Author, Angela Sultana
Data privacy has been a key focus for companies, particularly following a number of high-profile breaches in the past few years. Authorities the world over have been responding by enacting various data privacy guidelines and regulations to protect consumers. However, this has led to a steep privacy learning curve for businesses in the Asia Pacific (APAC) region, especially those functioning across geographies.
Currently, with the exception of legal and compliance executives, there probably aren’t many employees at online businesses who could spell out the nuances of data privacy regulations. As the data privacy landscape becomes increasingly complex and regulated, this lack of understanding on the subject could be a pressing problem for organisations.
Breaking down data privacy in APAC
Marketers in APAC are tasked not only with complying with local data privacy guidelines; they may also have to comply with legislation such as the European Union’s General Data Protection Regulation (GDPR). This could include hotels in the region that operate websites accessible in European languages, with their room rates in Euros or EU currencies, or organisations that receive personal data transferred from their European parent companies.
Now, let’s take the example of such companies in Singapore. These companies have to adhere to Singapore’s Personal Data Protection Act 2012 (PDPA). The PDPA takes into account the following concepts:
- Consent – Organisations may collect, use or disclose personal data only with the individual’s knowledge and consent (with some exceptions);
- Purpose – Organisations may collect, use or disclose personal data in an appropriate manner for the circumstances and only if they have informed the individual of the purpose for the collection, use or disclosure; and
- Reasonableness – Organisations may collect, use or disclose personal data only for purposes that would be considered appropriate to a reasonable person in the given circumstances.
While both the PDPA and the GDPR share a common goal of protecting data, they have different requirements. For instance, when it comes to gaining consent, the GDPR is stricter than the PDPA. Under the GDPR, there is no notion of deemed consent, as there is in the PDPA; consent must be express, unambiguous and freely obtained by the organisation.
It is, therefore, important for marketers in APAC to have clear and simple instructions about how to adhere to these laws correctly in their own environment.
The path forward
The fact is, APAC marketers will have to deal with as many laws as there are countries, and more. For instance, just earlier this year, Thailand put into effect a new Personal Data Protection Act and companies have been given a 1-year period to bring their practices into compliance.
The act adopts a broad definition of personal data (any data that could identify that person directly or indirectly). In addition, the act has extraterritorial applicability, so organisations both within and outside Thailand are obliged to comply.
The differences in data privacy laws require different actions to remain compliant. These differences are not just for a company’s legal counsel to distil, yet many companies don’t have structures in place to quickly educate their marketers. Marketers need a better path to knowledge as they utilise customer data for their own insights and campaigns, work with partners or sell goods. While there are ways to use the practices of one law to get a head start with another, this requires marketers to have a clear understanding of what each law entails.
The data privacy landscape in APAC is still evolving and remains fairly heterogeneous, with markets across the region at different stages of maturity. By planning for and investing in data privacy compliance sooner rather than later, marketers can be better prepared for the future, where governments will enact stricter regulations and demand greater accountability.