The Blue Oceans for the Data Protection Officers (DPO)

By: Sonny Zulhuda

I recently concluded my talk at the Data Protection Excellence Network Forum 2019, upon invitation by Singapore Management University (SMU) and Straits Interactive, on Tuesday this week (11/6/2019).

Featured together with me in the opening panel session were Commissioner Raymund Enriquez Liboro (Chairman of the Philippines National Privacy Commission), Dr Yudhistira Nugraha (Ministry of Communications and Informatics of Indonesia) and Kevin Shepherdson (Straits Interactive Singapore), discussing the trends and challenges of data protection law in the region and the new market demand for Data Protection Officers (DPO). The event, with over a hundred attendees, was officiated by Dr Lim Lai Cheng, Executive Director of the SMU Academy.

Each of us spoke about the regional development of the data protection laws in Malaysia, Philippines, Indonesia and Singapore respectively.

Malaysia first enacted its law in 2010. Both the Philippines and Singapore followed suit in 2012. Indonesia is currently preparing a draft bill and is expected to legislate by next year (2020). In terms of enforcement, Singapore has recorded dozens of fines and notices imposed for contraventions of its personal data protection law. Meanwhile, the Philippines may only expect enforcement to begin next year, in 2020.

In Malaysia, efforts to implement the law come in a combination of prosecution, inspection, establishment of codes of practices as well as public education.

In Malaysia there have been at least five successful prosecutions of data users who contravened the PDPA 2010. It was also noted that six sectoral data fora have registered their Codes of Practice (COP), including the banking and insurance sectors, electricity, telecommunications, aviation, and legal services.

In 2018 alone, the office of the PDP Commissioner carried out at least 57 inspections of data users nationwide. Empowered under section 101 of the PDPA 2010, such inspections are meant to promote compliance with the law while correcting and improving the practices of data users in terms of processing personal data.


There was one interesting finding from the talk session. All four countries share the view that it is legally necessary for data users to appoint a Data Protection Officer, a specifically designated high-level official to oversee the increasing challenges of data governance. Singapore and the Philippines have this in their laws. The Indonesian draft bill includes it. And the Malaysian government is considering the matter in its ongoing review of the law.

The DPO role calls for a new blend of skills. Straits Interactive noted that lawyers and IT professionals each make up about 30% of DPOs. The rest come from business management, HR, accounting, marketing and other backgrounds. There is therefore an emerging need to standardise the skill set, hence the need for certifications. The good news is that this skill is acquirable.

In that Forum, attended by more than a hundred data users and data protection professionals from Singapore and the region, the demand in this market could not be overstated. It is simply obvious and there for the taking.

So the ultimate message we had for all the lawyers, IT professionals and virtually everyone else is that there is a blue ocean in front of us now for highly demanded data protection professionals. Let us swim there!


Reliability of the Election Information System – Where to Start?

By: Sonny Zulhuda

Discussing the problems of the KPU's IT system (more precisely, its information system) can begin by dissecting it with the "CIA" scalpel, namely the confidentiality, integrity and availability of the system.

These aspects underlie the criteria for the reliability of an electronic system as set out in Article 16 of Law No. 11/2008 (UU-ITE), and have also become the conceptual basis for the criminalisation of cybercrime under the Budapest Convention 2001.

First, on the CONFIDENTIALITY of the system. The essence is that a secure information system must keep the system confidential and restrict access only to those who are genuinely authorised.

The questions that can be put forward are as follows:
1. Who can access the KPU's IT system?
2. Who is authorised to hold access codes (passwords, PINs, etc.) to the system?
3. Can the administration of the KPU's IT system be accessed and manipulated by unauthorised persons?

Second, on the integrity of the information system. The main message is that the validity, correctness and completeness of the information system, including all related data and processes, must not be open to doubt. Anything that can reduce the integrity of a system must be eliminated.

Matters that can be examined include:
1. Has the accuracy, completeness and factual correctness of incoming data been verified? For example, is the DPT accurate? Is the vote count correct?
2. Has the system's reliability been tested for its resistance to hacking?
3. Is there a system for testing the validity of data that will be, is being, and has been processed?

Third, on the availability and accessibility of the information system. The essence is that a reliable system is one that can function according to its stated purpose and timeline. The system must be reliable and resilient, and reduce the risk of information uncertainty.

For this, among the things that can be investigated are:
1. Is our KPU IT system always online and readily accessible to its users (the public)?
2. Does the operator anticipate the risks of attacks against the system?
3. Does the KPU's information system have proper security and recovery procedures for facing data crises such as downtime, hacking incidents, disasters and so on?

An important foundation for all three factors is the issue of good governance, which requires exemplary, transparent, honest and fair leadership.

That is all; just a modest contribution.
Article written at <sonnyzulhuda.com>

A New Boardroom Affair is Called ‘Data Protection’

By: Sonny Zulhuda

Data is an asset in today’s interconnected world. With the changing digital lifestyle and the emerging digital workplace, managing personal data has become a key trust factor for organisations.

