APAC Regulations: Understanding Data Protection

By Alvin Rodrigues | May 30, 2018

In the wake of Europe’s GDPR implementation, Asia-Pacific governments are likely to become tougher on data protection compliance. The data protection landscape in the Asia-Pacific region is rapidly maturing compared to just a few years ago, with the implementation and enforcement of privacy and data security laws becoming more rigorous and stringent.

While the region has in the past been perceived as less litigious than western countries, this is changing as digital adoption increases and governments become more sensitive to the need to protect personal data and confidential information.

Even With Stricter APAC Regulations, New Technology Use Continues to Increase

Globally, South East Asia is one of the fastest-growing regions for digital innovation, spurred by better internet connectivity and smartphone adoption.

Singapore has a Smart Nation vision; Malaysia, the world’s first Digital Free Trade Zone; while Thailand has outlined a ‘Thailand 4.0’ vision that sees all sectors of the economy becoming digital. By 2025, digital commerce in the top 6 countries in ASEAN is expected to reach US$90 billion, up from US$5 billion in 2015[1].

The collection of personal data by countries in the Asia-Pacific region is also expected to grow exponentially as the processing and analysis of large amounts of personal data become possible with digital technologies.

As cross-border data transactions grow, cyber security and data protection laws are also converging to reflect the demands of the emerging digital economy.

Many Asia-Pacific businesses, however, have yet to move towards full compliance with current legislation and are holding back implementation until they can understand what compliance standards would look like.

However, this is set to change as data protection rules become formalized. Europe’s GDPR implementation in May 2018, for example, has set a precedent that is likely to motivate Asia-Pacific governments to further tighten the screws on privacy protection by, for instance, setting punitive financial penalties when companies mishandle customer data, demanding stricter internal risk management controls, and establishing laws that codify compulsory requirements for data breach notification.

APAC Regulations Coming Into Force

China, Singapore, South Korea, Japan, Australia, Malaysia, and the Philippines have recently updated their data protection compliance rules or will soon be introducing new privacy and cyber security laws.

China has introduced some of the most comprehensive data protection regulations. A new Cybersecurity Law was enacted in June 2017, placing the onus on companies that conduct business in China—regardless of whether they have a physical presence in the country—to review their data protection policies and ensure compliance.

In addition, from 2014 to September 2017, a total of 1,529 criminal cases of infringement of personal information were heard in courts across the country.

Over the next few months, China will also be introducing e-commerce legislation to cover areas such as data anonymization, big data, overseas data transfers, and information security. Companies that fail to comply with the law will face severe financial penalties, possibly including the loss of their rights to conduct business.

In Singapore, changes to the Personal Data Protection Act already include facets similar to Europe’s GDPR, particularly in terms of mandatory breach notification and the appointment of a data protection officer.

In the first five months of 2018, several financial and insurance organizations were fined for failing to provide adequate security arrangements to protect personal data, or for breaching rules on the use of personal data. Singapore is also widely expected to pass a cyber security bill later this year.

The Philippines Data Privacy Act was updated in 2016, making tougher sanctions enforceable on personal data security, including a compulsory 72-hour personal data breach notification.

Data protection safeguards are similarly being put in place in Australia. A mandatory data breach notification scheme was launched in February of this year, requiring companies to provide notification of data breaches where a serious risk of harm to individuals is caused. Failure to comply can lead to fines of up to US$2 million.

Elsewhere, Japan’s Personal Information Protection Act was amended in May 2017, the Malaysian Personal Data Protection Act was enacted in 2013, and South Korea’s Personal Information Protection Act, updated in 2016, contains some of the strictest data protection rules yet relating to IT networks and the use of credit information.

Businesses Must Move to Protect Their Data and Themselves

The need for compliance is profoundly impacting how businesses handle personal data and manage their business processes. As a result, security and the need to protect sensitive and confidential information are becoming a critical part of business operations.

All businesses need to be aware of major regional data privacy legislation and how it applies to them. They then need to assess their environments to ensure that they can meet current or oncoming compliance guidelines.

Non-compliance can be costly and lead to serious damage to corporate reputation. If businesses have yet to mull over the tougher data regulations already in place or being considered, now is a good time to start with an information audit to begin developing awareness and formulating a plan to come into compliance.

Crucially, organizations need to ask if they have the infrastructure, data management processes, and IT and cybersecurity technologies in place to protect their business environment. Do they have a robust data protection framework that can detect and mitigate data breaches quickly and effectively? Do they have visibility deep into their infrastructure, and know where their data is, as well as who and what is accessing it?

Cybersecurity is central to compliance with data protection regulations. Organizations must ensure they can prevent network intrusion and minimize the risk or impact of a serious breach by reducing the time taken to detect new threats. They must also have effective and tested post-intrusion responses.

Opportunity To Win Customer Trust and Loyalty

With the data protection compliance burden growing in the Asia-Pacific region, it’s likely that the efforts to achieve compliance, and the risks associated with the failure to comply, will increase dramatically. 

For many businesses, customer confidence is already being influenced by their perceived risk of conducting transactions online, or whether their personal data is at risk of being compromised or stolen. Meeting or exceeding regulatory requirements will go a long way toward assuaging those concerns.

New data compliance rules also offer an opportunity for businesses to re-evaluate the processes they have in place and improve data management and customer loyalty. Rather than seeing these new regulations as challenges or barriers, it is better to view them as an opportunity to achieve competitive differentiation, as well as a way to drive greater customer confidence and trust in their brands.

[1] The Monetary Authority of Singapore’s 2018 special report on the digital economy, published in the Straits Times, 7 May, 2018
