Finding their wayCorporates, governments and data privacy in AsiaAn Economist Intelligence Unit report
Commissioned by
1© The Economist Intelligence Unit Limited 2014
Finding their way: Corporates, governments and data privacy in Asia
Contents
About the report 2
About the survey 3
1. Awareness and corporate challenges 4
2. The importance of data privacy 6
3. Little faith in regulators 9
4. Barriers to growth 11
5. Corporate countermeasures 13
6. The road ahead 14
Appendix: Survey results 15
2 © The Economist Intelligence Unit Limited 2014
Finding their way: Corporates, governments and data privacy in Asia
Finding their way: Corporates, governments and data privacy in Asia is a report from The Economist Intelligence Unit, commissioned by SafeNet. Kim Andreasson was the author and Laurel West was the editor. The report draws on a survey of 360 executives in Asia, all of whom are familiar with their company’s policies on data
privacy. The survey findings are supplemented by wide-ranging desk research. The Economist Intelligence Unit bears sole responsibility for the content of this report and the findings do not necessarily reflect the views of the commissioning organisation.
About the report
3© The Economist Intelligence Unit Limited 2014
Finding their way: Corporates, governments and data privacy in Asia
In May 2014, The Economist Intelligence Unit conducted a survey of 360 executives to assess corporate attitudes towards data privacy and its effect on businesses in Asia. Nearly half (47 %) of survey respondents are board members or C-level executives, including 92 CEOs. All respondents are based in Asia-Pacific with a majority located in India (24%), Australia (23%), Singapore (22%), and Hong Kong (10%). Over half of the survey respondents (55%) work for companies
with global annual revenues exceeding US$500m. Nineteen different industries are represented in the survey sample, led by financial services (26%), professional services (14%), and information technology (IT) and technology (11%). The primary functional roles of respondents are general management (43%), strategy and business development (39%), and marketing and sales (22%).
About the survey
4 © The Economist Intelligence Unit Limited 2014
Finding their way: Corporates, governments and data privacy in Asia
1 Ericsson: http://www.ericsson.com/res/docs/whitepapers/wp-big-data.pdf
2 Also see Privacy International: https://www.privacyinternational.org/reports/a-new-dawn-privacy-in-asia
The rapid rise of the Internet and the diffusion of new digital technologies are creating a sea of data that is only getting bigger and deeper. This is leading to new business opportunities for organisations that are able to store, analyse and process data about current or potential customers. Citing IDC, a research company, Ericsson says revenues in the big data technology and services market alone are expected to reach US$16.9bn in 2015.1 At the same time, data privacy has emerged as a key concern. Regulations in this area vary among jurisdictions and are also still evolving, leading to a complex environment for businesses trying to leverage data while managing it properly.
In Europe, which has had strong data protection policies in place since 1995, the European Commission proposed an updated European General Data Protection Regulation in January 2012 in order to strengthen online privacy rights and standardise implementation across the region. In the US, the Obama Administration
Awareness and corporate challenges1announced a “Privacy Bill of Rights” in February 2012 to improve consumer online protection in a uniform way across industries, replacing sector-specific regulation.
This growing trend is also occurring in Asia, with recent initiatives in many countries including Australia, Hong Kong, India and Singapore.2 Although strict regulations can limit corporate options, many companies in these countries also welcome them as they can level the playing field for competition.
In the survey of 360 Asian executives conducted for this report, those who believe that national data privacy regulation is a benefit to their business outnumber those who say it is a burden by 3 to 2 (cited by 33% and 20% respectively (Figure 1)). Almost half of respondents (44%) did not think it was either a benefit or a burden. But this obviously depends on what the regulations look like in a local context. In Singapore, almost one-half (48%) of executives say national
In the country in which you are located, is national data privacy regulation a benefit or a burden to your business?(% respondents)
A burden
Neither a benefit, nor a burden
A benefit
Don’t know
Figure 1
33
20
44
3
5© The Economist Intelligence Unit Limited 2014
Finding their way: Corporates, governments and data privacy in Asia
data privacy regulation is a benefit while the equivalent number in Hong Kong is less than half of that (22%).
