Greetings, fellow privacy professionals.
There has been a lot of activity in the Asia-Pacific region this month, starting with Singapore’s recent announcement of cross-border data transfer guidelines for cloud services, which aim to help businesses and cloud suppliers navigate the country’s data protection requirements and comply with the law. Companies are increasingly moving to the cloud and often overlook data protection considerations, particularly data residency and the controller/processor relationship between the cloud service provider and the organization using its services.
It is important to remember that cloud service providers, while traditionally thought of as infrastructure and hosting providers such as Amazon Web Services and Microsoft, also include software-as-a-service providers whose services are entirely cloud-based. For example, if you are using a customer relationship management tool that is 100% cloud-based, then you as an organization have an obligation to perform security and privacy impact assessments to ensure the SaaS provider has proper controls in place (e.g., ISO 27001). More developments are still to come in this area: new privacy-focused standards, such as ISO 27701, will serve as a benchmark for companies to demonstrate that they have the policies and procedures in place to manage a privacy program and a systematic method of mitigating privacy risks.
Singapore’s Personal Data Protection Commission also issued a new framework and road map for DPOs, which is a step in the right direction and details the training and certification needed to qualify as a DPO in Singapore. I believe many other regions will follow with local guidelines, and the IAPP also has its own steps on how to become a qualified DPO and prepare for global regulations such as the GDPR. However, on a separate note, I have heard mixed views on how an organization should integrate a DPO into its business versus the practical implementation of this. Ideally, the DPO should be completely independent and serve in a function that reports to the board. However, with the current global shortage of privacy professionals, how realistic is this, or will we see a period where the DPO and CPO roles are merged within an organization? And, if so, how effective will this be? It would be great to hear your expert thoughts on this and any other topics you would like to share.

The IAPP welcomes you to submit your proposed topics for the Asia-Pacific Forum 2020, which will be hosted in Singapore. We are now accepting proposals, and given the number and quality of the submissions last year, I encourage you to submit early!
If you are in Hong Kong and would like to be part of the privacy and security discussion, there are several upcoming events for you. The Open Data Conference will be held Tuesday, 29 Oct., with a panel consisting of Commissioner Wong and others discussing Personal Data Protection of Open Banking API, and the 5th Cloud Forum will offer expert commentary and sharing on data privacy and security matters. Finally, the IAPP and the Privacy Commissioner for Personal Data, Hong Kong, are jointly hosting an event on 11 Dec., which will be centered on the recent updates to China’s Cybersecurity Law and the PCPD’s guidance on this matter. I will moderate a discussion on the new CCL legal requirements and the regulatory and practical implementation challenges. More details to come, and I look forward to seeing you there.
Looking forward to sharing more developments in this space in the next IAPP Digest!
Keep safe; keep secure.