We cannot ignore the impact of the COVID-19 pandemic. It has affected the data protection landscape significantly, just as it has other industries - companies have rushed to digitalise their businesses and put in place work-from-home (WFH) or remote work measures without necessarily ensuring proper security measures.
In fact, the pandemic of 2020 turbocharged the digital transformation of many organisations. Companies that had been waiting on the sidelines were given little choice but to adapt to the wave of change in delivering products and services. Digital transformation comes with digital risks and vulnerabilities - both from a security and a privacy perspective. Organisations need to implement data protection measures to address these digital risks.
Through our research and study, we see the following five challenges and trends for 2021 in ASEAN:
1. The accelerated digitalisation because of COVID-19 will increase the need for governance of personal data within organisations. There will inevitably be a shift from mainly a legal approach to data protection requirements such as the DPA towards a holistic GRC (Governance, Risk Management and Compliance) perspective of data.
As organisations cope with the impact of COVID-19 and put together safe measures as well as measures to ensure business survival, there will be continued security vulnerabilities and privacy issues (including increasing surveillance at the national and the workplace level).
We are already seeing stricter public and private sector data protection requirements in the region with new amendments being made not just in the Philippines but also in Singapore (e.g. new data breach notification). And there will soon be new laws in place in Thailand and Indonesia.
These requirements, many of which need to be implemented at the operational level, will make it challenging for organisations to sustain their data privacy management programs without active focus, and will therefore require stricter regular audits.
2. We also expect a renewed focus on the importance of third party management of PII due to resulting automation, digitalisation and WFH initiatives.
The complexity involved in processing of PII, especially from a third party management perspective, will create many challenges for both organisations and their data processors as we see continued disintermediation and diversification of supply chain. There will also be requirements for cross-border data transfer and extra-territorial application to take into account.
Governments too will be concerned about how citizens' data are handled and are therefore expected to do more due diligence and impose stricter requirements and audits on third party vendors.
Therefore, both organisations and their data processors / intermediaries will need to be clear about their respective roles under data protection laws.
(Case studies of breaches arising from third party, mentioned in the webinar, 5 Trends Predicted for 2021 can be found here:
3. While 2021 will see continued sophisticated cyber threats and data breaches, we also expect more cases of privacy breaches involving intrusive mobile apps as a result of COVID-19 and ongoing automation.
From an enforcement angle, cases involving breaches of the EU's General Data Protection Regulation (GDPR) almost doubled in 2020 compared to 2019, with 309 cases tracked (a growth of about 88% compared to previous years). Despite the COVID-19 situation in Singapore, the number of organisations that got into trouble with the law continued to increase from 51 to 54 (despite four months of enforcement inactivity).
Organisations need to continue to reinforce what we call the “4Ds” in 2021 - Data Protection Officer, Data Protection Impact Assessments (PIAs), Data Protection by Design in their Data Privacy Management Program.
4. 2021 will also see GDPR and ISO 27701 firmly established as de facto standards used for operational compliance and data privacy management.
Many of the new upcoming laws and amendments in the region, especially in Thailand, Indonesia, India and even China, use GDPR as a reference standard. Even the upcoming changes in the Philippines Data Privacy Act are intended to keep the local legislation up-to-date with the GDPR.
Organisations operating in the region are therefore expected to use GDPR to ensure regional compliance. And we also expect ISO 27701, which is the international standard for privacy management systems, to gain greater adoption in 2021 and the years ahead as it is jurisdiction-neutral.
5. Finally, as public awareness of privacy grows, the importance of certification both at the corporate and individual level will continue to gain momentum driven by the local data protection authorities.
The Singapore and the Philippines authorities lead the way in this region in encouraging local data protection officers and professionals to be certified. More companies and individuals are expected to acquire data protection competencies and qualifications in 2021.
For example, the successful Practitioner Certificate in Personal Data Protection from Singapore's PDPC (Personal Data Protection Commission), which is an exam-based preparation and certification for local DPOs, is being extended from two days to three days and will roll out in 2021.
In the Philippines, the NPC (National Privacy Commission) is expected to also roll out its own certification program by accrediting organisations to conduct the DPO ACE (Accountability, Compliance and Ethics) program, aimed at establishing a skills benchmark for local privacy professionals.
As more cases involving privacy arise, many more individuals will embark on their own initiatives to acquire formal privacy expertise and training - whether it is to enhance their own career or pursue separate business opportunities.
In short, organisations need to implement a comprehensive yet practical, business-oriented data privacy and protection management program that supports their business goals and minimises digital privacy risks.
Organisations need to adopt an effective, easy to administer privacy management program where it can assess the various risks in its digital transformation journey by:
Companies need to adopt a framework that allows them to methodically execute a privacy program, while providing room for further improvements to optimise the program's tangible contribution to the company's business objectives.
Based on Manila Bulletin's interview with Kevin Shepherdson - Fellow of Information Privacy, CIPM, CIPP/A, CIPP/E, CIPT, Exin (GDPR, Infosec), GRCP
For forum discussion on the 5 Data Protection Trends webinar, please click on https://www.dpexnetwork.org/discussions/forum/regulators-decisions-and-enforcements/JLiAAhmM6T/topic/post-webinar-forum-26-jan-five-data-protection-trend-predictions-for-2021/hApjkMzfMV5cTvWbyLX2Zg/