In order to delve deeper into data privacy in Asia and what it means for businesses, this summary
report uses the survey results to analyse awareness and corporate challenges across the region, with an emphasis on Australia, Hong Kong, India, and Singapore.
Is national data privacy regulation a benefit or a burden to your business?(% respondents)
Figure 2
A benefit A burden Neither a benefit, nor a burden Don’t know
Australia
Hong Kong
India
Singapore
44
3
8
1
24
50
49
29
25
10
22
32
22
32
48
6 © The Economist Intelligence Unit Limited 2014
Finding their way: Corporates, governments and data privacy in Asia
The importance of data privacy2In line with global developments, 5 in 10 Asian executives (54%) say data privacy is very important to their organisation today with a further 4 in 10 (38%) saying it is important (Figure 3). Unsurprisingly, the numbers are generally higher in industries that rely on data to a greater extent. Among executives in financial services, for instance, two-thirds (66%) say data privacy is very important today with nearly
one-half (46%) also claiming it will be a lot more important in the future.
Among all Asian executives, one-third (35%) predict that data privacy will be a lot more important to their organisation three years from now while another one-third (37%) say it will be more important. But there are again stark regional differences (Figure 4). More than
How important is data privacy to your organisation today?(% respondents)
Important
Neither important nor unimportant
Very important
Unimportant
Figure 3
54
38
7
1
Very unimportant 1
Don’t know 0
Where will data privacy be a lot more important(% respondents who say data privacy will be a lot more important in three years)
Hong Kong
India
Australia
Singapore
Figure 4
32
19
55
31
7© The Economist Intelligence Unit Limited 2014
Finding their way: Corporates, governments and data privacy in Asia
half (55%) of all survey respondents from India believe it will be a lot more important, which far outnumbers the figures for more developed countries, such as Australia (32% said the same), Singapore (31%) and in particular Hong Kong (19%).
This reflects the general notion that India’s current data privacy laws are weak and will rise in future importance (and that those of Hong
Kong are already strong). This is reinforced by other research. DLA Piper, a global law firm which has compared data privacy regulations and enforcement across the world, also says laws are “heavy” in Hong Kong while “limited” in India; in Australia and Singapore they are viewed as “moderate.”3
In Hong Kong, about two-thirds of executives in the survey say current data privacy regulations
In your opinion, how would you rate current data privacy regulations in the country where you arelocated today as it relates to your industry?(% respondents)
Good
Neither good nor bad
Current data privacy regulation—or the lack thereof—is very good for our industry
Bad
Figure 5
11
42
26
14
Very bad 4
Other, please specify 2
Don’t know 1
In what area(s) can current data privacy regulations in the country where you are located be improvedthe most as it relates to your industry? Select two.(% respondents)
Scope of data privacy regulations
Corporate compliance processes
Level of enforcement
Penalties for data breaches
Figure 6
39
28
27
25Emerging technologies requiring
an update to current policies
Consumer rights, such asdata portability
Roles and responsibilities amonggovernment agencies
23
22
20
Other, please specify 1
Don’t know 2 3 DLA Piper: http://dlapiperdataprotection.com/#handbook/world-map-section
8 © The Economist Intelligence Unit Limited 2014
Finding their way: Corporates, governments and data privacy in Asia
are very good (11%) or good (53%) for their industry.4 In India, meanwhile, barely a quarter of all respondents view data privacy as positive (2% and 22% respectively). India’s regulations were updated in 2011; however, implementation
is uneven.5 In particular, in order to improve data privacy in India, a majority of executives (55%) call on their country to enhance the level of enforcement.
4 Office of the Privacy Commissioner for Personal Data: http://www.pcpd.org.hk/engindex.html
5 Department of Electronics & Information Technology, Ministry of Communications & Information Technology: http://deity.gov.in/content/cyber-laws
9© The Economist Intelligence Unit Limited 2014
Finding their way: Corporates, governments and data privacy in Asia
Nine in 10 Asian executives (90%) say their own understanding of data privacy regulations has improved in the last three years (Figure 7). An overwhelming majority of respondents also believe their CEO (80%) and senior management (77%) have high levels of awareness regarding national data privacy regulations in the country where they are located.
