SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
Survival kit for complying with GDPR and other regulations in APAC
Fri, 3rd Nov 2017
FYI, this story is more than a year old

A recent article published by The Guardian brought the issue of selling and buying anonymized data to the fore. A team comprised of a journalist and a data scientist acquired supposedly anonymous personal user data and discovered that, by using simple sleuthing and reverse engineering methods, they could successfully de-anonymize these data, and in some cases, even piece together comprehensive profiles of the actual users.

While as alarming as it sounds, selling and buying anonymized data are legal in many countries. Anonymizing sensitive information used to be the best defense for companies brokering their customer data. However, this will change very soon, as the General Data Protection Regulation, or GDPR, comes into effect in May next year.

The GDPR arrives at the juncture where old data protection rules no longer yield relevance, and cyberattacks are happening at an increasing pace. The regulation is devised to correspond to users' evolving internet needs, including the exploding use of social media and big data. GDPR also aims to unify the disparate regulations followed and enforced in different countries across the European Union (EU).

Asian countries are grappling with multiple regulations

However, the impact of GDPR will be far-reaching beyond the EU - it also applies to all companies and users conducting business or interacting with any EU members. This could potentially mean that a huge number of Asian companies now need to understand the nuts and bolts of the GDPR and quickly figure out a path to compliance. Noncompliance, on the other hand, will incur a hefty price - $21 million or 4% of the company's annual turnover, whichever is higher.

Adding to the changing landscape are the new data protection laws imposed by many Asian governments. For instance, Hong Kong is one of Asia's earliest adopters of comprehensive data privacy regulation. Instated in 1996, the Personal Data Privacy Ordinance (PDPO) outlined policies for businesses collecting, using, and disseminating personal data.

Similarly, the Philippines government passed the Data Privacy Act in 2012, and the final implementation came into force in late 2016. In China, the new Cybersecurity Law became enforceable on June 1 this year. In Singapore, the Personal Data Protection Act was introduced a few years ago, and new regulations are slated to be announced.

Other bills in the region include the Notifiable Data Breaches Bill in Australia, Act on the Protection of Personal Information (APPI) in Japan, and the Information Technology Act in India.

Needless to say, the landscape is now compounded. Not only do Asian businesses have to abide by country-specific rules and regulations, if they're dealing with the EU, they need to comply with GDPR too. Before the deadline hits, many companies are scrambling to enhance their data protection posture.

Here are three main steps businesses can take towards being fully compliant with these regulations.

Working on encryption

Gemalto has been building a data breach index since 2013. Our numbers show that since then, more than nine billion data records had been stolen or lost due to data breaches, translating to five million records compromised per day globally. Out of all these, only 4% are secure breaches, where encryption was used and the stolen data was rendered useless to the hackers.

Today, businesses are confronting the omnipresent threat of a deadly data breach – even big companies with sufficient security protection had fallen victim to malicious malware and deliberate attacks. In a time like this, we cannot emphasize enough the importance of encryption, which jumbles up users' personal information, therefore making them unreadable to hackers. Even when they are stolen, these data could not be monetized or sold on the underground market.

Ultimately, business must understand the type of data they are producing and which of the data is most valuable or sensitive for encryption to work effectively. Implementing encryption should be seen as a standard procedure and processes should also be implemented to enable fundamental control cover to who can access the data.

Secure encryption key management

On that note, businesses should also augment their security framework with an encryption key management strategy that grants them better accountability and assurance. As encryption keys are crucial to accessing large amounts of data, they are best stored in specially designed hardware that is disconnected from the network. Without effective key management, it is akin to fitting your house with the best security, only to leave the key under the doormat for the burglar to find.

Access management through strong authentication

Encryption itself is very effective, but the encryption keys need to be further safeguarded to prevent unauthorized individuals from cracking them. To do so, businesses should also focus on who is authorized to access valuable and sensitive data.

The best approach is to use two-factor authentication, which requires the employees to have something like a phone or access to an email address and to know a code or password that is constantly changing, rather than just a code or password that can be guessed. These types of security are readily available, but need to be more widely adopted by businesses.