25 April, 2016
The tightening of Asia’s data protection regulatory environment and the emergence of cyber security regulation come at the same time as personal data has developed into an increasingly valuable business asset. They also come as regional businesses seek to outsource more data processing and transfer data across borders with a view to improving operational efficiency and leveraging economies of scale.
An effective data protection and cyber security compliance program begins with a comprehensive look at the personal data being used within the business and then proceeds to map applicable regulatory requirements to this processing.
At a high level, the steps towards developing an effective compliance plan are as follows:
– What personal data does the business hold and use, how was it obtained and for what purposes is it being processed?
– Is the data being transferred to any other group companies or to unrelated third parties for any purpose? If so, into which jurisdictions is the data being sent?
– What future plans does the business have for processing data, in particular having regard to new business lines, new jurisdictions, new technologies, new business models and other potential new avenues to monetising data?
– What data protection and cyber security regulatory regimes apply to the organisation’s personal data holdings, bearing in mind both the location in or from which the data was collected and the location or locations where it is being processed?
– Are the business’s existing policies and procedures compliant? Where are the gaps and what are the practical options for achieving compliance?
Each of these steps is explored in more detail below.
A Personal Data Audit
The first step towards developing an effective compliance plan is to understand what personal data the business uses.
Customer Data
Customer databases are one of the more obvious holdings of personal data, particularly for consumer facing businesses. The practical issue for identifying the full extent of an organisation’s customer data holdings is that databases are not always clearly marked out as such, particularly now in the era of cloud computing and widespread use of mobile devices.
Engaging with sales, marketing, business development and technology teams is often the key to successfully auditing customer data holdings. Care needs to be taken to understand the specific technologies being used by the business and whether data is being collected or extracted online or through mobile handsets, whether directly or through third party service providers.
Data that has been anonymised or aggregated for profiling or analytics purposes may not, strictly speaking, be “personal data”, but this data should nevertheless be included as part of the audit. Data protection laws generally look at data from an entity-wide or group-wide perspective, meaning that de-personalised data sets that can be linked to identities will not avoid compliance requirements. With the proliferation of social media and online public data sources, the risk of “re-identifying” individuals from anonymised or aggregated datasets has never been higher. Assessing data protection compliance will involve assessing the procedures for creating and maintaining the de-personalisation of these datasets.
Employee Data
As Asia region businesses grow in scale and geographic reach, we see a trend towards increased consolidation of human resources databases and increased use of external service providers to administer HR processes and procedures. This development has been running up against stricter data privacy laws in general and, in particular, the imposition of data export controls in a number of jurisdictions – hence the need to be more vigilant and ensure that data holdings have been properly identified and audited.
An important aspect of employee data is that it almost invariably includes “sensitive personal data” such as information about health and ethnic background. Sensitive personal data is subject to enhanced privacy protection under a number of the region’s laws.
Other Personal Data
Many organisations will also hold personal data about individuals who are not their direct customers, such as shareholders, directors and company officers of corporate customers and suppliers, as well as family members and other individuals who are connected to customers or employees. In the context of social media and cloud services businesses, there are often holdings of user contacts or “refer a friend” data that has not been directly obtained from the business’s customers. This personal data will nevertheless be subject to regulation.
It can be very important to identify data holdings relating to individuals of this type, given that the business may not have any direct contractual relationship with the individuals concerned, and so may find it more challenging to obtain data subject consents and otherwise be sure that compliance requirements have been met.
Assessing the Means of Collection and the Purposes for Processing
Once the various personal data holdings within an organisation have been identified, the next task will be to identify how the data was obtained and the purposes for which each group of data is being processed.
This will likely again be a matter of engaging with appropriate individuals within functions such as sales and marketing, HR, technology and operations who understand the business processes involved.
As noted above, the pace of technology deployment within an organisation may well run ahead of the legal and compliance teams’ immediate understanding of what sort of collection and processing is taking place across the business. Data analytics, for example, is an increasingly valuable business tool across a wide range of industries. It is too often the case that these technologies have been deployed without proper compliance checks.
Another area that can raise difficulties is the use of publicly sourced data. In some jurisdictions, such as Singapore, privacy laws do not in general apply to publicly sourced data. In others such as Hong Kong, regulators have made clear that publicly available data may only be used in compliance with general data privacy principles.