By contrast, not even 6 in 10 (59%) Asian executives believe government regulators in
Little faith in regulators 3their country have a high level of knowledge about data privacy regulations, which is not only concerning but also surprising as they are in charge of enforcement. In India, the situation is particularly bad—only 38% of executives cite a high level of awareness among regulators. This has practical consequences as the level of enforcement (cited by 29%) is viewed as the biggest area of contention between the public and private sectors in India, followed by roles and responsibilities among government
Figure 8
Very high level of awareness 1 2 3 4 Very low level of awareness 5
Your customers
Your employees
Your senior management
Your CEO
Your government regulators
11
15
34
40
24
34
38
43
40
35
28 19
29 14
17 5
14 3
929
9
3
2
2
3
In your opinion, what is the level of awareness regarding national data privacy regulations in the country where you are located among the following stakeholders? Rate on a scale of 1 to 5, where 1=Very high level of awareness and 5=Very low level of awareness. (% respondents)
Figure 7
Agree Disagree
My own understanding of data privacy regulationshas improved in the last three years
Data privacy regulations in my country are stricter than those in other Asian countries
In my country, data privacy regulations limit corporate opportunities
In my country, consumers don’t seem to care about data privacy
90
62
33
41
67
59
10
38
Do you agree or disagree with the following statements? Select one in each row. (% respondents)
10 © The Economist Intelligence Unit Limited 2014
Finding their way: Corporates, governments and data privacy in Asia
agencies (22%). Conversely, respondents from Australia are the least concerned about the level of enforcement in their country among the four geographies (only 6% raised it as an issue).
Existing rules in Australia were updated through the Privacy Amendment (Enhancing Privacy Protection) Act 2012, which took effect in March 2014 and simplifies regulations through a set of 13 new harmonised privacy principles.6 In response, three-quarters of Australian executives in the survey say data privacy policies for their
industry are very good (24%) or good (50%) at present.
Rather than enforcement, in countries with stricter data policy regulations, such as Australia, Hong Kong and Singapore, the biggest area of contention between the private and public sectors in all three territories (cited by 31%, 31%, and 23% respectively) is the scope of data privacy regulations, which can potentially hinder business opportunities.
In the country in which you are located, what is the biggest issue of contention between governmentand industry in regards to data privacy? (% respondents)
Figure 9
23
18
14
13
11
9
9
1
3
Scope of data privacy regulations
Level of enforcement
Corporate compliance processes
Roles and responsibilities amonggovernment agencies
Emerging technologies requiringan update to current policies
Consumer rights, such as dataportability
Penalties for data breaches
Don’t know
Other, please specify
6 Office of the Australian Information Commissioner: http://www.oaic.gov.au/privacy/privacy-act/privacy-law-reform
11© The Economist Intelligence Unit Limited 2014
Finding their way: Corporates, governments and data privacy in Asia
When asked about the primary business challenges with data privacy regulation in their country, Asian executives highlight the burden of compliance with external authorities (33%) and customer concerns and expectations (30%), the
Barriers to growth4
7 Personal Data Protection Commission: https://www.pdpc.gov.sg/personal-data-protection-act/overview
latter of which can be attributed to low levels of knowledge among consumers (Figure 11). In fact, only 11% of executives say their customers have a high level of awareness regarding national data privacy regulations (Figure 8). Few companies
What are the primary business challenges with data privacy regulation in the country where you are located? Select two. (% respondents)
Figure 11
33
30
24
24
20
19
16
4
3
13
Burden of compliance with external authorities
Customer concerns and expectations
Limits data mining on potential customers
Limits information sharing with other companies
Burden of compliance with internal company policy
Lack of internal coordination
Limits data mining of current customers
Potential penalties for data breach
Other, please specify
Don’t know
Figure 10
Australia
Hong Kong
India
Singapore
38
30
22
43
Where does data privacy regulation limit corporate opportunities? (% of respondents who say it does)
12 © The Economist Intelligence Unit Limited 2014
Finding their way: Corporates, governments and data privacy in Asia
see internal compliance (cited by 20%) and limitations to data mining on current and potential customers (16% and 24% respectively) as burdens. An exception is Singapore where 39% of executives say that national policies are a business challenge, affecting their abilities to use data on potential customers.
