Data breaches are occurring ever more frequently, and laws and regulations governing data privacy, data protection, and cybersecurity have multiplied in response.
The need could not be more urgent. In the last three months alone, at least three incidents have affected citizens and consumers on a large scale. A breach at Singapore’s Ministry of Defence (MINDEF) exposed the personal data of 850 national servicemen and employees. A reported hack of Samsung smart TVs was said to have been designed to enable spying on consumers. And a security vulnerability in internet-connected stuffed toys exposed millions of voice recordings of parents and children.
“We talk a lot about breaches, but almost all of us use personal data for multiple reasons — for employment, for identifying talent (in our organizations), for research, or for aggregating data from customers. And all of the new technologies — cloud storage, Internet of Things, among others — are impacting how data is processed, used, and stored,” said Elizabeth Cole, Partner at Jones Day.
Complex Regulatory Landscape
Cole said that every country in Asia Pacific is struggling to introduce regulations that mitigate cyber risk, but the resulting rules vary widely and are at different stages of implementation.
“South Korea is one of the most aggressive in enforcing regulations. It has both national and sector-specific laws, as well as detailed data security obligations and data breach notification requirements,” she said.
Australia and Japan also have comprehensive privacy and cybersecurity laws. In February 2017, Australia passed a mandatory data breach notification law; its privacy principles also set out the conditions under which personal information may be disclosed across borders.
Japan, meanwhile, has approved amendments to its privacy law that expand the scope of its rules on processing big data, further restrict cross-border transfers, and guide organizational response to a data breach, effective from May 2017.
In Cole’s view, Singapore and Hong Kong are more conciliatory and constantly look for ways to help organizations develop their systems. Hong Kong’s Personal Data (Privacy) Ordinance contains a provision restricting cross-border data transfers, but that provision has not been brought into force; the regulator has only issued voluntary guidance.
China also does not yet have a national data protection law; it has only sector-specific rules on data protection obligations in the consumer, employment, and finance sectors. It has, however, passed a Cybersecurity Law, which takes effect June 1, 2017.
“There are some jurisdictions that still don’t have comprehensive laws — Indonesia and Thailand are the two big ones here in Asia,” Cole noted, adding that many jurisdictions weigh the need to remain an attractive place to do business, by allowing data to move easily, against the need to protect it.
What Is Data Transfer?
Several roundtable participants raised the issue of standardization and asked whether there is an accepted definition of what actually constitutes a data transfer.
“There is no consistency in the definition of what constitutes data transfer across the region at the moment. Some jurisdictions consider even access to information as data transfer, while others would consider it if data is transferred to another subject or to a processor or facility outside the jurisdiction,” Cole said. “Almost every jurisdiction in Asia, however, restricts cross-border data transfer to some degree.”
In the absence of a uniform framework for handling data and dealing with breaches, Cole offered some key takeaways. “The first is to know the data you collect and process and understand the purpose for which you are collecting,” she said.
“Make sure that you are only using data for the purpose for which it was collected and never disclose data to unknown third parties. Ensure that all data transfers have legal justifications and data privacy policies and consents are reviewed regularly,” Cole added.
She emphasized the importance of regularly reviewing agreements with processors and maintaining adequate supervision of vendor processing. “Periodically review security policies to ensure that personal data is protected and data retention policies are enforced,” she added.
Why You Need an Incident Response Plan
Cole also recommends creating a sound incident response plan. “Make sure you understand legal’s role in such a plan. The data regulators expect that you are ready for a data breach,” she emphasized.
“Do you have a data protection officer? My view is that an organization should have a data protection officer whether or not it is required because, if an issue occurs, it has someone with an understanding of what the regulations are,” Cole explained.
“One size does not fit all in Asia” — Elizabeth Cole, Partner at Jones Day
Data protection is also a key consideration for in-house counsel and private-practice law firms when choosing a language and translation service provider. Typically, only large international providers have the infrastructure to maintain a complete audit trail and to ensure that confidential data or documents are not farmed out to freelance linguists in particular jurisdictions.
“One size does not fit all in Asia,” she concluded. “We need to look at who is impacted by the sort of data we collect: consumers, employees, vendors. And what is the attitude of the regulators?”
The roundtable was sponsored by Lionbridge, one of the largest global providers of language translation and localization services.
Participants included senior in-house counsels and compliance officers from Accenture, ChemChina, Chubb Insurance, DBS, Dentsu Aegis, Deutsche Bank, Equis FG, Great Eastern Life, HOOQ Digital, Louis Dreyfus Commodities, Surbana Jurong, Takeda, Tata Communications, and Heidrick & Struggles.