The Personal Data Protection Act and its implications for mobile security in Singapore

This is a contributed post by Nader Henein, Regional Director, BlackBerry Product Security

Over the past three decades legislatures across the world have been trying to update their legal systems to address growing concerns around how our private information is being used once handed over to companies in both the public and private sectors.

Looking back, this first began with an article published in the Harvard Law Review by two men who later became pillars of the US legal system, Warren and Brandeis. They wrote “The Right to Privacy” in December 1890 protesting what was then “New Technology”; the printing press had birthed its first tabloid magazine and with it the lives and photographs of private citizens were laid bare for all to see.

Fast forward a century or so and the introduction of the Personal Data Protection Act (PDPA) is driven by the same motivation: the protection of personal customer information held by organizations.

Naturally this is prompting businesses across Singapore to re-evaluate how they store and process customer information, and mobile data is by no means exempt. Today smartphones and tablets allow us to retrieve, store and process custodial information in our day-to-day jobs. This enables us to better serve our customers and to compete more effectively while generating greater revenue; it also gives rise to the need to treat this information responsibly and protect it from loss or theft. In the same way that a bank is held accountable to its customers for the money it stores, the PDPA aims to hold organizations accountable for the mismanagement of custodial information.

Enterprise mobility tends to be considered solely at the device level – and for that reason, has grown to represent one of the weakest potential points in many large organisations’ information security infrastructures. Enterprises need to strengthen their mobile security posture if they are to align themselves with the PDPA requirements. This means they need to put strong processes in place to prevent accidental or deliberate data leakages as well as to prevent malware infections.

Mobile devices are today central to business processes. Most large organisations have sales and service staff as well as executives in the field carrying a wealth of personally identifiable information about customers on their devices. These mobile devices can also often be used to access a range of customer data stored on company servers. Yet this area has not received enough attention from CIOs and IT managers, as they rush to meet the strict guidelines laid down by the PDPC (Personal Data Protection Commission).

In practice, this means organisations should make sure they have security frameworks and solutions that allow for end-to-end control over how data on mobile devices is managed at rest and in transit. These security procedures ideally need to be auditable so that the organisation can demonstrate compliance while, critically, not detracting from the advantages that mobility brings. So in short, security and compliance should not come at the expense of the bottom line, or the user experience for that matter.

BlackBerry Enterprise Service (BES), an Enterprise Mobility Management (EMM) solution, ensures that data-in-transit and data-at-rest are both properly encrypted across all managed devices. Local encryption of all customer data (messages, address book entries, calendar entries, memos and tasks) is enforced via IT policy. Additionally, system administrators can create and send wireless commands to remotely delete information from lost or stolen devices.

For BlackBerry 10 devices, the integrated BlackBerry Balance technology keeps personal apps and information separate from work apps and content. The user can switch between their Personal Space and Work Space with a simple gesture. The Work Space is fully encrypted, managed and secured, so enterprises can protect critical content and applications, while allowing users to get the most out of their smartphone for their personal use through apps like Facebook and Twitter without ever impacting their regulatory compliance posture.

For iOS, Android and Windows Phone devices[i], Secure Work Space is a containerisation, application-wrapping and secure connectivity option that delivers a higher level of control and security, all managed through the single BES administration console. Work applications are secured and separated from personal apps and data, providing integrated email, calendar and contacts; an enterprise-level secure browser; plus secure attachment viewing and editing with Documents To Go.

Mobile security that complies with the PDPA is going to be especially challenging for organisations that have embraced the “Bring Your Own Device” (BYOD) philosophy. The mix of devices in use in their workforces – many of them consumer smartphones and tablets not designed to enterprise security standards – makes such organisations vulnerable to loss or theft of customer data. With this in mind, companies with BYOD policies need to start looking to implement multiplatform MDM as a matter of urgency.

BES allows IT administrators to manage all their smartphones and tablets through a single end-to-end platform and management console, maintaining absolute control over corporate data through a series of layered data segregation and management policies. This allows for flexible deployments of any mobile device, from BYOD for a contractor working with your organization for a few months, through to the more robust demands of highly regulated users.

Take time to develop and implement a formal EMM strategy for your organization; the PDPA has sharp teeth for enforcement, and companies that do not meet its requirements could face penalties including large fines and reputational damage. At a more fundamental level we all have an almost integral responsibility to protect individual privacy. Indeed, for many of us, it is not legislation so much as the Universal Declaration of Human Rights that reinforces this, by treating individual privacy as key a pillar as freedom and equality.

[i] Coming later in 2014.