Enterprise Customer data regulations in Southeast Asia
Today, data transfers are occurring in every industry imaginable at breakneck speed. From food delivery, apparel, media, and even education, it’s obvious that data is the new oil. This, of course, has been fueled by the rapid uptake in internet users across Southeast Asia, which, according to The Straits Times, has skyrocketed from 260 million in 2015 to 400 million in 2020. With the world now on the brink of the 4th revolution, there’s no doubt that this growth trajectory will continue to soar. This is why it’s important to remember that with great power comes great responsibility.
As data is being generated at faster and faster speeds, the inconvenient truth is that cyber security risks have grown astronomically. According to the Allianz Risk Barometer 2020 cyber incidents—including data breaches—now rank as the most serious business risk globally. Compare this to their 2013 report, which showed that the same threat held a distant 15th position only a few years ago. The cost of a data breach is also jaw dropping. According to IBM Security’s 2020 Cost of a Data Breach Report, the average cost of a security breach in Southeast Asia in 2020 was $2.71 million USD each.
This means that it’s critical that companies are aware of the evolving regulatory landscape for management and storage of customer data. Governments across Southeast Asia have been drafting revised standards and regulations for companies to abide by, and they now impose hefty penalties for non-compliance. In fact, just last year in 2020, Singapore announced heavier penalties for companies found to be complicit in data breaches. The landscape is also evolving quickly, and there are many more acts and decrees across the region that are expected to take effect in the years ahead. Companies operating in Southeast Asia therefore need to ensure that they have adequate data protection measures in place before the timer runs out.
Here’s a summary of the state of play on data privacy regulations across the region.
Data regulations in Singapore
Data protection in Singapore is governed by the Personal Data Protection Act (PDPA). Released in November 2020, companies who are found responsible for data breaches under this act are liable to a fine of 10% of their annual turnover or $1 million SGD (whichever is higher). This is a marked increase from the previous maximum penalty, which was capped at $1 million SGD. These higher penalties were instated in exchange for greater flexibility that allowed companies to collect, use, and disclose personal data without the consent of individuals, as long as there are “legitimate interests” involved, such as utilising data to help with criminal investigations.
Under the PDPA, the Do Not Call (DNC) scheme also requires organisations to provide customers with information on how to opt out of unwanted telemarketing messages through the same medium. A 21-day grace period is given for companies to cease all telecommunications. Additionally, individuals may register themselves under the DNC registry to opt out of telemarketing messages altogether.
For the latest Data Privacy regulations in Singapore, please visit the official PDPA website.
Data regulations in Indonesia
Due to a lack of overarching legislative laws governing its cyber security environment, Indonesia has been vulnerable to cyber attacks. In 2020 alone, BBSN reported that Indonesia recorded over 423 million cyber attacks. One of the worst hit websites was well-known e-commerce platform, Tokopedia, from which the emails and passwords of 91 million accounts were stolen.
In the aftermath, Indonesian officials have taken steps to unify data protection legislation previously scattered across different sectors. The newly drafted Personal Data Protection (PDP) bill will take precedence over the previous main source of reference, the law on Electronic Information and Transactions (EIT). Under the PDP, businesses will be required to obtain expressed consent from customers before being allowed to legally handle their personal data. Data processors are also legally obliged to follow specified procedures when handling personal data, which can range from a person’s age and gender to their financial data and even political views.
For the latest Data Privacy regulations in Indonesia, please visit the official data protection in Indonesia overview.
Data regulations in Thailand
Introduced in May 2019, the provisions of the Thai PDPA were originally expected to take effect from 1 June 2021. However, the Thai Cabinet recently announced a new temporary effective date of June 1, 2022 in order to accommodate delays that resulted from the COVID-19 pandemic.
While the additional grace period was given to provide businesses more time to implement the necessary data protection infrastructure, companies are nevertheless expected to abide by minimum security standards from now until the law fully kicks in. This includes the responsibility to inform staff and stakeholders about personal data protection standards, as well as install minimum levels of safeguards.
Businesses are encouraged and expected to monitor updates to the Thai PDPA closely to be informed of potential changes. Companies caught violating the PDPA will be liable to a fine of approximately 1.6 million USD on top of being punished with the relevant criminal charges.
For the latest Data Privacy regulations in Thailand, please visit the official data protection in Thailand overview.
Data regulations in the Philippines
Announced in 2016, the Implementing Rules and Regulations of the Data Privacy Act (IRR) requires data processing systems to be registered when companies employ 250 or more individuals or process sensitive personal information of at least 1,000 individuals. The act defines “personal information” as information that can be used to reasonably identify an individual if pieced together with other bits of information.
Fines for violation of the IRR range from 0.5% to 5% of the gross annual income of the personal information controller or processor handling the personal data. The severity of the fines will rest on several factors, including the number of subjects affected, whether or not affected subjects were notified of data breaches, and the intent, character, and severity of the offense.
For the latest Data Privacy regulations in the Philippines, please visit the official Data Privacy Act FAQs.
Data regulations in Vietnam
In December 2019, Vietnam released an outline of the Draft Decree on Personal Data Protection (commonly known as the "Draft Decree"). The Draft Decree was meant to unify laws under the civil code, the law on cyber-information security and the law on telecommunications. Another version was released in February 2021 for public consultation.
Notably, the Draft Decree protects Vietnamese citizens regardless of their geographical location. Companies processing the personal data of Vietnamese residents have to be mindful of the laws within the Vietnamese Draft Decree as well. Offending companies are liable to penalties of $4,344 USD for their first violation and 5% of their total revenue for repeated data violations, on top of additional sanctions, such as the suspension of data systems for three months and the revocation of grants to transfer personal data across borders. The Draft Decree is currently expected to take effect on 1 December 2021.
For the latest Data Privacy regulations in Vietnam, please visit the official data protection in Vietnam overview.
Data privacy solutions from 8x8
While it’s obvious that neglecting your customers' privacy is far too risky in today’s digital world, it is no easy feat to keep up with the constant changes to data protection regulations and cross-border communications. The waters are further muddied, as it’s more common now for employees to work from countries outside of their company’s registered home address. But the fact remains: no matter the size of your company, a privacy breach destroys all trust.
8x8 recommends protecting your customers' privacy using call masking. This solution uses a Voice API to automatically anonymize phone calls, which prevents misuse of your customers' personal details and also gives you the opportunity to use local numbers to connect with your customers.
Call masking is becoming a popular solution across many industries, as it helps to reduce the risk of seeing an angry mob of customers voicing their displeasure with a company online—something we all know stands to cause irreparable damage to one's brand image, revenue, and growth.
Learn more about our call masking solution or contact us at: hello-cpaas@8x8.com.