The digitalisation of processes and records, the mobile workplace concept, the synchronisation of gadgets and data, as well as the emergence of smart contracts have all contributed to this change.

Internally, managing data is a critical part of asset management. Externally, it becomes a shield of legal compliance as well as a key competitive value in an increasingly regulated environment.

In many parts of the world, Personal Data Protection (PDP) has become a critical trade issue, including a potential trade barrier in the event of trans-border data transfer.

The EU General Data Protection Regulation (GDPR) is setting a new global PDP benchmark. Meanwhile, in this part of the world, Malaysia, Singapore and the Philippines are already enforcing their respective PDP laws. Indonesia and Thailand will soon follow suit with the drafting and enactment of their laws.

The requirements of PDP law raise a new set of data due diligence obligations for organisations. Privacy Impact Assessment (PIA) and data breach notification (DBN) are among the legal regimes that require careful due diligence under the PDP law.

In short, the whole life cycle of data management now has to be embedded in a comprehensive, cross-sectoral governance framework within virtually every data-reliant organisation.

The data management policies need to be comprehensive and up-to-date. Public communication has to be real-time. For that purpose, not only do we require a specially designated high-level data protection officer (DPO), but also a regular transparency report on our data affairs.

Gone are the days when data protection was seen only as a technical and trivial issue. PDP is now a boardroom issue, encompassing both reputational and legal risks and opportunities.

From Brussels: The Islamic Legal Conceptions of Privacy

By: Sonny Zulhuda

Last week (1st February 2019) I concluded my participation in the International Conference on Privacy and Data Protection (CPDP2019) in the heart of Europe, the City of Brussels. It is organised by a consortium of leading European universities, supported by global companies, and endorsed by the European Union institutions.

It was the 12th edition of this annual global event on privacy and data protection: three days of fascinating and thought-provoking talks, speeches and discussions. Thank you @CPDPconferences for inviting me as a speaker on privacy in Islam.

Thanks to @darahallinan, who initiated this panel, entitled “Islamic Legal Conceptions of Privacy,” for the first time. The idea is to understand how privacy is actually a universal value adopted by wide and global communities and traditions.

Being the first speaker, I first introduced the point that for every Muslim, Islam is a way of life and provides comprehensive guidelines for both private and public interactions.

Then I spoke mainly on the evidence from the Quran (as the primary source of Islamic law) which provides the basis of the right to privacy and how to implement it in life, starting from early childhood: children should ask their parents’ permission before entering their private rooms at three specific times of the day.

I highlighted how important it is to respect others’ dignity by not transgressing their rights, not spying on them, not backbiting, not ridiculing them, and not calling them by undesired labelling/tagging.

Muslims are told to obtain mutual consent when affecting others’ rights, to record agreements, to enter others’ houses only with prior consent, and to leave if asked to. No less important is the command to investigate information received (verification and authentication).

Those are exactly the rights pertinent to privacy and data protection nowadays.

At the end, I noted that 1. Islam calls for peace, justice and harmony; 2. privacy is one of the important rights to be preserved; and 3. at all times, Muslims are accountable to God, society and themselves.

Not forgetting, I also shared some updates on the privacy laws and Personal Data Protection laws in both Indonesia and Malaysia. Some good news here and there.

Thank you Chair, moderator and fellow panelists Prof Andrew Adams (Japan), Prof Elizabeth Coombs (Malta), Nighat Dad (Pakistan), Lahoussine Aniss (Morocco), and Patrick Penninckx (EU) for making it a beautiful panel. Looking forward to connecting further. Thank you @CPDPconferences.

#PrivacyinIslam #CPDP2019 #Brussels #Malaysia #Indonesia #PDPA

The Jakarta Post 22/1/2019: #10yearschallenge could simplify data collection, expert says

The following passages are copied from the report in the Jakarta Post online <https://www.thejakartapost.com/life/2019/01/21/10yearschallenge-could-simplify-data-collection-expert-says.html>, which quoted my comments about the recent social media trend #10yearschallenge. It is partially reproduced here for the purpose of wider reach. Please click on the above link to the original source for the complete report.

=========================================================

BIG-DATA

The #10yearschallenge has recently swept across social media, with users posting pictures of themselves in 2009 and 2019. Sonny Zulhuda, a lecturer in cyber law at the International Islamic University Malaysia and advisor at Malaysia’s Department of Personal Data Protection, said the hashtag could be a shortcut used for data collection.

Speaking to Antara news agency in Kuala Lumpur on Monday, Sonny said netizens mostly participated in the challenge for entertainment and nostalgia purposes. However, he also said users might not realize the photos could be used for other purposes that could help social media companies or third parties in their lines of work. These include improving databases of users’ faces based on age, time period, race, gender and environment.

