SINGAPORE (June 4): The European Union’s much-discussed General Data Protection Regulation (GDPR) kicked in on May 25. Companies now need to get consent to process personal data from all EU citizens they serve and make it easy for them to withdraw that consent. Companies also have to design systems that protect customer data, and inform customers promptly when a breach occurs.
These new rules could have implications on locally listed companies and, by extension, their shareholders. The GDPR applies not just to EU-based companies but to anyone serving EU citizens, which means local companies have to take data security much more seriously.
Organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million ($31 million), whichever is greater. This is much more than the $100,000 maximum fine imposed in Singapore for breaches of the Personal Data Protection Act. The Cybersecurity Act — which was passed in February and requires critical information infrastructure owners in the energy, water, banking and finance, healthcare, transport, government, infocomm, media, and security and emergency services industries to report breaches — also has a maximum penalty of $100,000.
With the knowledge that potential penalties for breaches are higher now, will companies begin spending more on boosting their cyber defences? And will investors react more dramatically to security troubles? What implications will data concerns have for business models?
On Feb 20, Singapore Press Holdings announced that its online forum HardwareZone had been breached and 685,000 users’ email addresses and data stolen. The stock fell 1.1% that day — more than the 0.3% fall in the Straits Times Index. But local investors seem less concerned than foreign investors about security breaches. Shares in online portal Yahoo (now Altaba) declined more than 7% after news of a breach in 2016. Equifax, the US-based consumer credit reporting agency, suffered a loss of 31% after a data breach last year.
Cybersecurity breaches are expensive even without fines. A recent study by market research firm Frost and Sullivan, conducted for Microsoft, found that the average cost of a security incident in Singapore last year was US$447,000 ($600,181). Breaches at large organisations, those with more than 200 employees, tend to result in greater economic losses. Frost and Sullivan estimates that these companies incur an average of US$2.7 million in direct losses and a further US$3.4 million in indirect losses, such as the loss of reputation and customers.
There is also an induced cost of US$7.7 million from the impact on the broader economy such as the loss of jobs. According to the study, more than six in 10 organisations experienced job losses due to security incidents.
With GDPR, the losses are likely to increase significantly. Complaints of non-compliance were filed against Facebook and Google on the first day the law took effect. These complaints could see Facebook fined up to €3.9 billion and Google up to €3.7 billion. Smaller companies, including many of the locally listed small- and medium-sized enterprises, may not have to fork out as much. However, they will feel the pinch just as badly — or perhaps even harder.
Facebook and Google have faced such complaints even after taking measures to comply with the regulation. Facebook has updated its data policy and made its privacy controls easier to find in line with GDPR, and introduced these changes to its users.
“After updating our data policy and making our privacy controls easier to find, we’re now showing people an alert as they visit the news feed so that they can review details about advertising, face recognition and information they’ve chosen to share in their profile. We introduced a similar experience in the EU as part of our preparation for the GDPR, and now we’re making it available everywhere,” says Facebook in a statement.
Google, too, has committed to complying with the GDPR and to helping its customers comply. The search giant has provided its cloud customers with guidelines and resources to understand what the GDPR means for them.
“Finally, we recognise that the GDPR and privacy legislation will evolve. Our team of lawyers, regulatory compliance experts and public policy specialists are committed to working with regulators to understand and address any new requirements or implementation guidance,” says Google in a statement.
“Compliance is central to Google Cloud’s mission of protecting the privacy and security of our customers’ information. We’ll continue our work in this space, and are committed to helping you meet your GDPR compliance needs,” it adds.
Besides the potential fines, there will be other new costs for companies to consider. According to a Citi report published in May, many companies are already rethinking how they use consumer data because the use of such data carries higher compliance costs. Advertising-funded business models, in particular, may be at risk. Citi also highlights that the regulatory changes will favour large companies with strong consumer relationships. “It could lead to a shakeout of some industries, and those operating as non-essential third-party suppliers in an overcrowded industry will be most vulnerable,” Citi adds.
Shareholders should therefore start to pay more attention to the data use and protection policies of their portfolio companies. And they should more closely question directors and management at these companies on their data strategies.
This article appeared in Issue 833 (June 4) of The Edge Singapore.