3. Key Drivers
• Growth of the 5G World
• Pervasive use of new technologies
• Post Covid19 recovery
4. Privacy and Security Threats
- new privacy-intrusive technologies and their use
- Privacy legislation playing catch up with new technology
- Privacy issues as a result of monetization of PII / Sensitive data
- Non-savviness of users leading to scams / hacking
5. Recommendations
• Data protection office to focus on business objectives vs compliance
objectives in post-covid period
• Data Governance is key - increasing value of data besides decreasing the
risks to personal data
• Conduct DPIA - data protection impact assessments to address privacy /
security risks
• Conduct third-party due diligence for new projects as well as having
contracts which spell out data protection requirements
• Increase awareness of privacy risks and data protection requirements
through regular training, reminders and competency assessments.
7. GDPR Enforcement Cases in EU – 1374 Enforcements since 2018 (Tracked)
Articles CY18 CY19 CY20 CY21 CY22
ART 5 (GDPR principles) 13 71 198 223 288
ART 13 (Transparency / Notification) 4 18 34 90 114
ART 6 (Lawfulness of Processing) 8 62 130 113 108
ART 32 (Security of Processing) 8 41 83 103 93
ART 12 (Info to be provided - direct source) 1 9 23 37 65
ART 9 (Sensitive data) 6 10 26 34
Besides info security, complying with other privacy rules (e.g. transparency, lawfulness of processing, sensitive data) is also key.
8. GDPR Enforcement Cases in EU
FINES (>5m EUR)
Meta Platforms, Inc. $405,000,000
Meta Platforms Ireland $282,000,000
Clearview AI Inc. $69,000,000
Google LLC $10,000,000
REWE International AG $8,000,000
Cosmote Mobile Telecommunications S.A. $6,000,000
Interserve Group Limited $5,033,000
Total $785,033,000
Key enforcements on tech giants continue with major enforcements on AI software companies (all involving social networks)
9. PDPC Enforcement Cases in Singapore
[Chart: Total No. of Organisations involved in PDPC Enforcement Cases, with fine amounts S$98.5k, S$99k, S$141k, S$1.64m, S$425.5k, S$309k and S$467k; COVID-19 period marked]
Total amount of fines imposed (including average fines) increased in 2022
10. PDPC Enforcement Cases in Singapore
No Industry is spared from enforcement (including non profit organisations)
11. PDPC Enforcement Cases in Singapore
Majority of enforcements were breaches of the Protection obligation. Others include Accountability (policies) and Transfer Limitation obligation
12. Recommendations
• Continued management attention to support an integrated data
strategy for digitalization.
• Urgent need to review SOPs to comply with all PDPA obligations,
besides data security.
• Penalties for data breaches are increasing (up to SGD 1 million or 10% of
a company’s annual turnover as of 1 October 2022)
• Identify common risks to personal data as threats are evolving at
an alarming rate with new technologies and projects.
14. GDPR Enforcement Trends (Tracked cases)
Tracked Cases | CY2018 | CY2019 | CY2020 | CY2021 | CY2022 | Grand Total
CCTV/Surveillance | 4 | 18 | 32 | 61 | 105 | 220
Social Media | - | 5 | 7 | 14 | 16 | 42
Children / Schools | - | 4 | 13 | 20 | 8 | 45
Others…
Total Cases EU | 29 | 162 | 315 | 422 | 446 | 1374
• Increasing trends of cases involving surveillance
• Cases and huge penalties involving social media
• Regulatory attention on processing children’s data
15. Breach of Children’s Privacy Rules…
• Instagram fined €405m by Irish Regulators (Sep 2022)
• TikTok is facing a potential $29M fine from U.K.'s ICO (Sep 2022)
• FTC Announces $520 Million in Penalties for Fortnite Game Maker (Dec 2022)
• …reports that two of the four social media and tech firms under investigation are household names.
