If you have undertaken the Compliance Questionnaire, you may be wondering what further steps you can undertake to ensure your compliance and improve your cyber resilience.
This resource will outline some key privacy laws around Asia and guide your business to understand how it can comply with all their compliance requirements.
There are three main cybersecurity and privacy laws your business should understand when you conduct business in China:
- The Cybersecurity Law
- The Information Security Technology – Personal Information Security Specification (‘Specification’)
- Regulation on Network Protection of Children’s Information
In order to comply with both the Cybersecurity law and the Specification, adhering into the Specification’s obligations will ensure compliance into the law. If your business is trading in China, the following privacy protection should be considered.
- Apply data minimization principle – only collect personal information that directly relates to carrying out the business activity or service.
- Obtain consent and authorisation from individuals – individuals need be explicitly informed regarding the collection and use of their data, and provide their consent if they agree.
- Inform users on the use of third-party data processors – third-party data processors are also required to obtain explicit consent from individuals. Under this obligation, your business will need to ensure that the use of information will not exceed the authorised scope by the consumers.
- Undertake a security assessment on the third-party data processors
Under the 2020 revised Specification, whereby biometric data (e.g. genetic information, fingerprints, voiceprints, palmprints, face scans, etc.) is being collected, the controller will need to inform the individuals:
- Intended purpose of collection
- Method of collection
- Scope for collection
- Storage time
In addition to complying with the above laws, China also requires the additional compliance with Regulation on Network Protection of Children’s Personal Information. In addition to the above, the following requirements should also be considered.
- Parental or guardian consent must be obtained prior to the collection, use or process of children’s personal information
- Notification on the purpose, methods and scope for the collection, storage, use, transfer and disclosure of children’s personal information
- Implement security measures to safeguard the personal information of children
- Inform the consequences of parent or guardian’s refusal to provide consent
- Provide an avenue for reporting violations or filing complaints with the network operator
- Provide an avenue to correct and delete children’s personal information
- Ensure a minimum authorisation principle is applied, only allowing strict access for personnel handing children’s personal information
Failure to comply or in the event of breach would be penalised under the relevant Chinese laws and regulations.
Singapore’s personal data protection act, the Personal Data Protection Act 2012 (‘PDPA’) sets out the following obligations if your business collect, use, or disclose their citizens’ data via online channels of platforms (including parent company or subsidiary):
- Develop and implement privacy policies to explicitly inform consumers that their personal information is being collected
- Notify consumers how the data is being used and whether disclosure will be made to third-party
- Must obtain consent prior to any personal data being collected by way an opt-in method
- Allow consumers to request for access, revise and delete collected data in the past year
- Integrate a privacy safeguard for data protection to prevent any unauthorised access, collection, use, etc. by way of encryption and physical security mechanism
- Implement a data retention period policy to ensure personal data are disposed of once it has fulfilled its scope or purpose
- Enact a data breach notification for affected individuals should a dat a breach occur (while this is currently not mandatory, there is an ongoing public consultation for this regime)
Being ranked 101 out of 165 in terms of being vulnerable to cyber attacks, Vietnam’s cyber security law, the Law on Cybersecurity will impose not only data retention obligation, but also data localisation. The following are various key things to consider to ensure your business’ compliance when carrying on a business in Vietnam.
- If your business “provides services in telecommunication networks, the internet, and value-added services on Vietnam’s cyberspace“, you will need to establish a branch or representative office in Vietnam
- Your business is obliged to establish data localisation if it collects, exploits, analyses, or process personal information of users in Vietnam
- Following data localisation, personal information and other related data are required to be stored in Vietnam for a duration of time
- Comply with any audit of information system if there has been a violation of the cybersecurity law, or there is a request from the information system owner