We recommend a holistic approach to analysing purposes, with reference to appropriately stress-tested checklists. New purposes for processing data may develop unexpectedly. For example, it may be a rare occasion that a business needs to consolidate data on the servers of an e-discovery service provider as part of multi-jurisdictional litigation, but it is much better to be prepared for such an eventuality if it is a practical possibility.
Likewise, if personal data may be subject to demands by foreign regulators, care will need to be taken to understand this risk in order to factor in appropriate data subject consents and policies and procedures around data handling if the business is in the position to make the disclosure.
Mapping Data Transfers
A related task in the fact gathering process is to understand where personal data is being transferred to from its points of collection, both in terms of transfers to entities within the wider business group and transfers to unrelated third parties. The geographic transit of personal data will also be important given the proliferation of data export controls across the Asia-Pacific region.
Data transfers can broadly be of two types – (i) transfers to affiliated companies and business partners who collaborate in determining the purposes for data processing or have the discretion to pursue different purposes of processing data (i.e., “controller to controller” transfer scenarios); and (ii) “controller to processor” scenarios in which the transferee simply processes the data in accordance with the transferor’s instructions with no discretion to pursue new purposes for processing.
Both types of transfer will be relevant, although the compliance requirements will differ significantly in each case.
Cross-border transfers of personal data raise an additional layer of complexity in the many jurisdictions in the Asia-Pacific region which now have data export controls.
Data Maintenance and Retention
Databases constantly evolve through their use, and so an understanding of how a database is updated, corrected and augmented is key to an effective regulatory analysis.
As the Asia-Pacific region’s data protection laws are all consent-based, a key consideration is what procedures are in place to ensure that requests from data subjects that processing cease are appropriately addressed.
Similarly, many of the regimes across the region have express data subject access and correction rights. Businesses will be expected to have policies and procedures in place to manage these requests.
As a general rule, the region’s laws also oblige businesses to cease processing personal data once the purposes for which it has been collected have been exhausted. There are few prescriptive data retention periods under general purpose data protection laws, but businesses will need to undertake an appropriate analysis to determine how long data should be kept.
Likewise, it will be important to evaluate approaches to securely erasing personal data once the purposes for having it have been fulfilled.
An Eye to the Future
While much of the personal data audit process is a forensic one aimed at generating a clear snapshot of the current state of data processing across a business organisation, a well-executed review will also consider planned extensions of the purposes for processing data and changes to business operations. Examples include plans to consolidate databases and to deploy new technologies, such as the introduction of remote access by employees to cloud based services, “bring your own device” policies and the introduction of behavioural profiling technology to company web sites and apps.
Assessing Regulatory Requirements
Once the organisation’s personal data holdings and processing have been understood as a factual matter to a sufficient level of granularity, an analysis against applicable data protection and cyber security regimes can be undertaken.
Leveraging what’s already there
The regulatory analysis will not necessarily be a matter of re-inventing the wheel, in particular for European-based multinationals who have invested years of effort in constructing policies and procedures that meet European standards.
European standards often (but do not always) meet or exceed national requirements across many jurisdictions in the Asia-Pacific region, and so it is often efficient to leverage global or regional policies from elsewhere in the organisation if they are transportable having regard to the nature of the business and the data processing taking place. As Asia’s data protection and cyber security regimes proliferate and develop, however, there are more and more local distinctions that will need to be taken into account.
A regional approach to compliance
Irrespective of the starting point a business finds itself in, we generally counsel clients with regional footprints to take a regional view of Asia-Pacific’s data protection and cyber security compliance requirements. Although there are important differences at every turn, there is a degree of general conformity, at least, around the principles set out in the APEC Privacy Framework.
“Levelling up” to APEC standards in jurisdictions without data protection laws often makes good business sense, given the obvious trend towards comprehensive regulation. We expect, for example, new laws to emerge in Indonesia and Vietnam in the coming years, and it is a virtual certainty that the new national laws there will take approaches to regulation that are similar to that taken by their neighbours.
There is also, of course, good business sense in having a strong brand for data privacy wherever the business may be. In the area of electronic and mobile commerce and payments, borderless data transfers, cloud computing and remote access to databases, a global or regional approach to managing data security and data privacy is becoming increasingly a business necessity.
While Asia has a number of jurisdictions that are yet to implement legislation tracking the requirements of the APEC Privacy Framework, Asia also has a number of jurisdictions sitting at the other end of the compliance spectrum. South Korea, for example, has marked itself out as being one of the world’s most challenging jurisdictions for data privacy compliance. There are other challenges across the region, such as Hong Kong’s direct marketing controls and Indonesia’s data export requirements.
