850 industry participants, 52 workshop facilitators, 5 partner booths, and data protection authorities and policy makers from 11 countries. PDPC’s anchor event, also known as the PDP Seminar, is set to grow year on year.

What does it take to empower a data driven economy? This was the overarching theme that brought international regulators, policy makers, data protection professionals and other data ecosystem stakeholders together for the 7th Personal Data Protection (PDP) Seminar. The event was organised by the Personal Data Protection Commission of Singapore (PDPC) on 17 and 18 July 2019.

2019 marks the fifth year since the Personal Data Protection Act (PDPA) came into force. This is also the second year where we held the PDP Seminar back to back with another regional data privacy event, the two-day IAPP Asia Privacy Forum, making it a de facto Personal Data Protection Week.

Delivering the keynote speech at the Forum, PDPC Commissioner Mr Tan Kiat How highlighted the need for organisations to go beyond a compliance-based approach to that of accountability in the digital age. Mr Tan also nudged organisations to embrace three perspectives in their approach towards accountability - the organisation’s perspective, the systems perspective, and the global perspective.

The highlights of the Personal Data Protection Week were encapsulated in the remarks by Singapore’s Minister for Communications and Information, Mr S Iswaran, at opening of the PDP Seminar. Mr Iswaran articulated two key elements that were essential for Singapore to thrive in a data-driven economy - strengthening data protection capabilities and growing trusted data flows.

World’s first DPO Competency Framework and Training Roadmap

Elaborating on capability development, Mr Iswaran said the Data Protection Officer (DPO) is critical to the success of every enterprise in the digital age. To perform his or her job effectively, it is important that the DPO attains adequate competencies. To this end, Singapore has developed the world’s first DPO Competency Framework and Training Roadmap that outlines the set of skills and proficiency levels for a DPO through his or her career pathway, from an entry-level executive right up to those with regional responsibilities. 

The Competency Framework and Training Roadmap identifies nine data protection and data innovation competencies that will help to strengthen a DPO’s capabilities, and provides a non-exhaustive catalogue of courses that can help the DPO achieve the next level of proficiency. It not only aids a DPO in the advancement of his/her career, but also helps business owners and HR managers to structure their data protection functions and make hiring decisions.

Mr Iswaran shared that over time, Singapore hopes to attract DPOs from the region to attend high-quality training here. 

Transfer data with greater trust and confidence

To thrive in a data-driven economy, Singapore also needs mechanisms to provide assurance that personal data transferred overseas is handled with care and used for legitimate purposes.

“Data flows are essential to power innovation and new technologies as modern supply chains cross multiple countries and businesses expand to markets across the globe,” said Mr Iswaran. 

To help organisations compete globally by enabling them to transfer data with greater trust and confidence, Singapore will be certifying organisations under the APEC Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processor (PRP) Systems, administered by the Infocomm Media Development Authority (IMDA). 

The APEC CBPR and PRP certifications complement Singapore’s Data Protection Trustmark (DPTM) certification scheme, and steps have been taken to make it easier for organisations to apply for the various schemes.

Cross border data flows as a driver of the digital economy

As more organisations and individuals harness hyperconnectivity to serve their needs, the impact of digital trade on the movement of personal data across borders has also become an important topic of conversation amongst businesses and the civil society. It was also the focus of the first panel session at the PDP Seminar which was moderated by Professor Simon Chesterman, Dean, Faculty of Law, National University of Singapore.

Mr Koh See Khiang, Singapore Country Leader, International Association of Privacy Professionals (IAPP), got the discussion rolling by highlighting the difference between data and other traditional resources. For example, data is something that grows in value as more is being shared. Another difference is that data is easily replicated and if permitted, can flow instantaneously across borders.

Unfortunately, “regulatory friction” sometimes prevents organisations from sharing data as freely as they would like to, he noted. This can be a problem for organisations whose customers expect a seamless experience predicated on access to their personal data, regardless of their location.

Mr Damien Kieran, Global Data Protection Officer, Legal Director and Associate General Counsel at Twitter, likewise pointed out that customers have certain expectations of services that are delivered through their mobile phones as they travel overseas. For instance, they need to be informed if their flight is delayed, and a certain level of access to their personal data is necessary to enable this.

The key thing is to make sure that the data is protected, said Mr Kieran.

Fellow panellist Ms Kristie Chon, Vice President, Chief Privacy Officer, Head of Privacy, Data Governance, Resiliency and Technology Oversight, at PayPal, shared the approach that her company has undertaken to comply with varying data protection standards across different jurisdictions, which is to rationalise different regulatory requirements into a single programme framework.

