With less than three months before the General Data Protection Regulation (GDPR) kicks in, just 10% of organisations in Singapore are ready to comply with the new European Union (EU) law.
This was according to the third biennial EY Global forensic data analytics survey, which examined the responses of 745 executives from 19 countries and analysed the legal, compliance and fraud risks that companies face and the use of forensic data analytics (FDA) to manage them.
European companies fared better in their compliance efforts, with 60% indicating that they have a compliance plan in place. There is still much more work to be done in other markets, including Africa and the Middle East (27%) and the Americas (13%). Globally, only 33% have a plan in place to comply with the new legislation.
In Singapore, a major business and financial hub for the APAC region, the low GDPR compliance readiness stands in stark contrast to the fact that 70% in the city-state have expressed concerns about data protection and data privacy compliance.
Reuben Khoo, fraud investigation and dispute services leader at EY ASEAN, said Singapore organisations may not be aware of the immense extraterritorial reach of GDPR, its requirements and its implications for data breaches.
Kevin Shepherdson, CEO and founder of data protection consultancy Straits Interactive, agreed that overall awareness of the new law in Singapore remains low, noting that the business culture of ensuring data protection in everyday business functions that process personal data is missing.
“Companies are just looking at it from a legal rather than an operational compliance perspective,” he said.
Increased adoption of FDA
Singapore respondents also expressed a strong belief in the value of FDA – a scientific method of identifying patterns and correlations in data to predict future events and detect fraud – and its benefits for an organisation’s governance programme, as reflected by a 67% increase in average annual spend per respondent compared with 2016.
According to EY, companies have gone beyond using basic FDA tools of the past decade, with 13% of Singapore respondents already using robotic process automation to manage legal, compliance and fraud risks.
But when it comes to achieving GDPR compliance, just 11% of Singapore respondents (13% globally) indicated that they use FDA to do so, with a third of them currently analysing exactly which FDA tools they would use to assist them with achieving compliance.
“Businesses that adopt FDA technologies can achieve significant advantages, benefiting from more effective risk management and increased business transparency across all of their operations. With better adoption of advanced FDA technologies, companies are also using more structured and unstructured data sources compared to a couple of years ago,” Khoo said.
Investments in FDA tools, however, need to be matched with greater investment in skilled resources, EY noted. Only 8% of Singapore respondents said their organisations have the right technical and data science skills.
Companies that run afoul of the GDPR could face fines of up to 4% of their annual global turnover. Security experts are already warning that cyber criminals will try to extort money from enterprises by first determining the GDPR penalty that could result from a ransomware attack, and then demanding a ransom of slightly less than that fine.