Vital to have stronger data protection in post-pandemic world

TECHNOLOGY has enabled businesses to respond quickly to the global pandemic, but at the same time, new data privacy concerns have emerged as organisations increasingly rely on user data and more employees are accessing sensitive information from home.

In Singapore, the Personal Data Protection Commission (PDPC) noted that the number of data breach alerts received tripled in the February-March period compared to the previous two months - an alarming situation that highlights the urgency for organisations to strengthen their data privacy policies so that they will not fall prey to these cyber risks.

As this week marks the third anniversary of General Data Protection Regulation (GDPR), the European data protection legal framework implemented since May 25, 2018, it is time to rethink how we are looking at data privacy and protection today - especially in the age of remote working and post-pandemic era - and if the world's toughest privacy law is still applicable.

AN ALTERNATIVE APPROACH TO DATA PRIVACY?

At a time where data security and sovereignty plays a crucial factor for organisations to innovate and be in the lead in this competitive global market, a new approach is necessary to build the next generation of cloud computing to ensure safe and secure data infrastructure.

Already, organisations are recognising this. In a recent KPMG white paper, respondents ranked data security and sovereignty as the important criteria for choosing cloud providers, ahead of other criteria such as service and quality. Some have even slowed down or given up cloud migration due to the lack of knowledge for offers ensuring data sovereignty.

GET BT IN YOUR INBOX DAILY

Start and end each day with the latest news stories and analyses delivered straight to your inbox.

Sign UpVIEW ALL

Compared to the American-Chinese duopoly, Europe's approach to digital governance in data privacy has set a precedent for regulatory regimes across the world. At present, the current US regulation appears structurally irreconcilable with European GDPR principles, whereas non-GDPR compliance applies to Chinese extraterritorial rules.

Since 2016, the new data regulations in the US and EU have resulted in significant impact on cloud computing. With the invalidation of the EU-US Privacy Shield framework after the 2020 ruling, locating data with European data centres of US providers have become at risk of being subjected to US extraterritorial laws, hence making any potential data transfer non-GDPR compliant.

Following the "Schrems II" judgement of the European Court of Justice, transferring European personal data outside the EU in countries like the US, that do not ensure a level of protection equivalent to European privacy standards, has also become much more complicated than before. This is due to the need in reinforcing technical and organisational measures in order to restrict the possibility to access personal information.

The same applies for any non-European country which, like the US, does not comply with European privacy standards.

In addition, Europe is taking the next step towards establishing a sovereign digital ecosystem for its cloud providers and users through the GAIA-X project. This initiative is designed to comply with GDPR principles and European data laws by providing organisations with a common set of guidelines and requirements for data storage and data transfer for cloud services.

Based on the European values of transparency, openness, data protection and security, the European cloud initiative addresses concerns including sovereignty, portability, ending lock-in practices and providing the opportunity to exchange data between industry sectors and players. This 'alternative' approach not only ensures that the European cloud model is easy, transparent, and affordable for users but most importantly, helps to build trust in the cloud. This is critical in today's digital environment to offer users assurance when they adopt cloud technologies to navigate through the challenging time that we are all facing.

GDPR OUTLOOK IN ASIA-PACIFIC

While GDPR has marked a global shift in data protection and privacy across various industries over the last couple of years, what businesses in the Asia-Pacific region may not be aware of is that they may still be subject to GDPR despite not being physically based in Europe.

It is important to remember that GDPR targets not just European-based companies, but also companies that provide services to European customers or obtaining and transferring any EU citizen's personal sensitive information outside of Europe.

Given that 89 per cent of C-suite officers in the same white paper indicated that despite knowing that GDPR compliance is important or very important they still don't know how to go about it, a strong public-private partnership will be needed to help organisations better understand the requirements and deploy good data governance policy.

With the whole Asia-Pacific region progressively moving towards compliance with the GDPR and data privacy requirements, Asia-Pacific businesses need to ensure that they stay ahead of their competitors in terms of their data protection standards, especially if their competitors are operating in Europe. Additionally, it will be critical for organisations to find the balance between protecting personal data while continuing to enable the innovative use of such data.

Three years on since GDPR came into effect, there is no doubt that it has become a reference point and the "gold standard" for data protection in the region and across the globe. With data protection being a competitive factor that is increasingly taken into consideration to build consumer trust, it is vital for businesses in the Asia-Pacific to adopt Europe's GDPR standards to ensure the highest level of data protection possible.

• The writer is general manager for Asia-Pacific at OVHcloud