From New Regulations to Generative AI: Shaping Data Privacy

From the new rules regarding data protection to the challenges of Generative AI, Kevin Shepherdson, CEO and Founder of Straits Interactive talks about his journey with the company, working through COVID-19, and the future of the Data Protection landscape. 

It all started with Do-Not-Call Rules in Singapore

The genesis of Straits Interactive began when a Managing Director of a real estate company sought help to comply with Singapore’s impending Do-Not-Call (DNC) Registry rules back in 2013. Complying with these new rules, and later with the Personal Data Protection Act (PDPA) of Singapore, presented a challenge for most companies unaccustomed to the culture of personal Data Protection. A decade ago, spurred by the desire to create a solution that made compliance simple, easy-to-use, and operational, I joined forces with my former colleague from Sun Microsystems, Alvin Toh, and together we started Straits Interactive.

We developed the country’s first DNC app, Spidergate, which automated the process of cross-checking Singapore’s Infocomm Media Development Authority’s (IMDA) DNC registry, something that previously had to be done manually. This DNC app gained momentum and led our foray into broader Data Protection solutions. In 2014, our company launched Singapore’s first Privacy Management Software – Data Protection Management System (DPMS) – and Data Protection Officer (DPO) Hands-on Training, which equipped DPOs with a practical approach and industry best practices to draft policies and implement processes, reducing an organisation’s risk and helping it comply with the PDPA.

Operational Compliance as a Call-to-Action

At that time, only Singapore, Malaysia, and the Philippines had Data Protection laws, and we predicted that all of ASEAN would eventually pass Data Protection laws as part of the ASEAN Economic Community (AEC) regional blueprint. Many companies were approaching Data Privacy law from a legal perspective, but our software solutions, consultancy, and training targeted at DPOs, and we advocated for “operational compliance”. This approach appealed to clients who wanted to understand “how to comply” at the operational level.

To bolster the competencies of Data Protection professionals, we introduced the now-popular professional certification from the International Association of Privacy Professionals (IAPP) to the region. We also promoted the DPO role as a viable profession, predicting the impending shortage of Data Protection expertise in the area.

The Call from the Philippines…

Soon after, we were invited by the then Deputy Commissioner of the National Privacy Commission (NPC), Dondi Mappa, to train his team. This led to the local introduction of the IAPP Certified Information Privacy Manager (CIPM) Certification, and Data Protection Hands-on Training to aid organizations in complying with the Data Privacy Act.

We have since worked closely with the NPC, sharing regional best practices and proudly serving as trainers for the Accountability, Compliance, and Ethics (ACE) program.

Responding to the Regional Call for Personal Data Protection

Since our inception a decade ago, we have grown from strength to strength, pushing frontiers in Singapore and the region. Like many companies and industries, the COVID-19 outbreak did impact our progress, but it also underscored the importance of protecting personal privacy and addressing concerns about surveillance. To continue serving our clients and graduates during safe-distancing measures, we created the Data Protection Excellence (DPEX) Network, which has now become Asia’s largest community of Data Protection, Privacy, and Governance professionals. Over the two-year outbreak, we created a knowledge resource where job listings, articles, and videos were shared among members. Additionally, the DPEX Network organized monthly webinars and in-person events, covering a range of Data Protection, Privacy, Governance, and related topics.

Today, regulators have a vested interest in Data Protection and Privacy. It's no longer a “nice-to-have”, but an urgent necessity, especially in light of high-profile data breaches. The ASEAN region is waking up quickly to this fact, and Indonesia, Thailand, and Vietnam have all passed their laws. Without a doubt, ASEAN has become the hotspot for Data Protection laws.

Straits Interactive is proud to have contributed to the regional privacy landscape, and we continue to grow the DPEX Network while providing a community platform for data protection professionals. With more than 40 courses in Data Protection and Data Governance, our industry partners include Singapore Management University (SMU), the University of Thai Chamber of Commerce (UTCC), and the Asian Institute of Management (AIM).

Our leadership in the Data Protection, Privacy, and Governance industry in the region – culminating in national recognition in Singapore, and Straits Interactive being named as one of the 10 winners of the “Outstanding and Promising Startups” award this year – makes our 10th-anniversary celebrations even more meaningful.

Addressing the Challenges of Generative AI:  Roadmap towards Data Governance

As digital transformation continues, driven now by Generative AI (the buzzword of the day), Straits Interactive recognizes the need to educate practitioners, not only about the benefits but also the privacy and ethical risks of this exciting new tool.

Serving as a reminder of the necessity to govern the use of generative AI within organizations, Straits Interactive’s research team surveyed 100 apps, analyzing their privacy policies and terms of use. The findings, which revealed questionable privacy practices, particularly among startups, were presented at Straits Interactive’s recent Masterclass titled "Generative AI and its Implications on Data Protection". The event, held on July 21, 2023, attracted more than 150 participants.

The Masterclass also brought together a collection of industry practitioners: AI experts from Microsoft, advisors at the IMDA, and regional guests Dr Prapanpong Khumon (Advisor to the Secretary-General of the Personal Data Protection Commission in Thailand), and Leandro Angelo Y. Aguirre (Deputy Privacy Commissioner at the National Privacy Commission) of the Philippines. Discussed also at the Masterclass was the EU’s laws on AI and Data. This was very well-received, and looked upon as a roadmap of what we can expect in the region.  

The Data Protection landscape today is both challenging and exciting as more players enter the market. As data forms the backbone of every company today, the focus should now be on Data Governance within the context of digital transformation, in addition to just complying with Data Protection laws. Practitioners should upskill themselves in AI governance, and participation in knowledge resources such as the DPEX Network will help practitioners stay up-to-date while providing a roadmap towards Data Governance.

This article was first published in The Manila Times on 20 August 2023.