Data Regulations For Business

Are You Experienced?

Alfonso Delgado
credify
7 min read · Nov 16, 2020


In this post, we explore recent trends in data regulation and discuss their implications for businesses at large, with a particular emphasis on the ASEAN region. In addition, we outline how businesses can utilise Credify’s suite of products to facilitate compliance with these regulations and — importantly — monetise their data in a lawful manner.

Sound too good to be true? Read on!

Data Protection Is Trending

The European Union’s General Data Protection Regulation (GDPR) came into force in 2018 and introduced a comprehensive, harmonised data protection regime. With limited exceptions, the regime applies to all data processing entities that deal with individuals in the EU, regardless of where they are based. As such, ASEAN businesses need to also familiarise themselves with the GDPR’s implications.

The GDPR contains a suite of rights designed to place consumers at the helm. As we have mentioned in previous articles, many businesses have sought to exploit users’ personal data by selling it off to third parties in an opaque manner. Social media platforms have engaged in particularly egregious instances of abuse, with the Cambridge Analytica scandal still looming large over our heads.

Amongst the GDPR’s most consequential rights are the following:

  • Lawfulness of processing (Article 6): the user needs to have consented to the types of processing that the business will undertake (including transfers of user data to third parties).
  • Right of access (Article 15): this requires businesses to provide users with a copy of the personal data that they hold upon request.
  • Right to erasure (Article 17): users can request that their personal data be completely erased from a business’s systems, unless this needs to be kept for regulatory purposes.
  • Right to data portability (Article 20): users have the right to request that their data be transferred from one service provider to another.

Key principles underpinning the GDPR

Note that the GDPR requires businesses to facilitate these actions, as opposed to being mere bystanders. The fines for businesses that process personal data and do not comply with the GDPR can reach €20 million or 4% of global turnover (whichever is greater!).

Although these fines may seem unnecessarily punitive, they reflect the seriousness with which regulators are taking data processing activities. After all, many people spend the bulk of their working hours in front of a laptop, generating a greater footprint in the digital economy than in the tangible world. Regulators view personal data as a valuable form of personal property, no different than our tangible possessions. Consequently, unauthorised activities by data processing businesses are regarded as forms of data abuse or identity theft.

Strengthening Local Regulations

The GDPR is not the first (nor the last) data protection regime that ASEAN businesses need to act upon. There are, of course, local regulations that also come into play when dealing with users in specific geographies. Nonetheless, the GDPR is influencing the development of these regimes, pushing regulators towards a more comprehensive and consumer-centric model.

Vietnam is the perfect example to highlight this trend. At present, the country’s data protection regime is highly fragmented. Data protection laws are spread across 50 legal instruments on diverse subject matters, which hinders consistency and interpretability (to the detriment of both businesses and consumers). [1]

To address this situation, Vietnam’s Ministry of Public Security has presented a draft decree that aims to lay down a unified and extensive set of data protection rules. Many provisions in the decree mirror those of the GDPR, such as the need to process data within the boundaries of users’ consent and to notify users of activities involving their personal data. [2]

Singapore is in the process of updating their data protection regime, while Indonesia is in the process of finalising comprehensive data protection legislation (scheduled for November 2020). [3] We expect other countries in the ASEAN region to revamp their local regulations too. So far, Japan is the only neighbouring nation to have been granted GDPR-adequacy status by the European Commission, confirming the compatibility of their respective data protection regimes. [4]

The World Federation of Advertisers maintains a helpful privacy map

The Comply Advantage

Now is the time for businesses to evaluate their data management processes and consider whether sufficient protections are being afforded to their customers. The failure to do so can leave businesses not only liable to regulatory sanctions, but also exposed to the potential loss of customers. As a result of this regulatory shift, consumers will increasingly demand that their data be handled in a lawful and transparent manner. On that basis, data management strategies should be at the forefront of businesses’ minds.

