With the General Data Protection Regulation (GDPR), Europe has become the world’s benchmark for regulations governing people’s right to privacy. The US and Asia are looking at this solution with interest, not least because companies operating in European countries must comply with the regulation. To find out more, we interviewed Kevin Shepherdson, CEO of Straits Interactive, a leading privacy and data protection company in the ASEAN region (Indonesia, Singapore, Malaysia, Philippines, Thailand, Vietnam, Cambodia, Myanmar, Brunei, Laos).
Is the European GDPR the best regulation for data protection? If yes, why?
Since it was proposed, adopted and ultimately implemented in 2018, the European Union’s General Data Protection Regulation (GDPR) has been widely seen, and used, as a global regulatory standard on the data protection and privacy landscape.
The GDPR was developed to safeguard personal data relating to individuals when it is processed by both public and private organisations located in the EU. In fact, it takes a strong view of privacy as a human right that necessitates protection, especially where business practices and personal data are concerned.
It is not unusual to see multinational corporations that are headquartered in the EU choosing to take the GDPR as the default position for data privacy across all of their global operations. That way they ensure consistency among the countries in which they operate, or they do so because they simply think that it is the right thing to do.
Since its adoption in 2016, there was a two-year “sunrise” period before the GDPR took effect in 2018. The GDPR has been seen as a useful yardstick in many countries introducing data protection law for the first time or modernising existing data protection law.
How do Singaporean companies address and manage user privacy?
Singapore’s Personal Data Protection Act, or PDPA, is intended to support the development of international trade and gives consumers some rights in connection with personal data about them. However, it is not based on concepts of privacy.
Every organisation in Singapore must appoint someone to take responsibility for the organisation’s compliance with the PDPA. That individual has become known as a data protection officer, or DPO.
However, compliance with the PDPA is an “all of organisation” requirement in the sense that it is a business requirement, not simply a legal requirement, and is fundamental to an organisation being able to maintain the trust of its customers, employees and other stakeholders. Organisations typically establish a data protection committee comprising heads of departments that process personal data. The DPO generally acts as both a project manager and a subject matter expert in order to assist the data protection committee to develop and implement a data protection management programme (DPMP).
To do his or her job effectively, the DPO has to stay updated on changes to the PDPA and regulations made under it. In addition, the DPO has to keep an eye on the various guidelines and other guides issued by the Personal Data Protection Commission and the Commission’s stance in its published enforcement decisions.
What difficulties are faced by Asian companies that have ties to Europe and therefore need to adhere to and comply with the GDPR?
Asian companies that choose to market their goods or services to individuals located in the EU or who choose to profile such individuals must comply with the GDPR when they carry out these activities. For most Asian companies, such compliance is typically little different from complying with local data protection or data privacy law.
What are the biggest privacy risks for users when using software, applications and social media?
The extent to which users are tracked across applications and social media, generally for the purpose of serving targeted advertising, is probably seen as the biggest privacy risk for users. These practices are the subject of considerable regulatory concern in the European Union. Changes are likely to take place in the next year or two.
Other privacy risks include data mining, identity theft and phishing. Typically, users provide many pieces of personal information when they sign up for social media accounts or memberships. All of this data is gathered and analysed by companies to do better targeting for advertising campaigns, or for the data to be sold.
Identity theft is also a risk as there may be bad actors who can use the information in an individual’s profile to impersonate them. With cyber attacks and phishing on the rise, criminals could attempt to “phish” for personal data; they could do so by sending phishing links via messages to an individual’s contact list or by gaining control of social media accounts.
What should users do to protect themselves against risks?
In most cases, the biggest pitfall for the average user is not reading the privacy policies of organisations before doing so, usually because they fear they will not understand them or because they want to use the application or other services and think that they have no choice but to accept the privacy policy.
In reality, there is generally some choice, even if relatively limited. For example, there may be a choice to accept location tracking only when using the relevant application rather than accepting location tracking all the time. In addition, privacy policies are required to tell users about their rights under applicable data protection law.
Finally, if a user fails to read the privacy policy before using an application, social media service or other online service offering, they actually do not know why certain data is being collected from them or how this data is being used. For instance, some users do not know that their data is being shared with third-party platforms.
What are the key points of Straits Interactive’s data governance solutions?
We help businesses build trust with their customers, employees and other stakeholders by developing and implementing responsible data protection policies and practices. Such policies and practices do not get in the way of doing business – they support it by providing operational excellence. We do this through a combination of cloud technology, professional services and training.
In addition, our services extend to assisting companies in navigating the various funding options available in Singapore for training and digitalisation of key business processes, with data protection firmly ingrained in these initiatives.
Let’s talk about the Data Protection Excellence Network. How did the idea come about and what does it represent for Asia?
The Data Protection Excellence (DPEX) Network is a community where data protection and privacy professionals can get a wide range of support. It offers free resources that are refreshed on a regular basis, including exclusive webinars, industry updates, research, articles, videos and discussion forums. It also provides a way for its members to chat with one another and seek peer input to help solve common problems.
We created the DPEX Network to fill a void in the data protection and privacy resources available online, especially for the ASEAN market. We also use it as a way to connect with our clients and the public in a professional environment where the community can interact.
Straits Interactive has activated some partnerships with other companies in the sector, also in Europe. What are they and what kind of advantage do they give you over your Asian competitors?
Straits Interactive and DPEX Network have multiple partnerships with organisations in the region. For instance, we signed a memorandum of agreement with the Asian Institute of Management recently to roll out certificate programs to enhance Data Privacy and Data Protection skill sets in the Philippines. In Singapore, we have also partnered with The Media Consultants to offer Singapore’s first Crisis Communication and Data Breach Response course for data protection and privacy professionals. In addition, we launched the Advanced Diploma in Data Governance and Management with Singapore Management University (SMU) Academy. We also gained accreditation from the National Privacy Commission of the Philippines under their Training-the-Trainers Program (T3P) last year.
For our DPEX Network webinars, we frequently invite key influencers such as regulators and C-suite leaders in the data protection and privacy industry to join us in panel discussions to share their insights on latest developments in the industry. These activities give us an edge over our competitors that may not have access to a wide array of expertise from accredited experts.
Why is ASEAN considered the hottest region for privacy regulations?
ASEAN’s founding members are expected to have data protection laws put in place in 2022. Recent trends indicate that the entire region is pressing the reset button on data privacy, opening up new business opportunities and driving strong demand for data protection professionals, a number of whom would be pursuing professional certifications to be a part of, or to further their careers, in this industry.
You have worked in the past at Creative, Sun Microsystems and Oracle. What did these experiences leave you with and what proved useful when you founded Straits Interactive?
As part of my career, I have learned that it is always about leveraging your key strengths and managing your weaknesses in the workplace. It is important to note that each team member brings his or her own strengths that add to the overall team capabilities. These skills need to be identified in advance and utilised as part of the combined team strength to solve problems in the workplace. I’ve learned that if your responsibilities make use of your skills and talents, then the team member will always feel actively engaged in the workplace and that leads to overall job satisfaction and greater team output.