Wazzup Pilipinas!
In the wake of Europe’s GDPR implementation, Asia Pacific governments are likely to become tougher on data protection compliance
The data protection landscape in the Asia-Pacific region is rapidly maturing compared to just a few years ago, with implementation and enforcement of privacy and data security laws becoming more rigorous and stringent.
While the region has in the past been perceived as less litigious than the western countries, this is changing as digital adoption increases and governments become more sensitive to the need to protect personal data and confidential information.
Globally, South East Asia is one of the fastest growing regions for digital innovation, spurred by better internet connectivity and smartphone adoption.
Singapore has a Smart Nation vision; Malaysia the world’s first Digital Free Trade Zone; while Thailand has earmarked a ‘Thailand 4.0’ vision for all sectors of the economy to be digital. By 2025, digital commerce in the top 6 countries in ASEAN is expected to reach US$90 billion, up from US$5 billion in 2015[1].
The collection of personal data by countries in the Asia Pacific is also expected to grow exponentially as the processing and analysis of large amounts of personal data become possible with digital technologies.
As cross-border data transactions grow,cyber security and data protection laws are also converging to reflect the demands of the emerging digital economy.
Many Asia Pacific businesses, however, have yet to move towards compliance with current legislation, and are holding back implementation until they can understand what compliance standards would look like.
However, this is set to change as data protection rules become formalised. Europe’s GDPR implementation in May 2018 has set a precedent that is likely to motivate Asia Pacific governments to further tighten the screws on privacy protection, for instance, by setting punitive financial penalties when companies mishandle customer data, demandingstricter internal risk management controlsand putting into law compulsory requirements for data breach notification.
Data protection compliance regulation coming into force across Asia Pacific
China, Singapore, South Korea, Japan and Australia, Malaysia and the Philippines have recently updated their data protection compliance rules or will be introducing new privacy and cyber security laws.
China has introduced some of the most comprehensive data protection regulations. A new Cybersecurity Law was enforced in June 2017, placing the onus on companies that conduct business in China—regardless if they have a physical presence in the country—to review their data protection policies and ensure compliance.
From 2014 to September 2017, a total of 1,529 criminal cases of infringement of personal information were heard in courts across the country.
In the next few months, China will be introducing e-commerce legislation to cover areas such as data anonymisation, big data, overseas data transfers and information security. Companies that fail to comply with the law will face severe financial penalties, possibly including the loss of their rights to conduct business.
In Singapore, changes to the Personal Data Protection Act already include facets similar to Europe’s GDPR, particularly in mandatory breach notification and appointment of a data protection officer.
In the first five months of 2018, a number of financial and insurance organisations, including AIG, Aventis, Aviva and Actxa were fined for failing to provide adequate security arrangements to protect personal data, or for breaching rules on the use of personal data. A cyber security bill is widely expected to be passed later this year in Singapore.
The Philippines Data Privacy Act was updated in 2016, making tougher sanctions enforceable on personal data security, including a compulsory 72-hour personal data breach notification.
Data protection safeguards are similarly being put in place in Australia. A mandatory data breach notification scheme was launched in February this year requiring companies to notify data breaches where serious risk of harm to individuals is caused. Failure to comply can lead to fines up to US$2 million.
Elsewhere, Japan’s Personal Information Protection Act was amended in May 2017, the Malaysian Personal Data Protection Act was enacted in 2013 and South Korea’s Personal Information Protection Act, updated in 2016, contains some of thestrictest data protection rules relating to IT networks and the use of credit information.
Businesses must move to protect their data, and themselves
The need for compliance is profoundlyimpacting how businesses handle personal data and manage their business process.
Security and the need to protect sensitive and confidential information is becoming a critical part of business operations.
All businesses need to be aware of major regional data privacy legislation and how it will apply to them. They need to assess their environments and ensure that they can meet current or oncoming compliance guidelines.
Non-compliance can be costly and lead to serious damages to their corporate reputation.
If businesses have yet to consider the tougher data regulations, now is a good time to start with an information audit and to begin developing awareness.
Crucially, they need to ask if they have the infrastructure, data management processes, and IT and cybersecurity technologies in place to protect their business environment. Do they have a robust data protection framework that can detect and mitigate data breaches quickly and effectively? Do they have visibility deep into their infrastructure, and know where their data is, as well as who and what are accessing it?
Cybersecurity is central to compliance with data protection regulations. Organizations must ensure they have the capability to prevent network intrusion and minimize the risk of serious breach, by reducing the time taken to detect new threats. They must also have effective and tested post-intrusion responses.
Opportunity to win customer trust and loyalty
With the data protection compliance burden growing in the Asia-Pacific region, it’s likely that the effort of achieving compliance, and the risks associated with the failure to comply, will increase dramatically.
For many businesses, customer confidence is already being influenced by their perceived risk of conducting transactions online, or whether their personal data is at risk of being compromised or stolen. Meeting or exceeding regulatory requirements will go a long way towards assuaging those concerns.
New data compliance rules also offer an opportunity for businesses to re-evaluate their processes and improve data management and customer loyalty. Rather than seeing these new regulations as challenges or barriers, they would be better off viewing them as an opportunity to achieve competitive differentiation, and as a way to drive greater customer confidence and trust in their brands.
By Peerapong Jongvibool, regional director for Southeast Asia and Hong Kong, Fortinet