Taking Steps Towards PDPA Compliance
It was common for individuals to use their Singapore National Registration Identity Card (NRIC) number to enter lucky draws, sign up for retail memberships, or redeem free parking at a mall. As of 1 September 2019, however, these practices are no longer acceptable, and individuals can be far less generous in sharing their NRIC data with organizations. This change was brought about by the enforcement of the updated Singapore Personal Data Protection Act (PDPA) NRIC Advisory Guidelines, which have tightened the rules surrounding the collection, use and disclosure of Singapore NRIC numbers.
In a recent blog post, we discussed the types of organizations that are generally not allowed to collect an individual’s NRIC number, and recommended four initial steps companies can take on their PDPA compliance journey. Two and a half months past the enforcement deadline, we want to share what we have learned from clients and partners about where businesses currently stand.
Changes made but real problem largely ignored
One of the areas that needed to change was for organizations to stop using NRIC numbers as login IDs or user IDs. In response, organizations have made front-end changes at the point of data collection, modifying systems so that NRIC numbers are no longer required as the primary identifier for individuals. For example, a major consumer electronics chain started using email addresses for membership registration, while an investment holding company made it mandatory for users to create a unique username to log in to its online platform. So far, so good; but this alone is not enough.
Ground Labs has identified a ticking time bomb: legacy data stored by previously non-compliant data capture processes. Although no new NRIC data is being captured, the existing data has largely been ignored and continues to be stored across various locations within the organization. The stark reality is that organizations typically retain legacy data for 10 or more years in past-dated folders on file servers, archives and backups. In many cases, legacy data also remains in old emails, particularly where an organization gives its employees unrestricted or unlimited mailbox storage quotas.
Where is all this existing Singapore NRIC data hiding?
The saying “What you don’t know won’t hurt you” no longer applies in a highly digital world where an average of 22 (reported) data breaches occur every day. With organizations storing terabytes or petabytes of data, it is easy to overlook the storage locations where existing applications and processes have been storing Singapore NRIC data.
Desktops or laptops
Most organizations today give employees access to either a desktop or a laptop, and these devices often contain a wealth of personal customer or employee information that the business is not aware of. For example, an employee scans a copy of a customer’s NRIC and stores the image file in a local folder or on a network share. Regardless of whether the file was saved locally or on the network, the nature of modern applications often results in multiple versions of a data file being stored locally for auto-recovery, caching or performance reasons, and these copies often reside in locations not easily visible to the user. When desktop systems are inspected using a forensic approach, a treasure trove of data is often found, which makes desktops a ripe target for attack.
File servers
File servers are commonly used when multiple departments across the organization need to access shared information, such as a membership registration form containing the full name, NRIC, mailing address and phone number of a customer. When a department no longer requires that information, there is often no accountability or process to identify and securely discard it, which can result in 10, 15 or even 20+ years of data remaining on the file servers and their associated archives.
Email
Email has traditionally been the fastest way to get a message or a file to a colleague. Employees often view email as a secure channel for communicating with one another, perceiving that an internally used email system cannot be accessed by external parties. Worse still, some organizations today still ask customers to send sensitive information via email, including real estate agents, credit card companies, educational institutions and more. This leads to the transmission and exchange of personal customer or employee data, including Singapore NRIC information. Once the data has served its purpose, will those emails ever be deleted from our inboxes? With the average office employee receiving 121 emails a day, it is easy for these emails to fade out of sight and out of mind.
Customer Relationship Management (CRM) systems
Businesses of all sizes adopt CRM systems to manage the organization’s relationships with customers and prospective customers. CRM systems typically store contact information, email addresses and full names of customers gathered from contact forms, social media and other touchpoints. One common area where data security violations occur in CRM systems is the use of free text comments and notes fields. These fields are often used to store other information about a client, which might include Singapore NRIC, passport, driver’s license or even the customer’s credit card number! Again, CRM systems are often thought of as secure due to their internal use. However, when multiple employees have access to this information, and with the majority of CRM systems being cloud-based, the security of such personal information cannot be easily assured if the organization is completely unaware of its existence.
Application databases
Organizations across all industries use application databases for various purposes, such as storing customer details or handling payment-related information. A wealth of highly sensitive data resides in databases, but is it all 100% secure? In May 2019, a security researcher discovered an unsecured, public-facing MongoDB database containing more than 275 million records of personally identifiable information (PII) on Indian citizens. In countless other public compromises, databases from a range of vendors were involved, and the cause was usually attributed to poor security on the database platform itself, or to poor security lockdown of the front-end applications collecting personal information. Having data stored across so many different platforms can cause organizations to inadvertently overlook securing certain locations, leaving them vulnerable to exploitation.
Cloud storage
Instant access to data and scalability at incremental cost are important requirements in today’s business landscape, prompting many organizations to adopt cloud services including Amazon, Azure, Office 365, Google and Dropbox to serve content or store data. As cloud providers sometimes offer unlimited storage, there is no urgency to free up space, and sensitive data remains hidden in the cloud long after it is obsolete. With that in mind, how do organizations validate what data is in the cloud, which of it is sensitive, and which is not?
Big data platforms
Big data platforms such as Teradata and Hadoop have been driven by the need for companies to systematically analyze and process complex and voluminous data sets. In practical terms, this often means that every available data source within the company is ingested into the big data platform for data scientists to analyze and discover new customer insights. However, most organizations embarking on this journey did not fully consider which of this data was personal and sensitive, which can result in large volumes of Singapore personal data finding their way into big data sets.
Archive and backup systems
Archives typically contain data that is no longer active but necessary for retention, while a data backup is a complete copy of your organization’s data for disaster recovery purposes. This essentially means that data archives and backups contain duplications of sensitive data from all of your data sources combined, and must be afforded the same level of security and protection.
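A minimal discovery check of the kind this section calls for, written as an added example and not Ground Labs’ or Enterprise Recon’s code: it scans constructed sample records standing in for a CRM notes field, an old mailbox item and an order log, reports only tokens that have NRIC/FIN shape and a correct check letter (so look-alike order numbers and typos are not flagged), and masks each finding so the report itself does not re-expose the number. The weights, prefix offsets and check-letter tables are the widely documented scheme for the S, T, F and G series; the newer M series is deliberately left out.

```python
import re

# Shape of an NRIC/FIN: prefix letter, seven digits, check letter; the word
# boundaries stop matches inside longer tokens such as order numbers.
NRIC_RE = re.compile(r"\b([STFG])(\d{7})([A-Z])\b")

# Check-letter scheme for the S/T (NRIC) and F/G (FIN) series; the newer
# M series is deliberately not handled here.
WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
CHECK_LETTERS = {"S": "JZIHGFEDCBA", "T": "JZIHGFEDCBA",
                 "F": "XWUTRQPNMLK", "G": "XWUTRQPNMLK"}
PREFIX_OFFSET = {"S": 0, "T": 4, "F": 0, "G": 4}  # T and G add 4 before mod 11


def nric_check_letter(prefix, digits):
    """Return the check letter the seven digits should carry for this prefix."""
    total = sum(w * int(d) for w, d in zip(WEIGHTS, digits))
    return CHECK_LETTERS[prefix][(total + PREFIX_OFFSET[prefix]) % 11]


def is_valid_nric(value):
    """True only when the value has NRIC shape AND a correct check letter."""
    m = NRIC_RE.fullmatch(value.strip().upper())
    if not m:
        return False
    prefix, digits, check = m.groups()
    return nric_check_letter(prefix, digits) == check


def mask(value):
    """Report a finding without re-exposing the full number, e.g. S****567D."""
    return value[0] + "****" + value[-4:]


def scan_records(records):
    """Scan a {source_name: text} mapping; return (source, masked_nric) pairs."""
    findings = []
    for source, text in records.items():
        for m in NRIC_RE.finditer(text.upper()):
            prefix, digits, check = m.groups()
            if nric_check_letter(prefix, digits) == check:  # skip typos/look-alikes
                findings.append((source, mask(m.group(0))))
    return findings


# Constructed sample data (not real identifiers): a CRM note, an old email, a log.
SAMPLE_RECORDS = {
    "crm_notes": "Verified ID S1234567D at counter in 2009. Ref S1234567A is a typo.",
    "old_email": "Hi, attached is the scan of my FIN g1234567x for the tenancy.",
    "orders.log": "Order T0000001 shipped to customer SG1234567X",
}

if __name__ == "__main__":
    for source, masked in scan_records(SAMPLE_RECORDS):
        print(f"{source}: {masked}")
```

The same scan loop can be pointed at exported mailbox text, CSV dumps or free-text CRM columns; the check-letter test is what keeps the hit list short enough to act on.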
To be PDPA compliant, you must know where all Singapore personal data resides
At Ground Labs, we understand that data security should be a “business-as-usual” activity. With our flagship product Enterprise Recon, data discovery is neither complex nor difficult, but the first step is to take action. The best way to create awareness is to run a proof-of-concept (POC) for your organization on a sample dataset which can yield real results in a short amount of time. To understand how straightforward it can be to mitigate compliance risks, check out the Enterprise Recon solution, or book a free demo at a time that suits you.