Data Privacy in Asia

What the impacts are and how to prepare for them.

01

Introduction to Data Privacy

Data Privacy is a Major Ongoing Topic

Companies are investing heavily in digital technologies and Big Data. The volume of personal information collected has increased significantly in recent decades and will continue to do so in the coming years.

The use of digital technologies increases risk and raises issues such as consumer rights violations. Consequently, regulations are emerging globally to reinforce data privacy frameworks and give more rights to consumers.

Considering those future requirements will be a key issue for each company. But Data Privacy is more than compliance and can be seen as an opportunity. Investing in Data Privacy is a strategy rather than a cost.

Data Privacy is a strategic investment to:

  • Strengthen your data management process
  • Increase cybersecurity capabilities
  • Improve your client’s level of confidence

Past and Upcoming Milestones

02

Data Privacy Law Specificities around the Globe

The General Data Protection Regulation (GDPR) was approved by the EU Parliament in April 2016 and enforced for all EU countries in May 2018.

  • Data deletion principle

  • Data minimization principle

  • Right to Opt-in

  • Clauses in third party contracts

  • BCR (Binding Corporate Rules) for intra group transfers

  • Deadline to notify the regulator in case of a data breach

  • Strict guidelines to establish a data privacy governance

  • Risk Assessment on high risk processes – PIA (Privacy Impact Assessment)

  • Control plan on data privacy risk

  • Annual data privacy report

  • Register of Processing to document personal information and processes

California Consumer Privacy Act & Federal Trade Commission (USA)

The US has several sector-specific and medium-specific national privacy or data security laws. The California Consumer Privacy Act (CCPA) is a state statute that provides its residents with enhanced privacy rights and consumer protection.

  • Clear framework and dedicated data privacy authority

  • Individual rights including right to know, right to delete, right to opt-out and right to non-discrimination

  • Data disclosure requirements

In addition, the US Federal Trade Commission (FTC) has jurisdiction over a wide range of commercial entities under its authority to prevent and protect consumers against unfair or deceptive trade practices, including materially unfair privacy and data security practices. 

Cybersecurity Law & Personal Information Protection Law (PRC)

Introduced on 1 June 2017 by the Standing Committee of the National People's Congress (NPC), the Cybersecurity Law is the first set of comprehensive legislation governing cyber security and data privacy in China.

  • Onshore data storage requirements

  • Significant regulation for transferring data offshore

  • Individual rights including right to access information, right to data portability, right to be forgotten and objection to direct marketing

In October 2020, the NPC released a draft of the Personal Information Protection Law (PIPL), which came into effect on November 1, 2021. It is China’s first comprehensive law on the protection of personal data. It makes binding compliance obligations that were previously considered recommended practice and requires organizations to comply with additional requirements.

The Personal Data (Privacy) Ordinance (Hong Kong)

The Ordinance is one of the longest-standing comprehensive data protection laws. Based on the OECD Privacy Guidelines 1980, it aims to ensure an adequate level of data protection, to retain Hong Kong's status as an international trading centre and to give effect to human rights treaty obligations.

  • Clear framework ("Data Protection Principles" or DPP) and dedicated data privacy office

  • DPP1: Lawful purpose for collection

  • DPP2: Data accuracy and only for intended use 

  • DPP3: Prohibits the use of personal data for any new purpose unless consent is received 

  • DPP4: Data users take all practicable steps to protect the personal data

  • DPP5: Ensure openness of their personal data policies and practices

  • DPP6: Data subject right to access and correction of their own personal data

Personal Data Protection Bill (India)

The Personal Data Protection Bill (PDPB) is very much inspired by GDPR and sets rules for how personal data should be processed and stored. The PDPB is currently pending consideration by the Indian Parliament and may undergo significant changes to its current form. The PDPB is expected to come into effect towards the end of 2021:

  • Clear framework and dedicated data privacy authority

  • Individual rights

  • Cross-border transfer requirements

Once the PDPB is enacted, we should expect a widespread effect on almost all businesses across India's economy as they work to meet the bill's conditions.

Personal Data Protection Act (Singapore)

The Personal Data Protection Act (PDPA) is a well-established data protection law that comprises various rules governing the collection, use, disclosure and care of personal data. The PDPA aims to strengthen and entrench Singapore's competitiveness and position as a trusted, world-class hub for businesses.

  • Restriction in terms of cross-border movement of data

  • Mandatory data breach notification

  • Individual rights including right to access information, right to data portability, right to be forgotten, objection to direct marketing and profiling, right to correct data, as well as the right to withdraw consent to the use and disclosure of data.

