In part one of a two part series, we examine some of the challenges that companies face in terms of the evolving privacy and data protection landscape. Data protection and privacy issues are now bedrock strategic issues for companies across the world and Information Security professionals are now under even more pressure to ensure that data remains secure. The value of data as an intangible asset continues to grow and legislation and regulation is becoming ever more stringent. The onus is on companies to comply or suffer the consequences. This is going to require a whole new breed of information security professional. In part two of this series (in next month’s newsletter) we’ll look at the argument for and against a new role combining Chief Security and Privacy Officer in this rapidly evolving regulatory environment.
Data Protection
Certain types of personal data are very valuable to criminals, and can be very damaging to an individual or business if it falls into the wrong hands. As the world becomes more digital and more connected, more of this sort of data is generated and passed between various sources on a regular basis.
Government regulations and supervisory authorities aren’t just about keeping irresponsible parties in line. They also provide vital security guidance to every type of organization that handles sensitive personal, business or government information.
Data protection regulations also ensure that the end user has a transparent view of and a say in the processing of personal data. These safeguards play a significant role in everything from the preservation of civil rights to ensuring that democratic institutions function properly.
Some types of personal data are clear candidates for regulation: medical records, banking information, national ID numbers and so on. But some of these regulations also cover items that might seem relatively innocuous at first glance: home addresses, email addresses, website profile information and so on. For example, the European Union General Data Protection Regulation (GDPR) has stipulations about anything that is unique to an individual to include phone numbers and social media accounts. People have varying levels of privacy preference with these items, but they are often protected by regulation because they can be used for targeted scams and attempts at identity theft.
Given that regulations often take the size and customer count of businesses into consideration in terms of penalties and the scope of protection of personal data, compliance is particularly important for enterprise-scale organizations. You do not necessarily have to have an active business presence in a country or region; simply storing data on or moving it through servers there may subject you to their data protection rules.
The exit of the United Kingdom from the EU has caused turmoil in world markets and has far reaching consequences for those companies in the European Union doing business with the country – and vice versa. There has also been some uncertainty about how the authorities based in London will be treating data security and privacy issues. The consensus seems to be that companies doing business with the second largest economy in Europe (after Germany) should be adopting a ‘business as usual’ approach. However, will this necessarily be the case in the future? Will global companies with a British connection (including those in Asia) be forced to revisit how they treat data security and privacy issues when dealing with the United Kingdom – and will British companies move away from the rules that have been set in place by Brussels? We take a closer look.
In our first article on the European Union General Data Protection Regulation (Regulation (EU) 2016/679 or ‘GDPR’) we focused on the global territorial scope of the new rules and how they could affect businesses based in Asia. In particular, we highlighted how the enhanced rights of data subjects in the EU and the expanded obligations on data controllers and data processors — even if they are located outside the EU — provide much for businesses to consider as they become compliant with the new rules. In this second article, we will focus on the new regulatory-enforcement regime and international data transfers, and then draw comparisons with the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system.
As personal data protection continue to challenge companies it is becoming apparent that the commissions and other structures that police these issues have become impatient with organisations that are not complying with recommendations. For the first time those companies which have suffered a data breach and been found not in compliance are feeling the wrath of governing bodies.
The General Data Protection Regulation is the first comprehensive overhaul of European Union data protection rules in 20 years. This two-part article will examine the GDPR’s impact on businesses in Asia, with a focus on territorial scope, controller and processor obligations, and international data transfers.
Following the Malaysia Personal Data Protection Act (PDPA), the Personal Data Protection Standards 2015 sets out the "minimum" standards to be observed.
Like Superman draws his power from the sun, the cloud imbues organisations with remarkable power and flexibility. But how should organisations wield such power effectively to protect their users and data, especially in light of data protection regulations? Matthias Yeo, APAC CTO of Blue Coat, shares the top 3 tenets of adopting a cloud strategy so you can be the hero, not the villain.
Indonesia boasts one of the fastest growing economies in South East Asia. However, rapid growth has not been followed by robust development on the regulatory side, particularly in the case of specific rules regarding personal data protection. Authors Zacky Zainal Husein and Andin Aditya Rahman argue that clear definitions are paramount in setting the tone of any regulations, including Indonesia’s upcoming personal data protection rules. The article discusses how “personal data” is defined in the draft rules and the potential implications of sectoral regulation.
In this article, we examine how regulators in Asia are mandating the appointment of Data Protection Officers and how these appointees form only one part of a team that must be tasked with not only ensuring the integrity of data, but also in responding to breaches of security. We also touch on the consequences of team members not familiarising themselves with their individual roles and responsibilities.
The question of data privacy has become one that is shaping the business world of the 21st century. With many technologies advancing in leaps and bounds – as well as the increasing importance of ‘The Internet of Things’ the appointment of a professional Data Protection Officer to ensure legal and mandatory compliance has become a business imperative. We look at how failure to appoint such professionals who can operate at all levels of an organisation can be a costly mistake – not only in terms of revenue – but also in terms of customer trust.