Data Protection Trends

The impact of the COVID-19 pandemic on the privacy and data protection landscape is hard to ignore. Just like other industries, the data protection and privacy industries have been severely affected as companies rush to digitise their businesses to make way for work-from-home (WFH) setups. Unfortunately, many were not able to ensure proper security measures were in place.

The pandemic also turbocharged the digital transformation of most organisations. Companies that have chosen to wait on the sidelines were left with no choice but to adapt to the changes required when delivering products and services. The digital transformation also came with vulnerabilities and digital risks both from a privacy and security perspective.

2021 Data Protection Trends

In the ASEAN, the following are the data protection and privacy trends.

Data Protection Trend #01: Accelerated digitalisation will increase the need for personal data governance within organisations. This can lead to an inevitable shift from a legal approach to data protection towards a holistic GRC (Governance, Risk Management, and Compliance) perspective.

As organisations cope with the impact of the pandemic and put in place measures that ensure business survival, there will be continued privacy issues and security vulnerabilities such as increasing surveillance at the workplace and at the national level.

Data protection requirements for the public and private sectors are becoming stricter, with new amendments being introduced not just in the Philippines but also in Singapore. Soon enough, there will also be new privacy and data protection laws in place in both Indonesia and Thailand.

The requirements, many of which need to be implemented at the operational level, can create challenges for organisations to sustain their privacy management programs without any active focus. This will also require stricter, regular audits.

Data Protection Trend #02: There will be a renewed focus on the importance of third party management of personally identifiable information (PII) due to digitalisation, WFH initiatives and automation.

The complexity of processing PII especially from the perspective of third-party management can create challenges for both the data processors and organisations as they continue the diversification and disintermediation of the supply chain. There are also requirements for extra-territorial application and cross-border data transfer to consider.

Governments are also becoming more concerned about how the data of citizens are handled and are therefore expected to do more due diligence so they can impose stricter audits and requirements to third-party vendors. Investing in a data privacy course can be beneficial in this scenario.

Data Protection Trend #03: While 2021 will continue to see sophisticated data breaches and cyber threats, more privacy breaches involving intrusive mobile apps will also be seen as a result of the pandemic and continued automation.

From the enforcement perspective, cases involving data breaches of the GDPR almost doubled in 2020. A growth of around 88% was also seen compared to the previous year, with 309 cases tracked.

Despite the COVID-19 situation in Singapore, the number of organisations was seen to increase from 51 to 54 percent. This is despite four months of enforcement inactivity.

That said, the need to reinforce the 4Ds has never been more important—Data Protection Officer, Data Protection by Design, Data Privacy Management Program and Data Protection Impact Assessments (DPIAs). Investing in data privacy certifications can also help.

Data Protection Trend #04: This 2021, ISO 27701 and GDPR will be firmly established as de facto standards for data privacy management and operational compliance.

Many of the upcoming amendments and laws in Indonesia, India, Thailand and even China now use GDPR as a reference standard. Even the changes in the Philippines Data Privacy Act is designed to keep local legislations up-to-date with the GDPR.

Organisations operating in the region are also expected to use GDPR to ensure regional compliance. The ISO 27701, which is considered the international standard for privacy management systems, is also expected to gain greater adoption as it is jurisdiction neutral.