– What data protection and cyber security regulatory regimes apply to the organisation’s personal data holdings, bearing in mind both the location in or from which the data was collected and the location or locations where it is being processed?

– Are the business’s existing policies and procedures compliant? Where are the gaps and what are the practical options for achieving compliance?

Each of these steps is explored in more detail below.

A Personal Data Audit

The first step towards developing an effective compliance plan is to understand what personal data the business uses.

Customer Data

Customer databases are one of the more obvious holdings of personal data, particularly for consumer-facing businesses. The practical issue for identifying the full extent of an organisation’s customer data holdings is that databases are not always clearly marked out as such, particularly now in the era of cloud computing and widespread use of mobile devices.

Engaging with sales, marketing, business development and technology teams is often the key to successfully auditing customer data holdings. Care needs to be taken to understand the specific technologies being used by the business and whether data is being collected or extracted online or through mobile handsets, whether directly or through third-party service providers.

Data that has been anonymised or aggregated for profiling or analytics purposes may not, strictly speaking, be “personal data”, but this data should nevertheless be included as part of the audit. Data protection laws generally look at data from an entity-wide or group-wide perspective, meaning that de-personalised data sets that can be linked to identities will not avoid compliance requirements. With the proliferation of social media and online public data sources, the risk of “re-identifying” individuals from anonymised or aggregated datasets has never been higher. Assessing data protection compliance will involve assessing the procedures for creating and maintaining the de-personalisation of these datasets.

Employee Data

As Asia region businesses grow in scale and geographic reach, we see a trend towards increased consolidation of human resources databases and increased use of external service providers to administer HR processes and procedures. This development has been running up against stricter data privacy laws in general and, in particular, the imposition of data export controls in a number of jurisdictions – hence the need to be more vigilant and ensure that data holdings have been properly identified and audited.

An important aspect of employee data is that it almost invariably includes “sensitive personal data” such as information about health and ethnic background.

Asia Pacific Data Protection and Cyber Security Guide 2018

Sensitive personal data is subject to enhanced privacy protection under most of the region’s comprehensive data protection laws and in jurisdictions where it is not