Data Privacy in 2022, How Individuals and Companies Can Navigate the Ever-Shifting Terrain

Covid-19 continues to disrupt daily life and the data protection and privacy landscape was brought into the spotlight throughout 2021 due to several high-profile data leaks. At the start of 2022, experts had made the following five predictions:

Ongoing data and privacy breaches, especially due to COVID-19

Expedited digitalisation, driven primarily by Covid-19, created numerous risks and vulnerabilities leading to an increase in breaches, and this trend is set to continue. In 2021, cases such as breaches in government contact tracing apps (in Malaysia and Indonesia) were reported in the news.

With more countries reopening their borders for travel in 2022, pandemic-related tracing activities, e.g. the verification and monitoring of vaccinated individuals and those with Covid-19, and the implementation of vaccinated travel lanes, pose risks to organisations if data is not handled and stored appropriately.

Hackers are getting increasingly sophisticated as evidenced by the multiple high-profile breaches in 2021 – and cyberattacks are not expected to slow down. Therefore, it is critical for companies to be vigilant and implement both data privacy and security measures to comply with the local data protection regulations.

On an individual level, the privacy policies of companies can provide the most insight into the purpose behind the collection of the individual’s data and how the companies process it. It is good practice to make it a habit to read the privacy policy before downloading an app, signing up for a membership, or otherwise getting into a business relationship.

Intrusive home surveillance due to work-from-home, or WFH, practices

With the effects of the pandemic not slowing down anytime soon, many organisations have opted for continued work-from-home (WFH) arrangements for the purpose of business continuity and also with their employees’ well-being in mind.

Organisations may have also implemented surveillance and monitoring software to ensure that their employees are working and not abusing this work arrangement. These surveillance and monitoring technologies can be considered intrusive and may breach data privacy requirements.

As such, Data Protection Officers (DPOs) will need to assess any relevant risks, conduct data protection impact assessments on new monitoring software and surveillance measures, and review WFH policies to align with continued ways of remote working.

Continued interest in certification for both organisations, i.e. DPTM, and individuals

There is continued adoption of Singapore’s Data Protection Trustmark (DPTM) as a seal of approval for local organisations to demonstrate data protection accountability. Furthermore, a new Credence Data Trust Rating System, which evaluates organisations based on the robustness of their data protection practices, has also been introduced.

Meanwhile, a new Philippines privacy certification, Philippine Privacy Trust Mark (PPTM), for organisations demonstrates the region’s desire to boost consumer confidence in organisations' management of personal data and to provide a competitive advantage for businesses that are certified.

On a personal front, more individuals are seeking formal privacy expertise and training to advance their careers and pursue job opportunities. The Singapore and the Philippines authorities continue to lead the way in the ASEAN region in encouraging local data protection officers and professionals to be certified.

For instance, the Practitioner Certificate in Personal Data Protection course by Singapore's Personal Data Protection Commission (PDPC), an exam-based certification for local DPOs, was extended to three days in 2021. In the Philippines, the National Privacy Commission (NPC) launched its Training the Trainers Program (T3) and expanded the DPO ACE (Accountability, Compliance, and Ethics) programme, aimed at establishing a skills benchmark for local privacy professionals.

More regulatory attention on big tech, including social media, internationally spilling over into ASEAN

In 2022, there is also an expectation of more enforcement against social media and online companies for intrusive privacy practices and illegal processing. Last year, China's government ordered Didi, a leading ride-hailing platform in the country, to be removed from app stores for issues relating to the firm’s collection and usage of customer data.

Data protection or privacy enforcement by authorities is also expected to increase in 2022 as regulatory attention on big tech companies will set the stage for more organisations to find themselves in violation of data protection laws such as PIPL, CPPA, GDPR, and PDPA.

That aside, the changes in the use of cookies and trackers by big tech companies to increase the data privacy of consumers in online advertising can also be considered a “data privacy-friendly” move. For organisations with websites and marketing functions, keeping an eye on updates and changes in this space is essential.

Strong demand for data protection officers (DPOs) to continue in the region

The above trends will reinforce the importance of the role of the DPO. In addition, by the end of this year, all of the ASEAN region’s founding members are expected to have put data protection laws in place. With China having enacted its Personal Information Protection Law in November 2021 and India expected to introduce its own data protection law after years of deliberation, the entire region seems to be pressing the reset button on data privacy.

Other countries in the region, such as Indonesia and Thailand, are also expected to introduce their own data protection laws. With these new laws being implemented, the shortage of trained and experienced DPOs, professionals who are well-versed in data protection and privacy, will become apparent.

Even in 2021, countries that have existing data protection laws have updated and introduced amendments to the law. For instance, Singapore updated its Personal Data Protection Act with new amendments and requirements, i.e. data breach notification, and continued enforcements have also led to a growing number of job advertisements for DPOs. Malaysia and the Philippines are also proposing to amend their laws.

In light of these five forecasted regional data protection trends, there is a significant transformation underway in data privacy and protection, and individuals and organisations must remain aware and make appropriate decisions to stay up to date. Individuals should always remember to read the privacy policies before providing consent to any website or app they intend to use.

In organisations, the “tone at the top” is fundamentally important. Senior management and the board must make it clear that the organisation takes data protection seriously and must provide resources - financial budget and headcount - accordingly to put a data protection management programme (DPMP) in place. Training staff in the resulting policies and SOPs is crucial.

We often see data breaches being described as “human error”, which is unacceptable to regulators and should not happen where there is sufficient staff training and a strong “tone at the top”.

Initiating the DPMP is only the first step; maintaining the programme by keeping updated on new developments is also necessary. The organisation can sustain compliance efforts by educating stakeholders about the data protection policies and conducting regular data privacy audits and risk assessments.

Author

Kevin Shepherdson is the CEO and Founder of Straits Interactive, a data privacy consultancy and training provider, based in Singapore.
