
APAC firms still coming to grips with data protection

More governments in Asia are implementing data protection regimes, but challenges such as checkbox compliance and the lack of effective staff training remain

This article can also be found in the Premium Editorial Download: CW Asia-Pacific: CW APAC: Trend Watch – data protection

Asia-Pacific organisations see the importance of having good data protection practices, even as they are still grappling with a slew of organisational and operational challenges, according to industry experts.

Kevin Shepherdson, CEO and co-founder of Straits Interactive, a Singapore-based data protection consultancy, said many organisations, especially those in regulated sectors such as financial services or healthcare, have put together sound data protection practices to keep up with compliance requirements.

“But whether it is specifically for business growth and innovation is still up in the air,” he said.

For those in unregulated industries, Shepherdson said data protection is seen as a way to mitigate the risks of processing personal data, along with workplace safety, health and fair employment practices, which are all part of running a business well for the benefit of all stakeholders.

Others may also do so because previous data or privacy breaches had opened their eyes to the risks of processing personal data. Having experienced the disruption that an investigation causes, including the management time and financial resources that are soaked up, they want to avoid any further issues in the future, Shepherdson noted.

In ASEAN, data protection as a business culture is still nascent, as data protection and privacy laws there are relatively new compared with those in the European Union.

For a start, many countries such as Singapore and the Philippines have mandated organisations to appoint a data protection officer (DPO) in their data protection regimes. Other countries with new laws such as Thailand also require a DPO when certain criteria are met by a company.

Proper training

However, DPOs are often the first to say that they are not formally or even properly trained to perform their roles and responsibilities.

Small and medium-sized enterprises (SMEs), in particular, may not have the financial muscle to hire a dedicated DPO to safeguard personal data. This is aggravated by the shortage of skilled DPOs in the region, which pushes up the cost of attracting them.

“As such, many SMEs appoint someone who double-hats as a DPO. It could be an HR, marketing or IT head who may know very little about data protection/privacy practices,” said Shepherdson. “Sometimes, it is the legal or compliance head, and they tend to be more generalist and not know a lot about data protection and privacy.”

Shepherdson said even if a DPO is appointed, an organisation’s management priorities are often elsewhere, including ensuring profitability, or in today’s pandemic, the survival of the company.

So, a common gap is in the governance of personal data where there is either little or no management buy-in or data protection is not seen as a business priority, he added.

Checkbox compliance

Shepherdson also pointed out the issue of checkbox compliance, where organisations approach data protection laws from a purely legal perspective.

He said these organisations and their lawyers see the law as a laundry list of complex requirements that they can tick off and satisfy by having various ‘paper policies’ to show regulators, with little or no impact on what the organisation does – or does not do – in relation to data protection.

“It is operationalising the policies and practices into everyday processes that are necessary,” he added, noting that compliance efforts should be proactive, which is what regulators demand.

“What regulators expect is that organisations can demonstrate accountability – ownership, responsibility and evidence – in the event of a complaint or incident that they had thought forward to identify the risks and implemented measures intended to prevent problems from occurring,” Shepherdson said.

Other gaps involve poor risk management. Shepherdson said some organisations are not aware of the common risks when processing personal data, such as attaching unsecured documents with personal data to emails and having poor access controls.

People still the weakest link

However, the weakest link in data protection is still people, with many surveys over the last decade or so attributing at least half of all data breaches to human factors.

“So, the lack of effective staff training – sometimes the lack of any training – is another gap that needs to be addressed to sustain compliance efforts,” said Shepherdson.

“There needs to be continuous training of the staff instead of one-off training covering not just the requirements of data protection laws, but also specific data protection policies and procedures of the organisation.

“And it is certainly not enough to simply tell new recruits to be sure to read the organisation’s privacy policy on its website, even if the individual is required to sign something to confirm that they have done so.”

Simon Piff, vice-president of security practice at IDC Asia-Pacific, said many data protection challenges stem from how IT teams have captured, created and curated data, versus where IT security had focused in the past.


He noted that IT security teams were focused on systems and networks to protect a virtual perimeter that is being eroded, while data management and storage teams were focused on maintaining availability and reliability of systems.

“Neither group had expressly looked at data security as an issue,” Piff told Computer Weekly. “In many cases, security teams saw it as a data management challenge and the storage team, who were never named the ‘data management team’, had been considering it a security issue. It has fallen between the gaps.”

Saravanan Krishnan, director for data protection solutions in South Asia at Dell Technologies, said companies are also struggling with having the right solutions in place to meet future challenges in data protection.

Citing Dell’s research, Krishnan noted that at least seven in 10 respondents in Asia-Pacific believe that their organisations’ existing data protection solutions will not be able to meet all future business challenges surrounding data protection. He said the lack of confidence is especially stark when it comes to data recovery from cyber attacks (70%) and data loss incidents (66%).
