The CIPP/Asia accreditation from the International Association of Privacy Professionals certifies competency in the key data privacy practices of major Asian economies. CIPP/A holders are noted for their ability to apply relevant information and a nuanced grasp of privacy standards to the demands of Asian and international organizations.
The Certified Information Privacy Professional/Asia (CIPP/A) is the first publicly available privacy certification that covers multiple jurisdictions in the Asia region. It addresses the data protection laws in Hong Kong, India, and Singapore and the regional privacy concerns in this rapidly growing landscape. The credential is designed for any person, regardless of location, whose work as a privacy professional involves Asian data protection regulations.
The CIPP certification is one of the most widely recognized qualifications for recruiting privacy professionals in the market. The IAPP's popularity can be seen in the growth of its certification and membership numbers. In 2019, the IAPP reached milestones of 25,000 certifications and 50,000 members. The number of credentials grew by 15,000 in the next seven years, after taking 12 years to reach the initial 10,000. While the exact figures are unknown at this time, it is very possible that the IAPP will reach its next milestone considerably sooner. Given the salaries of experts with the Certified Information Privacy Professional (CIPP) certification, this is not surprising. This is what happens when the demand for certain skills exceeds the supply.
The data privacy landscape in Asia (East, Central, and South) and the Pacific has changed dramatically in the last decade, and all signs point to the region’s privacy policies continuing to develop at a similar rate until 2021 and beyond. Only six governments had complete data privacy laws before 2010, with two of them enacting them before 2000: New Zealand in 1993 and Hong Kong in 1995. Thirteen more governments passed new data privacy laws between 2010 and 2020, while seven altered their existing rules (four of the seven jurisdictions amended their laws twice during this 10-year period).
Most of the laws in this region apply to processing in-country only. However, five have extraterritorial provisions that are similar to or exceed the scope of the EU’s General Data Protection Regulation (GDPR) extraterritorial provisions: Australia, Japan, New Zealand, Philippines, and Thailand.
Similarly, three-quarters (15) impose restrictions on cross-border transfers of personal data. However, the similarities end there, because the legal bases for transfers vary among adequacy, consent (or another legal basis such as legal requirements), and/or contracts (or binding corporate rules). No jurisdiction in the region has yet issued a list of jurisdictions that provide adequate protection or, with the exception of New Zealand, model contractual clauses.
Moreover, New Zealand and Japan are the only countries in the region to be found adequate by the EU. South Korea and Taiwan are currently seeking to obtain an EU adequacy decision.
The laws in Hong Kong, Indonesia, Nepal, and Taiwan do not restrict cross-border transfers of personal data.
Slightly more than half (10) require notification in the event of a data breach. While a number of laws only require that notice be provided to individuals and/or to the data protection authority “promptly” or “without delay,” others require notification within 72 hours (Philippines, Singapore, and Thailand) or, in one case, within 14 days.
Two-thirds of the laws (12) do not permit processing on the basis of legitimate interests. The range of available legal bases varies widely from one jurisdiction to another.
Access and correction rights must be provided in all countries except Nepal. Almost half of the laws (9) provide erasure rights but only four countries provide data portability rights: China (under the Privacy Standard), the Philippines, Singapore, and Thailand.
The timeframes for responding to individual rights requests also vary widely: four countries require responses to rights requests within 30 days or more; two within 20–21 days; two within 10–15 days; and three within 1–7 days. Seven do not specify a time period.
Eight laws require the appointment of a DPO: China (under the Privacy Standard), Japan, Kazakhstan, Korea, New Zealand, Philippines, Singapore, and Thailand.
Only two jurisdictions impose data localization requirements: Kazakhstan’s privacy law requires companies to store their data locally and China’s Cybersecurity Law requires operators of critical infrastructure to store within China both personal information and “important data” collected and produced in the course of their business operations.
While the trend around the world is to minimize registration requirements, five laws in the region require organizations to register processing activities with a data protection authority: Kyrgyzstan; Macao; Malaysia; Philippines; and Uzbekistan.
Most laws in the region do not require organizations to carry out DPIAs. DPIAs are required only in Singapore, South Korea, and the Philippines.
In the wake of large data breaches in the region over the past few years, data protection authorities (DPAs) in South Korea, Japan, and Australia have focused on enhancing private sector security practices.
The DPAs in Korea, Japan, and Australia have been the most aggressive in carrying out inspections and prosecuting organizations that fail to implement proper security measures, often resulting in fines and/or corrective orders. Enforcement of privacy rules in China, Hong Kong, and Singapore has focused more on other types of privacy violations.
For this reason, CIPP/A certified practitioners are needed. Because data privacy laws in Asian jurisdictions are constantly evolving, a knowledgeable person who can navigate this field with expertise is always appreciated. Clients and potential employers have more confidence in privacy professionals who hold the CIPP/A.
DPOs additionally oversee the data security and data protection policies to ensure that those policies are operationalised across every organisational unit and that the organisation complies when it processes personal data. Your DPO should work independently, with full support from senior management and the Board, and have access to all the resources required to do the job according to best practices.