Privacy experts from Malaysia, Singapore, Australia and Japan offer valuable insight into data protection matters, addressing Privacy Impact Assessment, consent and disclosure, cross-border data flow, privacy governance, data breach management, Big Data and cloud computing.

The Asia-Pacific region is stepping up its legal and enforcement regimes for data protection: the past five years have seen Singapore, Malaysia, the Philippines, South Korea and Taiwan ratifying their respective data privacy laws, while Thailand is currently drafting legislation and Japan is discussing reforms to its data privacy provisions. Legal and compliance teams have been grappling with developing appropriate measures to ensure compliance with these stringent regulations, aiming to reconcile often conflicting business and legal strategies.

In this context, senior-level privacy and information security experts, Katsumi Kojima of Sanofi K. K., Annelies Moens of Information Integrity Solutions, May-Ann Lim of the Asia Cloud Computing Association and Victor Tan Hock Kim of Universiti Tunku Abdul Rahman offered valuable insights into matters related to data protection, including Privacy Impact Assessment, consent and disclosure, cross-border data flow, privacy governance, data breach management, Big Data and cloud computing.

Q: It’s been over a year now since the Personal Data Protection Act (PDPA) entered into force in Malaysia and a little over six months since its enforcement in Singapore. How do new, more stringent privacy laws in the region shape your compliance and information management processes?

Kim: I feel that companies will have to closely examine their information management processes to clearly determine what kind of existing information falls under the ambit of the PDPA. This may require a significant reworking of the data life cycle management process, which now needs to incorporate the ability to track and archive user consent to specific data processing purposes, and to link this consent to the related data items. Another key aspect of the PDPA is that it does not permit a data user to transfer any personal data outside Malaysia except to specific countries. This has significant implications for companies that rely on cloud computing providers for the archival of their non-critical data.

Kojima: Our company formed a due diligence committee to approve internal policy and procedure and manage data privacy issues.

Lim: After speaking to a lot of SMEs and organisations regarding information management, I believe that, though a lot of work has been generated, the cost of compliance has gone up.

Another area of anxiety for them is the role of the Data Protection Officer (DPO) in Singapore, because it seems as if the DPO is the person who will be held liable for any infringement of the PDPA – this causes organisational stress when it comes to assigning information management ownership policies, as nobody would want such a risky role.

Q: How do you set up an effective Privacy Impact Assessment and Privacy Management Programme?

Kim: I believe there are quite a few comprehensive guidelines in this area available for review from government departments in the US, UK and Australia. Most of the practices outlined here would probably be based on the 7 foundational principles of Privacy by Design initially proposed by the Information & Privacy Commissioner of Ontario.

Kojima: We assess the types of data used (employees, physicians, patients), their risk level and develop frameworks accordingly.

Q: What do you consider the top 3 challenges in aligning and balancing data protection obligations with business strategy?

Kim: Business strategy is increasingly driven now by insights gleaned from big data analytics performed on a large variety and volume of data, some of which may have personally identifiable information (PII). The intention is usually some form of personalised marketing. The main challenge I would see is being able to continue to leverage these data sources while cleansing them of PII.

Another challenge might be how to persuade customers or users to consent to their personal data being used in specific ways or situations that may be mutually beneficial to all parties involved.

Kojima: Obtaining written consent for disclosure from physicians.

Lim: Alignment is the tricky thing – (1) increasing awareness across the business that data regulatory compliance is now something they have to take into consideration, (2) changing workstreams to adhere to the new compliance/regulations after getting legal advice – changing behaviour is always difficult, and (3) evolving new business strategies ethically – some companies have tried to displace their obligations onto vendors, or other dodgy practices.

Moens: For those organisations that understand that data and the way it is managed is core business strategy, there is no question about alignment and balancing between business strategy and data protection. The value in new and modern organisations increasingly lies in the intangible rather than the tangible assets. The intangibles are the goodwill, the intellectual property and the data to name a few. Business strategy is often about making decisions about what to do with customer data and how to innovate with it. So, the top challenge is getting organisations to see that data and the way it is managed is fundamental to business strategy, particularly in organisations where the intangibles matter.

Q: What do you recommend as strategies to move your business from mere compliance towards a culture of information accountability and privacy governance?

