
Survival kit for complying with GDPR and other regulations in APAC

03 Nov 17

A recent article published by The Guardian brought the issue of selling and buying anonymized data to the fore. A team consisting of a journalist and a data scientist acquired supposedly anonymous personal user data and discovered that, using simple sleuthing and reverse engineering, they could de-anonymize it and, in some cases, piece together comprehensive profiles of the actual users.

Alarming as it sounds, selling and buying anonymized data is legal in many countries, and anonymizing sensitive information has long been the main defense relied on by companies that broker their customer data. This will change very soon, as the General Data Protection Regulation, or GDPR, comes into effect in May 2018. Under the GDPR, data that can still be traced back to an individual by such means counts as personal data, not anonymous data.

The GDPR arrives at a point where the old data protection rules have lost their relevance and cyberattacks are happening at an increasing pace. It was devised to match users' evolving internet needs, including the explosive growth of social media and big data, and to replace the disparate national regulations enforced across the European Union (EU) with a single set of rules.

Asian countries are grappling with multiple regulations

However, the impact of the GDPR reaches far beyond the EU: it applies to any organization, wherever it is based, that processes the personal data of individuals in the EU, for example by offering them goods or services or by monitoring their behaviour. This could mean that a huge number of Asian companies now need to understand the nuts and bolts of the GDPR and quickly figure out a path to compliance. Noncompliance will carry a hefty price: fines of up to EUR 20 million (roughly US$21 million) or 4% of the company's worldwide annual turnover, whichever is higher.

Adding to the changing landscape are the new data protection laws imposed by many Asian governments. Hong Kong was one of Asia's earliest adopters of comprehensive data privacy regulation: the Personal Data (Privacy) Ordinance (PDPO), in force since 1996, set out rules for businesses collecting, using and disclosing personal data.

Similarly, the Philippines passed its Data Privacy Act in 2012, with the implementing rules coming into force in late 2016. In China, the new Cybersecurity Law became enforceable on June 1 this year. Singapore introduced its Personal Data Protection Act a few years ago, and new regulations are slated to be announced.

Other laws in the region include the Notifiable Data Breaches scheme in Australia, the Act on the Protection of Personal Information (APPI) in Japan, and the Information Technology Act in India.

Needless to say, the landscape is now more complex. Asian businesses must not only abide by their own country-specific rules and regulations; if they deal with the EU, they need to comply with the GDPR too. With the deadline approaching, many companies are scrambling to improve their data protection posture.

Here are three main steps businesses can take towards being fully compliant with these regulations.

Working on encryption

Gemalto has been compiling its data breach index (the Breach Level Index) since 2013. Our numbers show that more than nine billion data records have been stolen or lost in data breaches since then, which works out to roughly five million records compromised per day globally. Only 4% of these were "secure breaches", in which the stolen data was encrypted and therefore useless to the attackers.

Today, businesses face the omnipresent threat of a damaging data breach; even large companies with substantial security protection have fallen victim to malware and targeted attacks. In such a climate we cannot emphasize enough the importance of encryption, which renders users' personal information unreadable to anyone who does not hold the decryption key. Even if encrypted data is stolen, it cannot be monetized or sold on the underground market, provided the keys were not stolen along with it.

Ultimately, a business must understand what data it produces and which of it is most valuable or sensitive, so that encryption is applied where it matters. Encryption should be treated as standard procedure, and processes should be put in place to give the business basic control over who can access the data.

Secure encryption key management

On that note, businesses should also augment their security framework with an encryption key management strategy that gives them better accountability and assurance. Since the encryption keys are what unlock large amounts of data, they are best stored in purpose-built hardware, such as a hardware security module, kept separate from the systems and networks that hold the encrypted data. Without effective key management, it is like fitting your house with the best security, only to leave the key under the doormat for the burglar to find.
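As an added illustration of the two points above, encrypting the data and keeping the keys apart from it, here is a small Go program (written for this page; it is not Gemalto's code or anything from the original article) that uses envelope encryption: each record is encrypted under its own random data key, and that data key is itself encrypted under a master key that never leaves a separate key store. The KeyStore type is a hypothetical stand-in for an HSM or key management service, and the sample record is constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore is a hypothetical stand-in for an HSM/KMS: it holds the
// key-encryption key (KEK) and only ever wraps or unwraps data keys.
type KeyStore struct {
	kek []byte
}

// NewKeyStore generates a fresh 256-bit KEK (in practice done inside the HSM).
func NewKeyStore() (*KeyStore, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyStore{kek: kek}, nil
}

// aeadSeal encrypts and authenticates plaintext with AES-256-GCM under key,
// binding it to aad; the random nonce is prepended to the output.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal; any tampering with ciphertext or aad fails.
func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

func (ks *KeyStore) WrapDEK(dek []byte) ([]byte, error)     { return aeadSeal(ks.kek, dek, []byte("dek")) }
func (ks *KeyStore) UnwrapDEK(wrapped []byte) ([]byte, error) { return aeadOpen(ks.kek, wrapped, []byte("dek")) }

// Record is what the application database stores: ciphertext plus the
// wrapped data key, never a plaintext value and never a raw key.
type Record struct {
	ID         string
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptRecord makes a fresh data key per record, encrypts the value under it
// and stores only the wrapped form of that key alongside the ciphertext.
func EncryptRecord(ks *KeyStore, id string, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := aeadSeal(dek, plaintext, []byte(id)) // bind ciphertext to its record ID
	if err != nil {
		return Record{}, err
	}
	wrapped, err := ks.WrapDEK(dek)
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord asks the key store to unwrap the data key, then decrypts.
func DecryptRecord(ks *KeyStore, r Record) ([]byte, error) {
	dek, err := ks.UnwrapDEK(r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return aeadOpen(dek, r.Ciphertext, []byte(r.ID))
}

func main() {
	ks, _ := NewKeyStore()
	// Constructed sample record for the demonstration.
	rec, _ := EncryptRecord(ks, "user-42", []byte("Jane Doe, +852 5555 0000"))
	fmt.Printf("stored: id=%s wrappedDEK=%x... ct=%x...\n", rec.ID, rec.WrappedDEK[:8], rec.Ciphertext[:8])
	pt, _ := DecryptRecord(ks, rec)
	fmt.Println("decrypted:", string(pt))
	// A party without the KEK (a different key store) cannot unwrap the data key.
	other, _ := NewKeyStore()
	if _, err := DecryptRecord(other, rec); err != nil {
		fmt.Println("without the KEK:", err)
	}
}
```

A copy of the database alone yields only ciphertext and wrapped keys; whoever lacks the master key cannot unwrap them, which is what turns a breach into a "secure breach" in the sense used above. In production the master key would be generated inside the HSM and the wrap and unwrap calls would go over its API rather than to an in-process struct.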

Access management through strong authentication

Encryption itself is very effective, but the keys must be safeguarded so that unauthorized individuals cannot obtain them. Businesses should therefore also focus on who is authorized to access valuable and sensitive data, and on how that authorization is proven.

The best approach is to use two-factor authentication, which requires an employee to present something they have, such as a phone or hardware token that generates or receives a one-time code, in addition to something they know, such as a password, rather than a single password that can be guessed or stolen. Because the one-time code changes constantly, a captured code is of little use to an attacker. These technologies are readily available, but need to be more widely adopted by businesses.
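The "constantly changing code" is in practice usually a time-based one-time password (TOTP, RFC 6238) produced by an authenticator app or token. The following Go program is an added example, not from the original article, showing the server side of that check: it derives the expected code from a shared secret and the current time step, tolerates one step of clock drift either way, compares in constant time, and refuses to accept the same time step twice. The secret is the RFC 6238 test secret, used here only so the output can be checked against the published vectors; the Verifier type and its skew parameter are this example's own design.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strconv"
	"time"
)

const (
	totpStep   = 30 // seconds per time step (RFC 6238 default)
	totpDigits = 6
)

// hotp computes an RFC 4226 HMAC-SHA1 one-time password for a counter value.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	// Dynamic truncation: low nibble of the last byte picks a 4-byte window.
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp is hotp with the counter derived from Unix time (RFC 6238).
func totp(secret []byte, unix int64) string {
	return hotp(secret, uint64(unix/totpStep), totpDigits)
}

// Verifier holds the per-user state a server needs to validate codes safely.
type Verifier struct {
	secret   []byte
	lastStep int64 // highest time step already accepted; blocks replay
	skew     int64 // steps of clock drift tolerated in each direction
}

func NewVerifier(secret []byte, skew int64) *Verifier {
	return &Verifier{secret: secret, lastStep: -1, skew: skew}
}

// Verify accepts a submitted code at most once per time step: a code that was
// already used is rejected even if the clock still considers it current.
func (v *Verifier) Verify(code string, now int64) bool {
	if len(code) != totpDigits {
		return false
	}
	if _, err := strconv.Atoi(code); err != nil {
		return false
	}
	step := now / totpStep
	for d := -v.skew; d <= v.skew; d++ {
		s := step + d
		if s <= v.lastStep {
			continue // this step (or an earlier one) was already consumed
		}
		expected := hotp(v.secret, uint64(s), totpDigits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.lastStep = s
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, for demonstration only
	now := time.Now().Unix()
	code := totp(secret, now)
	v := NewVerifier(secret, 1)
	fmt.Println("code:", code, "accepted:", v.Verify(code, now))
	fmt.Println("same code again:", v.Verify(code, now))
}
```

With the test secret, the code for Unix time 59 is 287082 and for 1234567890 it is 005924, matching the RFC 6238 vectors. The replay check matters in practice: without it, a code phished from a user remains valid for the rest of its 30-second step, and with drift tolerance for longer.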

Article by Rana Gupta, vice president, Enterprise & Cybersecurity, Asia Pacific, Gemalto.
