IT is widely understood that businesses around the world have been collecting massive amounts of consumer data to facilitate personalized user experiences in the digital sphere. This has raised questions about data privacy and prompted the crafting of appropriate laws and policies to protect consumer rights and individual privacy as well.

In a Q and A session with The Manila Times, Arun Kumar, regional director for Southeast Asia, ManageEngine, provided an overview of the general privacy laws and policies, the approaches being adopted, and the areas to focus on to ensure the privacy of sensitive information in an increasingly online world. Excerpts from the conversation: The Manila Times (TMT): Please describe the current data privacy landscape? Its challenges and trends?

Arun Kumar (Kumar): The privacy environment has undergone a significant transformation worldwide, the watershed moment being the adoption of the General Data Protection Regulation GDPR by the European Union. Data is a valued resource for making crucial business decisions and data privacy laws give customers more control over their data, requiring organizations to get customer consent before using their personal information and providing transparency on how data will be processed. It’s vital for organizations to comply with these legal requirements.

However, the data protection laws which are territorial in nature face unique challenges when data moves across boundaries. This has resulted in governments coming up with enhancements related to the transfer of data to the existing data protection laws. Data protection laws will continue to be adopted by more countries and will evolve to better protect individuals’ rights.

TMT: What are the data management/privacy challenges that companies need to focus on?

Kumar: The competing standards for data protection across different regions create challenges in navigating the complex regulatory space. For instance, Popia, the South African data protection act, classifies information about a company or facility as personal data. This criterion is specific to South Africa, meaning organizations should be aware of variations like these and accommodate them in their policies and procedures.

Corporations also need to be vigilant and conscious about transferring data. It’s possible that some of the former processes through which these transfers occurred are obsolete. Businesses must restructure their work procedures and examine how sub-processors handle data in order to shield data against potential threats and comply with regulatory requirements.

Businesses should also adopt a privacy-by-design strategy, particularly if they are using advanced and privacy-invading technology like artificial intelligence and predictive analysis. Thailand’s Personal Data Protection Act went into effect in June 2021, and Indonesia adopted a new personal data protection law in October 2022.

TMT: Are there specific approaches that ensure the privacy of sensitive information?

Kumar: An organization can handle sensitive information as a processor or as a controller. If the organization is the processor, it is the responsibility of the service provider to enable the controllers to protect sensitive information using advanced encryption and privacy-enhancing techniques. The services offered must have provisions for strict access controls.

On the other hand, the controller should adopt data minimization. Sensitive data must not be collected unless it is crucial. Once captured, sensitive data has to be put under the strictest possible access controls so that only a limited number of people have access to it. It is worthwhile to have a comprehensive audit trail of how sensitive information is processed and the duration it is stored.

TMT: How does ManageEngine address the regulatory/ policy aspect of data privacy protection?

Kumar: We consider privacy a core part of our business. Since its inception, Zoho has taken a stance that data privacy will be its main governance ethic. Blocking adjunct surveillance in 2020, Zoho took a strong stance to protect user privacy.

For one, Zoho does not use third-party trackers and cookies. While this may lead to less visibility into the customer pipeline, Zoho considers such tracking an invasion of user privacy.

To comply with data protection regulations across various geographies, we decided to have a common baseline structured around an established standard. We were an early adopter of the ISO 27701 privacy information management standard.

Employees play an important part in ensuring the data protection commitment with customers. To promote awareness and foster innovation in security and privacy, we hold internal events like cybersecurity month along with mandatory privacy and security training for all employees.