17. Countries with Privacy Rules relating to Children
Children data classified as sensitive / Parental Consent needed
Global
Regional
• GDPR (ART 8)
• Children’s Online Privacy Protection Act
• Consumer Privacy Protection Act
20. Another lawsuit is taking on Apple’s data collection practices in the wake of a recent report by independent researchers who found Apple was continuing to track consumers in its mobile apps, even when they had explicitly configured their iPhone privacy settings to turn tracking off.
The proposed class action lawsuit, filed by plaintiff Elliot Libman on behalf of himself and other impacted consumers, alleges that Apple’s privacy assurances are in violation of the California Invasion of Privacy Act.
21. Google’s plan to phase out third-party cookies and replace them with a bundle of new standards referred to as the “Privacy Sandbox” just overcame a key regulatory hurdle. The UK’s competition regulator, the Competition and Markets Authority (CMA), has formally accepted Google’s commitments about how it’ll develop the new standards so they don’t harm competition or unfairly benefit the search giant’s own advertising business, the regulator announced today.
“We present our concerns with Privacy Sandbox not only as a browser maker, but as individuals worried that Privacy Sandbox threatens what makes the Web special and unique: that users can modify their Web experience to best suit their needs and wants, and that features in the Web are designed first and foremost to benefit users.”
22. Recommendations
• Identify if online services/software offerings/apps include
processing of children’s data (and the relevant restrictions)
• Review SOPs and practices relating to use of social networks and
any in-house mobile apps (for excessive processing and tracking)
• Adopt Data protection by Design & by Default to ensure there are
sufficient protections in place especially for children’s data
• Recommended course: Mobile Apps - Privacy by Design and Design
Thinking
• Conduct relevant due diligence/DPIA of outsourced of mobile and
to third-party developers
24. Data Protection Laws in the Region
Legend: Countries with Comprehensive Laws covering the public sector
• Thailand: PDPA (2022)
• Indonesia: PDPL (end 2022*)
• Singapore: PDPA (2012), Amendments 2021 Feb
• Malaysia: PDPA (2010), Upcoming amendments
• Philippines: DPA (2012)
• India: DPDP Bill (2023)
• China: PIPL (2021)
• Vietnam: PDP Draft (2023/24)
• Brunei: PDP (2023/24)
• American Data Protection and Privacy Act (2023/24)
General Data Protection Regulation (GDPR) in EU
Requirements for DPO: Before GDPR / After GDPR
More data protection laws being introduced…
25. Growth in Data Protection Jobs – 1 month job postings
+125%
From 2021 to 2022, no. of positions increased by record 125%
Chart annotations: Impact of first PDPC enforcements; Intensified PDPC enforcements (Singhealth); Covid19 Pandemic
Momentum for demand for Data Protection expertise continues
59% CAGR over 6 years
26. Growth in Data Protection Jobs – 1 month job postings
From 2021 to 2022, no. of positions increased by 125%
There is also a significant increase of Data Governance Specific Roles by 272% in 2022.
[Chart: No. of Jobs, +259%]
27. Trend of Jobs in Sole DPO / DP Office vs Jobs with DP Requirements
Record growth driven by job roles with data protection requirements
28. Growth in “DATA GOVERNANCE” Mentioned in “Data Protection Related Jobs”
[Chart: No. of Jobs, +608%]
29. Recommendations
• Propose starting a data governance team within your organisation
(if applicable).
• Shortage of data protection expertise means increased job
opportunities and better career progression for individuals trained
in Data Protection and Data Governance.
• Consider advanced diplomas in data protection / governance from SMU
• Be familiar with the General Data Protection Regulation (GDPR)
and new regional laws.
• Get certified with the International Association of Privacy Professionals
• Get involved with Data Protection and Data Governance
practitioners’ communities
• Join our DPEX network community and social media groups
30. Increased Focus on AI Governance and ethics as EU passes new AI Governance Law
31. How Hackers Use AI and Machine Learning
• Using Deep Fakes
• Social Engineering
• Faster Password Guessing
• More Sophisticated Phishing Emails
32. Previous incidents involving AI / Deep Fakes
A high-profile tax fraud scheme has raised more concerns about China’s lax data security practices, especially as it relates to the country’s widespread use of facial recognition. In the scheme, a pair of fraudsters used facial images purchased on the black market to create synthetic identities and set up a shell company that issued fake tax invoices worth as much as 500 million yuan (approximately $76.2 million USD).
