Desmond Chow, Director with P2D Solutions Pte Ltd. P2D is a specialist in Personal Data Protection compliance, and a Data Protection Consultancy and Advisory Service for businesses, joined Grab’s public policy podcast series, Grab Conversations on Air, for a mini four-part series on Data Protection.
Speaking with Shivi Anand, Grab’s Regional Public Policy Manager, they discuss small businesses’ perspectives on Data Protection.
Listen to the full Episode 4 podcast on Spotify
Transcript of podcast
Shivi Anand
Today we have with us Desmond Chow, Director with P2D Solutions Pte Ltd. P2D is a specialist in Personal Data Protection compliance, and a Data Protection Consultancy and Advisory Service for businesses. Since its formation in Nov 2014, P2D has been providing organisations with tools and training which are cost-effective and painless to implement with the goal of protecting their users’ personal data and to comply with the Personal Data Protection Act. P2D is also the first Data Protection and PDPA compliance consultancy and advisory service in Singapore to have obtained IMDA’s Data Protection Trustmark Certification. Welcome Desmond.
Desmond Chow
Hi Shivi, good afternoon. It’s great to be here.
Shivi Anand
Could you give us a quick background of your work in the data protection space and how it’s evolved from when you first started?
Desmond Chow
Sure, I have been doing data protection and privacy consultancy since 2014, when the company was first set up. Back then when it first started, there wasn’t a lot of awareness about what data protection, privacy, or the PDPA actually was. You try and speak to companies about the need to get compliant with this PDPA, they just tell you – hey, we’ve never heard of this Act before. Are you sure this is something we need to comply with? But generally, as time has progressed, attitudes have certainly changed as well. Certainly since 2014 when the PDPA was first rolled out until now, it’s been seven years already but even from the first two or three years after the PDPA first came out, consumers’ attitudes have started to change. Maybe because they’re more savvy, more technologically accepting. They accept technology more easily or they realise that it’s more easy and more efficient to get things done online. Then they also realise that going online is a better way to get things done. But on the flip side, because they’re more savvy they are also more aware of how companies collect and use and protect their personal data. The last thing that they want is for companies to abuse the trust that they (the consumers) give to the companies and do things with the data that they were not informed about, or in fact may be illegal, or run afoul of the PDPA. So certainly, awareness has improved. There is acceptance that we need to have a data protection management program in order to comply with the PDPA. A lot more organisations are accepting the fact that they have to put one in place right now. You’d be surprised but I think from what I’m seeing in our work, generally speaking, a lot of SMEs, a lot of companies out there are still not PDPA compliant. They may say yes, I have a data protection policy, but do they have a comprehensive overall data protection management program? I would say no.
Some people tend to think that if we just do a privacy policy, that addresses all the issues of PDPA compliance. The thing is then it doesn’t! And sometimes they need some convincing that more needs to be done basically. And why I can say this is because at P2D we have worked with all sizes of companies – organisations from start-ups to SMEs to multinational corporations including charities and various volunteer welfare organisations large and small. But all these companies come from across various different industries as well. So after a while we have the experience to understand the unique problems that are faced by this multitude of companies across different industries. So each industry does have peculiarities and unique challenges faced by that particular industry. It may be sector specific regulations that are in play; like for example, if you are in the financial services, you have to follow the MAS regulations; or if you are a healthcare service provider, you have to follow the Ministry of health guidelines; or if you are a hotel, you have to follow the Hotel and Accommodations Act of Singapore. So things like that. So each and every company is different and therefore, each and every company’s data protection data management or protection program has to be tailored for their industry as well as specifically for the organisation. Because even though you may be in the same industry, how you handle personal data in one organisation may be very, very different from how you handle personal data in a different organisation. So different processes, different organisations use different software, and have different ways of getting things done. So it’s really important to not just accept a cookie cutter kind of policy or solution and to really sit down and assess which is the best solution that works for your organisation. And again it’s always the “trying to force a square peg into a round hole” kind of analogy. So try not to do that because invariably you’ll most likely end up not being compliant with the PDPA in some way, shape or form. You have to always be able to step back, look at the big picture, assess the risk, and then remediate based on where your data protection risks are specific to your own organisation and company.
Shivi Anand
Yeah makes sense, and it’s interesting to hear that approaches have to differ across industries because each industry is governed by its own sector-specific regulation. But it’s also interesting to hear that P2D has clients that are across the spectrum from small and medium-sized enterprises or SMEs to larger companies like MNCs. So I think what would be interesting for our listeners to understand is how does the approach to advising on data protection compliance change or differ between SMEs and larger companies?
