
Not sure your data’s being protected?

This Singaporean entrepreneur has a solution

By Staff Writer

Companies say they handle customer data responsibly. But should these claims be given credence? 

Philip Heah wants to answer that question in a measurable way. In September, his company, Singapore-based Credence Lab, launched a rating system that grades companies on how well they protect the data with which they are entrusted.

Credence Lab is a start-up, but its Data Trust Rating System (DTRS) was developed in consultation with some big names in technology and business strategy including Alibaba, IBM, and KPMG.

“The topic has been discussed for a long time but has not been fully addressed,” says Heah, a former telecoms regulator turned entrepreneur.

Stiff penalties

Given that companies are legally required to comply with local laws such as Singapore’s Personal Data Protection Act (PDPA), some might ask whether such a certification is even necessary.

Heah explains that existing certification programs are about basic legal compliance. The Credence system, by contrast, looks at a range of factors including communications, accountability, user rights, and even corporate culture.

Passed in 2012, the PDPA law originally hit violators with a fine of 1 million Singapore dollars (US$737,229). But in December 2020, the maximum penalty was stiffened to 10% of a company’s local revenue – potentially as draconian as the 4% maximum fine on global revenue levied by Europe’s GDPR law.

“Many companies don’t have 10% profit margin,” Heah notes. “Your risk exposure is extremely high.”

That risk can be mitigated if companies demonstrate that they understand the importance of protecting customers’ data and are taking concrete steps to protect it.

Before Credence Lab certifies any customer, the company’s practices are audited in several areas:

  • Corporate governance. “Does management really understand the value of data – its potential benefits and risks?” Heah asks. “You can’t treat data as someone else’s job. It requires the attention of top management.”
  • Data governance. Do companies understand how data comes into their organization? Have they obtained users’ consent? Are they using the data for its intended purpose? Are they storing it properly, and for an appropriate length of time?
  • Technology of data. What kind of data protection is put in place for data at rest and in transit? What security measures protect the system, including mobile devices and media assets?

The company’s data-privacy practices are then audited by third party assessors such as TUV SUD, a German company that tests and certifies technical systems. Following that evaluation, Credence Lab confers the actual rating.

“As time passes, we can expand on the rating system to make it more comprehensive,” Heah says. “Then you’re not just legally compliant, but you have all the necessary controls in place – and so do your data ecosystem partners.”

The weakest link

For many companies, those partners – suppliers and intermediaries – could actually constitute the weakest link in the data protection chain. 

In the argot of data privacy, controllers receive user data and interact with users, while intermediaries get data from controllers. Intermediaries have fewer legal obligations than controllers, so they may be less inclined to protect data carefully.

For that reason, a company may want to contractually stipulate that any supplier it uses must meet the same data-protection standards that it meets itself.

This can be a win-win. Suppliers may not want to jump through the hoops necessary to comply with the law of a single country. A more widely recognized certification like DTRS, on the other hand, could be more beneficial.

Right now, it’s early days for Credence Lab. The rating is not yet commercially available, although “five companies are piloting with us,” Heah notes. One of them, Experian, is a global provider of information and credit reporting services.

The pilot program tests companies by subjecting them to various controls and getting initial feedback. Pilots will conclude by mid-2022, at which point the commercial version of the service will be launched.

Singapore has about 7,000 multinational companies that Heah believes will want DTRS certification to manage their suppliers and other partners across the region.

“Singapore is a starting point,” he says. “We want to expand regionally and eventually worldwide.”

If it succeeds, DTRS could serve as a model for other rating systems that encourage companies to become more accountable and help build consumers’ trust.

Philip Heah is a former Assistant CEO of Singapore’s IMDA, where he was the telecommunications sector regulator in charge of cybersecurity requirements. He was also project director for the Singapore Nationwide Broadband Network, which put in place a full fiber network to all households and businesses.