18 Oct 2021
An unprecedented cybercriminal incident was detected in the United Arab Emirates (UAE), where the manager of a bank was deceived by hackers who used a complex technique to bypass security systems and steal a millionaire figure. According to the report, the threat actors employed an artificial intelligence tool to clone the voice of a business owner, whose accounts were at the attacked bank, allowing them to trick the manager into authorizing $35 million USD of bank transfers.
By Catherine Stupp
Updated Aug. 30, 2019 12:52 pm ET
33. 2022 Incident involving AI / Deep Fakes
Binance Chief Communications Officer Patrick Hillmann wrote in a blog post last week that internet scammers had been using deepfake technology to copy his image during video meetings. He started to catch on to this trend when he received messages from the leadership of various crypto projects thanking him for meetings he never attended.
Simon Cowell “Singing” on AGT
34. Governing the Use of AI
AI Ethical Principles
• Respect for human values
• Professional responsibility
• Fairness and non-discrimination
• Privacy, accountability
• Transparency and explainability
• Human control of technology
Common Ethical Principles
• Respect for persons
• Beneficence
• Nonmaleficence
• Justice
36. Global AI Initiatives by Governments
• National AI Strategy (Sep 2021)
• EU AI Act (*2023)
• Digital Charter Implementation Act (Nov 2022)
• AI Bill of Rights (Oct 2022)
• AI Ethical Guidelines (2021)
• Legal Framework for AI (2021)
First AI Law in EU and its global implications
37. Recommendations
• For organisations to reap the benefits of AI and Machine Learning
technology - learn to use AI and Machine learning ethically while
giving due regard to legal and privacy considerations
• Refer to IMDA’s Model AI Governance Framework
• For individuals to increase their value to the organisation - utilise
opportunities created by the advent of AI and Machine Learning by
taking on Data Governance competencies.
• Recommended course: Data Ethics and AI Governance Frameworks with
SMU
38. Summary: 5 Data Protection Trends
1) Ongoing digital transformation will create increased privacy and security
threats
2) Continued increase in privacy breaches and enforcements beyond data
security
3) Transition from data protection to data governance as demand for data
protection related expertise grows
4) More regulatory actions expected against improper/unfair use of social
media, surveillance and children’s data
5) Increased Focus on AI Governance and ethics as EU passes new AI
Governance Law
40. Look for Straits Interactive and click “LIKE”
JOIN our chat groups (tips, guidance, updates, job opportunities)
Indicate in interest form
41. www.dpexnetwork.org
We run the region’s largest Data Protection Excellence Network (dpexnetwork.org) (join as a Free member)
Free Webinars
• CXO Roundtable
• DPO Roundtable
• DPOinBOX Academy
(CPE points applicable)
Resources
• 5-minute videos (enforcements)
• Real-time news on Data Protection
42. Data Protection Route
Advanced Certificate in Data Protection Operational Excellence
Advanced Certificate in Data Protection Principles
Modules shown:
• Data Protection Principles – SG, HK, India
• Data Protection Principles – PH, MY
• Data Protection Principles – Indonesia, Thailand, Rest of the World
• Data Protection Principles – Taiwan, China
• GDPR & Application on Asia
• Data Protection Framework and Standards
Numbered modules:
1. A Practical Approach to Data Protection for DPOs
2. Information & Cyber Security for Managers
3. Advanced Data Protection Techniques: Data Protection by Design, DPIA & DPTM
4. Data Protection Management Programme (DPMP)
5. Data Protection Trends & the Roles of the DPO
43. Data Governance Route
Adv Cert in Governance, Risk Mgmt, Data Compliance
Adv Cert in Data Governance Systems (Launched 2022)
Modules shown:
• Mobile Applications - Privacy by Design and Design Thinking
• Concepts and Principles of Records Management in Today’s Digital Environment
• Implementing a Compliance Management System ISO37301
• Implementing the Privacy Information Management Standard ISO27701
• Data Protection Risks and Audit Management
• Digital Data Governance Frameworks and Standards
• Crisis Communications and Data Breach Response for DPOs
• GRCP – GRC Certifications
• Managing Performance, Stakeholders, Team Strengths for Data Governance
• Data Ethics and AI Governance Frameworks
• Policy and Third Party Management of Data Governance, Risk, Compliance: A Hands-on Approach
• Business Continuity Management for Managers
45. Governance Professional Certification Route
DGO
GRC and Data Governance Professionals
Awarded by Open Compliance Ethics Group (OCEG)
Validates that you understand and can apply GRC in your organization. It ensures that you have the versatile skill set to integrate and advise on governance, strategy, performance, risk, compliance, ethics, internal control, security, privacy, and audit activities.
