With this increased emphasis on data protection comes a resultant rise in the demand for certified and experienced data protection and data governance professionals. In a recent report released by SkillsFuture Singapore [3: https://www.skillsfuture.gov.sg/skillsreport/changes-to-skills-compositions/skills-composition-of-singapore-economy], skills in Data Protection Management were described as one of the most in-demand in the Data Management sector. Moreover, in countries where the appointment of a DPO is mandatory [4: As in the case of Singapore, Indonesia, Thailand, the Philippines, and Vietnam within the ASEAN countries], it is expected that the demand would naturally be even greater. As a case in point, in Singapore, a job search study [5: Conducted by the Data Protection Excellence (DPEX) Center: https://dpexnetwork.org/media-releases/demand-for-data-protection-expertise-reaches-record-levels-against-the-backdrop-of-growing-regulatory-requirements-in-asean] conducted in 2022 found a 125% year-on-year increase in data protection-related job postings. Further, 37% of the job positions available either advertised for a data governance role or included data governance in the job description. Professionals within the data protection sector may also expect to fetch higher salaries, as shown in a salary survey conducted by the International Association of Privacy Professionals (IAPP) [6: https://iapp.org/resources/article/salary-survey-summary/] in 2023. It found that the overall average base salary for internal privacy professionals has continued to rise since 2019, with these professionals earning about USD146,200 in annual compensation on average (a 10% increase from 2019).
A Unique Opportunity for Legal Professionals
The strong demand for data protection and data governance professionals presents a unique opportunity for legal professionals. With their firm understanding of legislation and regulatory frameworks, legal professionals are well-positioned to navigate the complexities of data privacy laws [7: Such as the PDPA in Singapore, or the General Data Protection Regulation (GDPR) in the European Union]. Their expertise in crafting and reviewing legal documents also comes to bear; a critical component of a company’s data protection strategy is a set of tightly-worded agreements that impose the relevant obligations on third-party organisations that personal data is disclosed to. All these skills provide an advantage to the legal professional who is either looking to make a career transition into data protection, or to broaden his or her professional horizons by taking on the additional role of a DPO.
That said, focusing only on the legal aspects of data protection may potentially blindside a legal professional assuming the role of a DPO. A DPO is also required to understand how the obligations under the data protection laws apply to his or her organisation at an operational level. This requires the DPO to first have a keen understanding of the business processes within the organisation that handle personal data, which involves a period of observation and close communication with relevant stakeholders on the ground. The DPO must thereafter construct a Data Protection Management Programme (DPMP) that accounts for the entire lifecycle (collection, use, disclosure/transfer, storage/disposal) of the personal data in each business process. The data privacy programme model developed by the IAPP [8: https://iapp.org/resources/article/privacy-operational-life-cycle-2/] is widely accepted as being practical and effective, and is broken down into the following stages:
- Assess: Conduct an assessment of the current state of the organisation’s data protection policies, processes and practices. This includes preparing data inventory maps for processes that handle personal data, identifying and prioritising data protection risks, and conducting Data Protection Impact Assessments (DPIA) to determine the risks presented by the introduction of new processes or services involving personal data.
- Protect: Facilitate the implementation of appropriate measures to protect personal data from unauthorised access, use, disclosure, modification, disposal, or similar risks. This includes the adoption of technical (e.g. firewalls and anti-malware software), administrative (e.g. data protection policies, processes and third party agreements) and physical (e.g. locked drawers and cabinets) measures.
- Sustain: Introduce measures and metrics to sustain the organisation’s data protection efforts. This includes the regular review and updating of the organisation’s data protection policies and processes, conducting regular training and communication campaigns to educate and reinforce data protection principles and practices amongst employees, and carrying out periodic audits and spot checks to evaluate the effectiveness of the DPMP.
- Respond: Create a plan to respond to data protection incidents, such as data breaches or unauthorised access to personal data. This includes having processes for notifying the relevant authorities and the affected individuals (where such breaches are notifiable), as well as taking steps to mitigate the impact of the incident. Processes should also be implemented to deal with complaints, and requests by individuals for access to and correction of their personal data held by the organisation.
By integrating both the legal and operational aspects of data protection, the legal professional who transitions into a DPO role will be able to ensure that he or she is able to effectively assist the organisation to develop a well-rounded DPMP.
Looking ahead to 2024, the data protection sector appears set to continue its steady growth as digital transformation efforts accelerate amongst organisations in the region. In particular, with the scramble by organisations to adopt new Generative AI tools so as to gain a competitive advantage, it is anticipated that the data protection risks they bring may be overlooked or sidelined. To that end, the PDPC has recently issued a consultation paper, which when finalised will guide organisations on how the PDPA applies across the different stages of the implementation of AI systems [9: https://www.pdpc.gov.sg/news-and-events/announcements/2023/07/public-consultation-for-the-proposed-advisory-guidelines-on-use-of-personal-data-in-ai-recommendation-and-decision-systems].
Another area that is coming under greater scrutiny is the processing of children’s personal data. In the EU, large technology and social media companies (such as TikTok, Instagram and Epic Games) have already come under fire for the alleged mishandling of children’s personal data. The huge fines that have been levied (up to the tune of about €400 million) are testament to the recognition that children are a highly vulnerable demographic and that the processing of their personal data warrants special attention and protection. In Singapore, the PDPC is now in the midst of developing guidelines that are intended to apply to organisations that offer products or services that are accessed or likely to be accessed by children [10: https://www.pdpc.gov.sg/news-and-events/announcements/2023/07/public-consultation-on-the-proposed-advisory-guidelines-on-the-pdpa-for-childrens-personal-data].
And finally, with the increased recognition of data protection excellence as a market distinguisher, many companies have become increasingly keen to explore the Data Protection Trustmark (DPTM) certification. The DPTM is presently the gold standard in data protection certification in Singapore and is awarded by the IMDA to organisations who have demonstrated sound and accountable data protection practices. The certification process itself is stringent, consisting of several stages of assessments, interviews, and remedial efforts to close the gaps that are identified. The organisations who successfully run the gauntlet stand to open more doors of opportunity for themselves; quite aside from enjoying a boost in customer confidence, they also gain a competitive advantage in tender bids which increasingly prefer vendors with DPTM certification.
In closing, the data protection industry presents an exciting opportunity for legal professionals to venture into. The skillsets they have honed over their years of legal practice or as in-house counsel will continue to remain highly relevant. A successful transition will however also require the legal professional to augment his or her skills with operational knowledge and experience. To facilitate this, a slew of professional certifications and courses from recognised institutes are available, many of which are eligible for SkillsFuture funding. Other resources are also freely available for the aspiring data protection professional, such as those offered by the Data Protection Excellence Network (DPEX) [11: https://dpexnetwork.org/]. For the in-house counsel looking to expand his or her scope, the role of a DPO offers the prospect of career progression and increased remuneration.