Data Privacy Risks and Challenges in the Digitally Transformed World
I recently had the pleasure of conducting a panel discussion with senior Deloitte partners across the APAC region, talking through the evolving topic of data protection and data privacy. Puneet Kukreja, Deloitte China’s Chief Strategy Officer, Manish Sehgal, Partner in Risk Advisory practice in Deloitte India, and Daniella Kafouris, Partner in Cyber and Data Privacy at Deloitte Australia got together with me to explore these issues. You can listen on demand here, or take a look at highlights below.
Nick Savvides: Data privacy is obviously a broad topic, and we could take this conversation in any number of ways, and still be talking next month! But focusing in on the new normal of remote and hybrid working, I’ve found that the topic of data privacy has come back into focus. Across our region in particular we have extreme complexity of different regulations, but I wanted to ask, what are the biggest challenges your clients are facing at the moment?
Daniella Kafouris: 2020 was, putting it mildly, an incredibly abnormal year. Digital transformation accelerated because, of course, the pandemic forced people’s hands. With that swift movement came all the privacy and cybersecurity risks. Customers at the moment are challenged with simply understanding the implications and risks: what they do need to worry about, and what can they put to one side for the moment.
Here in Australia we’re having multiple conversations around data processing consent: regulations are changing and of course Australia’s Information Commissioner has taken Facebook to court over Cambridge Analytica’s misuse of personal data, which will be something we all watch with interest.
Separately and in some cases a surprise to see back on the agenda, is the retention and destruction of data within a data lifecycle. Data retention, you may have thought, should have been covered back in 2018 as part of the GDPR planning, but for those organisations with a bigger footprint, simply operationalising data destruction is a huge task. Thinking about these “Paper Dragons” in theory was one thing, but making it actually happen is quite another.
Puneet Kukreja: I agree with Daniella, the acceleration of digital transformation has been extraordinary this year. As people in China and Hong Kong rushed towards cloud, the adoption of digital technologies and the embracing of Zoom, often cybersecurity considerations were put aside just so companies could continue to operate.
Aside from the pandemic, I’d say over the last 18 months we’ve also see the China Cybersecurity Law influence decision making. Alongside the forthcoming releases of the Data Security and Data Privacy Laws, between them these three pieces of regulation have acted as a force factor for multinational organisations in the region to consider proper multi-cloud strategies. We’ve seen a huge rise in all enterprises doing this, but particularly those in financial services, manufacturing, and life sciences have invested multimillions in multicloud, as well as developing proper privacy considerations and data security controls.
Cross-border data transfer is now a legal requirement within the China Cybersecurity Law, and due to this, organisations need to put their data flow strategies into practice. While these topics were being talked about a year ago, the combination of COVID and remote working plus new regulations and laws, means we have now seen a real rethink of what applications to use, where to host their data and when business data is required to move cross-border, what operating processes are required to change.
Across the region, multinational organizations are really getting to grips with the broad range of data regulations, and addressing system architecture, multicloud and data management. COVID really acted as an accelerant, getting business leaders back to the drawing board and saying, perhaps just enabling a cloud service isn’t good enough any more.
Manish Sehgal: Unlike the other countries, India is still coming up with its own privacy law. From a regulatory point of view, the trend in digitisation is actually pushing the regulators to get the privacy bill for India out. We had originally expected it in the government’s Monsoon session but has been pushed to Winter – so really it’s going to be early 2021 year before we get a chance to look at it. One of the big drivers for speed here is the sheer amount of digital data now out there, and because of COVID we also have a large quantity of health information online, which has to be looked at seriously by policy makers.
What has been the biggest challenge for enterprises is that there is a sense of insecurity. Everything is now out of business leaders’ physical boundaries. There was a sense before that if information resided physically in an office or network it was safe, and now that’s not the case, people are feeling insecure. Speaking to privacy officers, the question they are being asked by the board is, now people are outside the office, are the privacy requirements taken care of in the same way as they were when they were IN the office? And the answer is, there is no simple answer.
The best you can do is to ensure your security programmes are well implemented, as there is a focus on endpoint protection. Systematic protection is required. Data at home means a whole new definition of privacy: and this is not about implementing a technology solution, but a personnel challenge. Are people educated enough on how to deal with data at home?
Nick Savvides: These are really useful insights. It seems rapid digitisation has driven a huge raft of changes in how we handle data, and we’re only now beginning to understand what that means. Health data, as you say Manish is a perfect example: and in some cases you’re pitting technology giants against governments.
The idea of it being a personnel rather than a technology challenge also resonates, I’ve often found working in security that we suffer from a feeling that another tool will fix our problems: another one will fix us, but often the efficacy of stacking those doesn’t add up.
Data at home is a really interesting concept in the way we feel differently about it. Data management is indeed a huge challenge for multinationals across our region, because what’s acceptable in one jurisdiction is not applicable in another.
I think we know that in data management, our people can be the weakest link but they are also a pivot point. They can pivot to a breach and let us down, but can also protect our enterprises. I believe it’s up to us as a cybersecurity industry to empower people to be that strong point, and help protect our enterprises against unnecessary data breaches.
To hear more of our discussion, examining the biggest challenges in data protection across APAC, listen on demand to the roundtable.