Meet the expert: Carolyn Bigg to speak at PrivSec Global

Streaming live November 29 and 30, PrivSec Global unites experts from both Privacy and Security, providing a forum where professionals across both fields can listen, learn and debate the central role that Privacy, Security and GRC play in business today.

Carolyn Bigg is Global Co-Chair of DLA Piper’s data protection and cyber practice, and heads the firm’s data privacy and cyber practices across Asia Pacific. With 20 years’ experience in the data field, her clients turn to her as a trusted adviser on their critical and ground-breaking data projects.

Carolyn appears exclusively at PrivSec Global to discuss the evolution of data protection regulations across Asia.

Below, she answers questions on her professional journey and the themes of her PrivSec Global session.

Could you outline your career pathway so far?

I’ve been a data lawyer for over 20 years now. I started off in the UK, and I moved to Asia 15 years ago. I’ve been fascinated by data law all the way through; I feel like I was one of a handful of people that was interested in privacy and data back in the early 2000s. I never imagined that I’d be able to have a whole practice built on advising on data, but I’m delighted that I have.

I am particularly excited to be living and working in Asia for the last 15 years because I’ve seen it change dramatically from a region with very few data laws to a region that is leading the world, arguably, in how data is used; whether it’s using data for good, using data for interesting new technology or analytics or AI, and arguably now having some of the most complicated data laws in the world. I feel very lucky.

What have been the key developments in data protection regulation across Asia in recent years, and how has this changed the way global companies do business in the region?

There have been almost too many developments to talk about. It’s a very fast evolving picture across Asia. We don’t have a harmonised data law, and so we’re seeing new laws, enhanced laws and enforcement, as well as different regulatory priorities in different countries across the region.

I think from the perspective of multinational business, the one that probably catches the headlines is cross-border data transfers and data localisation. Some jurisdictions, like Vietnam and China are moving towards strict data localisation, whereas other jurisdictions, such as Saudi Arabia, and Indonesia, and in particular, India, are seemingly moving away from that. So, it’s a real mixed bag.

The new data laws in India and Indonesia should also be a focus for MNCs as they plan data compliance programmes for 2024.

From a regulation point of view, what comparisons can be drawn between the risks businesses face in Europe and those facing enterprises across Asia?

The culture of data is very different here, but also the policy and aims behind data laws are very different in Asia as compared to Europe. So, the risks that you have to manage when it comes to data protection in Asia are very different to Europe (large fines), and to North America (class actions).  

In Asia, the risks are more operational and contractual. Yes, we are starting to see a few big fines in this part of the world, and regulators getting powers to impose bigger fines. But the bigger risk is that regulators will take down systems, block apps, or require data to be kept only in one country, for example. So, the operational impact of not being able to use global systems or not be able to continue global data flows – the operational impact of that can be way more damaging to a business, particularly if you’re a service provider or platform provider. You may then find yourself having contractual liability.

It’s probably one of the really big topics to talk about when we consider what’s the same or what’s different between Europe and Asia - the risks are fundamentally very different.

How well are enterprises across Asia adapting to the evolving regulatory landscape?

As I said, there’s a different ethos and driver behind the approach. The laws in Asia are not really driven like Europe by a fundamental absolute right to privacy; they’re much more pragmatic. They have evolved because of, perhaps, cyber incidents, or from a need to have protections in place to support local outsourcing industries, or to stop the worst abuses of data.

So, the laws are much more pragmatic, and they’re centred around a concept of data having a value. The laws are consent-based because people can choose whether they share their data, in return for something like a more personalised service, or a more tailored experience, or convenience. And so, it’s a very different way of looking at compliance; it actually goes to the customer experience or the consumer expectation, rather than compliance for the sake of compliance.

It becomes actually more fundamentally part of the strategy, part of commercial and business aims and successes almost than just being a compliance exercise. For that reason, I think businesses here do take it seriously. It is a matter of trust and meeting customer expectations.

More importantly, there are many businesses, particularly consumer businesses, where this is an incredibly important market for them. So, having a data protection compliance programme that’s built on GDPR principles, maybe isn’t enough. It also enables businesses to seize opportunities to do a lot more with data in Asia than there might be under GDPR.

I would say there’s a challenge, though. There is a talent shortage in this part of the world, for individuals with that depth of understanding about, not just local data laws, but also regional and international data protection practices and standards. So, a lot more investment needs to be made on training individuals locally. Businesses are having to invest in skilling up their local teams to help with compliance.

How prepared are businesses across Asia and what challenges do they face as they bid to comply with evolving data protection standards?

Pretty much all jurisdictions have dedicated or at least clear data protection laws. Even Mongolia has a data protection law.

And there are commitments at the level of APEC, for example, to have privacy laws in place under the APEC privacy framework. So, it’s an important issue from the business perspective. My impression is that businesses want to be doing the right thing.

The challenge is, when you’re in this region, you’re not just dealing with one law, but many laws. So, it’s not a question of preparedness, it’s a question of prioritising and risk management. And that’s the challenge that businesses face:  not just looking at the law, but looking at what the actual risks are on the ground, and prioritising what’s important.

The results might be different to what you prioritise in Europe. So, for example, you may spend a lot of time in Europe at the moment focusing on certain governance activities, such as RoPAs. Whereas actually, across a lot of Asia, that’s either not a requirement, or it’s probably seen as a low priority by the regulators. 

And actually, your compliance focus should perhaps be on consent or cross-border data transfers in Asia, because that’s what the regulator’s care about. I do think it’s important to listen to colleagues on the ground in Asia to understand what the actual priorities and risks are and to plan around that.