With data, comes value – and risk

Data privacy regulations are undergoing rapid and stringent changes globally, and it’s no different in Asia-Pacific.

  • In Australia, following a series of high-profile breaches that affected millions of citizens, the authorities reviewed the country’s Privacy Act of 1988 and increased the maximum penalties for data breaches from AU$2 million to AU$50 million.
  • In Singapore, financial penalties outlined in the Personal Data Protection Act (PDPA) were also increased. The Personal Data Protection Commission (PDPC) is now authorised to levy fines up to SG$1 million, or 10% of an organisation’s annual turnover in Singapore, whichever is higher, for PDPA violations.
  • In April 2022, Japan amended its Personal Information Protection Act (PIPA), extending its reach to companies beyond its borders. Businesses offering goods or services to Japanese consumers and enterprises must now adhere to PIPA regulations. This includes investigations and orders by the Personal Information Protection Commission (PIPC). The expansion also introduced heightened penalties and new compliance mandates, covering breach notifications, cross-border data transfers, and the use of cookies.
  • India’s Digital Personal Data Protection Act recently received the president’s assent. This gives individuals the legal power to withhold or grant consent for the use of their personal data. Violations will fall under the scrutiny of the Data Protection Board, empowered to impose penalties ranging from 10,000 INR to 25 million INR. These are to be remitted to the Consolidated Fund of India, an official government account.

Regulatory shifts across APAC

With the regulatory landscape intensifying, enterprises face increasing pressure from both regulators and stakeholders to protect their information assets.

Companies that start inventorying and monitoring their data footprint now, and actively redact or remove unnecessary data from their environments, will have a clear advantage when all changes are finalised.

Previous research from Imperva found that the predominant data type targeted by cybercriminals is personally identifiable information (PII), comprising 42.7% of data taken. In the context of data breaches, leaked information often dates back decades and lacks any valid reason for organisational retention. As data privacy regulations tighten and data storage costs rise, reducing the data footprint has become a priority for many organisations. Proactively identifying and eliminating unnecessary data not only minimises organisational exposure to breaches but also reduces costs and financial penalties while strengthening data security.

Navigating this path to streamlined data, however, presents a challenge for many. The expansive data landscape in modern enterprise environments makes it difficult to determine where to start and what to prioritise. Often, valuable data originates from an organisation’s customers and begins its journey as structured data within a database. It is at this early stage in the data lifecycle that organisations must intensify their efforts to secure and monitor data. However, attention often shifts only after data moves from controlled realms to unstructured formats, rapidly permeating the enterprise.

A significant challenge organisations face in their privacy initiatives is safeguarding unstructured data—emails, messages, and conversation transcripts. A recent Gartner survey titled “Consult the Board: Unstructured Data Management” found that half of the respondents witnessed a 25% increase in the volume of unstructured data between January 2022 and January 2023.

There’s a shift in focus towards unstructured data, as businesses often have little insight into the risk exposure this type of data presents. If an organisation can’t manage this data type today, the problem will grow exponentially. By connecting unstructured data sources, businesses can compile a credible inventory and discover hidden data that could put their organisation at risk.

Managing data security in a complex landscape

Here are some specific steps organisations can take to establish a more comprehensive and effective data-centric security ecosystem.

  • Data discovery and classification: Many organisations are embarking on large-scale data classification projects to ensure valuable information stored in shadow databases is properly managed. By categorising data based on its sensitivity, business criticality, and relevance, initiatives can be launched to identify and tag data for deletion or offloading. This has the net effect of reducing the overall data risk footprint and lowering the costs associated with data storage and retention of data that no longer serves a purpose.
  • Data masking: In pursuit of efficiency and innovation, development teams testing applications often inadvertently spread sensitive production data to non-production and staging environments. This significantly increases the risk of non-compliance with data privacy regulations and data breaches. Organisations can mitigate these risks by replacing production data sets with masked and tokenised sensitive data that retains the original semantics. This is equally useful for development teams in non-production environments. The process involves creating a realistic but anonymised version of organisational data to protect sensitive information while providing a functional alternative when real data is not required.
  • Unified data environment: A centralised data protection environment streamlines data management processes, enhances security and privacy measures, and ensures consistent policy application to data, regardless of its type (structured or unstructured) or location (on-premises or cloud). This leads to improved efficiency and a reduced total cost of ownership.
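The data masking step above, as an added Python example (not code from the original article or from any product it mentions): structured PII fields and email addresses found in a free-text notes field are replaced with keyed, deterministic tokens that keep the original format. The key name, the field names, the `masked.example` domain and the sample rows are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumption: in practice this key lives in a secrets manager and never
# reaches the non-production environment; this value is a placeholder.
MASKING_KEY = b"example-only-masking-key"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _digest(value: str, purpose: str) -> bytes:
    """Keyed, deterministic digest: same input always yields the same token."""
    return hmac.new(MASKING_KEY, f"{purpose}:{value}".encode(), hashlib.sha256).digest()


def mask_email(email: str) -> str:
    """Replace an address with a stable pseudonym that is still a valid email."""
    token = _digest(email.lower(), "email").hex()[:12]
    return f"user_{token}@masked.example"


def mask_digits(value: str, purpose: str = "phone") -> str:
    """Swap every digit, keeping length and punctuation so validators still pass."""
    stream = _digest(value, purpose)
    out, i = [], 0
    for ch in value:
        if ch.isdigit():
            out.append(str(stream[i % len(stream)] % 10))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def mask_record(record: dict) -> dict:
    """Mask structured PII fields and any email found in free-text notes."""
    masked = dict(record)
    masked["email"] = mask_email(record["email"])
    masked["phone"] = mask_digits(record["phone"])
    masked["notes"] = EMAIL_RE.sub(lambda m: mask_email(m.group()), record["notes"])
    return masked


# Constructed sample rows standing in for a production extract.
PRODUCTION_ROWS = [
    {"id": 1, "email": "Mei.Tan@example.com", "phone": "+65 6123 4567",
     "notes": "Customer asked to be contacted at mei.tan@example.com"},
    {"id": 2, "email": "r.sharma@example.org", "phone": "+91 22 5550 0199",
     "notes": "No follow-up needed"},
]

MASKED_ROWS = [mask_record(r) for r in PRODUCTION_ROWS]
```

Because the tokens are keyed and deterministic, the same customer maps to the same pseudonym in every table and in free text, so joins in the test environment still line up. Anyone holding the key can confirm a guessed value, so the output is pseudonymised rather than fully anonymised and the key should stay out of non-production systems.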

By adopting the appropriate mindset and implementing the necessary measures, organisations can fully unlock the value of their data without exposing themselves to the risks of data loss and compliance issues.