Large gaps still need to be bridged to effectively ensure data privacy and security.
There were many defining moments for data privacy in 2018, from Mark Zuckerberg’s highly publicised testimony before the US Congress to the impactful launch of the European Union’s General Data Protection Regulation.
Many nations in Asia Pacific have also updated their data protection and privacy regulations. In Singapore, for instance, updates to the Personal Data Protection Act (PDPA) marked the regulatory body’s heightened focus on how organizations are dealing with corporate and consumer data.
According to a recent report, the number of organizations breaching Singapore’s PDPA has jumped to a new annual high, with a total of S$1.28 million in fines having been issued so far in 2019.
After more than a year, many organizations in the region still find it a challenge to understand their responsibilities for managing data resources and to enforce the necessary processes.
One particular area organizations are struggling with – also the first step of any data privacy management programme – is understanding and identifying data assets, many of which are redundant or hidden within the network.
There is therefore a very strong case for rectifying this problem, from building trust to ensuring compliance to paving the way for more advanced threat intelligence. But how can organizations achieve this goal? CybersecAsia spoke to Reuben Sinclair, Director, Cybersecurity, Asia Pacific & Japan, Micro Focus, for some answers.
How important is it for organizations to get the terminology right – for instance “data privacy” versus “security” – to be able to fight ongoing threats?
Sinclair: In short, data privacy is all about the way data is treated in accordance with an individual’s right to data privacy – it’s basically a legal issue. This concerns who has the right to store, process and analyze personal information and how these actions are authorized – we describe this as a defensible disposition of the data.
On the other hand, data security, in a cybersecurity context, is about the technical measures organizations take to enable and assure data privacy. In other words, data security is about the technical and procedural implementation of what data privacy law requires us to do.
While these terms are currently being fuzzed, it is important to understand that data privacy requirements are not discretionary as they are mandated by law and it is critical for organizations to properly protect their data assets.
What are the common gaps in data management processes within organizations in Asia Pacific?
Sinclair: Currently, there are multiple gaps in data maturity across Asia Pacific.
Firstly, considering how diverse our region is, the understanding of personal information protection requirements and privacy laws varies in each country. Recently, many countries have drawn inspiration from the European Union’s General Data Protection Regulation (GDPR) laws, which came into effect last year. However, the legal frameworks in several markets are not mature or well established yet. For instance, while Singapore, Australia, the Philippines and Japan have already implemented similar or stricter regulations, other countries such as Indonesia, Taiwan and Thailand are still in the planning and approval stage of strengthening their data privacy laws.
Secondly, even as the region’s spending on security-related services is expected to reach USD16 billion this year, there is still a general lack of awareness about the risks to personal data. This includes the measures that organizations must take to protect not only the citizen/consumer, but also to safeguard their own brands and reputation should data be compromised by a breach.
Thirdly, many organizations are not updated or well-informed on regulatory requirements. Although almost 50 percent of organizations in Asia-Pacific demonstrate data and analytics maturity, the increasing complexity of data means that many organizations are still lacking the capabilities needed to put together a comprehensive data strategy.
When it comes to data privacy awareness, how do Asia Pacific organizations fare?
Sinclair: There is definitely raised awareness and progression, especially propelled by governing data privacy laws in some countries. We’ve noted customers understanding that data privacy is not just an IT responsibility, but a combined effort led by the Governance & Compliance or Data Privacy Office. Organizations in certain countries, such as the Philippines and Singapore, are appointing data privacy/data protection officers. But despite existing data privacy policies and manuals, significant work remains to help organizations achieve data privacy maturity.
With a majority of companies in the region ramping up their digital transformation initiatives, many are still struggling to understand their responsibilities when it comes to collecting, storing and applying data sets. Business and IT leaders have yet to achieve a comprehensive view of all their data assets, many of which are redundant or hidden within the network. Considering that digital data created will increase to 180 zettabytes by 2025 globally, it’s concerning that many companies have yet to equip themselves with the right tools to cope with the ongoing data explosion.
What could be done to plug these gaps and to increase awareness?
Sinclair: It’s imperative that companies put in place a structured and comprehensive data management program that provides a full view of data inventories, allowing businesses to discover their data assets and map data flows within the organization and to/from third parties throughout the information lifecycle. This program needs to have five key elements:
1. Establish privacy leadership – Businesses should formally appoint a data privacy officer whose responsibilities include ensuring the distinction between the IT and cybersecurity offices and budgets. The privacy officer should essentially be an internal customer of the IT and cybersecurity functions.
2. Formalize data privacy program – Since businesses cannot entirely protect all data that is conveyed to/from the organization, they must develop a data privacy program to help them selectively and intelligently leverage data for business value. By launching a program with a privacy policy and customer data privacy charter, businesses can save time, money and effort by overcoming data security challenges.
3. Discover data – If businesses start by implementing a data discovery process and assessing data assets’ impact based on the daily business operations, it makes it easier to define and protect the personal data flow and storage ecosystem across the organization.
4. Minimize data risk with cleaning – Every day, employees transfer huge amounts of information across platforms, rearrange, manipulate and compile databases and datasets. This significantly increases organizations’ vulnerability to cyberattacks through negligence or simply the presence of unknown, unquantified data risks.
5. Implement repeatable data risk management controls – On the remaining data, organizations can implement, manage, monitor, and maintain technical and procedural cybersecurity measures focusing on access control. This starts with identifying and dispensing with Redundant, Obsolete or Trivial (ROT) data, reducing both data breach risk and operational costs. Alternatively, organizations can also rely on Robotic Process Automation, which helps organizations to automate business processes using ‘robo workers’ capable of minimizing errors and securing the IT environment.
How could the issue of data privacy serve as an opportunity for businesses to differentiate themselves?
Sinclair: We observe that some customers in Asia Pacific are starting to understand the monetization element of data privacy – they are realizing that in their efforts to achieve or maintain regulatory compliance, there is an opportunity to enhance the performance of IT systems and reduce cost. This was evident mainly in our Data Privacy Manager (DPM) conversations. For example, customers will observe benefits and ROI from proper management of ROT data, optimizing the performance of central systems and making them more resilient.
In terms of business insights and improvement of customer experience, data analysis is increasingly important. Organizing customer data in ways which satisfy the privacy laws can also help to make it easier to search, analyze and optimize data for business reasons.
This data-driven approach is quickly gaining traction across the business world as digital tools designed to extract value from data become more advanced. Organizations are amassing unprecedented volumes of data with the aim to unlock critical market and consumer insights that will inform their decision making, through predictive analytics. And when data is shared among trusted partners within an ecosystem – across the different functional groups within an organization or between business partners – the possibility of new insights that benefit the involved parties increases exponentially.