Asia-Pacific organizations continue to grapple with data protection challenges, even for those that see the value of having sound data protection practices.

For a start, many still see data protection from a compliance perspective, treating it as a laundry list of requirements that they can tick off to satisfy regulators, with little or no impact on their data protection practices.

Other gaps involve poor risk management. Some organizations are not aware of the common risks when processing personal data, such as attaching unsecured documents with personal data to emails and having poor access controls.

These challenges underscore the low maturity of data protection practices in the Association of Southeast Asian Nations (ASEAN), where data protection and privacy laws are relatively new compared with countries in the European Union.

Countries such as Singapore and the Philippines have mandated organizations to appoint a data protection officer (DPO) in their data protection regimes. Others with new laws such as Thailand have also required a DPO when a company meets certain criteria.

But DPOs are often not properly trained to perform their roles and responsibilities.

Small and medium-sized enterprises (SMEs), in particular, may not have financial resources to hire a DPO to safeguard personal data. This is aggravated by the shortage of skilled DPOs in the region, which pushes up the cost of attracting them.

As such, many SMEs appoint an existing employee, such as an HR, marketing or IT professional, who may not be well versed in data protection practices. And even if a DPO is appointed, an organization’s management priorities may be elsewhere, such as ensuring profitability, or in today’s pandemic, the survival of the company.

So, a common gap is in the governance of personal data, where there is either little or no management buy-in, or data protection is not seen as a business priority.

People Are Still the Weakest Link

The weakest link in data protection, however, is still people, with many surveys over the past decade or so attributing at least half of all data breaches to human factors.

Industry experts have called for more effective and continuous staff training instead of a one-off workshop to cover not only the requirements of data protection laws but also specific data protection policies and procedures of the organization.

For one thing, it is certainly not enough to ask new employees to read an organization’s privacy policy, even if they are required to sign something to confirm that they have done so.

Simon Piff, Vice President of Security Practice at IDC Asia/Pacific, told Computer Weekly, a TechTarget publication, that many data protection challenges stem from how IT teams have captured, created and curated data, versus where IT security had focused on in the past.

IT security teams were focused on systems and networks to protect a virtual perimeter that is being eroded, while data management and storage teams were focused on maintaining availability and reliability of systems.

“Neither group had expressly looked at data security as an issue,” Piff said. “In many cases, security teams saw it as a data management challenge, and the storage team, who were never named the ‘data management team,’ had been considering it a security issue. It has fallen between the gaps.”

Contributors: