Carolyn Bigg, head of privacy for Asia at DLA Piper, says the handing out of big fines will mark the next front in the war to protect data.
“So there’s been certain places around Asia that have had new laws in the past few years, that maybe have provided for this high level of fine, but actually, in reality, there hasn’t been enforcement action, or they haven’t had the resources within the regulator to actually start enforcing them,” Bigg says.
Across the region, there are some laws that “look more like GDPR than others,” she notes. “Places like Thailand and the Philippines, they’re at too early a stage to really be near implementing these sorts of levels of fine. But we see more experienced regulators, like New Zealand and Singapore and Australia, with these levels of fines.”
Still, authorities are moving quite slowly when it comes to implementing the fines. While Singapore has pressed forward with new data privacy regulations, the “higher level of fines” will not come into force until 2022 “at the earliest,” Bigg says, adding that the reasoning behind this was somewhat unclear.
While the pandemic and the potential impact on businesses may make up part of the reason, she suggests that this may be by design.
“When the Singapore regulator first introduced the PDPA back in 2014, they were very good at taking a measured approach to education first and then over a period of time shifted the focus from education to more active enforcement. I wonder if that’s what they’re doing now,” she muses.
A consistent market trend is the move to introduce mandatory breach notification laws. “So if you have a big data incident, it becomes mandatory to report this incident, and places like New Zealand, Singapore, China, and others have that,” Bigg says, adding these laws “are definitely coming”.
While the pandemic may be partly to blame, wielding such large fines and harsh penalties around data privacy management is relatively new territory in Asia, and regulators are likely operating from a place of caution.
“I think probably the pandemic is holding it up slightly, I do think it’s also the regulators finding their feet as well,” she says.
Generally, the prioritisation of data privacy has moved rather quickly in Asia, with the pandemic placing something of a magnifying glass over the handling and managing of data by businesses.
Last year there was the initial question of “how do you deal with data related to the pandemic, whether that’s employee travel histories and whether it’s remote working,” says Bigg. This subsequently evolved with the pandemic, which opened up uncharted territory around disclosing employee data, and whether businesses can ask employees about matters such as travel history, health data, close contact “and now vaccinations,” she says.
“That’s really required businesses to have a multidisciplinary focus on data, so it’s been everybody from operational [staff], to HR, compliance, and all the way up to the board as well,” she notes, adding this has been a localised effort, with every country having different rules around this.
More broadly, as businesses increasingly work online, data privacy has sailed up the priorities list, demanding the attention of more senior staff.
“I have seen an increased focus up to board level on these issues. I think in Asia five years ago, you’d have had very few minutes of a board’s time spent discussing cyber and data,” says Bigg, adding, “Nowadays, my understanding is for most boards it’s a regular agenda item. We’ve had a lot of the industry regulators have really been pushing for this to become a board-level responsibility”.