7 impending Data Protection Trends in the region for 2020 (Part 2)

This is a continuation of the post An overview of the 7 impending Trends in Personal Data Protection for 2020 (Part 1).

4. Shift from Local to Regional compliance with multiple regional presence

By end of 2020, at least five countries in the ASEAN region are on schedule to have data protection laws (Singapore, Malaysia, Philippines, Thailand and Indonesia). Thailand will fully enforce its law by 28 May 2020 and Indonesia, the most populous Muslim country, has said that it will be including its draft bill in the national legislation program (Prolegnas) of 2020.

Since data protection laws are based typically on common OECD principles the next natural step is for regulators to agree on mutual co-operation. MOUs have been signed between Singapore's PDPC and Hong Kong's Privacy Commissioner for Personal Data (PCPD), and between Singapore's PDPC and Philippines' NPC. At the 52nd Asia Pacific Privacy Authorities (APPA) Forum in December 2019, the Philippines NPC announced the effectiveness of their enforcements in the online money lending sector and was willing to share its learnings with the other Data Protection regulators.

ASEAN's northern neighbour, China, the biggest economic powerhouse announced that it will start drafting its own laws for personal data protection next 2 years. It being featured in the first-category (high-priority) of legislative projects in March 2020 is a strong signal that the PRC government is resolved to provide legal certainty and do away with the existing fragmented landscape of data protection regulations.

Neighbouring country, India, the second most populous economy in the world, introduced a data protection bill into its legislature in late 2019 and has referred it to a joint select committee. It is expected to get legislative approval after dealing with any recommendations arising out of that review, hopefully in early 2020.

In grappling with the new data protection regulations in the region, organisations with multiple regional presence will see the need to apply the requirements to all their business. RHQ (Regional Headquarters) operating in the region will have to make a management decision if they need to:

1. impose the most stringent standards to base their operations upon which will meet the requirements of all jurisdictions or
2. having variations of “lite versions”. Even if they are using variations of “lite versions”, there will be a need then to seal their transactions with legally binding tools to facilitate cross-border transfers of personal data.

5. Significant rise in demand for data protection expertise and professional certification

The International Association of Privacy Professionals, the IAPP, estimated there would be 75,000 DPO jobs worldwide because of GDPR requirements. However, it did not forsee that the GDPR would also significantly increase DPOs in countries outside Europe as a result of many countries using the GDPR as a yardstick for their data protection laws . Some jurisdictions (e.g. Singapore, Philippines) are even making it mandatory to have DPOs. By end of 2020, all ASEAN countries with data protection laws will likely have at least some DPO requirements (for example, in selected sectors where a large quantity of personal data is involved ). They all require new DPOs to be trained, much in line with the GDPR.

Data protection requirements such as DPO, DPMP, DPIA, Data Flow, DPbD all require specialised expertise therefore creating more demand for DPOs and DP expertise. It is expected there will be an acute shortage of DPOs in ASEAN with Singapore anticipated to need about 10,000 by end of 2020. To meet the growing demand, countries will roll-out national education curriculums for DPOs and with them will emerge a multi-disciplinary approach to data protection. To address bandwidth for the tsunami of demand for DPO skills, traditional classroom training will have to be augmented with e-learning.

In Singapore the number of individuals attending data protection certification courses offered by Straits Interactive increased 10-fold in the 3 years from 2016 to 2019.

In a globalised world, many business processes and principles of data protection share similarities. To this end internationally recognised certification (e.g. CIPM, CIPT, CIPP) will also become increasingly important as more trans-border work and transfer of data takes place.

6. Emphasis on data protection audits as well as increased adoption of data protection certification frameworks and trustmarks amid certification challenges

Frameworks such as the APEC Cross border privacy rules (CBPR) and Privacy Recognition for Processors (PRP); ASEAN Privacy Framework is set to get greater prominence in the next few years. The APEC Cross border Privacy Rules (CBPR 2011) were set up for the Controllers (organisations), followed by Privacy Recognition of Processors (PRP 2015) for Processors (data intermediaries). To support these initiatives, the Privacy Enforcement Authorities (Cross Border Privacy Enforcement Arrangement (CPEA) were established with the ability to take enforcement actions under applicable domestic laws and regulations consistent with the CBPR program requirements. Presently, there are only 9 participating members in CBPR – USA, Canada, Mexico, Australia, Japan, South Korea, Taiwan, Singapore, and the Philippines. With the laws being passed or upgraded, active membership of these various schemes is set to grow.

Within ASEAN, member-countries adopted an ASEAN Privacy Framework to facilitate cooperation in the field of Information and Communications Technology (ICT), for a digitally-enabled economy that is secure, sustainable and transformative. With each country already embarking on laws and standards, it was envisaged that an ASEAN Economic Community (AEC) Blueprint could be adopted by 2025 in which a framework for personal data protection could be deployed.

As the number of enforcements increased regionally and globally, organisations would be motivated to have a recognised data protection programme, have it recognised or certified and through the recognition from the certifications, gain a form of ROI. 

Certification however requires audit which itself is meticulous. To comply with the certification criterions many organisations will face operational challenges and restrictions when they face the certification audit and the prescribed changes required.

In Singapore, the audit for data protection trust mark is so stringent that only 19 organisations have been certified (as of January 2020) since its launch in July 2018. However, the reward is great, given the trade volume with EU is in excess of €240billion and ASEAN’s trade surplus with the EU is about €40 billion, as a headline summarised, the opportunities outweigh the challenges.

7. Emergence of established and new players in the ASEAN region offering data protection services and solutions

As data protection is still relatively new to ASEAN, there is a lot of learning and adaptation taking place. New players will be drawn by the opportunity required to provide consultancy and solutions to the many organisations within the region. As the profession develops, there will be specialisation: specific expertise and software automation will evolve from the development from the trends. Broadly these are: more intensive enforcements, the use of certification/trustmark frameworks and the extension of data protection to regional and international compliance (hence the relevance of GDPR as a benchmark).

Established international players such as OneTrust and TrustArc are creating their own eco-systems. OneTrust acquired data guidance/e-learning platform from IAPP in November 2019 and almost simultaneously, Trust Arc acquired Nymity. More consolidations are expected

Recognising the need for data protection expertise in ASEAN, Straits Interactive has created and is growing the Data Protection Excellence Network, partnering renowned Universities in the region to develop a skill / knowledge development programme in data protection. Concurrently. necessary tools are being developed to enable DPOs to effectively implement a Data Protection Management Programme (DPMP) for organisations. These include eLearning and dash-boards for DPOs to track the DPMP. It is necessary to deploy such means to ease the demand once laws are enacted; there is an insufficient supply of data protection expertise to provide consultancy through the traditional approach.

As the data protection eco system develops, specialists are required: legal firms (KPMG, Deloitte, PWC, R&T, B&M, etc), cyber insurance, cyber forensics, PR firms will have to learn how to manage data incidents or breaches.

These trends will be an impetus to changes to organisational behaviour and business processes. In ASEAN and many of the less developed economies in Asia, the development in data protection is largely driven from the legislation and long-term business interests rather than from individuals and lobby-groups at least for 2020 and the medium term. With increasing awareness, customers are also beginning to expect a higher level of care for their personal data. This will surely propel changes in the longer term.

Article contributed by

Kevin Shepherdson (FIP, CIPM, CIPP/A, CIPP/E, CIPT, GRCP), Lyn Boxall (FIP, CIPM, CIPP/A, CIPP/E, GRCP) ,  William Hioe (FIP, CIPM, CIPP/A, CIPP/E, CIPT, GRCP)