
A Year in Review: What Have We Learned From the Data Dramas of 2022?

Image Credit: montsij/BigStockPhoto.com

In recent years, including the year that is soon ending, data breaches and data incidents have been on the rise. Millions of personal data records have been stolen or leaked.

In 2022, three particular data incidents have stood out for me. In July, the Chinese ride-sharing operator Didi was slapped with an 8 billion yuan fine (US$1.18 billion) over 16 illegal practices, including the collection of the personal data of more than 107 million passengers. The data collected included biometric details and messaging information.

In September, British authorities announced that they could fine TikTok, a social media service popular for short-form videos, £27 million (US$28.91 million) following an investigation that found its application software might have breached data protection law by failing to safeguard the privacy of children.

And finally, if we look back a little further to August 2021, Indonesia’s Covid-19 test-and-trace app for travellers was found to have leaked passport information and healthcare data for about 1.3 million users.

With regard to these cases, two trends caught my attention from a data privacy perspective: the monetisation of personally identifiable information (PII), and the way the Covid-19 pandemic led organisations to overlook the protection of personal data.

My key takeaway from studying these cases is that there are numerous new privacy threats that concern the rights and well-being of millions of individuals. In addition, data breaches by organisations can harm their reputation, as well as damage the trust that individuals place in them.

These threats have arisen from an accelerated digital transformation around the world that was prompted by Covid-19 and lockdown restrictions, and the increasing monetisation of PII. In particular, there have been more data breaches attributable to the use of mobile apps that have been rushed out quickly as part of the accelerated global digital transformation.

The impact of accelerated digital transformation

In the midst of Covid-19, many organisations rushed to embrace digital technologies both to ensure business continuity as well as to leverage new opportunities. In their haste to digitalise, there was a lack of consideration for data security and regulatory requirements.

In the case of the Indonesia test-and-trace app, it was found that there had been “zero obstacles” to keep unauthorised parties from accessing its data “due to the lack of protocols in place by the app's developers”.

The other two cases, Didi and TikTok, illustrate that many innovative new start-ups have business models that involve the monetisation of PII through means such as behavioural advertising. Enforcement actions against other tech giants, such as Facebook, Google, and Twitter, suggest that such companies may have questionable security and privacy practices.

The common thread in all of these cases is that they involve mobile apps. Whether apps are developed in-house or outsourced to third parties, there are at least two things that need to be done. Firstly, the apps must be developed with security – and, by extension, data protection laws – in mind. Secondly, there needs to be user acceptance testing to confirm that the app delivers the outcomes intended, and that those outcomes are delivered in line with data protection laws.

As more data incidents occur, as breaches and leaks are uncovered, authorities mete out sanctions through enforcement orders and administrative fines. In addition, organisations risk reputational damage and the loss of trust in them from their stakeholders.

Globally, data privacy regulators expect organisations to be accountable for personal data governance and, consequently, to govern personal data in their possession or under their control from an operational risk-based perspective. In fact, some regulators are also giving organisations the opportunity to demonstrate accountability and operational compliance by achieving national “trust marks”.

Despite the fact that we are now living in a data-driven world, there are still many companies that are ignorant about data privacy and protection requirements, think that the laws do not apply to them, or think that putting some legal documents in place is sufficient.

When they are investigated by regulators – and it is a question of “when”, not “if” – they will be hard-pressed to demonstrate accountability and not able to position themselves as trustworthy stewards of personal data, if they do not step up to meet regulatory and governance requirements.

When it comes to data breaches, we often see headlines about a “sophisticated cyber attack” that is said to have led to the breach. The typical reaction from small and medium enterprises is one of horror in the belief that they may need to spend a lot of money to engage high-priced cybersecurity professionals to prevent such attacks from happening to them.

In reality, very few data breaches result from such cyber attacks: about half of data breaches are, in fact, caused by employees who are careless or negligent or by employees who are disgruntled and exploit weaknesses in their company’s data protection programme.

These breaches could be prevented simply by proper data protection training, including training in recognising the scams that let hackers into the company’s IT systems, and by the company identifying its data protection risks and weaknesses and adopting policies and standard operating procedures to prevent them from being exploited.

New data privacy laws coming onstream

After China enacted its data security and data privacy laws last year, this year we have seen ASEAN members take proactive steps to establish their own regulatory frameworks.

In June, Thailand’s Personal Data Protection Act came fully into force, while in October Indonesia passed a new personal data protection law. In 2023, I expect to see Vietnam and Brunei codify their own laws. This would mean that, in ASEAN, all the major members have data protection laws.

From a socio-cultural perspective, protecting personal information and the privacy of individuals will firmly become a business culture in ASEAN. Companies need to respect the rights of individuals in terms of how their personal information is collected, used, disclosed, and stored.

Most data protection regulations require a data protection officer (DPO) to be appointed to take responsibility for the organisation complying with the data protection law. Even where the law does not make such an appointment mandatory, of course, it is necessary for organisations to appoint someone to take such responsibility: if no one is responsible specifically for data protection programme implementation, it won’t get done.

It follows that the role of DPO, mandatory or not, will continue to be in hot demand, which bodes well for this relatively new profession. I was recently in Indonesia, where regulators are forecasting a shortage of 100,000 DPOs, and in Thailand, where I received the same feedback about the growing demand for DPOs.

However, simply appointing a DPO is not a cure-all.

DPOs should be seen as data protection champions within their company, supported by strongly supportive statements and actions by senior management. They should coordinate the data protection actions of heads of departments in the company that collect, use, or disclose personal data and support them by providing expert data protection knowledge.

They will also serve as the main liaison between the company and regulators, and may also coordinate data protection training for staff and the development and implementation of standard operating procedures for staff. In other words, safeguarding personal data within an organisation is the responsibility of everyone, not just the DPO.

Recover, then govern data better

That being said, I understand that the priority of many small and medium enterprises in today’s post-pandemic environment, against the backdrop of an ongoing conflict in Europe, is simply to recover from a traumatic few years and to survive.

However, it is vital that organisations should govern their data and strengthen their privacy and security efforts in compliance with the data protection laws and to maintain trust with their customers and stakeholders.

They should also take a stance of implementing Privacy-by-Design, in keeping with the adage that prevention is better than the cure, especially if they are leveraging sophisticated and privacy-intrusive technologies, such as artificial intelligence and predictive analysis.

Case in point, Didi’s staggering fine accounted for about 4.7% of its US$27.3 billion total revenue last year. Days after the company went public, Chinese regulators ordered app stores to remove 25 mobile apps operated by Didi for excessive processing of data.

The restrictions have chipped away at Didi's dominance and allowed rival ride-hailing services operated by automakers Geely and SAIC Motor to gain market share.

As such, I would strongly recommend that all organisations address the risks and uncertainties in today’s business landscape by taking a data governance perspective, which focuses on good practices to achieve business objectives, versus a data protection perspective, which is focused on a compliance objective.

If compliance is seen as a “show-stopper” and a hindrance to innovation, then data governance should be seen as an enabler, a way to derive greater value from data.

As for consumers, the good news from recent developments is that privacy awareness will continue to increase, especially in the use of mobile apps and social media, driven by the adverse publicity of data breaches and the education efforts of the respective regulators.

In terms of personal responsibility, users should think twice about using apps that are unclear about how they use and protect their data. This advice is even more important when it comes to using any free apps. As a saying in tech and privacy circles goes, “if the app is free, you are the product”.

Author

Kevin Shepherdson is the CEO and Founder of Straits Interactive, a data privacy consultancy and training provider, based in Singapore.
