Applying a Global Data Privacy Policy in Asia – Sebastien Lacroix
Royal Bank of Canada’s APAC Regional Privacy Officer, Sebastien Lacroix, shares his perspective on the rise of data privacy concerns and challenges in the region
It’s easy to get excited about how our lives as consumers, employees and citizens can be improved by advances in data and analytics technology, and many data leaders around the world advocate for greater maturity in the data sciences for this reason.
The increasing position of data and analytics’ place in the modern corporate enterprise is also creating a greater need for data privacy experts to help keep the guardrails on data innovations within business.
Data-driven business thinking isn’t itself new, but Sebastien Lacroix, who serves as the Royal Bank of Canada’s APAC Regional Privacy Officer, says risk and compliance concerns around data have increased considerably over the past decade.
“I think one of the main differences is that previously the regulatory fines levied by the authorities were not so high and as things are changing, people have now started paying more attention due to the cost of not being compliant,” Lacroix says from his Singapore home office.
"But once the industry saw that regulators were getting serious about data privacy and not hesitating to ban people from doing business or to name non-compliant companies publicly, they started to pay a lot more attention.
“Regulators have since pushed for more spending in this area, and risk and compliance has become more high profile and had more resources devoted to it.”
Even still, Lacroix says data privacy is still a work in progress. With legislation able to change so quickly, risk and compliance specialists often find themselves trying to catch up with the latest regulatory development.
Lacroix's career spans over 25 years with roles covering compliance, privacy and risk going back to the 90s. More recently, his job titles and role remits have increasingly incorporated data concerns.
“If you look at data privacy officer as job 10 years ago, it hardly existed then,” he says. “There were not so many massive data hacks, and you didn’t have GDPR. Singapore Personal Data Protection Act (PDPA) only went live in 2012.
“It’s a field that has evolved a lot and especially this year because of China. Everyone is keeping an eye on what goes on in China because it impacts the world.”
“It’s been an interesting ride to have seen things progress from when data and personal data was just an afterthought, to now with most organizations recognising the need to take these things seriously because of the impact it can have on reputation, not to mention the risk of fines or losing clients as well. Things have changed quite a bit.”
Data Privacy Policies at RBC in Singapore
The way the world thinks of and treats data is changing, but that doesn’t mean all countries are taking the same approach at the same time.
One unique aspect of Lacroix’s role is that because he works from Singapore for a bank headquartered in Canada with a remit that covers the Asia region, he must help the organization apply a privacy policy that covers every market.
“I’m fortunate to work for an organization that has a strong privacy framework, being headquartered in Canada and having Canada being recognised by the EU as an adequate country in terms of privacy legislation,” he says.
“Canada serves as the basis for our global policy. So the standard is always the highest. Even if I’m in Asia, I’ll still follow requirements set out from the highest level in Europe or Canada.”
Lacroix says this approach works quite well but can become complicated in countries that have particular additional regulatory requirements, such as China.
“Usually, in Singapore or Hong Kong, if your data is collected and sent overseas, the institution only needs to get your consent once. For China, it needs to be gained twice. First, when we collect the data and then again when we send it overseas. That’s unique to China. So, we need to incorporate all the particularities into our processes,” he says.
“Another thing is that when we work with third parties, we need them to comply with the top-level standards that we adhere to. Sometimes they will ask why they need to meet such strong compliance standards when the law in their country doesn’t require it. Of course, because we have a global policy, that’s just what we need to do.”
For the most part, Lacroix says an appreciation of data’s sensitivity and the need to protect it is growing.
“People are becoming more and more understanding of the importance of data and personal data. With machine learning and new technology coming on board now, the industry is becoming better at ethically approaching what we should be doing with data,” he says.
“In the old days, our thinking might have gone straight to doing whatever innovative thing we could with the data. There are now so many technologies now that enable you to do amazing things with data, and that’s why we need a strong regulatory framework to make sure that ethical lines are not crossed.”
Market Maturity
Having spent 14 years living in Singapore, Lacroix has witnessed how the global shift toward stronger data regulation has made its way into Asia, and has a solid vantage point of data privacy maturity in those markets.
“What was a real game-changer didn’t actually originally happen in Asia but it impacted Asia, and that was the introduction of GDPR in Europe,” Lacroix says.
“All of a sudden, Europe said it was OK to send data to some countries and not others. For example, you can’t send personal data from Europe to Singapore and process it there because Singapore does not yet meet the GDPR adequacy requirements set by the EU.
“There was a really big push for Singapore and the region to become more mature from a data privacy point of view if they did not want to be penalised from a business point of view, especially regarding e-commerce, for example. We still clearly see some differences. For example, in some Asian countries, there is no difference when it comes to personal data processing regarding adults and minors.
“Whereas in other countries, including China, whenever you handle personal data related to children, it automatically becomes very sensitive. In Hong Kong and Singapore, we do not see yet see such a clear distinction between adults and children when it comes to the processing of their personal data.”
Lacroix says the differing degrees of data regulation can be based on risk tolerances, privacy as a priority and desire for data innovation.
“I think Asia is willing to take a little more business-oriented approach when it comes to how to use personal data so as to be more innovative than Europe or Australia while keeping the need to protect people’s privacy in mind. The ways might be slightly different but the end result is the same for regulators in Europe and Asia: people need to feel confident their personal data will be processed with the due care they are entitled to,” he says.
“Officially when GDPR came online it was to protect people first then second, help European businesses grow. In Asia, finding the right balance is an ongoing endeavour.
“Each country has its own unique way of looking at personal data. But since Europe has done it and since China will do it, I’m pretty sure we will see legislation evolve in the region as well.”
To receive weekly data and analytics stories and insights, delivered right to your inbox, subscribe to Business of Data