About Data Protectors

Data protection is hard to do. Security, privacy and data protection functions must work closely together to avoid failure.

Effective data protection requires multiple skillsets: deep information security experience must align with privacy knowledge and data expertise, and the applicable data regulations must be known and complied with.

Data protection is not a principal specialism of most companies. By outsourcing this work to Data Protectors, you can focus on building your business while we:

  • Optimize your Information Security Program
  • Build a world class data protection and governance system
  • Protect you from breaches
  • Ensure you are compliant with laws and regulations
  • Act as an intermediary between you and regulators

In-depth Privacy expertise is a requirement

Privacy regulations are being created and enforced globally. Safe Harbor, relied on by US companies to protect Europe-derived personal data, has been replaced by Privacy Shield, which in turn will be replaced by the EU GDPR in May 2018.

In-depth knowledge of the myriad privacy regulations is useless unless closely coupled with strong data security knowledge and best practices: this is our key strength.

Singapore enacted the Personal Data Protection Act (PDPA) in 2012. The PDPA is designed to govern the collection, use and disclosure of personal data in Singapore by any private organization, including those that are not physically located in Singapore. All organizations that collect, use or disclose personal data in Singapore must comply with the PDPA, regardless of their place of incorporation.

The US Federal Trade Commission (FTC) has been aggressively pursuing US companies that are anticompetitive, unfair or deceptive to consumers. FTC enforcements result in major monetary penalties, brand damage and senior management distractions.

The FTC's recommended approach involves:

1. Start with security first (compliance later)

2. Control access to data sensibly

3. Require secure authentication

4. Segment your network appropriately

The new General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/EC effective May 25, 2018. The GDPR contains new protections for EU data subjects and threatens significant fines and penalties (up to 2% of total worldwide annual turnover) for non-compliant data controllers and processors once it comes into force.

The appointment of a DPO is required for US companies having activities in Europe and processing Europeans' data on a "large scale", which includes most SaaS and cloud companies.

The FTC has successfully sued over 50 companies (including Google, Anthem, Microsoft and Facebook) for unfair and deceptive practices under Section 5 of the FTC Act.

Since the Third Circuit's 2015 decision in FTC v. Wyndham, the FTC is much more likely to bring an enforcement action against a company that suffers a data breach.

Enforcement actions frequently end in a consent decree or settlement (essentially a 20-year agreement by the company to enforce appropriate privacy policies, approximating a $100m USD fine).

The FTC will focus on "prevent(ing) business practices that are anticompetitive, deceptive or unfair to consumers; enhance informed consumer choice and public understanding of the competitive process; and accomplish this without unduly burdening legitimate business activity." But since Wyndham, the FTC has been given the mantle of protecting online security. The FTC is likely to interpret this widely and step up enforcement in the future.

The Privacy Shield framework makes it easier for businesses moving personal data across the Atlantic to do so without falling foul of tough EU data transfer rules. Privacy Shield requirements govern participating organizations' use and treatment of personal data received from the EU. By joining the Privacy Shield, participants make a commitment to comply with the Privacy Shield Principles that is enforceable under U.S. law.

Privacy Shield regularly faces legal challenges to its validity, with the common thread of complaints being that it does not adequately protect data. It should be considered an intermediary step to EU GDPR compliance.

The Singapore PDPA aims to regulate the flow of personal data, whereby consent of the individual is required before data relating to that individual may be collected, used or disclosed. The PDPA revolves around certain key obligations: Consent, Purpose Limitation, Notification, Access and Correction, Openness, Retention Limitation, Transfer Limitation, and Protection.

Companies operating or collecting personal data in Singapore need to review their information handling practices to ensure that they comply with their obligations under the PDPA, even if the data is transmitted to another country and stored in the cloud.

Data Protection Officer Requirements

Privacy Regulation Expertise

The DPO must advise on the implications of data protection laws. The DPO must know the customer's data collection and protection practices and business requirements in order to advise on the best course of action.

Developing Privacy Policies and Practices

Policies formally guide sensitive data usage by the company and its agents. Practices reflect actual data usage and access. Controls must be developed and implemented to ensure alignment between policies and practices.

Interface to Regulators

The DPO is an intermediary between the company and supervisory authorities. According to the GDPR, the DPO has to report directly "to the highest management level" of the company, and the DPO's contact details have to be communicated to the supervisory authority.

Handling Data Subject Inquiries

The DPO must be available for inquiries from data subjects on issues relating to data protection practices, access to records, withdrawal of consent, the right to be forgotten, and related rights.

Monitoring and Reporting on Compliance

The DPO must serve as a mini-regulator ensuring the practices of the enterprise comply with regulations and taking corrective actions when an issue is found.

Training Employees on Requirements

The DPO must train staff on privacy requirements. Competent DPOs negotiate workable practices and procedures with operations staff.

Lead Data Processing Audits

The DPO must conduct an audit of the data processing carried out by the company. For each processing activity, the DPO has to identify its scope and purpose, the origin and sensitivity of the data, estimate the number of persons concerned, and determine whether data is transferred outside the EU.

Independence

The EU GDPR requires that the DPO be independent of the hiring company, be resourced appropriately and act ethically. As a result, the DPO commonly reports to the CEO and/or the board.

Let's Work Together!

Portfolio

Data Protectors offers a number of services to solve your privacy and regulatory needs.
We are globally distributed and technically competent.
Experience

Ride Share Company

Compiled global data compliance requirements and built a legal and engineering strategy for compliance with these standards for the world's largest ride share company.

Top Security Company

Led Information Security and Privacy globally for the world's largest security company. Implemented information security and data protection policies. Interacted regularly with regulators.

Top Registrar

Led Privacy globally for a top Internet Registrar. Assisted with EU GDPR preparation.

High Tech Company

Designed and implemented Information Security and data protection policies for corporate and cloud business units, for a recognized leader in Agile and DevOps.

Online Travel Company

Assessed risk and implemented appropriate policies for global data protection for a top 3 online travel booking platform.

Top 5 US Bank

Assisted the anti-fraud team to rapidly comply with recent case law and regulations. Designed and implemented a third-party risk assessment program.

Protecting >100m records