
Survival kit for complying with GDPR and other regulations in APAC

03 Nov 2017

A recent article published by The Guardian brought the issue of selling and buying anonymized data to the fore. A team comprised of a journalist and a data scientist acquired supposedly anonymous personal user data and discovered that, by using simple sleuthing and reverse engineering methods, they could successfully de-anonymize these data, and in some cases, even piece together comprehensive profiles of the actual users.

Alarming as it sounds, selling and buying anonymized data is legal in many countries. Anonymizing sensitive information used to be the best defense for companies brokering their customer data. That will change very soon, as the General Data Protection Regulation, or GDPR, comes into effect in May next year: data that can be re-identified, as in the Guardian experiment, is not anonymous in the GDPR's sense and remains personal data subject to the regulation.

The GDPR arrives at a juncture where the 1995 data protection rules it replaces no longer fit how data is used, and cyberattacks are happening at an increasing pace. The regulation is devised to correspond to users' evolving internet needs, including the exploding use of social media and big data. GDPR also aims to unify the disparate regulations followed and enforced in different countries across the European Union (EU).

Asian countries are grappling with multiple regulations

However, the impact of GDPR will be far-reaching beyond the EU: it applies to any organisation, wherever it is located, that offers goods or services to people in the EU or monitors their behaviour. This could mean that a huge number of Asian companies now need to understand the nuts and bolts of the GDPR and quickly figure out a path to compliance. Noncompliance, on the other hand, will incur a hefty price: fines of up to EUR 20 million (about $21 million at the time of writing) or 4% of the company's annual global turnover, whichever is higher.

Adding to the changing landscape are the new data protection laws imposed by many Asian governments. For instance, Hong Kong is one of Asia’s earliest adopters of comprehensive data privacy regulation. Instated in 1996, the Personal Data Privacy Ordinance (PDPO) outlined policies for businesses collecting, using, and disseminating personal data.

Similarly, the Philippines government passed the Data Privacy Act in 2012, and the final implementation came into force in late 2016. In China, the new Cybersecurity Law became enforceable on June 1 this year. In Singapore, the Personal Data Protection Act was introduced a few years ago, and new regulations are slated to be announced. 

Other laws in the region include the Notifiable Data Breaches scheme in Australia, the Act on the Protection of Personal Information (APPI) in Japan, and the Information Technology Act in India.

Needless to say, the landscape is now more complex. Not only do Asian businesses have to abide by country-specific rules and regulations; if they deal with the EU, they need to comply with GDPR too. Before the deadline hits, many companies are scrambling to enhance their data protection posture.

Here are three main steps businesses can take towards being fully compliant with these regulations.

Working on encryption

Gemalto has been building a data breach index since 2013. Our numbers show that since then, more than nine billion data records have been stolen or lost in data breaches, translating to five million records compromised per day globally. Of all these breaches, only 4% were "secure breaches", where encryption was used and the stolen data was rendered useless to the attackers.

Today, businesses are confronting the omnipresent threat of a serious data breach; even big companies with substantial security protection have fallen victim to malware and deliberate attacks. In a time like this, we cannot emphasize enough the importance of encryption, which scrambles users' personal information so that it is unreadable to anyone without the key. Even when encrypted data is stolen, it cannot be monetized or sold on the underground market.

Ultimately, businesses must understand what data they produce and which of it is most valuable or sensitive, so that encryption can be applied where it matters. Implementing encryption should be seen as a standard procedure, and processes should also be put in place to give the business fundamental control over who can access the data.

Secure encryption key management

On that note, businesses should also augment their security framework with an encryption key management strategy that gives them better accountability and assurance. Because encryption keys unlock large amounts of data, they are best kept in purpose-built hardware (a hardware security module) that never releases key material in the clear and is kept separate from the systems holding the encrypted data. Without effective key management, it is akin to fitting your house with the best security, only to leave the key under the doormat for the burglar to find.
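The separation the paragraph above describes is usually implemented as envelope encryption: each record is encrypted under its own data key, and that data key is in turn wrapped by a key-encryption key that lives only inside the HSM or key service. The following is an added example, not Gemalto's code or any product's API; the `KeyVault` type is a hypothetical stand-in for an HSM that wraps and unwraps data keys without ever exposing its own key, and the customer record is constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// aesGCMSeal encrypts plaintext under key with a fresh random nonce.
// Output layout: nonce || ciphertext || GCM tag.
func aesGCMSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aesGCMOpen reverses aesGCMSeal and fails if the data or AAD was altered.
func aesGCMOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// KeyVault is a hypothetical stand-in for an HSM or key management service.
// It holds the key-encryption key (KEK) and only ever wraps or unwraps
// data keys; the KEK itself is never handed to callers.
type KeyVault struct{ kek []byte }

func NewKeyVault() (*KeyVault, error) {
	kek := make([]byte, 32) // AES-256 KEK
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		return nil, err
	}
	return &KeyVault{kek: kek}, nil
}

func (v *KeyVault) Wrap(dek []byte) ([]byte, error) {
	return aesGCMSeal(v.kek, dek, []byte("dek-wrap"))
}

func (v *KeyVault) Unwrap(wrapped []byte) ([]byte, error) {
	return aesGCMOpen(v.kek, wrapped, []byte("dek-wrap"))
}

// EncryptedRecord is what actually gets stored. The wrapped data key sits
// beside the ciphertext, but without the vault's KEK it is useless, so a
// stolen database or backup yields nothing readable.
type EncryptedRecord struct {
	RecordID   string
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptRecord generates a fresh per-record data key, encrypts the record
// with it, then wraps the data key via the vault.
func EncryptRecord(v *KeyVault, id string, plaintext []byte) (*EncryptedRecord, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	// The record ID is bound in as AAD so a ciphertext cannot be moved to another row.
	ct, err := aesGCMSeal(dek, plaintext, []byte(id))
	if err != nil {
		return nil, err
	}
	wrapped, err := v.Wrap(dek)
	if err != nil {
		return nil, err
	}
	return &EncryptedRecord{RecordID: id, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord asks the vault to unwrap the data key, then decrypts locally.
func DecryptRecord(v *KeyVault, r *EncryptedRecord) ([]byte, error) {
	dek, err := v.Unwrap(r.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return aesGCMOpen(dek, r.Ciphertext, []byte(r.RecordID))
}

func main() {
	vault, _ := NewKeyVault()
	// Constructed sample record, not real customer data.
	rec, _ := EncryptRecord(vault, "cust-1001", []byte("Alice Tan, passport E1234567X"))
	pt, _ := DecryptRecord(vault, rec)
	fmt.Printf("decrypted: %s\n", pt)
	other, _ := NewKeyVault()
	_, err := DecryptRecord(other, rec)
	fmt.Println("decrypt with a different vault:", err)
}
```

The design point is that the only component that can turn a stolen record back into plaintext is the vault, so access to the vault (who may call `Unwrap`, from where, and how often) is the control that access management has to enforce, and its audit log is the evidence a regulator will ask for.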

Access management through strong authentication

Encryption itself is very effective, but the encryption keys need to be safeguarded so that unauthorized individuals cannot obtain and use them. To do so, businesses should also focus on who is authorized to access valuable and sensitive data, and on the keys that unlock it.

The best approach is to use two-factor authentication, which requires employees to combine something they know (a password) with something they have, such as a phone or hardware token that produces a one-time code that changes every few seconds, rather than relying on a single password that can be guessed or phished. These types of security are readily available, but need to be more widely adopted by businesses.

Article by Rana Gupta, vice president, Enterprise & Cybersecurity, Asia Pacific, Gemalto.
