7 impending Data Protection Trends in the region for 2020 (Part 2)

This is a continuation of the post An overview of the 7 impending Trends in Personal Data Protection for 2020 (Part 1).

4. Shift from Local to Regional compliance with multiple regional presence

By end of 2020, at least five countries in the ASEAN region are on schedule to have data protection laws (Singapore, Malaysia, Philippines, Thailand and Indonesia). Thailand will fully enforce its law by 28 May 2020 and Indonesia, the most populous Muslim country, has said that it will be including its draft bill in the national legislation program (Prolegnas) of 2020.

Since data protection laws are based typically on common OECD principles the next natural step is for regulators to agree on mutual co-operation. MOUs have been signed between Singapore's PDPC and Hong Kong's Privacy Commissioner for Personal Data (PCPD), and between Singapore's PDPC and Philippines' NPC. At the 52nd Asia Pacific Privacy Authorities (APPA) Forum in December 2019, the Philippines NPC announced the effectiveness of their enforcements in the online money lending sector and was willing to share its learnings with the other Data Protection regulators.

ASEAN's northern neighbour, China, the biggest economic powerhouse announced that it will start drafting its own laws for personal data protection next 2 years. It being featured in the first-category (high-priority) of legislative projects in March 2020 is a strong signal that the PRC government is resolved to provide legal certainty and do away with the existing fragmented landscape of data protection regulations.

Neighbouring country, India, the second most populous economy in the world, introduced a data protection bill into its legislature in late 2019 and has referred it to a joint select committee. It is expected to get legislative approval after dealing with any recommendations arising out of that review, hopefully in early 2020.

In grappling with the new data protection regulations in the region, organisations with multiple regional presence will see the need to apply the requirements to all their business. RHQ (Regional Headquarters) operating in the region will have to make a management decision if they need to:

1. impose the most stringent standards to base their operations upon which will meet the requirements of all jurisdictions or
2. having variations of “lite versions”. Even if they are using variations of “lite versions”, there will be a need then to seal their transactions with legally binding tools to facilitate cross-border transfers of personal data.

5. Significant rise in demand for data protection expertise and professional certification

The International Association of Privacy Professionals, the IAPP, estimated there would be 75,000 DPO jobs worldwide because of GDPR requirements. However, it did not forsee that the GDPR would also significantly increase DPOs in countries outside Europe as a result of many countries using the GDPR as a yardstick for their data protection laws . Some jurisdictions (e.g. Singapore, Philippines) are even making it mandatory to have DPOs. By end of 2020, all ASEAN countries with data