
Tailoring Data Privacy Strategies for Asian Markets


It’s a stark reminder that all three lines (especially IA & ERM) should step up their understanding of personal data privacy: strategy, implementation and potential implications. Data privacy regulations are evolving fast in many parts of Asia. While there are commonalities with GDPR, each market has specific nuances that must be understood and audited. For example, GDPR requires breaches to be notified within 72 hours, whereas some jurisdictions in Asia do not stipulate a precise timeline and instead imply prompt disclosure. Such differences require tailor-made processes and stakeholder awareness.

Rebalancing Data Security

In some companies, a disproportionate share of attention goes to employee privacy and its related enablers. As a result, less effort goes into discovering third-party personal data (consumers, vendors, etc.) and into the controls that protect it. Research has shown that 60-80% of breaches relate to third-party personal data. If you think this only applies to full-fledged B2C companies, it’s time to rethink. Unstructured application development (insecure APIs, weak application security, etc.) puts third-party personal data at risk. As more systems become web-facing, organizations are more exposed to leakage if risks such as OWASP gaps are not identified and addressed.

Challenges in IA Functions

Some IA functions have yet to understand the distinct rights and obligations of data subjects, controllers and processors, or their organization’s PDL (Personal Data Landscape) and PDI (Personal Data Inventory). Even in some large companies, the lack of global experience within teams inhibits immediate appreciation of outside-in views. Those who believe that high-impact compliance audits are already covered by conventional audit programs may only be satisfying their Boards for the moment.

Proactive Auditing: Reducing Risks through Early Collaboration

In my experience, progressive IA functions collaborate with business and line 2 at early stages of the roll-out of key regulations and perform follow-through assessments after implementation. Auditing at the speed of risk is an opportunity to reduce surprises and avoid post-consequence scapegoating. For instance, if an auditor has not understood the various digital assets and touchpoints that hold third-party personal data, he/she would assume that the organization already follows best practices.

Dedicated Compliance Audit Programs

In companies where I worked for a longer tenure, I was able to introduce dedicated compliance audit programs incorporating emerging-risk levers. This helped to further strengthen the closed-loop process with management control self-assessment, including advising on design. Businesses can then rebalance their efforts and resources towards the larger risks, and IA can better understand external and business changes and help identify solutions for secure and sustainable business growth.

Ultimately, it’s about the mindset.

Author

CEO & MD at Innowave360
Experienced Chief Internal Auditor, Chief Risk Officer and Controller – Large US, Europe and Asia listed MNCs