If you’ve come across our previous articles, you may already be aware of the work that we’re pursuing at Credify (see e.g. here for an outline of our products). We think that Credify can be the perfect partner for businesses looking to undertake this regulatory transition. Credify’s business model is grounded in the need to provide consumers with greater control over their data. As such, its products respect the principles enshrined in regulations like the GDPR, facilitating the data management process in a transparent and efficient manner.

In particular, Credify’s idX system enables businesses to associate personal data with individual user accounts. Through Credify’s idPass application, users can monitor the personal data that each business is holding and track how their data is being used in an auditable log. The application also allows users to check whether their personal data is up to date; everyone hates correspondence that is sent to an old email or residential address. Importantly, businesses can obtain users’ consent for specific activities (such as sending data to an affiliate or commercial partner) through the idX system — a notification will appear on the idPass application and will record the users’ consent (or refusal) to the transfer.

Credify’s solution is privacy-centric, since Credify’s ability to access users’ data is highly restricted. In fact, we are proud to be working with world-renowned cryptographers and technologists to provide users and businesses with strong security assurances. At present, Credify is using proven technical standards (such as OpenID Connect) and the latest auditing technologies (such as blockchain) to meet our privacy and security objectives.

Gaining An Edge

Although this wave of regulation may pose initial challenges, it will also open up new opportunities for forward-thinking players. Businesses can still adopt processes to monetise their user data and acquire data from other businesses, so long as users’ rights are fully respected.

As we hinted above, Credify’s tools can also be used to support a lawful monetisation strategy. Let’s imagine that a marketplace is willing to share a user’s data with an insurance company, which is looking to build a diverse profile about a potential client. The marketplace requests the specific user’s consent and, once accepted by said user through the idPass, Credify can open up a direct channel between the businesses to handle the transfer. In turn, the audit log will be updated to reflect this activity.

We previously introduced the concept of a data highway. To move data from one end-point to another, users are likely to ask for some sort of incentive (or “toll”). After all, their data is valuable and they are entitled to refuse the transfer if they so choose. Popular incentives can take the form of discounts or vouchers. In the example above, the insurance company may pass on savings attained in the due diligence process (as a result of the data transfer) in the form of lower premiums for participating users. We would also expect the insurance company to compensate the marketplace for each user that they are able to acquire. In short, every party is able to benefit from this transaction.

The digital economy is comprised of interconnected data highways

Summing up

We have provided a roadmap for the future of data regulations, with a focus on the ASEAN region. We encourage all businesses to start adapting to this regulatory shift, irrespective of how developed local data protection regimes currently are. This trend is set to strengthen in the coming years and there are significant risks to being caught off guard.

If you’re a business looking for a technological solution to these problems, as well as an avenue to monetise your data in a lawful manner, look no further. Credify has the tools that you need and is willing to work with you to facilitate your success.

Which side of the road are you on?

About Credify

Credify is a Singapore-based software development company building technologies and services that empower individuals to take ownership of their digital identities, give businesses more effective user acquisition tools and address the need for trust in systems where counterparties to transactions are either anonymous or lack sufficient information for establishing a true basis for confidence in commercial engagements.

For more information, visit their website: https://credify.one/ or follow the LinkedIn page.

About the Author

Alfonso Rius is a Senior Research Advisor at Credify and a PhD student at Imperial College London, where he conducts research at the intersection of law, economics and computer science. Alfonso has worked with start-ups, investment funds, and government entities on opportunities in the realm of emerging technologies. He obtained an MSc in Law and Finance from the University of Oxford and in a previous (less enjoyable) life worked as a business lawyer.

References

[1] https://www.dataguidance.com/notes/vietnam-data-protection-overview

[2] https://www.bakermckenzie.com/en/insight/publications/2020/04/draft-decree-on-personal-data-protection

[3] https://www.refinitiv.com/perspectives/big-data/navigating-gdpr-data-regulation-asia/

[4] https://www.regulationasia.com/data-privacy-in-asia-pacific-a-fragmented-landscape/

Usual (boring) disclaimer: this article is not intended to comprise legal advice and should not be relied on as such. Credify does not warrant that this article is an accurate or up-to-date representation of international or local data protection regimes.
