To satisfy newer and tougher data laws being enacted across the region, what should organizations be concerned about, and what should they do?
While COVID-19 has dramatically accelerated the world’s digital transformation, cybercrime and data breaches are rising in tandem, and Asia Pacific governments are ramping up their efforts to protect citizens’ data and privacy.
Nineteen jurisdictions in the region now have comprehensive privacy laws, with the latest being in Thailand. Laws in Japan, South Korea, Singapore and New Zealand have also been amended recently.
In the next couple of years, as many as eight new or updated laws may be enacted or introduced into national legislatures. China, India and Indonesia are the most likely to adopt laws in the short term, followed by Australia, Hong Kong, Malaysia, Sri Lanka and Vietnam in the longer term.
To satisfy these tough new regulations, companies may need to:
- Re-examine data governance and protection matters in light of their organization’s existing structure
- Properly classify data
- Put in place detection-related controls and incident management procedures to react swiftly to breaches
- Put in place prevention-related controls that keep pace with evolving cybersecurity threats
CybersecAsia spoke with Nick Savvides, Senior Director of Strategic Business, Asia Pacific, Forcepoint, about what organizations in the region should be concerned about:
Nineteen jurisdictions in the region now have comprehensive privacy laws, with Thailand being the latest enactment. Laws in Japan, South Korea, Singapore and New Zealand have also been amended recently. How would these developments impact data governance and protection within Asia Pacific enterprises?
Savvides: Operating across jurisdictions has always been a challenge, and now in an increasingly borderless world this has become even more complex.
Asia Pacific has been at the forefront of digitization, digital innovation and digital governance. While this digital transformation has been driven by innovative new technologies and the seemingly endless new ways to collect, understand and analyze data, data protection regulations are now presenting new challenges to enterprises.
Across the Asia Pacific region, there is a proliferation of data protection and privacy regulations, all of which share many common concepts and core details, but with significant differences at the periphery. This means that companies continue to navigate a complex landscape of data protection regulations and standards, posing numerous operational and technological challenges.
This is also echoed in the conversations I’ve had with some of Forcepoint’s leading data protection partners in the region, with voices on the ground being relatively consistent: enterprises are struggling with legacy data management and data integration.
The pandemic, which caused businesses to race to adopt cloud and digital solutions, exacerbated the challenges of data ownership, management and governance.
Unfortunately, many organizations, in the scramble to modernize and digitize, have treated data with pre-cloud thinking, treating data management as an IT rather than a business problem. Many of these businesses, especially the small and medium-sized ones, may not have the right resources and infrastructure to develop operating processes that mitigate data security controls.
Businesses need to be aware of both the new data protection regulations, and the differences between them, to avoid potentially costly consequences if regulations are breached. This may have an impact on firms seeking to expand into other markets.
In the next couple of years, as many as eight new or updated laws may be enacted or introduced into national legislatures. China, India and Indonesia are the most likely to adopt laws in the short term, followed by Australia, Hong Kong, Malaysia, Sri Lanka and Vietnam in the longer term. Why do you think these new and updated legislations are necessary?
Savvides: Data protection and privacy regulations were ripe for change. The digital technologies adopted by organizations over the last 10 years mean that data management today (collection, analysis and de-anonymization, for example) is so far removed from the way we did business ten years ago that the regulations dating from then are not relevant.
Using advanced techniques such as data matching or data mining with machine learning was simply a fantasy a decade ago. I’d go as far as to say that regulators fell significantly behind in adapting to the changes, as the pace of change and depth of new functionalities were unexpected.
Industry, governments and citizens all understand the need to secure data, secure privacy and set up clear guidelines in order to effectively allow enterprises to thrive while protecting the privacy of individuals. Regulations must evolve, and become much more agile to accommodate the reality of today’s digital economy.
Data privacy is now a matter of concern for everyday citizens, who have raised valid concerns around unauthorised use of or access to personally identifiable data. While data such as location-tracking or previous purchases can be a valuable asset for businesses to improve their products and services, citizens and their governments expect the custodians of the said data to protect it.
Many people are now well aware of numerous high profile breaches that have made headlines over the last few years, and the identity theft and other cybercrime that ensues as a result of breaches.
Strong data protection regulations should ensure the security and privacy of personally identifiable information for citizens, but in addition give rise to a safe and trusted environment. Within a safe environment, people will continue to benefit from digital innovation, and enterprises will be supported to continuously develop new products and services to benefit both economies and their citizens.
What must organizations do – and what steps would you advise them to take – with regards to their data infrastructure, considering the need to comply with new and evolving data privacy, governance and protection regulations?
Savvides: International regulations are evolving rapidly in the Asia-Pacific region, and enterprises must stay engaged with local regulations so that they don’t find themselves out-of-step, or in breach of new rules.
The first step is to create an organizational culture where data privacy and cybersecurity are fundamental to the smooth running of the organisation. After all, regulation or not, it makes sense to protect data, the most valuable of assets, and the privacy of end customers. Business leaders should drive a top-down culture where all employees recognise and understand data privacy and cybersecurity, and share the responsibility for data protection.
Just as how in the last 30 years we have been through a workplace safety revolution, where the safety of fellow employees is not just the responsibility of the safety officer but of everybody, we need to adopt that same mindset when it comes to data privacy and cybersecurity, and empower our employees to feel responsible.
The next big part is a little more formal, and that is the establishment of an enterprise-wide data privacy practice that not only sets the internal standards but takes a proactive approach to ensuring that data privacy principles are upheld. It is wise to regularly engage with local regulators to understand changes before they happen.
It’s important to move to a model of constant assessment, where privacy principles are applied at every decision point, in every project, rather than having one-off or annual reviews – these can date quickly. And avoid making individuals or teams responsible.
In this model, there is constant input from regulatory requirements, constant engagement with employees and constant engagement with the business.
Of course, traditional elements shouldn’t be overlooked and a comprehensive privacy programme will include a number of elements key to data management. These include governance structure, risk assessments, policies and procedures, training, audits and transparency.
But by adopting a proactive, all-inclusive approach, businesses can ensure they are compliant with the legalities of personal data and privacy while still being able to leverage the benefits of data.
How do these measures tie in with existing cybersecurity strategies within the organization?
Savvides: Data privacy is much bigger than cybersecurity and data protection alone. Yes, data protection products and policies will go a long way in solving data privacy issues, but they are not the same. Data privacy is driven by business decisions and must be cross-functional, with cybersecurity departments working hand in hand with business leaders to ensure the cybersecurity products and services serve the data privacy need.
However, the two disciplines are closely linked. As cybersecurity programmes mature, providing effective data protection to businesses, innovation in data usage can grow. The better protected data is, the more a business can use that personal data to better understand customers and enable new uses of data.
Data Loss Prevention (DLP) technologies have been a big part of organisations’ data protection strategies, as they are able to protect data in use, data in motion on their network, and data at rest in their data storage area or endpoint devices. However, traditional DLP does still leave significant gaps in protection. Traditional DLP is focused on policy violations, where everything must be pre-defined as either allowed or denied.
While this is valuable, it creates a gap when we don’t truly understand which data is valuable, can’t predict how it may be misused, or simply don’t craft policies to protect it. Traditional DLP can also be clunky with its black/white, allow/deny policies. It can get in the way of business, with protections not being rolled out as they can be intrusive or work against user productivity. Over time, policy creep can lead to complex policies that are difficult to manage, incidents that are difficult to investigate, and lots of manual rework.
Modern DLP tools have evolved to not just be data and policy aware, but also risk aware. These tools can act automatically to stop data loss before it happens, by increasing a risk score over time and putting incremental blockers in place. More nuanced than allow/deny, these systems understand the user’s behaviour and the data usage thoroughly, allowing DLP to become predictive in nature, to the extent that controls for most users can be made less intrusive, with rapid automatic scaling of protections for the riskiest of users.
Combining this with deep content inspection, contextual security analysis of transactions and real-time responses, such risk-adaptive data protection takes DLP systems much further than just being enforcers of data security policies, to actually deliver data protection outcomes.
By adopting risk-adaptive data protection, organisations can effectively detect, predict and prevent the unauthorised use and transmission of confidential information. It can protect against mistakes that lead to data leaks and intentional misuse by insiders, as well as external attacks on organisations’ information infrastructure.
All of this goes a long way in helping organisations meet regulatory requirements in the jurisdictions in which they operate, and protects them into the future as the technology and regulatory landscapes continue to change.
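The contrast drawn in the last answer, between a traditional allow/deny DLP policy and a risk-adaptive engine that raises a per-user score over time and escalates its response in tiers, can be made concrete in code. The following is an added example written for this article; it is not code from the interview, from Forcepoint, or from any DLP product. The content-inspection patterns, the action and label weights, the decay half-life, the response tiers and the sample events are all constructed assumptions chosen to show the behaviour described above.

```python
"""Traditional allow/deny DLP beside a risk-adaptive engine (constructed example)."""
import math
import re
from collections import defaultdict
from dataclasses import dataclass

# --- Deep content inspection: a tiny classifier. Patterns are assumptions for the demo. ---
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum: separates card numbers from digit strings that merely look like them."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(content: str) -> set:
    """Return the sensitivity labels found in a message or file body."""
    labels = set()
    if EMAIL_RE.search(content):
        labels.add("pii_email")
    if any(luhn_ok(m) for m in CARD_RE.findall(content)):
        labels.add("payment_card")
    return labels


@dataclass(frozen=True)
class Event:
    user: str
    action: str     # channel the data is moving through
    content: str
    minute: float   # scenario time, in minutes


# --- Traditional DLP: every case pre-defined as allowed or denied -------------------------
DENY_CHANNELS = {"email_external", "usb_copy", "cloud_upload"}


def traditional_decision(event: Event) -> str:
    if classify(event.content) and event.action in DENY_CHANNELS:
        return "block"
    return "allow"  # a channel the policy never anticipated (printing) slips through


# --- Risk-adaptive DLP: per-user score, decaying over time, tiered responses --------------
ACTION_RISK = {"internal_share": 0, "print": 1, "email_external": 2, "cloud_upload": 2, "usb_copy": 3}
LABEL_RISK = {"pii_email": 1, "payment_card": 4}
TIERS = [(5, "allow"), (10, "coach"), (20, "require_justification"), (math.inf, "block")]


class RiskAdaptiveDLP:
    def __init__(self, half_life_minutes: float = 60.0):
        self.half_life = half_life_minutes
        self.scores = defaultdict(float)
        self.last_seen = {}

    def decide(self, event: Event) -> tuple:
        """Update the user's risk score for this event and return (response, score)."""
        if event.user in self.last_seen:  # let old risk fade so one incident is not permanent
            elapsed = event.minute - self.last_seen[event.user]
            self.scores[event.user] *= 0.5 ** (elapsed / self.half_life)
        self.last_seen[event.user] = event.minute
        sensitivity = sum(LABEL_RISK[label] for label in classify(event.content))
        self.scores[event.user] += ACTION_RISK[event.action] * sensitivity
        score = self.scores[event.user]
        response = next(resp for bound, resp in TIERS if score < bound)
        return response, score


CARD = "4111 1111 1111 1111"  # constructed test-style number that passes Luhn
SCENARIO = [  # constructed events; dave's 13-digit reference fails Luhn and is not a card
    Event("alice", "internal_share", f"invoice for card {CARD}", 0),
    Event("bob", "email_external", "contact: jane.doe@example.com", 0),
    Event("bob", "usb_copy", f"export: {CARD}", 10),
    Event("bob", "usb_copy", f"export: {CARD}", 15),
    Event("carol", "print", f"refund list {CARD}", 0),
    Event("carol", "print", f"refund list {CARD}", 1),
    Event("carol", "print", f"refund list {CARD}", 2),
    Event("dave", "cloud_upload", "shipment ref 1234567890123", 0),
]


def run_scenario(events=SCENARIO) -> list:
    """Run both engines over the same events; returns one dict per event for comparison."""
    engine = RiskAdaptiveDLP()
    results = []
    for ev in events:
        response, score = engine.decide(ev)
        results.append({"user": ev.user, "action": ev.action,
                        "traditional": traditional_decision(ev),
                        "adaptive": response, "score": round(score, 2)})
    return results


if __name__ == "__main__":
    for r in run_scenario():
        print(f"{r['user']:6} {r['action']:15} traditional={r['traditional']:6} "
              f"adaptive={r['adaptive']:22} score={r['score']}")
```

Running the scenario shows the two gaps the answer describes. The static policy blocks bob's first external email outright because it contains one contact address (the "clunky" allow/deny case), yet allows carol to print card data three times in a row because printing was never written into the policy. The adaptive engine instead lets bob's low-risk email through, steps him up to a justification prompt and then a block as he repeatedly copies card data to USB, and escalates carol from allow to coaching to justification as her score climbs. The Luhn check on dave's shipment reference keeps the content inspection from raising a false positive on a number that merely looks like a card.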