Protection of Personal Information (Japan)

The Act on the Protection of Personal Information ("APPI") regulates privacy protection issues in Japan, and the Personal Information Protection Commission ("PPC"), a central agency, acts as a supervisory governmental organization on issues of privacy protection. The APPI contains provisions similar to those of the GDPR.

  • Restriction on the transfer of personal data to foreign countries

  • Security requirements and third party management 

  • Individual rights including privacy notices, right to access information, right to data portability, right to be forgotten, etc.

On 5 June 2020, the law amending the APPI was enacted, and is expected to enter into force within 2 years of the publication date (i.e., by 12 June 2022). 

03

Data Privacy Maturity Assessment & Implementation Support

Our standard approach

Sia Partners has assisted many organizations in the assessment of all departments based on Local Data Privacy Laws and GDPR regulation, by proposing an analytical and risk-based approach.

Throughout our assessment, we raise awareness of Data Protection and Data Privacy issues among all stakeholders in order to prepare for the change.

Implementation of corrective measures

Sia Partners has assisted many organizations in the implementation of data privacy roadmaps, both on Local Data Privacy Laws and GDPR regulation, by proposing a standard but customisable approach: implementation using quick wins or a minimal viable compliance manual, followed by an Automation Phase.

The goal of the phased approach is to achieve minimal compliance in the first months. Industrialization & Automation is then applied to achieve an effective and efficient solution. Phase 2 groups all major IT impacts.

Key Success Factors

  1. Identify an efficient and accurate data cluster to initiate the setting up of the framework
    Reduce the scope of data at the beginning of the project and expand it over time along a trajectory that has been validated
  2. Document the data flows and produce a report of the Data Privacy level measured
    The first results of Data Privacy measures will follow the identification of controls in the main critical data batch that has been identified
  3. Use the existing tools, controls, actors, committees and documents as much as possible
    Many data privacy components are already in place within the company. They have to be used in order to simplify the buy-in of Data Privacy actors
  4. Define an efficient governance across the company
    Data Privacy is a transversal subject across the company. A Data Protection Officer has to rely on a data privacy network of correspondents
  5. Nominate a sponsor for the Data Privacy Project
    The number of actors in a Data Privacy governance makes decisions difficult.
    A sponsor will take the decisions about Data Privacy issues
  6. Communicate throughout the project to make the buy-in of actors as easy as possible
    Communication in a Data Privacy project is essential. Newsletters, training sessions and Data Privacy reports can be produced on a regular basis
  7. Ensure the availability of operational teams
    Much of the work has to be carried out with operational teams (identification of the processes and the controls, definition of automation rules…)
  8. Analyse the opportunity to industrialize some data flows
    The automation of processes and the implementation of Data Privacy controls have to be considered. They significantly improve the quality of the data

04

Credentials

Insurance and brokerage

  • AXA Global Life
  • AXA Assurance Banque
  • Direct Assurance
  • Caisse d'epargne
  • Credit Agricole
  • Interiale Mutuelle
  • Alptis 
  • ZA International

Banking, Asset Management and Financial Companies

  • Konew Financial Express
  • AXA Investment Managers
  • BNP Paribas

Other Industries (utilities, retailers, airports, etc.)

  • Ingenico
  • Engie
  • EDF
  • SGS
  • Club Med
  • Aéroports de Lyon
  • Rungis Marché Internationale
  • GBP
  • Riley Cillian

Asia Selected Credentials | Data Privacy

APAC Personal Data Protection control framework design

  • Harmonization of the Personal Data Protection (PDP) framework of the bank across the 14 Asia Pacific jurisdictions where the CIB business unit operates, ensuring compliance with local requirements and applicable group standards
  • Definition of the personal data protection controls of the 1st and 2nd lines of defense
  • Build the implementation plan and quantify the associated costs

GDPR Maturity assessment and implementation 

  • Assess the maturity of the company's data protection framework regarding the GDPR requirements
  • Formalize a comprehensive report of the GDPR maturity level as of today
  • Define and implement the compliance roadmap to achieve GDPR compliance

Writing up Data Privacy policy

  • Assess the current state of company/employee data protection framework
  • Support the formalization of a comprehensive data privacy policy document for the client’s business
  • Provide recommendations and define an action plan to enhance the client’s company data privacy framework

Data Protection compliance assessment

  • Analyze present activity involving personal and sensitive data processing
  • Formalize benchmarks related to ethics on social platforms
  • Assess the level of compliance with GDPR and other relevant data protection laws
  • Develop an action plan for targeted processes and controls

GDPR Maturity Assessment 

  • Assess the maturity of company's data protection framework and configuration
  • Support the formalization of a comprehensive report of the GDPR maturity level for the client’s business
  • Provide recommendations and formulate a compliance roadmap to facilitate foreign business expansion