Desmond Chow
Okay, typically speaking for SMEs – I’m just going to be very frank or direct about it – the level of PDPA compliance in general is much lower. Some companies may not even have the basic PDPA compliance in place. So in those cases, what we typically do is we go in and in consultation with the stakeholders, we put in place and draft and build their data protection management program, including putting in place the right policies, processes to protect personal data as well as help them provide the required training to raise awareness amongst the SME’s employees and so forth. So it’s really starting them out from square one and then helping build a rudimentary, basic PDPA compliance program data protection program. And at least that way they can say “Yes, we have at least taken the necessary basic steps, the baby steps that are needed to achieve some form of PDPA compliance”. So they can at least protect whatever personal data they hold and build trust with their clients and customers so that their customers will continue to do business with them. Basically that’s what it comes down to.
For MNCs generally speaking, especially if it’s an overseas MNC, what we have realised is that they have a data protection or privacy framework in place in most places already. What needs to be done is taking those policies from the headquarters or whatever group-wide policies, and then making the necessary amendments or adjustments so that it complies with the PDPA. So it’s more or less helping to synchronise the various global policies together so that it complies with the PDPA. And then we see, basically then for MNCs it’s just providing the necessary training to see and explain to people how the PDPA does differ from what they are used to operating within their normal daily routine. So that’s usually the biggest contrast between an SME and a Multinational corporation. And obviously, the resource levels available to SMEs are going to be much lower than that of the MNC as well. Some of the MNCs, they would have a compliance officer, they have a compliance department, they may even have a data protection department, a privacy office located somewhere in the organisation. Whereas for SMEs, typically they have no idea who to designate as a data protection officer. We usually have to help suggest who is the right person for that role and even provide the necessary training to make the person familiar and accept the role that he’s going to be designated as data protection officer. So in most cases in Singapore, your DPO is double hatting or triple hatting as well. In MNCs you also see the double hatting, but on the rare occasion you actually do see a dedicated designated Data Protection Officer.
Shivi Anand
It’s understandable that small and medium-sized enterprises don’t have the resources sometimes to have a dedicated data protection department or framework. And as a small business yourself, who has clients across different countries, a specific aspect of data protection that we’re interested in understanding is the free flow of data across borders or the limitations to it which are put through data localisation requirements in certain regulations. So what sort of burden would data localisation requirements put on small and medium sized businesses? And we’re really interested in understanding the practical implications. Do they have an impact on accessing global data infrastructure solutions like storage, processing, or global markets or access to funding? What are your views?
Desmond Chow
Well, if you are talking about the Asia-Pacific region, a lot of APAC countries do not actually have data localisation. I mean several of them do – China, the new Indonesian law may have some up and coming, some of the ASEAN countries may have some data localisation laws in place. But by and large, most of Asia Pacific’s data protection and regulations don’t have the data localisation requirement. So it really depends which country you do business with. And of course on the nature of the data transfers. Some people may transfer business information but may not be personal data. So if it is not personal data then it should not be a problem. If it is personal data, then obviously the organisation needs to be familiar with that particular market’s data protection regulations and work with whatever regulations they have on the ground to make things work. So if you’re operating in a territory that says “yes, there is data localisation” then you know you very well have to comply. I don’t think you can say “no I don’t want to comply” and still operate in that jurisdiction.
But by and large, I think, the free role of data flow across borders is a good thing because it allows for greater access to global markets. Thereby, you know when it’s all said and done there will be improved revenue streams, there will be overall increased access to affordable technologies like AI, cloud based services. And then you may see a lowering of certain business costs as well, so it’s still a move in the right direction simply because it’s almost universally accepted nowadays that the general trend is that data is increasingly viewed as the new fuel for the modern digital economy. I’m hoping it’s not the first time you heard me say this phrase. I think other people have probably parroted or echoed this many times over, global traffic from data centres. It’s increasing. It has increased since five years ago, the pace of change is definitely not slowing down by any means and this is simply because data is so important, even more important nowadays. Especially during the last two or three years of the global pandemic with everything increasingly going online, and everything else, more and more data is being collected and more and more data is being shared. Simply because of the pandemic, you can’t see or you can’t meet people face to face to do business anymore. So what’s the only other way? It’s to do it online. Companies invariably collect more personal data and then once you collect it, how do you keep it safe? Who should you be sharing it with to grow your businesses so on and so forth? So all this requires certain analysis to generate knowledge. And after that, the knowledge is then used in various ways, and if it’s used correctly, I would say the knowledge is transformed into business wisdom. And basically, it empowers your organisation to grow even larger and expand your business beyond your current borders so to speak.
