The cost of data protection: making a worthwhile investment or paying for an expensive mistake
By Lawrence Chia
Data hacks, security breaches, vulnerable IT systems – these are all hot topics in Hong Kong at the moment. With high-profile data security stories dominating headlines, the importance and fragility of personal data are very much in the public eye and have turned everyone’s attention to what businesses are doing – or not doing – to safeguard this data.
Security breaches can be devastating to both companies and society. They have massive, long-lasting impacts: take the hack of up to 90 million Facebook user accounts that took place this September. Unknown hackers exploited a security flaw in Facebook’s code, allowing them to take over almost 50 million profiles, with 40 million more being partially compromised. Amongst the affected were Facebook's CEO Mark Zuckerberg and COO Sheryl Sandberg – proving that when it comes to online security, everyone is potentially vulnerable.
These days, sharing personal data is vital to businesses and customers. In the MICE industry, collecting data from prospects and event attendees leads to important benefits – gaining better knowledge of attendee needs and preferences, providing valuable market insights which will help refine event offerings, and gathering all-important feedback after an event. Likewise, for delegates, sharing data can make the event experience more personal, more efficient and more productive.
Whilst data is rapidly becoming one of the most important assets of any business, infrastructure and strategies to protect that data often do not keep up with the pace of change. There are many reasons – a lack of understanding of the risks of a data leak or a lack of investment in the appropriate technology are just two examples. But this is late 2018: the digital economy is taking off and personal data is becoming ever-more fluid and ‘shareable’. The risks and costs of a data breach are now too great to ignore.
In Europe, the penalties for businesses that do not protect personal data are the strictest in the world. The General Data Protection Regulation (GDPR), new rules governing data protection which came into force across the EU in early 2018, set a new global standard. Organisations are now much more accountable than before – if they do not sufficiently protect their customers’ information, they can be fined up to 4% of their annual turnover. Under the terms of GDPR, organisations must ensure that personal data is gathered legally and then respected and protected from misuse and exploitation – or face the consequences.
Different countries penalise data breaches in different ways. In the US, last year, ride-sharing giant Uber was recently ordered to pay $1.16b (US$148m) to settle federal litigation over a 2016 cyber attack that saw data from 57 million customers and drivers accessed. Meanwhile in the UK, Facebook was fined $5.11m (£500,000) by the UK’s Information Commissioner’s Office (ICO) for its role in the Cambridge Analytica scandal.
Here in Hong Kong, the consequences for businesses are less severe, for now. The government’s Personal Data (Privacy) Ordinance, enacted in 1996, was based on the EU’s Data Protection Directive – legislation which the GDPR replaced. In a recent interview, the city’s Privacy Commissioner, Mr Stephen Wong Kai-yi, admitted that his office’s enforcement power needs to be increased and that it was time to review the Ordinance. At the moment, companies can only be prosecuted if they refuse to take corrective measures to protect data – they cannot be prosecuted for allowing a breach to occur.
Whilst data breaches can be enormously costly, so can finding ways to securely protect data. Traditional data storage systems, consisting of disk drives and early-model hardware and software systems, are still in widespread use today, despite their unreliability. But, according to Forbes, these old-school systems are “simply not designed to deliver on compliance challenges in this new age of policy-driven user rights and regulations”, since companies cannot legally retain data for longer than a certain time limit. Cloud-based data protection solutions and centralised data centres can be the right choice for many businesses, but it is important to discuss with experts the right strategy for your business and your budget.
Clearly, protecting data in Hong Kong involves a certain amount of expenditure. Companies can either preventatively invest in the right protections for this precious and important resource, or pay the price for not protecting it properly in the form of lost trust, potential fines and a permanently damaged reputation.