“With such an indicative label as #10yearschallenge, data filtering and interpretation would be so much easier. It’s almost like giving a shortcut for data collection. For some people, this is hardly a new issue as the data has been stored on social media and the internet. What’s considered new is how users have made it easier for companies in regards to data curating and packaging.”

Sonny shared that big data curators could freely verify the data in their database packaging, something that is considered a difficult and important process. “This is because the verification has been done by the data owners themselves. In terms of security, it won’t be a problem should the face transformations be stored securely so they are not misused,” he added.

He also said that facial recognition technology had positive effects, such as helping to solve cases of missing people. However, he said that the same technology could be used by private investigators to spy on other people, or by parties that might use data for commercial and marketing purposes. According to Sonny, the worst possibility is if parties misuse the availability of face data for identity forgery.

“Our faces, biographical data, communications, movements and the combination of all those things are considered assets in this digital era. Let’s always be aware,” he said. (wng)

Questioning the “10 Years Challenge” Trend

By: Sonny Zulhuda


Lately, social media users will surely have seen many face-transformation photos labelled with the hashtag #10yearschallenge. World politicians as well as artists and celebrities have taken part in this trend. The social media public has used this activity as entertainment and as a topic of interesting, and not infrequently amusing, conversation.

However, many may not realise that the photos being shared will make it easier for the social media platforms or third parties to carry out several of their tasks, such as:

1. Refining databases of individuals' faces together with the chronology of year and age.
2. Researching patterns of human facial transformation based on age, period and other demographics such as race, gender, environment and so on.
3. Programming artificial intelligence technology to reconstruct faces more accurately.
4. Identification and disguise.

Moreover, a highly indicative label such as #10yearschallenge makes filtering and interpreting the data even easier, providing a shortcut for searching the data itself. The hashtag label serves the same function as metadata. The more hashtags there are, the easier it becomes to search for that data in the public domain.


From Privacy Suit to EU GDPR: Data Protection Updates from Malaysia – As reported in the Borneo Post

By: Sonny Zulhuda

The beginning of the year saw my interview with the Malaysian daily the Borneo Post, published on 1st January 2019. This interview was initiated by my colleagues from the consultancy firm Straits Interactive. The report was entitled “Malaysians increasingly aware of risks with data breach.” It can be found in this link.

The article starts by noting that Malaysians are now more aware of the risks associated with breaches of their personal data. In fact, in Malaysia we have seen a sharp increase in data privacy civil suits in the local courts over the past five years.

Among the points I highlighted in the interview are as follows:

What are the costs of data breaches?

  • The cost of data breaches can be seen in many areas. In terms of legal liability, companies in breach of the Malaysian PDP Act 2010 can be fined up to RM500,000 – for offences such as unlawful sale or unlawful collection of personal data, as well as collection of data without the required certificate of registration.
  • When a data breach occurs, costs can also be incurred through technical repairs and loss of reputation. Business can also suffer because of bad publicity.
  • Civil suits can also be brought against companies, and these can cost businesses a lot of money. Malaysians are becoming increasingly aware of the risks associated with breaches of their personal data, and we have seen a sharp increase in data privacy civil suits in the local Malaysian courts in the past five years.

Are we prepared? Here is what I said:

  • Unlike companies in the US and Europe, many companies in ASEAN have yet to reach an acceptable level of preparedness. Data protection does not tend to be part of the business culture; however, some industries (banking and finance) are more prepared due to legislation and legal requirements.
  • To bolster the understanding and preparedness of other industries, we need more public awareness, training, and certified professionals in the field of data protection.

What are among the common concerns?

  • One major concern in Malaysia is how easily and unnecessarily our MyKad (ID card) details are exposed. Many organisations needlessly require the collection or retention of MyKad details before people can start business communication or interactions, enter premises, or participate in events. Unfortunately, lots of people are happy to submit these details, and this gives the impression that these practices are approved and not an issue.
  • Another problem is direct marketing, as well as unsolicited commercial calls, emails and text messages. While it’s clear individuals have the right to refuse direct marketing, it still regularly happens.

What has been prepared?

  • I highlighted that leading consultancies like Straits Interactive play the role of championing a public-private partnership by establishing alliances with academia, industry and the government. This partnership will ensure that Malaysia as a nation moves together and responds to data privacy issues with a common understanding and comprehensive programmes.

Does the European Union GDPR (General Data Protection Regulation) have anything to do with Malaysians?

  • With the passing and enforcement of the EU General Data Protection Regulation (GDPR) in May 2018, Malaysia needs to gear up for these stronger laws and better enforcement.
  • The GDPR applies to companies that interact with European citizens, and this requires short-term training programmes and certifications in the field of data protection.
  • A collaboration at the regional level is also timely and necessary. We are heading towards that.

Credit for this interview goes to Straits Interactive and the Borneo Post.
