What is GDPR, and why should Malaysian companies care?

‘Conflicting demands for more and faster data-driven business value and reduced data-driven business risk are the biggest issues for enterprises today,’ Praveen Kumar told Computerworld Malaysia.

By AvantiKumar
Oct. 5, 2017


Credit: Storyblocks

Organisations in Malaysia are pushing data privacy to near the top of their agenda. Regulatory pressure accounts for some of this change, coupled with increased efforts by businesses to better manage and extract insights from their data.

The introduction of the Malaysia Health Data Warehouse (MyHDW) for example prompted public and consumer groups to demand greater transparency in the management of confidential health data, to ensure that personal information is in safe hands.

Seeing data as a primary asset is also gaining strength from various initiatives by national agencies - such as Malaysia Digital Economy Corporation (MDEC), MIMOS and NanoMalaysia, which are positioning the country as a Big Data Analytics Hub. (See - MDEC exclusive: Looking for the X factor behind Malaysia's Digital Hub strategy)
 
Controlling and managing data - especially unstructured data - is a major challenge, particularly in the wake of the EU General Data Protection Regulation (GDPR), which is forcing enterprises to develop new approaches to information management.
 
Organisations today collect massive amounts of customer data on a daily basis, so much that many don't realise how much they hold in inventory, nor do they have a solid understanding of how to manage this personal data in accordance with growing data privacy regulations.

How can Malaysian enterprises prepare to be GDPR-compliant while continuing to improve the visibility and management of their data, and, of course, to gain insights from it? In a recent Computerworld Malaysia interview, Praveen Kumar, general manager, Asia Pacific, ASG Technologies, shared his perspectives on these concerns.

  How can organisations retain visibility, control and compliance of their data?
 
Conflicting demands for more and faster data-driven business value and reduced data-driven business risk are the biggest issues for enterprises today.

Across the APAC region, enterprises are rapidly adopting new technologies such as cloud without a clear view of where their data is hosted. At the same time, enterprises are increasingly faced with regulations that require them to implement a comprehensive data governance policy.

This is why we developed our technology to discover and map data and analyse data lineage. This provides a key foundation for visibility, control and compliance. 

To start with - your organisation must map data and content estates, business processes, and data flows that involve personally identifiable data (PID). Regulations require companies to demonstrate they know what data have been collected and how they are used.
 
Only then will you be ready to begin protecting personal information. With policy-based management of content, you can put processes in place for obtaining (and managing) consent for storing personal information.
 
With data mapping already taking place, you'll know where the PID is stored and have the processes to apply policy-based retention procedures against data collected on individuals.
 
Once you've identified the processes, you'll need to enact governance to manage the use and the quality of the PID. This includes reviewing new processing activities, assuring compliance, responding to people's requests for information and action about their PID, responding to audits and setting internal standards within your organisation.
 
To ensure compliance across the board, reporting on governance is crucial. Create reports that provide a management view of PID usage. Within these reports, you can prove knowledge of what data is being processed and for what purpose.
 
Why do Malaysian companies need to comply with Europe's GDPR?
 
The GDPR will have a global impact on all companies that process the PID of European citizens.

Whether businesses reside in the EU or not, local and regional companies that deal with EU consumers or employees will have to comply or risk running into hefty fines.

This is particularly impactful for Malaysia, where the standards will likely provide private sector organisations subject to the Malaysian Personal Data Protection Act 2010 (the PDPA) with much-needed guidance on how to comply with their data security, data retention and data integrity obligations, but they are also likely to raise practical issues for businesses if adopted in their proposed form. (See - Malaysian businesses must prepare for complaints as PDPA finally in force, says global law firm)

The implications for businesses that fall under the remit of the GDPR are significant. Organisations which fail to comply will be subject to a fine of up to 4 percent of global turnover, or EUR 20 million, whichever is greater.
 
 Why the need for complete visibility of data for Malaysian enterprises when traditionally (culturally) local companies keep their activities private for commercial reasons?
 
The idea of complete visibility for data ultimately stems from existing data protection policies - the foremost reason being legal requirements.
 
Until now, customer data has largely been the responsibility of "data controllers" - the companies that collect personal information - rather than the "data processors" that service it.

Central to these obligations are eight data protection principles, comprising enforceable standards over the way personal data is collected, managed and used. However, the principles do not provide a template for compliance.

They typically use non-specific terms to describe processing such as "adequate", "relevant", "fair" and "appropriate", and for this reason compliance by the controller is down to interpretation, reinforcing the need for a global standard for privacy protection.
 
At the same time, the information age has provided society with great tools, but also caused growing concern as to the future of individual privacy. Consumers are becoming increasingly sophisticated and wary of their privacy rights, especially in terms of how personal information is used. At the very heart of the GDPR and other data protection regulations is consumer protection.
 
It's also important to make the distinction between complete visibility of a company's activities, and visibility of how a company is using personal data - it is the latter which the GDPR is targeting.
 
How can Malaysian organisations actually guarantee transparency as well as the assurance that personal data is being handled safely?
 
Complying with data regulations is grounded on a full understanding of where personally identifiable data is sourced and how it is used.

Malaysian companies must make sure that the data that they have is only used for the purposes specified when collected.
 
To achieve this, organisations must map data and content estates, business processes, and data flows that involve personally identifiable data (PID). Regulations will require companies to demonstrate they know what data have been collected and how they are used.
 
For example, data lineage tools such as ASG's Enterprise Data Intelligence solution allow organisations to track and trace all application use of protected personal data. Organisations can create reports to demonstrate protection by design with a data inventory or catalogue of protected data, showing that they know how data are stored within the data estate and how they are used.

By implementing data protection at the base of their data management framework, organisations will always be ready for an audit.
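The two answers above describe the same procedure from different angles: map every field of personally identifiable data and the purposes declared at collection, record which application reads which field for which purpose (lineage), check uses against the declared purposes, apply retention against the data collected, and produce a management report. The following is an added example that is not code from ASG Technologies or from the interview; it models that procedure in plain Python. The store names, field names, purposes, retention periods, applications, subject records and dates are all constructed for the illustration.

```python
# Added example (not ASG code): a minimal PID inventory with lineage,
# purpose-limitation and retention checks, and a governance report.
# Every system, field, purpose, record and date below is constructed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PidField:
    """One PID field in the data estate plus the policy fixed at collection."""
    store: str            # hypothetical system holding the field
    name: str             # attribute name inside that store
    purposes: frozenset   # purposes declared when the data was collected
    retention_days: int   # how long records may be kept after collection


@dataclass(frozen=True)
class DataUse:
    """One application reading one field for one purpose: a lineage edge."""
    application: str
    store: str
    field: str
    purpose: str


@dataclass(frozen=True)
class Record:
    """One data subject's record in a store (constructed)."""
    store: str
    subject_id: str
    collected_on: date


AS_OF = date(2017, 10, 5)  # reporting date used by the retention check

INVENTORY = [
    PidField("crm", "email", frozenset({"order-fulfilment", "marketing"}), 730),
    PidField("crm", "phone", frozenset({"order-fulfilment"}), 730),
    PidField("payroll", "ic_number", frozenset({"payroll"}), 2555),
]

USES = [
    DataUse("webshop", "crm", "email", "order-fulfilment"),
    DataUse("newsletter", "crm", "email", "marketing"),
    DataUse("newsletter", "crm", "phone", "marketing"),            # purpose never declared
    DataUse("analytics", "clickstream", "device_id", "analytics"),  # store never mapped
    DataUse("hr-portal", "payroll", "ic_number", "payroll"),
]

RECORDS = [
    Record("crm", "S-1001", date(2015, 3, 1)),
    Record("crm", "S-1002", date(2017, 6, 1)),
    Record("payroll", "S-1001", date(2012, 1, 15)),
]


def purpose_violations(inventory, uses):
    """Uses of PID the inventory cannot justify.

    A use is flagged when its field is not mapped at all (the organisation
    cannot show it knows the data exists) or when the purpose was not
    declared at collection (purpose limitation)."""
    declared = {(f.store, f.name): f.purposes for f in inventory}
    findings = []
    for u in uses:
        key = (u.store, u.field)
        if key not in declared:
            findings.append((u, "field not in inventory"))
        elif u.purpose not in declared[key]:
            findings.append((u, "purpose not declared at collection"))
    return findings


def lineage(uses, store, field):
    """Applications that read a field: the answer to an access or audit request."""
    return sorted({u.application for u in uses if (u.store, u.field) == (store, field)})


def expired_records(inventory, records, today):
    """Records held longer than the longest retention of any PID field in their store."""
    retention = defaultdict(int)
    for f in inventory:
        retention[f.store] = max(retention[f.store], f.retention_days)
    return [r for r in records
            if r.store in retention
            and today - r.collected_on > timedelta(days=retention[r.store])]


def governance_report(inventory, uses, records, today):
    """Management view: what PID is held, who uses it for what, what must go."""
    by_field = defaultdict(set)
    for u in uses:
        by_field[(u.store, u.field)].add((u.application, u.purpose))
    return {
        "fields": {f"{f.store}.{f.name}": sorted(by_field[(f.store, f.name)])
                   for f in inventory},
        "violations": [(u.application, u.store, u.field, reason)
                       for u, reason in purpose_violations(inventory, uses)],
        "expired": [(r.store, r.subject_id)
                    for r in expired_records(inventory, records, today)],
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(governance_report(INVENTORY, USES, RECORDS, AS_OF))
```

The retention check deliberately uses the longest retention period declared for any field in a store, which is the conservative choice when a record cannot be deleted field by field; a real catalogue would also carry the consent obtained per subject and treat a use without consent as a finding in the same report.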
 
In the light of increasingly sophisticated cyber attacks, how seriously do you feel companies here are taking security?
 
Given the evolving threat landscape and wealth of new technologies introducing risk, the GDPR regulations are providing a new opportunity for CIOs and IT directors to build a data privacy and cybersecurity programme that will better position the company to deal with future threats.

As the GDPR has set a definitive price on cyber risk, secure data management is becoming a key priority for enterprises today. While cybersecurity and privacy management are not the same, they are closely related. Mapping the use of personal information provides key insight into how cybersecurity measures should be deployed.

To see some Malaysian data regulatory articles, visit:
Deep Dive into Malaysia's Digital Economy with MDEC CEO Datuk Yasmin Mahmood - Part 1 and Part 2.
Securing the Internet of 'Nano-Things,' an exclusive with NanoMalaysia CEO Dr Rezal Khairi Ahmad
MDEC exclusive: Can Malaysia really become a Data Centre hub?
MDEC exclusive: Looking for the X factor behind Malaysia's Digital Hub strategy
Malaysian businesses must prepare for complaints as PDPA finally in force, says global law firm

The latest edition of this article lives at Computerworld Malaysia.
