By: Chris Pickett, Security Lead, Oracle APAC
Data is the “new raw material of the 21st century,” said Tim Berners-Lee back in 2011. Today, his words ring truer than ever. The economics of industry have given way to those of insight and intelligence.
Businesses now recognise that the value of data is real. Data-rich companies are being bought not for what they do but for what they know. As a precious commodity, data has a high tradable value, and it needs to be protected accordingly.
Regulations on the rise
Protection of that kind is standard for traditional business assets, which are carefully audited, recorded and regulated. Data is increasingly getting the same treatment: as its use continues to grow, it is becoming subject to more stringent standards and controls.
Governments are also making their presence felt. Rightly or wrongly, many regulatory authorities are taking an active interest in how organisations approach digital security, especially where citizen and consumer data is concerned. Legacy privacy regulations, originally designed for an analogue world, are being modernised or supplanted by newer legal frameworks more attuned to the digital era.
APAC catches up
Historically, the Asia-Pacific region has lagged Europe and North America in digital privacy regulation and compliance. In the last several years, however, there has been a gradual but definite shift:
- Australia's mandatory data breach notification scheme (the Notifiable Data Breaches scheme) was enacted in 2017 and took effect on 22 February 2018.
- In June 2016, the Reserve Bank of India (RBI) issued cyber security guidelines for the Indian financial sector, including a requirement to report the details of a security breach. In addition, in August 2017, the Indian Supreme Court handed down a landmark ruling on privacy, which recognises the right to privacy as “an intrinsic part of Article 21 that protects life and liberty”. It is too early to see what impact this will have, but it is certainly an area to watch.
- Korea’s Personal Information Protection Act (PIPA), in force since 2011, covers all data processors, whether private or public.
- China’s Cybersecurity Law took effect on 1 June 2017; its detailed implementing regulations and standards are still being issued or drafted. The law reforms data management and imposes new requirements for network and system security.
- In ASEAN, Singapore, Malaysia and the Philippines all have dedicated data protection laws, and there are several initiatives to harmonise cyber security laws across the region.
- In Japan, the Amended Personal Information Protection Act (the “New PIPA”) came into effect on 30 May 2017, extending its applicability to all companies in Japan that use personal information in business rather than only to large-scale handlers of it.
Setting standards with GDPR
Further afield, the European Union has consolidated its distinct national privacy laws on the protection of consumer and citizen data into a single legal framework. The result, the EU General Data Protection Regulation (GDPR), came into effect on 25 May 2018. It regulates the use and portability of personal data within the EU and its export from the region, and gives EU data subjects more control over how their data is used.
It would be a mistake for any APAC-domiciled business to imagine that the GDPR stops at Europe's borders. Any retailer, manufacturer or airline (to take just three industry examples) is in scope if its systems store or process data relating to EU data subjects. It is of paramount importance that APAC businesses understand its implications and requirements and work to ensure compliance. Fines for failure to comply can reach 4% of a company’s annual global turnover (or EUR 20 million, whichever is higher) for the most serious infringements.
So what should APAC businesses looking to expand, whether within the region or globally, consider in order to avoid being lost in a matrix of testing every individual security control against each regulation’s specific requirements?
Industry observers have identified the following three matters, amongst others, as important elements of a compliance programme:
- Rationalise the control testing cycle i.e. test the efficacy of a control once, and apply the results to all associated compliance frameworks in-scope for the organisation.[1]
- Automate the auditing/attestation cycle – the skills of qualified security assessors are in high demand, so we must automate the process where possible, and where sensible.[2]
- Ensure continuous compliance with the regulations deemed to be in-scope for the organisation, which is likely to become a practical necessity for any organisation dealing with multiple regulatory frameworks.[3]
Businesses have resources at their disposal to guide them through this shift. IT vendors, including Oracle, help companies that have identified and assessed their needs to adapt their security architecture to compliance requirements such as GDPR.
On a more practical level, global law firm DLA Piper has created a mobile app that gives users the full text of GDPR on demand. The app also links each article of the regulation to its corresponding article in the earlier EU Data Protection Directive, making it easier for organisations to see exactly what has changed from their current models.
Whether they use these resources or go it alone, GDPR is now in force and businesses cannot afford to lose any more time.
Seize the opportunity of the data economy
GDPR – and similar regulations – also show the extent to which the data economy has grown up. It is a timely piece of regulation because it acknowledges that data is moving faster, further and more freely than ever. Those are trends businesses should be capitalising upon.
This opportunity is also being opened up by the greater maturity and sophistication of cloud at the infrastructure, platform and software levels. The ability to collate and analyse data at incredible volumes and speed has been enabled by the pervasiveness of cloud technology and its ability to connect once disparate systems, processes and silos of data via common, secure platforms.
It is no coincidence that the value of data has risen alongside the wider end-to-end adoption of cloud technologies. If data is the raw material that will drive the businesses and innovations of the future, then a connected cloud is the means of extracting and fully exploring the potential and value of that raw material.
[1] “Build The Business Case for a GRC Platform”, Forrester Research Inc., 24 January 2013.
[2] “Build The Business Case for a GRC Platform”, Forrester Research Inc., 24 January 2013.
[3] “Following the Regulatory Beat: Continuous Compliance”, SecurityWeek, 10 June 2015.