PDPC Fines K Box $50,000: What business owners need to know about personal data protection
In April 2016, the Personal Data Protection Commission (PDPC) fined 4 companies and warned 7 others for mishandling consumer data. Among those fined was K Box, which was fined $50,000 for mishandling the personal data of 317,000 customers.
Why was K Box fined?
K Box obtained customer data such as names, NRIC numbers and nationality through its membership program. Yet K Box failed to put the necessary security measures in place to protect customers’ data in its content management system (“CMS”). As a result, the personal data of around 317,000 customers was disclosed in a list that was published online.
As an example of the lack of security, the administrative account with access to personal data had the username “admin” and the weak password “admin”. This was a breach of the Protection Obligation under section 24 of the PDPA, which requires an organization to make “reasonable security arrangements” to protect its customer data.
To make matters worse, K Box did not appoint a Data Protection Officer (DPO) for almost 2 years, breaching the Openness Obligation under section 11(3), which states that an organization “shall designate one or more individuals” to comply with the PDPA.
Complying with the Personal Data Protection Act (PDPA)
It is critical that business owners have the knowledge to comply with PDPA guidelines, and being ignorant is no excuse.
Below are some measures that are highly recommended and fundamental to a company’s compliance with the PDPA.
- Appoint a Data Protection Officer (DPO)
The PDPC encourages all organizations to appoint a DPO to manage consumer data. He/she can be an existing employee and will be in charge of developing a well-rounded data management system for the company and communicating it to fellow employees. K Box’s lack of a DPO was a glaring issue pointed out by the PDPC.
- Implement a proper data protection process
One of the main reasons for K Box’s failure to comply with the PDPA was that it had weak measures in place to protect consumer data. Even its IT vendor, Finantech, did not receive any instructions from K Box to protect the data in its system. Companies can avoid making the same mistake by having a comprehensive data protection process in place.
- Run a detailed inventory of consumer data
Once a DPO has been appointed and data protection measures are in place, businesses should also keep track of the details of the consumer data they hold. Information such as who has access to the data, where the data is distributed, etc. should be thoroughly recorded and kept up to date.
- Actively keep up to date with PDPC-recommended industry guidelines
The landscape of consumer data varies greatly amongst different industries. The PDPC has guidelines for companies in various industries such as real estate, education and healthcare. It is important that companies in different industries actively keep abreast of these guidelines.
- Seek legal advice if necessary
Companies that are still unsure of whether their actions are PDPA-compliant can always seek legal advice. Contact your corporate lawyer to ensure that your company’s operations are in line with the PDPA.
Personal data protection is here to stay
The fines and warnings issued by the PDPC may have been the first of their kind, but they certainly won’t be the last. In today’s technology-driven era, with the large amounts of consumer data collected by companies, it is critical to avoid complacency and actively seek to comply with the PDPA.