In developing the 2012 Personal Data Protection Act, Singapore referred to good practices elsewhere, including in the EU, and also held three public consultations before the regime went into effect.7 This open process, as implied by the survey results, may have led to stricter regulations surrounding the Act’s three pillars of consent, purpose and reasonableness.
Overall, only one-third (33%) of Asian executives agree that data privacy regulations limit corporate opportunities, but the numbers vary greatly according to jurisdiction. For instance, almost twice as many executives in Singapore (43%) believe current policies are a barrier to growth as in India (22%) (Figure 10). It is likely that perceived levels of enforcement within
countries play a role as companies in a weak environment may take advantage of this at the expense of consumers. In fact, three-quarters (75%) of Indian executives say consumers in their country do not seem to care about data privacy, further encouraging aggressive companies to take risks.
More successful Asian businesses are also more likely to view national data privacy regulation as a benefit rather than a burden. Among executives who say they are much stronger than their competitors in terms of profitability, 45% say regulations are a benefit, compared with 33% of all respondents (Figure 12). Strong and transparent regulations level the playing field for companies and those who have greater knowledge can use them to their advantage. For instance, survey respondents who say their organisation is much more profitable than their competitors are also more likely to say that their CEO’s awareness of national data privacy regulation is very high (52% compared to 40% for all respondents).
Figure 12
In your opinion, how does your company compare to its closest competitors in the following areas? Rate on a scale of 1 to 5, where 1=We are much stronger and 5=We are much weaker. (% respondents)
We are much stronger 1 2 3 4 We are much weaker 5
Senior management awareness of data privacyregulations in the country where you are located
Your company’s compliance with data privacyregulations in the country where you are located
Corporate profitability
21
19
13
42
44
36
31 4
33 3
42 7
1
1
2
13© The Economist Intelligence Unit Limited 2014
Finding their way: Corporates, governments and data privacy in Asia
To deal with data privacy regulations, a majority of executives (55%) say their organisations have established or enhanced their processes regarding internal company data policies (Figure 13). Fewer (41%) have established or enhanced corporate processes regarding compliance with national data regulations, which is likely to partly explain why Asian executives highlight the burden of compliance with external authorities as their greatest challenge.
It is also important to acknowledge that the level of required reporting varies tremendously across industries. For instance, in financial services, which is highly regulated in most countries, more than half of respondents (52%) say they have implemented such processes. Financial services respondents are also more likely to say that corporate compliance policies are the
Corporate countermeasures5biggest issue of contention between government and industry in regards to data privacy (20% compared with 14% for all respondents).
To deal with customer concerns and expectations, the second biggest business challenge, a majority (55%) of Asian executives say their organisation is informing customers of their corporate data policies, although far fewer (29%) are educating them on national data regulations. Again, survey respondents in financial services are ahead of the curve. Two-thirds (66%) of banking executives say their organisations inform their customers about corporate policies and 4 in 10 (40%) inform them of national data regulations. In India, meanwhile, only 41% and 21% respectively provide information on corporate and national data policies.
What measures, if any, has your organisation implemented to deal with data privacy regulation in thecountry where you are located? Select all that apply. (% respondents)
Figure 13
55
55
45
44
41
29
3
2
Established or enhanced corporate processesregarding internal company data policies
Informed customers of our corporate data policies
Informed business partners of our corporate data policies
Designated a person or group to be in charge of datapolicies and regulations
Established or enhanced corporate processesregarding compliance with national data regulations
Informed customers of national data regulations
Other, please specify
Don’t know
14 © The Economist Intelligence Unit Limited 2014
Finding their way: Corporates, governments and data privacy in Asia
The survey of 360 Asian executives conducted for this report finds that there is almost unanimous agreement on the importance of data privacy across the region. But perceptions regarding future importance vary greatly between those who have weaker (India) and stronger (Australia, Hong Kong, Singapore) regulations.
