“Know” your data before achieving Data Sovereignty: SEA experts say
Published 24 February 2021
Data sovereignty, data residency and data localization are among the most hotly debated topics worldwide. Addressing the challenges, experts at W.Media’s Digital Week in South East Asia 2021 consider data classification as the main concern before rolling out any data protection policies for organizations and for countries.
According to Deloitte’s “Data and privacy protection in ASEAN” report, ASEAN is the gateway for an estimated $5.3 trillion of global trade each year and achieves one of the highest Internet and mobile penetration in the world with nearly four million new users expected to come online every month over the next five year. This comes with a great number of cybersecurity risks that may threaten the socio-economic growth of the region.
In Malaysia, the government and companies are stepping up the game with attempts to practice holistic protection and compliance policies on data.
Sina Manavi, Malaysian Senior Manager at Information Security Governance of AIA Group, said that Malaysian government was trying to invite investors to invest in cloud within the country and encourage local companies to build their own cloud service providers.
“I can tell that’s a good advantage because then we don’t need to have so much dependency on tech giant companies such as AWS or Google Cloud,” he said. “But basically, data security is not only about protection, it’s about the entire data life-cycle.”
In two contradict scenarios, data can be stored in a country, but used inside another country, and vice versa. Therefore, by data life-cycle, Manavi focused on the entire end-to-end process from the time and place that organizations create, process and store data.
“Given a certain dimension, we need to do the data classification. When you get to know your data, you can manage it properly,” said Manavi, underlining that as data is now mostly stored and managed unstructured, data classification of each single file and having a comprehensive data classification inventory remain significant challenges of the industry.
“You need to understand what is classified as public or private data,” added Sureendhran Subramaniam, Global Head of Cloud and Automation at British American Tobacco. “Then based on the data classification, you can be helped with the guidelines of GDPR and CSA to actually streamline or group the data as to looking at where it needs to be hosted.”
As a part of those challenges, Tanvinder Singh, Director of Cybersecurity and Privacy at PwC, also mentioned the overlap of Information Technology (IT) and Operational Technology (OT), which results in the misuse of technologies in tracking people and scraping personal data without consent during business processes.
“As they [IT and OT] are getting connected, I think we opened up that highway where anybody can misuse the access and OT has not been developed with keeping security in mind,” Singh said.
From a country perspective, the question is around mismatching between different regulations, especially when the world is not having one global governance framework to manage data.
“Make sure your partners understand your business, understand your organization, and understand the laws locally and globally,” said Subramaniam. “We got the policies, and what we need to achieve to make sure that it fits the different countries in terms of sovereignty and localization.”