By Gibu Mathew, VP and GM APAC, Zoho Corp.
When data abuse is discussed, people immediately think of data breaches or data leaks. While data privacy and data security are interrelated, the two are not the same. Data breaches are easier to identify, and during the pandemic, Interpol found a surge in cybercrime and data theft throughout the Southeast Asia region.
It is no surprise that findings from IDC note that Asia Pacific spending on security-related products has been increasing year after year, and would reach USD39 billion by 2025. Improving data security is always a good idea, but it merely scratches the surface of data privacy abuse, as the tools used to fight hacks cannot be applied to data privacy.
Fortunately, data privacy has gained greater attention recently, with regulators and technology companies pushing the privacy agenda for end consumers. However, this is still insufficient. Data privacy adoption has proceeded at differing rates in Southeast Asia, where some countries have already passed data privacy laws and other regional regulators are only establishing guidelines this year. This has engendered uncertainty, especially among businesses in the region, about best practices, compliance and government enforcement.
This gap in regulations has left the door open for companies to independently decide what is best for the business over the privacy needs of customers. In addition, this lack of clarity in data privacy compliance also stems from the region not reskilling and upskilling rapidly enough to meet the demand for data protection talent, according to AT Kearney.
Privacy is trust
Data privacy is the governance of users’ personally identifiable information (PII), as well as its collection, exchange and transaction online. Secure handling of this data helps build consumer confidence in a brand or organization. Today, data on every visit, click or online activity is being captured, mined and used by organizations, retailers and technology vendors to deliver personalized campaigns to target consumers; this data is usually used by site owners for marketing purposes. Customers are increasingly aware of the potential for abuse of their data and are savvy enough to define their own privacy settings when browsing the web.
Taking it a step further, today, customers are already voting for privacy with their wallets by choosing to shop with businesses that value customer data privacy. With data transfers happening at lightning speed, customers need to be able to trust corporations with personal information including banking and geographical data. Erosion of that trust means having that customer walk out the digital door, never to return.
Not every business upholds privacy
The heart of the problem is the practice of businesses abusing the data collected from consumers. In Europe, the GDPR and ePrivacy Directive require the user to provide consent before businesses are allowed to use any cookies (a technology concept used by web browsers), except those related to website functionality. The same standard and regional protocol is not in place in Southeast Asia, with businesses lacking a comprehensive regional framework for the management of cookies, online visitor tracking, and handling of PII.
Today, having the ability to collect and leverage data means having an edge over the competition. This, however, makes handling personal data vulnerable to data privacy breaches, especially for businesses lacking knowledge of best security practices. While government bodies like the Monetary Authority of Singapore and Bank Negara Malaysia have set privacy rules for banks and financial institutions, the private sector needs to be better organized or risk losing the trust of customers permanently. With more businesses turning to SaaS vendors for business solutions, it is also important to ensure that your vendor values the privacy of your business data.
Enterprises should also prepare for a post-cookie digital world by adopting pro-consumer privacy policies and safeguarding consumer data with privacy technologies. By championing customer privacy, businesses gain the trust and confidence of an increasingly digitally-savvy audience.
Vendor chain leaks can affect your privacy posture
With more businesses turning to SaaS vendors for business solutions, it is important to ensure that your vendor values the privacy of your business data. Businesses need to closely examine the privacy policy of every member in their chain of dependent services to ensure that they are compliant with any privacy pledges made to the end users. Data handling aside, as it becomes common for businesses to turn to various vendors for their business application needs, there is an increasing risk that a leak or a breach may occur at a third-party provider. Businesses have to be aware of this risk and conduct regular reviews with service providers to ensure business and consumer data is appropriately safeguarded. This should be a rigorous part of the business process and not be taken for granted.
Keeping customers safe by first keeping employees safe
Apart from looking outside the organization, business owners should also consider prevention by keeping their own employees safe from data leaks. Security tools, login authentication, VPNs, appropriate business application usage patterns and encryption solutions can help enterprises protect customer data, especially as companies increasingly manage distributed teams and embrace a hybrid work model. The use of clean rooms, differential privacy and encryption protocols will also take center stage as privacy becomes a bigger concern among consumers.
As ideas on consent and data privacy evolve and create a domino effect across Southeast Asia, businesses need to go beyond digital transformation to an ideological transformation in the way they treat customer data and how they use it for business. Challenges are always a welcome opportunity for enterprises to organize themselves and course correct through proactive policy making. They should ensure that efforts are made to safeguard user privacy continually, before the regulations come into force in the region.