This is reflected in the level of faith that corporate executives place in awareness among government regulators. In India this figure is particularly low and hence the level of enforcement there is also seen as the biggest area of contention between the public and private sectors. The largest issue in the other jurisdictions is the scope of data privacy regulations, as this can presumably impede potential big data initiatives.
Yet only one-third of Asian executives agree that data privacy regulations limit corporate opportunities. In particular, successful businesses are more likely to view national policies as a benefit rather than a burden, likely
The road ahead6because they have greater knowledge of them and can seize a competitive advantage. There is also a gap between those who have established corporate initiatives regarding compliance with national data regulations, an area led by financial services, and those who have not
The tension between corporate opportunities and data privacy is set to increase by any measure. This is a particular problem for companies doing business across borders as regulation varies across jurisdictions. In an Asian context, the perceived differences between policies in places such as India and Hong Kong can therefore have large practical implications for companies doing business in the region. But there is a local aspect to data privacy as well. As enforcement levels rise and consumer awareness increases, companies without proper policies will suffer. As indicated by the survey conducted for this report, it means that companies with greater knowledge of regulations are also able to seize on the data opportunities ahead.
15© The Economist Intelligence Unit Limited 2014
Finding their way: Corporates, governments and data privacy in Asia
Appendix: Survey results
Note: Percentages may not total 100 due to rounding or the ability of respondents to choose multiple responses
1. In your opinion, how would you rate current data privacy regulations in the country where you are located today as it relates to your industry? (% respondents)
Current data privacy regulation—or the lack thereof—is very good for our industry
Good
Neither good nor bad
Bad
Very bad
Other, please specify
Don’t know
11
42
26
14
4
2
1
2. In what area(s) can current data privacy regulations in the country where you are located be improved the most as it relates to your industry? Select two. (% respondents)
Level of enforcement
Scope of data privacy regulations
Corporate compliance processes
Penalties for data breaches
Emerging technologies requiring an update to current policies
Consumer rights, such as data portability
Don’t know
Other, please specify
Roles and responsibilities among government agencies
39
28
27
25
23
22
20
2
1
16 © The Economist Intelligence Unit Limited 2014
Finding their way: Corporates, governments and data privacy in Asia
A benefit
A burden
Neither a benefit, nor a burden
Don’t know
33
20
44
3
3. In the country in which you are located, is national data privacy regulation a benefit or a burden to your business? (% respondents)
Very important
Important
Neither important nor unimportant
Unimportant
54
38
7
1
Very unimportant1
Don’t know0
4. How important is data privacy to your organisation today? (% respondents)
A lot more important
More important
About the same
Less important
35
37
28
0
A lot less important0
Don’t know0
5. How important will data privacy be to your organisation three years from now? (% respondents)
Very high level of awareness 1 2 3 4 Very low level of awareness 5
Your customers
Your employees
Your senior management
Your CEO
Your government regulators
11
15
34
40
24
34
38
43
40
35
28 19
29 14
17 5
14 3
929
9
3
2
2
3
6. In your opinion, what is the level of awareness regarding national data privacy regulations in the country where you are located among the following stakeholders? Rate on a scale of 1 to 5, where 1=Very high level of awareness and 5=Very low level of awareness. (% respondents)
17© The Economist Intelligence Unit Limited 2014
Finding their way: Corporates, governments and data privacy in Asia
Burden of compliance with external authorities
Customer concerns and expectations
Limits data mining on potential customers
Limits information sharing with other companies
33
30
24
24
Burden of compliance with internal company policy20
Lack of internal coordination19
Limits data mining of current customers16
Potential penalties for data breach13
Other, please specify4
Don’t know3
