The privacy conundrum: Tackling the issue of the century
Crypto.com executive and HKB Management Awards winner Jason Lau answers some serious questions on data privacy.
With the increased digitisation and reliance on technology that the pandemic brought to industries and societies, making sure these systems are secure has become the top priority.
An established industry figure in cybersecurity, Crypto.com’s Jason Lau led the company to become the first to achieve the new data privacy certifications ISO 27701, the NIST Privacy Framework, Singapore’s Data Protection Trust Mark (DPTM) and Hong Kong’s Gold Award from the Privacy Commissioner for Personal Data (PCPD), one of the first to obtain a crypto license in Malta, and most recently to obtain in-principle approval for a Major Payment Institution License in Singapore. These are just some of the accolades that contributed to his winning the Data Privacy - Executive Of The Year Award at the HKB Management Excellence Awards.
As the current Chief Information Security Officer (CISO) at Crypto.com, Jason oversees the company’s global cybersecurity and data privacy strategy. This work is complemented by his roles as Regional Lead, Co-Chair and Advisory Board Member for the International Association of Privacy Professionals, and as Adjunct Professor for Cybersecurity and Data Privacy at the HKBU School of Business.
“I am extremely humbled to have won the Executive of the Year in the Cybersecurity category at the HKB Management Excellence Awards in 2020, and to follow this up last year in 2021 in the Data Privacy category is a privilege and honour given the calibre of the other nominees. I have been lucky that my dedication and commitment at Crypto.com and also within the broader community is being recognised by peers and industry,” said Jason.
A top issue
Jason’s award is a testament to how seriously he takes data privacy. In his view, privacy concerns affect everyone from multinational corporations across all industries, big and small, through to the individual user and consumer, as digital transformation drives greater adoption of technology in everyday life, with growth accelerated by the effects of the pandemic.
Even Apple’s CEO Tim Cook recently said that privacy is one of the top issues of the century.
“From contact tracing apps to individuals and workplaces that are adopting video conferencing and working from home, the world has been thrown into the deep end and organisations are now playing a catch-up game in order to meet the data privacy standards and regulations in order to uphold the privacy rights of the individuals,” Jason said.
What set the tone for corporates to meet data privacy standards was the General Data Protection Regulation (GDPR), which became effective in 2018 and remains one of the most comprehensive privacy regulations to date. Over the last few years, more and more regions around the world have followed suit with their own regional cybersecurity and data privacy regulations and laws.
“When we look at it from a data security perspective, research has shown that there is one ransomware attack every 11 seconds, and there is a growth of over 20% compared to previous years and this issue will continue to grow as personal data is the new currency for hackers. On top of ransomware, industry data shows that 92% of breaches in Q1 2022 alone were due to external targeted cyber-attacks, so when you look at it from this perspective, prioritising privacy and security data needs to be board-level responsibilities at all organisations,” Jason said.
Ensuring data protection
Jason says that data protection starts with cybersecurity and privacy strategies that are supported by leadership at the top of the organisation.
“Whilst from a very high-level perspective, security is more about the safeguarding of assets, whereas privacy is more concerned with upholding the rights of the individuals, both functions have to work hand in hand in order to achieve this – and it is much harder than you think,” Jason said. He added that organisations have very different organisational structures, and this is often the first challenge in driving a data privacy strategy. There is no set way to go about it: in some companies data privacy sits within the legal team, in others within the risk management team, and in some organisations it is run out of the human resources operation.
Jason pointed out that the key success factor is having a Data Protection Officer (DPO), who provides oversight and accountability to ensure the organisation processes personal data in compliance with the applicable data protection rules and regulations, together with a Steering Committee at the top that gives the privacy team visibility of the different projects under way.
One example of such an initiative is their Privacy Impact Assessments, which are run for all projects and, as their privacy programme has matured and security concerns around third-party suppliers have grown, are integrated into their Vendor Risk Assessments. Another is contractual Data Processing Agreements, which set out clear responsibilities for data protection in contractual form, among many other measures.
Jason also suggested that companies need to stay closely connected with their local privacy regulator; Jason himself sits on the official Standing Committee on Technological Developments for the HK Privacy Commissioner’s Office. This helps organisations keep up to date with ever-changing rules and regulations. One of the biggest challenges to come globally is the new EU Standard Contractual Clauses (SCC) requirement, which comes into force in December 2022, when all old SCCs must be transitioned to and replaced with the new ones, a deadline that may prove tough for many companies to meet. This will be an especially large undertaking for multinational organisations with complex entity structures operating across multiple jurisdictions and with a significant number of vendors, which makes close connections with industry and regulators an essential part of any privacy programme.
Whilst driving global cybersecurity and privacy programmes is a challenging task, these programmes are only a small portion of an overall strategy that must cover people, processes and technology throughout an organisation.
“If companies want to make the most of their resources to improve their data protection posture, they need to ensure they align and orchestrate their teams to include data privacy in all processes and not just an afterthought at the end and thus bringing in a greater focus on corporate data privacy accountability where DPOs need to be a must-have and not a nice-to-have in order to drive a successful privacy programme in any organisation,” Jason added.
Metaverse and Web3
Looking forward, Jason also identified some of the likely key privacy issues arising from trends such as Web3 and the metaverse. His view is that Web 3.0’s immersive experience is going to take privacy concerns to a whole new level, in stark contrast with the earlier transition from the physical world to Web 1.0, which consisted mainly of static websites and personal sites used to broadcast information, with limited interactivity.
The challenges of recent years, such as excessive collection of personal data for profiling that in turn feeds targeted marketing, have been based mainly on what users click on while browsing or using a website or app. The metaverse potentially poses new issues: companies could measure everything from users’ behaviour to pupil dilation and eye movement in reaction to different visual ads, and much more, while users wear immersive VR goggles, none of which is possible while browsing websites on a laptop.
Other concerns include how a person’s metaverse profile and identity should be treated after the real-life person dies, as there are no clear rules yet governing personal data in a centralised or decentralised metaverse, along with many further issues such as cross-border privacy rules and whether the concepts of Controllers and Processors will even apply.
For Lau, the emergence of the metaverse poses many new challenges that are difficult to answer at the moment, given the lack of precedent and the scale of technology involved, and all of this needs to be properly debated and challenged before the large tech companies start to develop these technologies.
“In my opinion, at the core of the development of the metaverse, should be ethics; and data ethics should be the common underlying theme for any feature or function in the metaverse. I look forward to more industry sharing on these topics in the future,” Jason said.