Happy New Year my friends!
Sorry I have not updated the blog for a while. I went for a year-end break and then was busy setting up 4 LinkedIn groups for Data Protection Officers (DPO). These are for DPOs from Singapore, Malaysia, Thailand and The Philippines. The LinkedIn groups are named “Data Protection Officer (DPO) – ”. Hope you can join. It doesn’t matter whether you are a DPO, as long as you are interested in data protection. Feel free to contribute.
This year is going to be an exciting and hectic year in data protection.
No, I am not talking about the number of data breaches (I hope not); I am talking about more countries enacting legislation and stepping up enforcement.
Thailand, Malaysia, Indonesia and Singapore
Thailand’s PDPA was gazetted last year and, after a 12-month grace period, will take effect on 27 May 2020. (DPO Support Group for Thailand) I am anxious to see how well businesses have been preparing for this and also how the newly established data protection committee will help (not just punish) the businesses to comply.
Malaysia’s PDPA was enacted in 2010, the first among ASEAN countries. It has been under review since 2019 to incorporate areas not earlier addressed or make the definitions / clauses clearer. The review has taken long enough and I look forward to an announcement this year. On 14 Feb 2010, the Personal Data Protection Commissioner of the Ministry of Communications and Multimedia Malaysia issued a public consultation paper. But the consultation is only open for two weeks until 28 Feb 2020. I seriously have to question the sincerity of the PDPC (note: the deadline was subsequently extended). (Malaysia consultation paper)
Indonesia is drafting a PDP law. Let’s see if it will materialize this year or next. (Jakarta Globe 2020 Feb 10)
Singapore’s PDPC has made clear its plan to implement a mandatory notification regime. It is also pushing for more awareness of data protection and the trust mark. (Data Protection Trust Mark)
There were several high-profile data breaches in the public sector and military. Although the Government is exempted from the PDPA, they realised they cannot continue to be tardy. I believe the Government will remain above the PDPA law but chances are there will be more stringent data protection requirements and audits on private sector suppliers. Ouch!
Mandatory to appoint a DPO
There is one common thread in the various countries’ PDP laws – that it is a must to appoint a Data Protection Officer. From a practical point of view, this makes sense. Data protection permeates the whole organisation. It is already difficult enough to implement an effective data protection management programme WITH a DPO, let alone without one.
Lately, the selling point of data privacy is not about compliance and avoiding fines. It is about customer trust and branding. Did you notice Apple Inc. has changed its marketing message? It is now selling ‘privacy’. Of course, not in the same way as how Facebook used to sell data and privacy.