7. In our opinion, what are the primary business challenges with data privacy regulation in the country where you are located? Select two. (% respondents)
Established or enhanced corporate processes regarding internal company data policies
Informed customers of our corporate data policies
Informed business partners of our corporate data policies
Designated a person or group to be in charge of data policies and regulations
55
55
45
44
Established or enhanced corporate processes regarding compliance with national data regulations41
Informed customers of national data regulations29
Other, please specify3
Don’t know2
8. What measures, if any, has your organisation implemented to deal with data privacy regulation in the country where you are located? Select all that apply. (% respondents)
Scope of data privacy regulations
Level of enforcement
Corporate compliance processes
Roles and responsibilities among government agencies
23
18
14
13
Emerging technologies requiring an update to current policies11
Consumer rights, such as data portability9
Penalties for data breaches9
Don’t know
Other, please specify
3
1
9. In the country in which you are located, what is the biggest issue of contention between government and industry in regards to data privacy? (% respondents)
18 © The Economist Intelligence Unit Limited 2014
Finding their way: Corporates, governments and data privacy in Asia
Agree Disagree
My own understanding of data privacy regulations has improved in the last three years
Data privacy regulations in my country are stricter than those in other Asian countries
In my country, data privacy regulations limit corporate opportunities
In my country, consumers don’t seem to care about data privacy
90
62
33
41
67
59
10
38
10. Do you agree or disagree with the following statements? Select one in each row. (% respondents)
We are much stronger 1 2 3 4 We are much weaker 5
Senior management awareness of data privacy regulations in the country where you are located
Your company’s compliance with data privacy regulations in the country where you are located
Corporate profitability
21
19
13
42
44
36
31 4
33 3
42 7
1
1
2
11. In your opinion, how does your company compare to its closest competitors in the following areas? Rate on a scale of 1 to 5, where 1=We are much stronger and 5=We are much weaker. (% respondents)
$250m or less
$250m to $500m
$500m to $1bn
$1bn to $5bn
36
9
13
14
$5bn to $10bn8
$10bn or more21
What are your organisation’s global annual revenues in US dollars? (% respondents)
Board member
CEO/President/Managing director
CFO/Treasurer/Comptroller
CIO/Technology director
5
26
6
4
Other C-level executive6
Head of Business Unit10
Head of Department10
Manager15
SVP/VP/Director19
Which of the following best describes your title? (% respondents)
19© The Economist Intelligence Unit Limited 2014
Finding their way: Corporates, governments and data privacy in Asia
Aerospace and defence
Agriculture and agribusiness
Automotive
Chemicals
1
1
2
3
Construction and real estate2
Education8
Energy and natural resources6
Entertainment, media and publishing3
Financial services26
Government/Public sector2
Logistics and distribution2
Retailing2
Telecoms2
Transportation, travel and tourism2
Manufacturing6
Professional services14
Healthcare, pharmaceuticals and biotechnology6
IT and technology11
Consumer goods2
What is your primary industry? (% respondents)
20 © The Economist Intelligence Unit Limited 2014
Finding their way: Corporates, governments and data privacy in Asia
Customer service
Finance
General management
Human resources
13
21
43
5
Information and research10
Legal4
Marketing and sales22
Operations and production13
Procurement2
Risk14
Strategy and business development39
Other, please specify3
R&D5
Supply-chain management4
IT12
What are your main functional roles? Select up to three. (% respondents)
While every effort has been taken to verify the accuracy of this information, The Economist Intelligence Unit Ltd. cannot accept any responsibility or liability for reliance by any person on this report or any of the information, opinions or conclusions set out in this report.
Cover image - ©Thinkstockphotos
LONDON20 Cabot SquareLondonE14 4QWUnited KingdomTel: (44.20) 7576 8000Fax: (44.20) 7576 8500E-mail: [email protected]
NEW YORK750 Third Avenue5th FloorNew York, NY 10017, USTel: (1.212) 554 0600Fax: (1.212) 586 0248E-mail: [email protected]
HONG KONG6001, Central Plaza18 Harbour RoadWanchaiHong KongTel: (852) 2585 3888Fax: (852) 2802 7638E-mail: [email protected]
GENEVARue de l’Athénée 321206 GenevaSwitzerlandTel: (41) 22 566 2470Fax: (41) 22 346 9347E-mail: [email protected]