So overall, even with the data localisation, there may be certain hurdles in how you store personal data and how you collect it for certain jurisdictions. But by and large, cross border data flows generally remove barriers for businesses rather than put barriers in place, and create more opportunities. So again, there are multiple benefits through cross-border data flows and once these companies have access to these new technologies, for example, they can
- Better serve customers,
- Reach customers in new territories and markets,
- Reduce costs,
- Improve productivity and scale,
- Enable additional digital collaborations around the world; it makes the world a smaller place,
- Improve the customer’s experience; you can then respond to a customer quicker and better
And basically cross-border data flows will catalyse significant economic growth, not just for the organisation, but if multiple or a significant portion of the organisations in a single country or jurisdiction are able to tap on cross-border data flows, you will probably see significant economic growth in that region or in that country if it is done properly. Obviously, a country’s governments policies and direction are also very important for all these to take place. But by and large it is a beneficial thing to have happening right now.
Shivi Anand
That was very helpful to understand what the value of cross-border data flows is and how it benefits consumers, businesses, and governments as well. Switching gears to talk about the regulatory aspect of data protection. Could you talk about the standard data privacy practices that fulfil regulatory requirements? Data protection in Southeast Asia is fast becoming relevant and top of mind for users as well as product/service providers. Regulators in the region have taken note and formal data protection regulations are already in place in Singapore, Malaysia, Philippines, Thailand, and now Indonesia, while Vietnam is at an advanced stage of discussions on their PDP Bill. And how do they take into account the privacy needs and preferences of end users?
Desmond Chow
Okay so as a result of the great digitalisation, data flows are growing in a sense that they are richer than ever before and in that sense more data, in amount and types, is being collected and transferred. Now while this is a good thing, there are obviously bad actors out there as well whose purposes for the collection and use of data are not very clear. And this is what should be guarded against because you want to try and build trust with your customers. And organisations should try and protect the personal data that they have collected and used.
With respect to cross-border data flows, there are two ways of managing or monitoring these data flows. Two broad types of data policies have emerged so far especially in the Asia-Pacific, ASEAN region. One category conditions the movement of data across borders. They put in place requirements that both the sender and and the recipient have to meet before the data can be transferred. You want to have in place agreed-upon mechanisms for data transfers. And of course, like you mentioned, the second group is those that mandate that certain types of data have to be stored locally, which is data localisation. So each approach addresses different and sometimes overlapping issues. But the manner in which different countries approach their data related policies will naturally reflect the underlying preferences and the tradeoffs, including the preferences of its citizens. Although we are in ASEAN, because there are so many different countries and cultures in ASEAN, invariably each country’s views of data protection will vary. And the idea is then to find a common ground on which we can build upon and agree, and then still manage to share and flow data across borders.
So to operationalise data transfers across international borders in a trustworthy and secure manner, there are two most common methods in Singapore. So I will be speaking mainly from a Singapore PDPA angle. The first way to do it is the APEC CBPR and PRP certifications. The APEC CBPR system was developed by APEC economies and this is to build consumer, business, and regulator trust in cross-border data flows of personal data. So this APEC CBPR requires participating organisations and companies to implement data privacy policies consistent with the privacy framework which was developed a couple of years ago. And this is to help bridge the different data privacy laws within the APAC region, therefore reducing barriers to the flow of information for global trade. The APEC CBPR framework is based on nine basic privacy principles which are (i) accountability, (ii) prevention of harm, (iii) notification, (iv) choice, (v) limitation of collection, (vi) use of personal information, (vii) integrity of personal information, (viii) security safeguards, and (ix) access and correction. So in essence, this framework has been endorsed by all twenty-one APEC economies, and this is in order to promote comfortable and responsible transfers of personal data between the APEC economies. Once you have this certification, you can then basically transfer personal data to the other participating economies in APAC.
The second common method from a Singapore perspective is the ASEAN Model Contractual Clauses or the MCCs as I refer to them. These are voluntary contractual terms setting out baseline responsibilities requiring personal data protection measures and related obligations on both parties involved in the transfer, usually that protect the personal data of data subjects. The MCCs’ terms are based on the principles of the ASEAN Framework on Personal Data Protection published in 2016. From a Singapore PDPA perspective, ASEAN MCCs can be used to fulfil the transfer limitation obligation under the PDPA for countries with data protection regimes based on the framework or the OECD Privacy guidelines. What’s good about MCCs is that businesses can adapt these clauses with the appropriate modifications at their discretion for transfers within Singapore or countries outside of ASEAN as well. These are two of the most common transfer mechanisms. The benefits of both systems is the set of enforceable standards and accountability.