In order to do this, it was necessary to bring together people from across the organisation, said Ms Chon. “For a programme to be operationalised, we need to take into account the product team, technology team, programme team, management, and all employees who touch data on a daily basis,” she said.

Agreeing on the need for multidisciplinary teams, Mr Kieran said, “We cannot underestimate the synergies that we can obtain by bringing different people into the team, because the role of data protection is not just compliance; it is also about creating opportunities.”

Mr Larry Liu, International Compliance Lead for Alibaba Cloud, extended the discussion to the important role that cybersecurity professionals play in the personal data protection space.

These are the people who knew where the data lies, can help determine the best technology to use to design a solution to protect it, and ensure that privacy by design covers all the processes and all the systems in the organisation, he explained.

Data in the era of AI

The second panel discussion was geared towards accountability and transparency in the face of artificial intelligence (AI).

Moderator Mr Kartik Seshan, Director, Quantitative Strategies, Temasek, framed the discourse on the need to set up the right framework, governance and policies to deal with AI.

“The primary ingredient in AI algorithms is data. We need to think about issues such as underlying bias, and the impact of biased data on society. We also need to think about issues of accountability, transparency, data collection and storage, and how do we obtain consent from customers for the use of their personal data.”

Sharing the perspective of a financial institution, Mr Shameek Kundu, Chief Data Officer of Standard Chartered Bank (SCB), said traditional ‘Know Your Customer’ processes used to suffice in ensuring that issues surrounding data collection and consent were well governed, because banks did not use data from external sources.

However, many banks are now starting to partner and share data with other financial and non-financial institutions. Open banking, i.e. the use of open application programming interfaces (APIs) that enable third-party developers to build applications and services around a financial institution, is forcing them to open up the data that they have collected.

As such practices emerge, one area of focus would be to develop a framework for third-party data sharing, in order to assess the rights that each party has on the data.

Mr Yoon Jaewon, General Counsel of Jungle Ventures, shared his observations of startups whose services may involve the use of personal data that they receive from their clients. With their limited resources, it is often very difficult for them to conduct full due diligence on the data, he pointed out. As personal data gets put through AI models to generate derived data, other issues such as transparency and potential bias also start to emerge.

Mr Neal Liu, Founder and Chief Technology Officer of UCare.AI, highlighted the importance of understanding the business problem that AI is being used to tackle, the specific model that is applied, the processes involved, and the people who would be impacted. “Because it is disruptive, we need to be even more careful about it,” he said.

On the topic of dealing with biased data and biased outcomes, Mr Jason Tamara-Widjaja, Associate Director, Data Science (AI Products) at MSD International, pointed out that bias is normal and that fairness is not a technical problem. When it comes to what data to use and what not to use, it boils down to what fairness means to the individual, he said.

Picking up on this point, Mr Kundu shared that SCB uses AI in its recommendation engines, and constantly grapples with the need to treat customers fairly. The important thing is to be able to defend a decision, whether it is made by humans or a machine learning model or is rule-based. “At the end of the day, using AI to drive a decision is no different from other ways of driving decisions. We still need to be accountable as before.”

The biggest seminar to date

Besides the panel sessions, the PDP Seminar also hosted four industry workshops run by AsiaDPO, AIG, SGTech and the Law Society of Singapore Cybersecurity & Data Protection Committee. The topics covered ranged from managing data quality to responding to data breaches, understanding the data lifecycle, and data protection by design.

Four closed-door sessions were also held at the PDP Seminar. Data protection regulators and policy makers from 11 countries convened in one session to discuss cross-border data flows while in another, Senior Minister of State for Communications and Information Dr Janil Puthucheary engaged data protection practitioners in a dialogue on accelerating the digital transformation of Singapore. Renowned think-tank Centre for Information Policy Leadership (CIPL) facilitated an APEC CBPR/PRP session while the fourth was an AI governance workshop.

Annex:

Workshops:

AsiaDPO - GIGO (Garbage In, Garbage Out): How Data Affects Quality	AIG - How to Manage and Respond to a Data Breach
SGTech - Understanding the Data Lifecycle: Risk Management and Data Security	Cybersecurity & Data Protection Committee, Law Society of Singapore - Introduction to Data Protection by Design

 

Closed-door sessions: 

Data Protection Policy Roundtable	In Conversation with SMS Janil: Accelerating the Digital Transformation of Singapore
CIPL – Industry Session on APEC CBPR and PRP	CIPL – Personal Data Protection Challenges and Solutions in AI