
Tackling Accountability in Asia

Many of us probably use the term often in our personal and professional lives: accountability. Who doesn’t value accountability? In my travels, I have found that Asian cultures, specifically, incorporate accountability into ideas of honor and responsibility. It is a point of pride in the business world to be able to say that, yes, that was my job and if it wasn’t done well, it was my fault and I will fix it.

That is the essence of accountability: a willingness to take responsibility and to show that if something was done incorrectly it wasn’t due to a lack of planning or process, but rather human error, which will always be a factor as long as we have humans (the robots aren’t quite ready to take things over yet). If something goes wrong, both individuals and organizations should want to be able to honestly say, “We did everything we could.”

However, with accountability becoming an integral part of data protection law, from the EU’s General Data Protection Regulation to any number of laws in Asia, including in Singapore, Japan, and Hong Kong, it’s not enough to say you did everything you could have. You have to actually prove it.

That can be the hard part. How does a company document its efforts to manage personal data appropriately? Simply pointing to a privacy policy won’t be enough. Are you auditing to make sure employees are complying with the policy? Are you evaluating the policy on a yearly basis to make sure it remains in line with current law and regulation? Are you auditing the make-up of your user base to make sure your users don’t hail from countries with extra-territorial jurisdiction without you knowing it?

In February, for example, the Singaporean Personal Data Protection Commission published the results of its public inquiry into how organizations should manage personal data. Within were a number of recommendations about accountability:

• Conduct and be able to produce privacy impact assessments for each new use of personal data in a product or service.

• If you are processing personal data without consent, under the argument that it presents a legitimate business interest, you must be able to produce your reasoning that the processing of the data provides more benefits to the public than it does harm to the data subject.

• The burden of responsibility rests with organizations to safeguard the interests of individuals.

• The PDPC reserves the right to request the privacy impact assessment for any processing activity to determine whether “there is any contravention of the PDPA.” 

Ultimately, accountability is about proper documentation, first and foremost, but also about training, demonstrating organizational commitment and proper audit practices. 

In a presentation at a conference in 2016, Hong Kong Privacy Commissioner Stephen Wong noted that accountability and risk management require:

• Developing training programs for privacy awareness.

• Implementing privacy by design procedures.

• Testing incident and breach protocols to ensure plans have some chance of success.

• A top-down approach, where activities are dictated by top management.

• Proactive approaches that actively seek to avoid privacy incidents, rather than react to them when they happen.

Taking this kind of approach, Wong argues, will result in great consumer trust and, ultimately, a great contribution to the organization’s bottom line. Organizations that are truly accountable do more than simply comply with the law; rather, they are able to demonstrate and talk about the active steps they’re taking to make sure they don’t fall out of compliance.

Sound hard? Luckily, those of you in Singapore later this month can get yourselves a front seat for a discussion of just how some of the world’s leading privacy programs tackle the issue. As the closing general session on 24 July at the IAPP’s Asia Privacy Forum, “Incentivizing Accountability & Certifications as Enablers for Global Data Flows” will feature privacy leaders from Apple, Google, and TrustArc talking alongside Singapore’s PDPC about how accountability is best accomplished and what its benefits are for the organization as a whole in opening up global markets and making data-based operations more efficient.

This is a rare opportunity to benchmark your own efforts against some of the most sophisticated programs in the world, right as you hear from the Singaporean regulator about what they expect to see in an accountability program. It’s not to be missed.

Unless, of course, you’ve got your accountability program completely figured out. Which would put you ahead of most organizations around the world.

*** This is a Security Bloggers Network syndicated blog from RSAConference Blogs RSS Feed authored by Sam Pfeifle. Read the original post at: http://www.rsaconference.com/blogs/tackling-accountability-in-asia