In data protection and privacy, you can’t know anything about data protection without hearing the word accountability. So it’s very important for a company to demonstrate that they are able to protect personal data, and in some cases they may have to demonstrate that to a third party assessor or assessment body – that they have the proper policies, proper processes, and proper practices in place. These are risk-based protections. They have to implement security safeguards. It’s consumer friendly complaint handling, the right to access, the right to correct, the right to withdraw consent. Both of these mechanisms do have that in place. It allows consumers control over their personal data, which is increasingly important to the general public. It empowers consumers and builds consistent protections for all participants and parties involved. So there are definitely a lot more benefits of having these types of standardised data transfer programs in place. If not, organisations have to spend a lot more time and resources on trying to meet the data transfer requirements on a country by country basis. And certainly that’s not the most efficient thing to do, cost-wise or time-wise, because every country’s data protection recommendations are going to be different. As long as you transfer personal data, you are going to have to encounter that problem.
If you have to do so much compliance, if you are an MNC, that’s fine as you may have the resources to do it. But if you are a family business, an SME, certainly it’s not easy. Even if you have a DPO designated already, in 80-90% of these places the DPO is not equipped or knowledgeable enough to understand how to synchronise the data protection requirements or regulation or policies for like three or four different countries. If your Data Protection Officer can handle Singapore’s PDPA, in most cases that’s what most SMEs are aiming for.
Shivi Anand
To round off this conversation, my final question to you is – In addition to harmonisation of laws across the region, what are your thoughts on the steps that governments/regulators can take to support the growth of industry in the region while also ensuring the safety and security of personal data?
Desmond Chow
As far as I’m concerned, trade in digital goods and services is definitely going to increase within the ASEAN region. There’ll be an increase in the sharing of data between borders, between countries, between different legal regimes. And I think frameworks such as the APEC CBPR are a good step that various governments have taken to facilitate the free movement and use of personal data safely and securely. These frameworks, rather than working as a treaty, provide a set of common standards to raise privacy protections to a good baseline for companies’ privacy practices. As for governments moving forward in terms of policy making, they need to strike a balance in developing privacy rules and regulations in the ecosystems; balance between enabling both the private sector-led innovation and growth to reduce the digital divide but at the same time developing and harmonising regulatory practices through an exchange of expertise and best practices. So it’s a very, very thin line. If you are too onerous, it’s going to affect the way you do business. The cost for compliance is definitely going to increase and it makes doing business across different countries a lot more difficult and a lot more costly. So they have to balance between the two; to allow innovation and growth as well as keeping a certain standard of protecting consumers or protecting personal data in general once it is being transferred.
So like I said, I think the CBPR framework is in the right direction. It generally tries to meet these requirements and I think at least it shows a willingness from all parties involved to try and get something done because they recognize that this is like the tide – it’s definitely coming and there’s no stopping it, you might as well get ready for it and try and be in a position to capitalise on it as and when it comes about. If regulations are done right they unlock astronomical growth potential in the digital economy. To materialise the potential however, would then rest on the governments and regulators on how they mould the regional ecosystems and the necessary regulations they pass in respect to all these privacy and data protection and data transfers. Basically I give you an example – if every country in the Asia Pacific region says, “yes we will have data localisation laws” then it makes it a lot more costly to do business in every single country because you have to have resources to store data in every single country. You can’t have centralised systems anymore and that obviously adds on the cost of doing business.
What I’m also quite happy about is the regulators of governments in certain countries, especially Singapore, keep updating these data protection regulations to take into account new technologies, new innovations, and the changing economic socio-economic environment of the country right. And this is something that needs to be done on a regular basis. So there’s no point having a law in place where it’s out of date and cannot keep up with the current technology. I mean case in point, that’s why the PDPA Amendment Act was announced and passed in Parliament back in November 2020. It was to take into consideration that the world has changed. Therefore if regulation wants to remain effective, it has to change with the times.
Shivi Anand
Right, regulation has to be an iterative and evolving process. My key takeaways are – there needs to be a balance between supporting innovation and regulating industry, and harmonisation in laws across the region.
That was great! It really helped me understand some of the nuances that small and medium-sized businesses have to consider while deploying data privacy and security practices. Thanks so much for bringing your expertise on this topic and taking the time to chat with us.
Desmond Chow
Thanks for having me, Shivi. Good to have this opportunity to share.