Protecting consumer’s personal data at all costs.
Startups in Asia are becoming multinational companies faster than ever before. Having customers spread out across the region can lead to big money. Unfortunately, in order to get that cash, startups should know local regulations for data protection, which can become a cold shower for your entrepreneurial fantasies.
There is some good news. Though ensuring compliance with data protection laws is like going through hell for some people, it is actually not that bad. Check out this simple breakdown to understand what data you have and how you can use it to drive your businesses without getting burned by the law.
Question 1: What is consumer personal data anyway?
Metaphorically? Your company’s reputation and, by extension, your future. When companies fail their customers, criminals benefit and the public notices.
To remain a trusted company, you need to protect your customer’s personal data. Definitions for “personal data” differ slightly from country to country but the generally agreed upon definition is “data which alone can identify an individual or can be combined with other easily obtained information to identify an individual.” Below you can find which countries follow that definition and which have variations of it.
Question 2: Ok…but why do I need to protect that personal data?
Unless you love answering to angry customers, paying stiff fines, or getting the full Shawshank experience, you might want to keep the data safe and secure. Failure to do so could result in a penalty.
Keep in mind that regulatory bodies almost always start out with a warning and then slowly escalate into real penalties. However, if your company is caught red-handed doing some shady business, you might not be able to count on such a measured response.
Question 3: Hmmm…what does personal data protection entail?
For our purposes, let’s think of protection as the ultimate goal of your security measures. What are you trying to prevent from happening? The standards here are also relatively uniform. The phrasing is different from country to country but, generally speaking, the goal is to keep customer data from being tampered with in any form.
Question 4: Wait a sec, where in Asia can I transfer personal data to?
This is a lot less complicated. Much of Asia is surprisingly laid back about cross-border data transfers. For most countries, you only need to get the explicit consent of the user. For a few, you also need to prove that your company’s data protection system matches a certain level. I could write a whole other blog post about how you can prove that. This chart shows what you need to do to transfer data out of a country.
Question 5: Great, so what are the techniques for protecting personal data?
Data protection comes down to access. Making sure only the right people can access the right data at the right time. Barring an unscrupulous employee, maintaining a proper access system will prevent many future headaches.
There are a multitude of information security techniques but one that is a must is encryption. Data points should be liberally hashed, salted, and bcrypted. There are many skilled code breakers on the web but the tougher your security, the less likely it is they will slip into your servers and leave with your data.
Another point to consider is the question of who-has-access-to-what within your own company. Sensitive data like credit card numbers should be encrypted but the relevant codes and access privileges should only be disseminated on a need-to-know basis.
Other sensitive data, like religious beliefs or health history also need to guarded from some of your own employees. Depending on circumstances, engaging (or not engaging) in a business transaction or marketing campaign on the basis of such sensitive data can be considered discriminatory and illegal. To make sure your star employees in sales and marketing are not unwittingly getting the company in trouble, restrict their access to potentially troublesome information.
Wrap up
So there you have it. The big, scary bogeyman of data protection can be distilled to two simple concepts. In your home country, make sure there is no unauthorized access, collection, use, disclosure, copying, modification, and disposal of the data. And, when sending data overseas, get the customer’s permission and make sure your branch offices protect data the same way HQ does.
Finally, you should know (and I hope this does not come as a surprise) that neither Tech in Asia nor the author can be considered a lawyer. This article below is a high-level explanation, not legal counsel. If you need to make a decision about your data, be sure to speak with an accredited professional.
References
Singapore Personal Data Protection Act
Malaysia Personal Data Protection Act
Philippines Data Privacy Act
Hong Kong Data Protection Law
Taiwan Computer Process Data Protection Law
India Information Technology Reasonable Security Practices and Procedures and
Sensitive Personal Data or Information Rules-Rules-2011.pdf)
There is no consolidated data protection law in Thailand
There is no consolidated data protection law in Vietnam
South Korea Protection of Personal Data Act (Unofficial translation)
Japan Act on the Protection of Personal Information
China Decision of the Standing Committee of the National People’s Congress to Strengthen the Protection of Internet Data
DLA Piper Data Protection Laws of the World
BakerHostetler 2014 International Compendium of Data Protection Laws
Linklaters Report on Data Protection Laws
Legal professional and want to give feedback on this article? Comment below or reach out to me here.
Protecting your customer’s personal data: a comparison across countries in Asia
No comments:
Post a Comment