Recently the government of Singapore passed a bill (and then “Gazetted” it, as they call publishing it, which sounds a lot fancier) about protecting the personal data of consumers:
“Protection of personal data
26. An organisation shall protect personal data in its custody or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal or similar risks.
The PDPA also permits an organisation to transfer personal data outside Singapore provided that it ensures a comparable standard of protection for the personal data as provided under the PDPA (Section 26(1)). This can be achieved through contractual arrangements.”
So what they are saying is that gone are the days when a business that loses its customers’ data tells them, “Oops, sorry, we lost your data…” and that is about it. Governments are now taking initiatives that hold companies responsible for being careless with consumer data: protect it as if your life depended on it, or face the consequences.
This means that, as a corporation, you need to protect not only the data in storage and in transit, but also, given the cross-border restrictions (these are especially strictly enforced in Europe; read about them at the URL links above), you need to find a way to keep the data and the risk with you instead of passing them on to third parties. The easiest way to achieve that is to tokenize the sensitive data: keep the sensitive values in your own secure vault and send only the tokens to the other end. The tokens must be random values that cannot be reversed without the vault (a hash of the data is not a token, since identifiers such as ID numbers and phone numbers can be brute-forced), and the vault itself becomes the target, so access to it has to be tightly controlled and logged. Even if the other end is compromised, your sensitive data and your integrity stay intact, and in an audit it will be easy to show that you went above and beyond not only to comply with laws such as this one but also because you genuinely care about your customers’ personal data. Brand reputation matters a lot more than you think.
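To make the vault-and-token design concrete, here is an added Python example (not code from the original post): a minimal in-memory vault that hands out random tokens, an outbound step that swaps sensitive fields for tokens before a record is sent to a partner, and an allow-list on detokenization so that a compromised partner holding tokens gets nothing. It goes one step beyond the post by also showing why a bare hash of the data is not a token. The field names (`nric`, `email`, `phone`), the `crm_export` caller, the partner name and the sample customer record are all constructed for the demo.

```python
"""Vault-backed tokenization of personal data before it leaves your custody.

Added illustration, not code from the original post. Field names, the
'crm_export' caller and the sample record below are constructed for the demo.
"""
import hashlib
import secrets
from typing import Dict, Iterable, Optional


class TokenVault:
    """Holds the sensitive values; everything outside the vault sees only tokens.

    Tokens come from secrets.token_hex, so a token carries no information about
    the value it stands for and cannot be reversed without asking the vault.
    A production vault would encrypt these tables at rest and sit behind strong
    authentication and audit logging; this in-memory version shows the design.
    """

    def __init__(self, authorized_callers: Iterable[str]) -> None:
        self._by_token: Dict[str, str] = {}
        # Same value -> same token, so the receiving party can still join or
        # de-duplicate records without ever learning the underlying value.
        self._by_value: Dict[str, str] = {}
        self._authorized = set(authorized_callers)

    def tokenize(self, value: str) -> str:
        token = self._by_value.get(value)
        if token is None:
            while True:  # guards against the (astronomically rare) collision
                token = "tok_" + secrets.token_hex(16)
                if token not in self._by_token:
                    break
            self._by_token[token] = value
            self._by_value[value] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Reverse a token. Only callers on the allow-list may do so; a partner
        that received tokens is not on it, so a breach on their side yields nothing."""
        if caller not in self._authorized:
            raise PermissionError(f"{caller!r} is not allowed to detokenize")
        return self._by_token[token]


# Assumed field names for the demo record.
SENSITIVE_FIELDS = ("nric", "email", "phone")


def prepare_outbound_record(record: Dict[str, str], vault: TokenVault) -> Dict[str, str]:
    """Swap every sensitive field for its token before the record is sent to a
    third party; non-sensitive fields pass through unchanged."""
    outbound = dict(record)
    for name in SENSITIVE_FIELDS:
        if name in outbound:
            outbound[name] = vault.tokenize(outbound[name])
    return outbound


def weak_hash_token(value: str) -> str:
    """Anti-pattern: 'tokenizing' by hashing the value itself."""
    return hashlib.sha256(value.encode()).hexdigest()


def recover_from_weak_token(candidates: Iterable[str], leaked: str) -> Optional[str]:
    """Why a hash is not a token: an ID number has a small input space, so anyone
    holding the hash recovers the value by hashing guesses until one matches."""
    for candidate in candidates:
        if weak_hash_token(candidate) == leaked:
            return candidate
    return None


if __name__ == "__main__":
    vault = TokenVault(authorized_callers=["crm_export"])
    # Constructed sample record; the NRIC below is a made-up value.
    customer = {"customer_id": "C-1001", "nric": "S1234567D",
                "email": "alice@example.com", "plan": "gold"}
    outbound = prepare_outbound_record(customer, vault)
    print("sent to partner:", outbound)  # tokens only; plan and customer_id intact
    print("vault lookup   :", vault.detokenize(outbound["nric"], "crm_export"))
    try:
        vault.detokenize(outbound["nric"], "partner")
    except PermissionError as err:
        print("partner blocked:", err)
    # The same data 'tokenized' with a bare hash falls to a small brute-force run.
    leaked = weak_hash_token(customer["nric"])
    guesses = (f"S{n:07d}D" for n in range(1234000, 1235000))
    print("hash recovered :", recover_from_weak_token(guesses, leaked))
```

The design point is in `tokenize`: the token is drawn from the system's secure random source and stored beside the value, so the only way from token back to value is a lookup inside your own vault, gated by the allow-list in `detokenize`. The `weak_hash_token` pair at the end shows the trap to avoid: a hash looks opaque but is fully determined by the input, and for low-entropy fields an attacker simply hashes every plausible ID until one matches.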