Kim: Generally, as I understand it, most successful strategies (on any particular issue, not just privacy) require initial buy-in and strong endorsement from senior management. This can take the form of the appointment of a privacy officer or privacy department. Privacy is recognised as a fundamental human right in the UN Declaration of Human Rights, and the general public view in many countries tends to concur. Establishment of privacy governance can be seen as a desire on a company’s part to evolve towards more ethical standards of behaviour, which may be viewed in a positive light by employees. Adoption of privacy governance also usually ensures some limitation on how employees can be monitored or tracked by employers (at least this has been the case in the US or UK), indirectly resulting in a higher level of autonomy, independence and trust that may subsequently increase job satisfaction.

Kojima: In our company, the concept of privacy is already adopted in our company culture because we operate globally and many countries have already introduced data privacy laws.

Lim: For me, this is a question of ethics – accountability and governance are values, so the buy-in has to be from the top-down. So far it’s the approach of “treat others’ data the way you’d like to be treated” which seems to be the best way of working, but this won’t work for everyone. Smaller companies can effect values changes, but it’s likely that larger companies are simply putting in processes which will have the same impact as buy-in.

Moens: Seeking compliance is a bare minimum approach, as the law is generally about minimum and not best practice standards. The gap between what customers expect and compliance is growing. Organisations need to focus on understanding customer expectations to stay ahead in business. Organisations wanting to innovate with data need to build trusted relationships with their customers. Responsible organisations view their use of their customers' data with a stewardship and custodian mindset. In order to move to a more accountable and governed privacy framework, organisations need to know their data holdings and value those holdings. Risk management structures need to be built around them, as with any other core asset. If not built, those assets quickly turn into liabilities through mismanagement, resulting in loss of customer trust.

Q: What are some of the industry-specific challenges your business faces in terms of consent and disclosure?

Kim: Most universities have some form of academic advisory system to help monitor and keep track of graduates’ performance: sometimes academic advisors find themselves in a dilemma on whether they are able to pass on specific information pertaining to a student advisee to a more relevant party (such as counselors or the health services). However, this is probably more related to the issue of privacy of a client-counselor relationship, rather than something new arising as a result of the PDPA.

Kojima: There is an increasing trend in the healthcare sector to disclose the financial relationship between healthcare professionals and companies. Consent is optional if there is a local law obligation to disclose, and is compulsory if there is only a local industry code level requirement.

Q: How do you think the APEC Cross Border Privacy Rules System can help standardise and streamline cross-border data transfer and data protection across jurisdictions?

Lim: It’s a first step in ensuring that there is some sort of standard for cross-border data transfers and data protection – the trouble is that it’s only for APEC countries at the moment, and I believe it is voluntary. I think it would be good if we continued to build this message of enabling data transfers, moving a step beyond clarifying where prohibitions on data transfers exist. The next step should be “here is data that you can transfer without any problems,” and having that as a positive message for businesses.

I think we could do with an industry standard on data transfers which governments and companies can work with – this is why one of the major projects that the ACCA is working on for 2015 is a data classification project, exploring how we can classify and tag data types, to enable the smooth flow of information.

Q: In your business, how do you manage the privacy implications of Big Data, the Internet of Things and/or cloud computing?

Kim: The way I see it, the main privacy implications of Big Data and IoT are the difficulty of ascertaining user or customer consent prior to data collection, and discerning what constitutes personally identifiable information. These questions have to be adequately answered before data collection can proceed in a valid manner. With cloud computing, the key question would be the legality of hosting data pertaining to local subjects in information infrastructure hosted in a remote country, a common occurrence given the global nature of cloud computing providers.

Q: Do you have processes in place to prevent and/or deal with data breach and leakage?

Moens: Fundamentally there are four key questions that should be asked to determine whether or not your organisation is ready to deal with an eventual data breach. If your organisation is able to answer the following questions you are well on the way to being prepared. The questions are:

1) How will you know if there is a data breach?
2) What happens where there is a data breach? Are customers, regulators and the media advised?
3) What resources and insurance exist to handle the data breach?
4) What data breach response plans and drills are in place?

* * *

Meet these experts and learn more about these topics at ALB’s Data Protection Conference, taking place on May 7 at the JW Marriott Kuala Lumpur!

Data protection Q&A with experts from Malaysia, Singapore, Australia and Japan

by Trang Chu Minh