Asia’s data privacy landscape is ‘coming of age’ – how can businesses cope?
"Congratulations on your new convertible!"… reads the email from a car dealer confirming your purchase of a brand-new car, with your personal details and credit card information.
The only catch is you never purchased the car to begin with.
Identity theft and online fraud are becoming more prevalent than ever. A recent IBM study revealed that stolen or compromised credentials were responsible for 19% of data breaches this year. In Singapore alone, over SG $200 million was lost to scams, primarily online, in the first half of 2022.
Not to mention the reputational and financial impact of such breaches on businesses, from lost customers to lost revenue. In fact, the average cost of a data breach has climbed more than 12% from US $3.86 to US $4.35 million since 2020.
The good news is that the laws designed to protect and preserve our data are evolving.
In Asia, many jurisdictions have substantially updated their data protection regimes, creating an environment where data is protected with even greater care.
Singapore recently made amendments to its Personal Data Protection Act (PDPA), including mandatory notifications to the Personal Data Protection Commission and higher financial penalties for data breaches. In Japan, similar amendments, and more, have been made to the Act on the Protection of Personal Information (APPI). It is safe to say that Asia's data privacy landscape is 'coming of age'.
However, this also means a more complex and challenging regulatory landscape to navigate. How can businesses keep up and address data privacy thoroughly?
To start, here are three key steps to consider:
1. Know your data
Believe it or not, most enterprises do not know where their sensitive data is or if they have sensitive data at all.
Risky and sensitive data may not simply be present in emails, documents, and business applications but also in rich media files like audio recordings, images, and videos. Furthermore, not all data that an organisation stores is in the scope of regulations such as the PDPA or APPI, risking accidental non-compliance if unidentified. With data coming in from multiple sources and in multiple formats, identifying sensitive and compliant information can seem like an insurmountable task.
This is where data discovery solutions can prove effective. Data discovery tools can identify sensitive information from unstructured or structured data of up to 1,000 formats and subsequently profile the risk of this data. Many such solutions today are also fitted with compliance capabilities to identify what portion of the information stored, including personally identifiable information, is subject to local regulations and laws. This ultimately reduces the compliance burden on enterprises.
2. Make your data useless to hackers
Sensitive data is bait for hackers, and while we cannot guarantee that data will not be breached, businesses can contain the damage by ensuring hackers do not derive value from stolen information.
This is done by leveraging technology that prevents data from being linked to an identity, a process known as encryption and tokenisation. Sensitive data is encrypted and linked to unique tokens, such that authorised users can still see it in its original format, but malicious actors are unable to view or use the data. This way, the information is rendered useless to hackers.
3. Enforce policies and security controls
An end-to-end data privacy strategy should also be accompanied by identity and access management policies and threat detection for added protection.
For example, it is important to define who has access to sensitive data, how they may use it, and the associated risks. At the same time, having the capability to identify early signs of potential breaches with technology can enable security operations to take control and prevent breaches from the get-go.
In the long run, this helps to not only secure data but also avoid financial penalties of being breached, as mandated under regulations such as the PDPA or APPI, among others.
For businesses looking to operate in Asia, these three steps are essential to remaining competitive amid a varied, complex, and evolving regulatory landscape.