Author: Charles Mi
Despite 2019 seeing continued growth and change in data protection and cybersecurity across the region, incidents in Asia Pacific are becoming increasingly frequent and damaging, targeting large organisations with sophisticated attacks.
Toyota, for instance, has experienced large-scale data breaches that affected the personal information of many of its customers in Asia Pacific, including in Japan, Thailand, Vietnam and Australia. The largest of these attacks occurred in Japan and affected up to 3.1 million customers. Shortly thereafter, it was reported that a cyberattack occurred in Thailand and Vietnam, where Toyota’s servers were accessed without authorisation.
Data privacy and security regulators are also being more active and tougher on businesses with poor data protection practices. In 2019, 26 Singapore companies were fined a record S$1.28 million for breaching the Personal Data Protection Act (PDPA), with the highest number of breaches occurring in the finance and retail sectors. Most of those data leaks were due to companies failing to do their due diligence in managing consumers’ personal information.
According to an IBM Security study, the average organisational cost of a data breach in ASEAN is S$3.6 million (US$2.62 million), and the average number of records per breach is 22,500. Another study reported that 96% of Singaporean businesses suffered a data breach between September 2018 and September 2019.
Moreover, in the age of COVID-19 and contact tracing, data privacy regulators and authorities around the region are likely reviewing, developing and strengthening their data privacy and cybersecurity directives.
Ultimately, data compliance is not a nice to have; it’s a need to have. It is crucial for brands to carefully consider their approach to data management and privacy, and having a good communications plan on data compliance is essential to maintaining consumer, regulator and partner trust.
Global Compliance Is The Way To Go
More countries and jurisdictions are stepping up their data privacy and protection legislation – one of the most recent being the California Consumer Privacy Act (CCPA), which went into effect in January this year. Similar to the EU’s General Data Protection Regulation (GDPR), CCPA extends beyond the state’s geographical border, and includes any company holding the data of a California resident.
At the same time, regulators around the world are starting to collaborate with their counterparts across borders to align and support each other. In January this year, Singapore, Chile and New Zealand concluded negotiations on the Digital Economy Partnership Agreement (DEPA). Designed to align standards and promote interoperability between different regimes, the agreement includes modules that address data privacy and online consumer protection issues.
The implications of these developments are that companies can no longer be complacent about data governance laws in other jurisdictions and need to reevaluate how they are doing business online.
In a recent survey from PwC, 52% of tech, media and telecom companies rank data privacy as a top issue in 2020. PwC offers a “Risk Atlas,” which tracks all of the varied privacy regulations around the globe and helps companies stay ahead of changing and emerging requirements. Notably, companies that are upfront about data privacy for any new initiative tend to be significantly more profitable than companies that neglect privacy compliance early on.
Build In Best Practices, Not Workarounds
By having privacy professionals in the room early, brands make sure they ask the hard questions first, so they can build compliance right in. Patrick Hounsell, Google’s head of Consumer Insights, Data & Measurement, notes that the company is turning away from workarounds like fingerprinting, and instead recommends that company partners collect data directly using transparent practices. Google also recommends working only with partners (agencies, data companies, publishers and vendors) that follow similar transparent best practices.
Proactive monitoring and proactive communication can help brands as they face regulators in different regions. Working with partners who have demonstrated best practices in their region and globally is a good start, but it’s also important to work with those partners to create an action plan and a communications plan in the event that a data issue does occur.
Savvy brands are also focusing on finding higher quality partners, and are asking up front for very transparent information, such as the origin of data that they will be sharing. If a company is truly following best practices, they should be more than happy to provide detailed information about how they collect, store and manage all of their data at a granular level.
Data segments are a good example. In the past, many data companies have named data segments based on an internal naming structure and included data from a broad variety of third-party partners that may or may not be privacy compliant. A brand could expect a high-level description of the segment as well as a complete list of the companies that originated the data. Today, lists are not nearly enough. Brands should not only expect a full list of data origination, but also written assurance that every data partner follows data privacy best practices.
New Best Practices Require Innovation
As companies become more accustomed to increased regulation, it’s likely that new systems will come into place to help ensure compliance. New laws and regulations – such as stricter rules by Singapore’s Personal Data Protection Commission governing the collection, use and disclosure of national identification numbers – will add complexity, and data privacy compliance does not have an expiration date. Not only does data need to be obtained and used correctly; brands must also track how long data can be processed, manage opt-out and deletion requests, and have a policy for how the delivery of the intelligence from data can be audited.
Data rights management, which is still in its infancy, should follow the same rigour as the more mature digital rights management systems, and as the industry grows, new tools will emerge for brands to stay ahead of shifting regulation. Innovations like SECURITI.ai’s new privacy platform automate privacy compliance with patent-pending “people data graphs” and robotic automation. Companies like LiveRamp can help brands centralise data flow for more manageable compliance as well as confidentiality at scale. And, if companies collaborate on standard tagging, it can help with compliant and consistent data sharing.
It’s likely that these types of tools will become more common and ultimately become another layer in the martech stack. These innovations can help brands vet data quality from partners and make sure that they keep up with evolving regulation. The important takeaway is that data is a necessary part of doing business, but there is a liability associated with it that requires a new level of scrutiny, investment and diligence.
This liability should be assessed professionally by executives and the legal and financial teams for an overall approach, as well as for every new data use case or partnership. For example, they should address the data liability between a brand and its agency, determine the need for data liability insurance in case of a breach, and finally, calculate added costs for data audits and other quality assurance measures.
The privacy regulations are also creating new workflows for a wide variety of executives and tacticians from CFOs to DPOs to CMOs and their teams. In fact, privacy and data rights management is now the liability and responsibility of the entire organisation. For example, companies will need to maintain up-to-date data processing records for all customer information. They also need to preserve inventories of all customer data, including associated metadata and licensing information. What’s more, new opt-out rules in different regions will require different compliant workflows that need to be kept up to date and accurate.
Ultimately, privacy regulation will help brands have a higher quality, more stable data strategy. However, having internal best practices is only half the battle. It’s important that brands are also proactive about requiring their ecosystem to have the same high standards to ensure compliance with data privacy regulations.