Data Privacy: A hotspot for legal and compliance professionals.
over 2 years ago by Linus Choo
By: Linus Choo, Legal, Risk & Compliance
Our digital age has led to an explosion of data exchanged and collected across countless business sectors. The staggering demand for data privacy and security expertise shows no signs of slowing, as organisations recognise the business-critical role of privacy specialists in our ever-evolving operating and regulatory landscape.
In tight talent markets like Singapore and Hong Kong, where demand for such specialists shows no sign of slowing, data privacy has become a hotspot for legal and compliance professionals to specialise in.
Here, Ethos BeathChapman’s Legal, Risk & Compliance executive recruitment practice reflects on challenges faced by organisations and offers actionable advice to practitioners considering a transition into the data privacy domain.
The exponential growth of data revealed risks and vulnerabilities that organisations had been unprepared for. In 2020’s highest-profile data breach, a coordinated hack by young bitcoin scammers into the Twitter accounts of influential individuals, including Joe Biden, Barack Obama, Elon Musk, Jeff Bezos and Bill Gates, put the social media giant’s security under global scrutiny.
Singapore’s healthcare system also fell prey in 2018 to what was described as the “most serious breach of personal data” in the country’s history. Nearly 1.5 million patients’ personal information, including records of Prime Minister Lee Hsien Loong, had been stolen from the database of Singapore’s largest cluster of healthcare institutions, prompting a combined fine of SGD 1 million (over USD 730,000) imposed on SingHealth and its IT management vendor for their data security failure.
Experts have identified phishing attacks, the need for increased employee vigilance and organisational culture as some key factors contributing to organisations’ data governance failures.
The challenge at hand for organisations is not only around tightening cybersecurity practices to better encrypt and protect consumer data from unauthorised access, but also around internal organisational education. Employees need to understand what data privacy laws mean to each organisation and how they impact day-to-day operations, and organisations need sound frameworks in place to ensure employee vigilance and compliance.
Rapid growth of technology and ecommerce
Even before the Covid-19 catalyst, facial recognition, 5G and edge computing had been at the forefront of growth, not to mention the evolution of the internet of things (IoT) and the pressure for organisations to offer more mature ecommerce offerings.
That said, the pandemic is without a doubt the game-changer that forced millions of organisations to turn to technology for survival. According to Baillie Gifford, one of Tesla’s largest shareholders, the Covid crisis accelerated technology adoption originally predicted to take place over a decade. Along with technology adoption, organisations had to redefine their data privacy frameworks while others had to start from scratch for the sake of business agility.
Post-pandemic, technology will not slow down. The pressing need to stay ahead of cutting-edge technology means that organisations will also have to contend with new data privacy concerns and issues that come with it.
Consumers have become increasingly concerned and discerning about how their personal data is used, demanding full accountability and transparency from organisations collecting their data.
In a 2019 consumer study by IBM and the Harris Poll, 83% of those surveyed will not do business with a company that shares their data without their permission. In the same survey, 53% of participants ranked how well a company protects consumer data from a cyber-attack as more important than the quality of its goods and services.
Consumer trust is clearly a priority for organisations. According to a separate 2019 C-suite study by IBM’s Institute for Business Value (IBV) and Oxford Economics, 82% of business leaders surveyed “strongly believe data helps create a strategic advantage in strengthening their level of customer trust as well as their bottom lines.”
With consumers being more aware of these issues, they will be more intuitive in spending. Organisations can no longer ignore these trends and issues. Ready or not, this is our reality.
It is not just organisations; regulators are also trying to catch up with technology. As the global regulatory landscape evolves to mirror our digital globalisation, new privacy legislation and reforms continue to put increased pressure on how businesses operate and communicate.
Closer to home, Hong Kong’s proposed privacy reforms include granting Hong Kong’s Office of the Privacy Commissioner for Personal Data (PCPD) the sanctioning powers to impose administrative fines linked to the annual turnover of data users. This is similar to the European Union’s General Data Protection Regulation or GDPR, where regulators are able to impose up to €20 million or 4% of the data user’s global annual turnover in the preceding year.
Singapore’s Personal Data Protection Act (PDPA) has also undergone updates since it came into effect in 2012, with 2020’s proposed amendments pushing for greater organisational accountability, consumer autonomy and increased financial penalties on organisations that breach the PDPA.
Many of these amendments in Singapore and Hong Kong are motivated by the EU’s GDPR. The GDPR served as the global standard in privacy protection law for other nations to replicate and integrate in their respective territories. Singapore and Hong Kong are not alone in this move. Brazil, Thailand, India, Australia and South Korea are also joining the global movement for stricter and stronger data privacy laws.
In response to these complex risks and challenges, organisations recognise the need to hire the right data privacy experts to keep them ahead of the evolving operating landscape. In a LinkedIn analysis done for Axios, job postings for the titles “chief privacy officer,” “privacy officer” or “data protection officer” increased 77% from 2016 to 2019.
Additionally, we can expect to see law schools introducing privacy law modules as part of their curriculum to address this pressing global need. A group of legal practitioners and privacy law academics have in fact kickstarted a recent petition through this open letter sent to deans of all law schools in the US, citing the importance of educating students in this growing field.
Until then, this growing area is a prime opportunity for legal and compliance practitioners to pivot and advance their careers. Practitioners seeking to transition into data privacy should first get certified with the relevant International Association of Privacy Professionals (IAPP) certifications below, stay updated on the latest technology news and regulations, then start to apply the expertise within their organisations.
This is most relevant for legal and compliance professionals, as well as data governance, information management and HR professionals. The CIPP educates professionals on privacy and data protection laws and requirements within their respective jurisdictions and their application.
IAPP’s advanced programme for privacy professionals who have at least three years of work experience in data privacy and already possess the CIPP certification, in addition to the Certified Information Privacy Manager (CIPM) or Certified Information Privacy Technology (CIPT) certification.
The IAPP reflected on the massive growth of the data privacy industry worldwide. The international association sees it both as a challenge and as an opportunity for privacy professionals. “The complex requirements these laws place on privacy pros call for scalable, efficient technology and operational know-how. And clearly the market is responding,” said IAPP’s CEO and President J. Trevor Hughes. “The privacy profession is only growing more complex, and with that, ever more essential to the modern economy.”
Axios’ view on the global shortage of privacy experts succinctly sums up this article: “The privacy field is still in its early days, and laws and best practices are changing at warp speed. It's more important than ever for companies to have privacy experts… but it's hard to find people with the expertise to do it.”
In evaluating your organisation’s readiness, every business leader needs to ask the question of how well placed their organisation is to address today’s data privacy landscape. If the answer is “not well enough”, what will you do about it?
Organisations needing to hire, attract and retain data privacy specialists can approach Ethos BeathChapman for additional insights on the data privacy talent market in APAC.
Besides leading Ethos BeathChapman’s Legal, Risk & Compliance practice in Singapore, Linus Choo personally conducts retained legal search assignments up to the C-level and appoints senior in-house legal and compliance practitioners into Fortune 500 companies within the Asia Pacific region.