2021 Data Protection Round-Up

2022-01-04

As with the year before, COVID-19 continued to bring ups and downs throughout 2021, with the Omicron variant the latest addition to the challenges. As we turn the page to 2022, here is a look back on the five data protection trends uncovered by the Data Protection Excellence (DPEX) Centre earlier this year.

Join us at our webinar “Five Data Protection Trend Predictions for 2022”, where our panel of speakers will provide insights on where they think the data protection and privacy landscape is headed in the new year.

The DPEX Centre’s data protection and privacy trends forecast for 2021 in ASEAN included:

1. The accelerated digitalisation because of COVID-19 will increase the need for governance of personal data within organisations. There will inevitably be a shift from mainly a legal approach to data protection requirements such as the DPA towards a holistic GRC (Governance, Risk Management and Compliance) perspective of data.

We have seen stricter data protection requirements in the region, with new amendments being made not just in the Philippines but also in Singapore (e.g., new data breach notification). China’s Personal Information Protection Law (PIPL) also came into effect in November 2021.

Many of the regulatory requirements need to be implemented at the operational level, and this has made it challenging for organisations to comply with the laws and sustain their data privacy management programmes (DPMP).

2. We also expect a renewed focus on the importance of third-party management of personally identifiable information (PII) due to resulting automation, digitalisation and WFH initiatives.

We see continued disintermediation and diversification of the supply chain, as well as the complexity involved in the processing of PII, especially from a third-party management perspective. There are also requirements for cross-border data transfers and extraterritorial applications. Organisations and their data processors/intermediaries need to be clear about their respective roles under data protection laws. Some notable breaches arising from third parties include the recent Fullerton Health vendor breach, the Volkswagen and Audi vendor breach and Singtel’s third-party vendor breach.

3. While 2021 will see continued sophisticated cyber threats and data breaches, we also expect more cases of privacy breaches involving intrusive mobile apps as a result of COVID-19 and ongoing automation.

One example of such issues in 2021 was WhatsApp's privacy policy update controversy. Numerous breaches related to mobile apps included Babylon Health, Flo, LINE and Indonesia’s Contact Tracing App.

Organisations should continue to implement what we call the "4Ds" – the Data Protection Officer, Data Protection Impact Assessments (PIAs), and Data Protection by Design in their Data Privacy Management Programme.

4. 2021 will also see GDPR and ISO 27701 firmly established as de facto standards used for operational compliance and data privacy management.

Many of the amendments to existing laws and new upcoming laws in the region, especially in Thailand, Indonesia, India and even China, use GDPR as a reference standard. The planned changes in the Philippines Data Privacy Act are intended to keep the local legislation up-to-date with the GDPR. Hence, organisations in the region are very mindful of the GDPR as a means of ensuring regional compliance with privacy standards.

5. Finally, as public awareness of privacy grows, the importance of certification both at the corporate and individual level will continue to gain momentum driven by the local data protection authorities.

The Singapore and the Philippines authorities continue to lead the way in this region in encouraging local data protection officers and professionals to be certified. For example, the Practitioner Certificate in Personal Data Protection course by Singapore's Personal Data Protection Commission (PDPC), an exam-based certification for local DPOs, was extended to three days in 2021.

In the Philippines, the National Privacy Commission (NPC) launched its Training the Trainers Program (T3) and expanded the DPO ACE (Accountability, Compliance and Ethics) programme, aimed at establishing a skills benchmark for local privacy professionals.

There is a growing trend of individuals seeking formal privacy expertise and training – whether to advance their careers or pursue separate business opportunities – as more data breaches arise. Click here to find out more about a learning roadmap to start your data protection journey.

Find out more about the future of data protection in the region and how it affects your organisation in our Five Data Protection Trend Predictions for 2022 webinar with the authors of the “99 Privacy Breaches to Beware of”.