A holistic approach to governance, risk, and compliance, with a specific focus on the data privacy/protection domain. Perfect for anyone who works directly or indirectly in any aspect of data privacy, protection, or governance. IDPP helps to integrate what you do with the other departments and disciplines, including mainline business operations.
46. Integrated Data Privacy Capability Model
• The Integrated Data Privacy Capability Model includes standards for management actions and controls upon which an organization may build an integrated approach to data privacy that addresses compliance and risk concerns
47. How to get Certified…
• Sign up as an OCEG member at OCEG.org
• Download the beta version of IDPM
• Get the All Access Pass (US$399)
• Prepare for the IDPP exam
• Take the hybrid course with Straits Interactive (recommended, optional) to get the detailed training and hands-on experience
• Pass the exam and maintain the certification!
48. Hands-on Training to Become an IDPP
Existing OCEG members with the All Access Pass (AAP):
Special Promotional Price* US$600 (RRP US$999)
New to IDPP (includes All Access Pass):
Special Promotional Price* - With a Coupon Code US$999 (RRP US$1,299)
Start date: 14 Mar 2023
What is included:
• All Access Pass US$399
• Access to IDPM eLearning portal
• Enforcement video clips
• 3 weekly “live” training sessions over 3 weeks (1 hr each)
• Hands-on training with data privacy management software
• Capstone project with instructor feedback
49. Testimonials
“The course has a definitive guide for Data Protection Officers who are looking towards being operationally ready. What I learned the most would be the specific steps in preparing a robust data protection management programme.”
“Relevant to my consulting practice going forward [the Model] provides a more detailed framework to advise clients on how to set up their privacy management plan.”
“The ‘learn and align’ [component structure] provides a good way to frame the settings for our consulting with the management to align with their business objectives and enrol support.”
“The training provides in detail the steps required to set up a data privacy programme (right from the start).”
“The training is very useful, how we combine data privacy knowledge and GRC perspective.”
“Found it useful to have understood the privacy framework in the larger context of GRC.”
50. Elearning for Corporates and Individuals
Corporate staff
Awarded by DPEX Network
Certified Data Protection Practitioner
Certified Data Governance Practitioner
This certification programme is designed for DPOs, DGOs, Compliance officers and professionals who are looking to get recognition as a preferred and certified practitioner in data governance management.
This programme aims to provide participants with the knowledge and tools to implement data governance systems or Data Protection in the organisation. It is also an opportunity for participants to gain hands-on experience through project work.
Corporate eLearning for staff
● Flexible Staff Training
● Trackable by the Organisation
This interactive e-learning module traverses the Information Life Cycle and the data protection obligations and principles most applicable at each stage. Includes:
• Case studies of actual enforcement
• Importance of policies and the actions to mitigate risks
• Accountability tools to protect personal data in Organisation
Individuals
51. Keeping your staff abreast of data protection obligations and operational risks, from existing staff to new staff is a challenge.
Every person in an organisation plays a part in data protection. The simplest of mistakes could well lead to a data breach.
52. SPEED
Interested in using e-Learning to enhance your staff training?
Contact us at sales@straitsinteractive.com