China raises a unique overlay of difficult laws and regulations that pose compliance challenges on a number of fronts. The “new normal” for Asia-Pacific data privacy compliance is setting an ever increasing bar for compliance.
Cyber security regulation is steadily introducing new variables to approaches to data management in the Asia-Pacific region. China’s move to require that businesses use “secure and controllable” technology is beginning to drive businesses in regulated sectors in particular to localise technology and data to the mainland. Indonesia’s Regulation 82, due for implementation in 2017, is forcing the same considerations there.
Typical Compliance Considerations
The typical range of compliance measures that most businesses will need to turn to will include:
– Personal information collection statements (PICS) prepared either as consents or notifications, as applicable, incorporated into customer terms and conditions, privacy policies for web sites and apps, employment terms and conditions and other interfaces with data subjects.
– Data processing policies and procedures for internal stakeholders to understand and administer, including policies and procedures dealing with:
– Data collection and capture, including policies concerning the use of appropriate PICS and the mechanics of collecting consents and the usage of third party data sources;
– Direct marketing, including alignment of PICS with direct marketing activities, implementation of “opt in”/”opt out” mechanisms, prior consultation with applicable “Do Not Call” registries and compliance with direct marketing formalities, such as consumer response channels and any required “ADV” indicators;
– Human resources management, including policies dealing with job applicant data, retention of and access to employee files, notification and consent to data privacy policies, employee monitoring, management of sensitive employee data and the use of external vendors for functions such as payroll and counselling;
– Data analytics, including policies specifying the types of profiling data that may be used, anonymisation/aggregation principles and policies around “enhancing” datasets through the use of publicly available data or third party datasets;
– Data commercialisation, which looks more broadly for the potential use of the organisation’s data to collaborate with other businesses in marketing initiatives and consumer profiling;
– Security, including technical standards applicable to various types of internal and external data processing, data access and permissioning, the use of encryption technologies and policies around the use of data in cloud services and other technologies;
– Business continuity and disaster recovery, including data back-up procedures, the use of redundant storage and contingency planning;
– Data subject access, including procedures for assessing and verifying requests, considering the legal implications of requests and managing costs of responding to requests;
– Complaints handling, including complaints from customers, employees and other affected individuals;
– Data quality management, including procedures for updating and correcting databases and determining if data is to be erased;
– Data processing and outsourcing, including vendor due diligence policies and standard contract clauses and templates for onshore and offshore processing;
– Data retention, including policies for determining how long data of various types are to be retained and how it is to be securely destroyed;
– Cyber threat assessments and incident response planning, including programs to identify and review cyber threats across the organisation, allocation of responsibilities for escalation of and response to incidents;
– Data breach management, including policies for escalating, containing and remediating data breaches and evaluating the need for regulatory or data subject notifications, as well as procedures for assessing any need for change to policies and procedures following the occurrence of a breach; and
– Privacy impact assessment, which includes a general framework for the organisation to assess privacy impacts due to proposals for organisational, technological or policy change.
Management Oversight and Review
Developing effective data protection and cyber security risk management policies and programs will involve engagement with the right stakeholders across the organisation and creating an effective governance regime for approving, overseeing, implementing and reviewing the various policies. The appointment of official roles such as a Data Protection Officer is becoming more common as best practice in the region, even in jurisdictions where the designation is not required by law.
Regulators in the region are becoming increasingly conscious of the degree to which data protection and cyber security policies have been prepared under senior management and board direction. Input from such high levels lends credibility to the compliance effort. Effective implementation of data privacy policies will need to consider appropriate channels for reinforcing new policies following their publication. Training of individuals within the organisation will be necessary in order to lend context and emphasise the importance of compliance to the business. The policies will need to be seen to have been acted upon in order to serve as evidence of due compliance, and so enforcement procedures will be critical. Policy breaches will need to be examined after the fact with a view to understanding whether or not any organisational change is needed in response.
In order to be effective, an organisation’s data privacy policies will need to be under regular review, reflecting changes in law and regulation, changes in the data being collected and used and changes in technologies and operating procedures. The benefit of experience must also be brought to bear.
For further information, please contact:
Patrick Sherrington, Partner, Hogan Lovells
patrick.sherrington@hoganlovells.com