The continuing digital revolution has changed how consumers share information and how organisations communicate, build relationships and gather data for analysis or sale.

Organisations which collect and process such information into a database do so to gain better understanding of customer behaviour to deliver better service and increase the likelihood of sales. However, this collection and sharing of information carries risks if not properly managed.

From July 2 this year, the Personal Data Protection Act (PDPA) governs the collection, use and disclosure of personal data. Those found lacking in compliance face consequences under the Act.

The PDPA does not seek to limit an organisation's business or ability to collect and use customers' information. However, organisations that do not manage their customers' data properly risk over-collection, over-sharing and misuse of data.

Further, employees with little awareness of data protection or IT security controls may fall prey to threats such as social engineering, or to other security weaknesses in the organisation's technology systems, exposing corporate or customer data to disreputable parties.

The implications of a data breach range from a hit to brand, reputation and share price to litigation, regulatory action and penalties. Thus, organisations should review their business processes, consider threats from current and emerging technologies in their environment, and assess the need to better mitigate privacy risks.

With the increasingly popular practice of BYOD (bring your own device), company information may be stored on devices outside the organisation's immediate control. Some organisations install monitoring tools on employee smartphones to prevent misuse, but in doing so they should take care to monitor only the company's data and not to collect personal information about their employees and others who use the device.

One solution is to partition the devices, allowing employees to operate two different desktops - one for work and one for personal use. Another option is to use a guest network that is separate from the main network. Moving in the same trajectory as BYOD is BYOC, or bring your own cloud, which extends a risk that organisations have faced for years: employees can send material out through free services such as Yahoo! Mail, Gmail and Hotmail accounts.

These services also offer storage as an extension of the e-mail service, allowing users to share access with others through storage services such as Dropbox and SkyDrive, and through consumer storage and network devices that are easily accessed and shared.

This area is hard to police and organisations need to establish clear protocols that outline the security and privacy standards to be met.

Previously, organisations focused their advertising budgets on traditional media, websites and sometimes blogs. Today, more organisations have learnt to use data gathered from social media to target individual customers; they devote more advertisement buys in this direction, and collect even more customer information.

While many see opportunities to mine the data collected through social media, not all may be thinking about over-collection of this data and how privacy can be protected. Increasingly, regulations are introduced to protect individual privacy in the online space, such as the European Union's "right to be forgotten" rule.

When collecting data from social media, organisations should be vigilant and respect consumer privacy by anonymising the data before use since it is possible to glean deep insights into trends and opportunities and yet preserve privacy.

Big data and data analytics are double-edged swords. Big data represents the unstructured data that organisations collect internally, externally and through technology tools such as social media.

The massive amount of data that is collected in this way today poses a risk, particularly for those with little idea of how to leverage or store it safely.

Data analytics leverages all this data to understand and interpret past and present behaviours in order to anticipate future trends. Again, organisations should anonymise this data before use, and verify that the sources have appropriate permissions from users to perform any additional analytics. Even where permissions exist, it is critical to minimise the exposure of identifiable elements.

Cost savings and other benefits of using cloud service providers to store an organisation's data will continue to attract users. As organisations use multiple cloud services providers, the appeal of a broker who can consolidate, coordinate and customise these providers, providing a one-stop service, becomes stronger.


Before turning to a cloud service broker, organisations must verify that its use does not derogate from the level of information protection. Cloud service brokers should assume responsibility for managing cloud solutions, service level agreements, platforms, scalability and cost; and understand, apply, monitor and maintain the organisation's privacy and data protection policies across multiple cloud service providers.

Also, the increase in devices connected online, ranging from security cameras to routers, webcams and home automation devices, coupled with product sensors, sensor-driven analytics and sophisticated tracking capabilities, provides opportunities for organisations to approach the delivery of services or products through new business models, generating efficiencies and lowering costs.

Permission from the consumer to collect such information, whether implicit or explicit, may not have been sought. This may erode the trust between organisations and their customers.

The objective of privacy and data protection has not changed. What has changed is the introduction of new technology, concepts and applications.

Privacy cannot be an "either/or" proposition. To prevent data protection lapses, organisations need to move beyond compliance. They should review their threat and control measures; invest in protection policies, practices and tools; and create a culture that respects customer data - one that is fully supported by leaders at the top.

The author is Partner, Advisory Services, at Ernst & Young Advisory Pte Ltd