As data protection laws proliferate across the Asian region, general counsel must be savvy when it comes to seeking out solutions, finds Haky Moon

The increasing prevalence of data protection legislation across Asia Pacific is upping the pressure on in-house counsel, who often have to deal with disparate regimes across multiple jurisdictions.

One way to adapt to the myriad changes is to embrace innovative technology solutions that make information governance and compliance easier for both private practitioners and general counsel working on data protection issues.

A wider array of online platforms has made it possible for companies to check whether they are data compliant around the world. Technology-backed regulatory compliance solutions provide e-learning, certification, registers and templates. These solutions help organisations that require organisation-wide reach to manage regulatory processes, collect information and stay current.

In broad strokes, in-house and outside counsel have different areas of responsibility when it comes to compliance, particularly when effective systems are in place.

“It’s a generalisation, but law firms will be relied upon to provide technical advice about a local data protection regime and perhaps to draft contract language and amendments or client consent documents to ensure local legal compliance,” says Sharyn Ch’ang, global counsel at PricewaterhouseCoopers (PwC). “In contrast, in-house counsel are more likely to be tasked with developing a company’s data protection policy, devising or having input on employee education, testing for compliance, and working closely on a cross-functional basis with IT and security colleagues to put in place appropriate internal processes. For instance, on a proactive basis, we collaboratively developed a comprehensive data loss protocol.”

For law firms, it is harder to collaborate this closely unless they are given the same level of access.

“If you are a multinational company and you’re operating in 20 jurisdictions, you’ve got to make sure you’re compliant with every data protection law. That’s where it becomes quite costly and that’s really where counsel are having headaches,” says Paul Haswell, a partner at Pinsent Masons. “As we do more work in data protection, and with the world becoming an increasingly small place, there will be more automation.”

Ch’ang says she was PwC’s first Asia regional data protection leader and recalls having to deal with the various jurisdictions as they introduced new data protection laws. “Driving internal consistency on data protection, which is particularly important where data flows cross-border, is not an easy task if you don’t have the imprimatur of senior management to implement the necessary changes,” she explains.

Although the use of technology for this purpose is still at an experimental phase, it could help by cutting down on the amount of legal work associated with regulatory compliance. And as technology advances, the number of solutions available should expand.

“We will, of course, build upon that kind of worldwide service delivery. In addition, we are seeking to use more AI (artificial intelligence) throughout our business,” says Pinsent Masons partner Bryan Tan. “We haven’t done this in a live project yet. But from our experience while dealing with compliance issues the old-school spreadsheet type of way, we noticed that maybe we can cut down 80 percent of the work. This will let lawyers concentrate on the analysis in the context.”

However, there are still a number of areas that cannot be automated, and they present some challenges.

For legal departments across APAC, the challenges are multiplied by the number of jurisdictions. Many find themselves trying to put out fires here, there and everywhere as they try to keep up with changes to data protection laws or regulations in every APAC jurisdiction they operate in. Sometimes these changes are sudden, particularly in a region where sudden shifts towards draconian legislation are not uncommon.

And interestingly, technological advancement throughout the region is making these sudden shifts more common.

“Malaysia is a really good example. One minute, it doesn’t really matter where you keep your data relating to your Malaysian entities, but the next minute, suddenly it’s got to be located in Malaysia. You’ve got to make changes both legally and for your business to accommodate that, so it’s a massive headache not just for GCs but also for chief information officers,” said Haswell.

And while in-house counsel are increasingly keen to find innovative solutions to compliance challenges, sometimes firms and companies lack the necessary resources to do so, according to recent research by Pinsent Masons.

For in-house counsel, regulatory enforcement and compliance are areas where their work can add significant value, as long as they know the ins and outs of their business intimately. “We need to be close to the business to understand when and how personal data is collected and what the company is doing with it. It requires understanding of technology environments in terms of how data is stored, encrypted and secured,” says Gavin Ingram, Singapore-based general counsel at travel shopping service company Global Blue.

Data issues are increasingly complex, so counsel need to understand the requirements and regulatory guidance required for compliance as a matter of priority. Looking for ways to implement harmonised systems and controls across multiple jurisdictions can help.

Another useful strategy is to continually assess risk in terms of what the business is actually doing with personal data.

“The risk is lower if the data is not being shared, and used for marketing purposes. We make sure that data protection policies are clear and regularly reviewed to ensure they remain up to date. We do this by conducting audits from time to time to ensure compliance with data protection policies,” says Ingram.

Still, breaches do occur and they are getting more expensive in APAC.

In April, Malaysia introduced a new mechanism for sanctioning data protection breaches. The new regulations allow for some data protection offences to be compounded instead of being formally prosecuted. In other words, some offences can be settled by paying a certain amount of money rather than going to prosecution.

The mechanism is similar to the one in Singapore’s data protection legislation, which has been in place since 2014. As of July 2014, Singapore implemented its comprehensive Personal Data Protection Act (PDPA) and has some of the stiffest penalties for data privacy offences in the APAC region. Fines can rise to S$1 million ($800,000), which suggests Singapore is taking the new law seriously.

Hong Kong, which has a more developed data protection infrastructure, is also revising its enforcement activities as it adapts legislation to new business environments.

“In Hong Kong alone, although the data protection law is robust, the penalties attached to misuse or loss of data are not particularly severe. So data protection is obviously an issue that companies don’t want to be in breach, but even if they are in a breach, it’s not going to be a massive cost to them in the grand scheme of things,” says Haswell. “However, it is rumoured that these are about to change in Hong Kong.”

These changes translate into large workloads for both outside firms and in-house teams, with the latter having to be much more meticulous and do the majority of the heavy lifting in terms of compliance.

“Every organisation in Singapore needs a data protection law. In-house counsel get trained on what they need to do and what the responsibilities are. And if it’s outside of Singapore, they need to review. From the compliance point of view, there’s a lot more work for in-house counsels in relation to privacy,” says Ken Chia, principal at Baker & McKenzie.Wong & Leow.

Both in-house counsel and private practitioners agree that the key is to stay up to date in a region where legislation is becoming tighter.

“It’s a headache [because] it keeps changing,” says Haswell. He adds, however, that “provided you make the right steps in the beginning, it shouldn’t be that hard. It’s just a pain that you have to keep revisiting it. It’s not one of those areas where you can set up and never have to worry about it for 20 years.”