Data security and privacy management with Carol Lee, VP of ISACA China, Hong Kong

Joe Kornik:

Welcome to the VISION by Protiviti interview. I'm Joe Kornik, Editor-in-Chief of VISION by Protiviti, our global content resource examining big themes that will impact the C-suite and executive boardrooms worldwide. Today, we're exploring the Future of Privacy, and I'm happy to welcome in Carol Lee, Vice President of OSAKA China, Hong Kong chapter, as well as the Deputy GM, cybersecurity and risk management of Hang Long Properties. For more than 25 years, Carol has been well known in the cybersecurity field, and her accolades include the 2021 global 100 Certified Ethical Hacker Hall of Fame, as well as the 2023 Women in IT Asia award. Carol will be sitting down today with my colleague, Michael Pang, APAC lead for productivity technology consulting. Michael, I'll turn it over to you to begin.

Michael Pang:

Thanks, Joe. Carol, thank you for your time and thank you for joining us today.

Carol Lee:

Nice to meet all of you guys.

Michael Pang:

First of all, just to kick start the in terms of talking about privacy, how can companies balance the needs of personalising customer experience with actually growing demands and regulatory controls in privacy and data protection?

Carol Lee:

Well, in fact, this is a very relevant question. Personally, I think companies implementing the privacy-by-design principle within their implementation system life cycle is the best answer. Companies can benefit from it naturally. Let's dive into a few examples that illustrate the power of privacy by design. Firstly, customer experience and privacy-by-design both have a common goal of forming a customer data link, or data dictionary. With a customer’s personal information dictionary built and maintained across the life cycle, the company can easily visualise the types of customer personal data collected, stored and processed and further use it to align their customer data analytics strategies, tailor their services, minimise and imitate entry efforts of customer while improving customer experience without compromising on privacy protection. Another aspect of privacy-by-design approach is its proactive nature that will benefit the company by integrating privacy consideration into design systems and processes so a company can address privacy issues at an early stage, rather than retrofitting privacy protection after the fact. When personal information is adequately and normalised or de-identified, this not only enhances data protection, but also fosters digital trust and customer confidence, which is invaluable in today's business environment.

Michael Pang:

Interesting, a lot of the things that you mentioned, could be considered best practices while we have different regulations in Asia Pacific or in Hong Kong with the PDPO (Personal Data Privacy Ordinance). Do you think the government or regulatory body needs to embed some of this into the regulations, and how do you think those bodies in the government will actually play a role in shaping or regulating the data privacy in the future?

Carol Lee:

Yeah, sure. The government and regulatory bodies certainly play a pivotal role in shaping the future of data privacy. Their inferences can be crucial to introduce technical frameworks and guidelines and adoption and assist compliance. This framework is essential as they provide clear direction for business to protect individual privacy rights, while enabling responsible data use. Regulatory reporting can also incentivise business to focus on privacy by requiring privacy engineering professional qualifications for companies that handle massive personal information. Similarly, we have seen like qualification requirements for security professionals in critical infrastructure, right? Unfortunately, unlike cybersecurity, privacy-by-design has only a few global professional qualifications as of now. We, ISACA, is an organisation dedicated to promoting digital trust and offering the certified data privacy solution engineer, CDPSE certification. This certification is tailored for IT professionals responsible for integrating data privacy into a technology platform. It encourages the adoption of privacy-by-design principles and privacy-enhanced technologies in managing data privacy program. As far as I'm aware, IAPP is another organisation also providing privacy certification for legal and other professional people. If qualification requirements can be mandated, personally, I believe there's more educational players that can join the market to shape the culture of privacy. By then, data privacy and protection mindsets can be ingrained into every aspect of business and different job functions.

Michael Pang:

No, that's a very valid. I think it's very important to actually create a sort of a professional pool of resources for data privacy, similar to the one that the industry created earlier.

Carol Lee:

Yeah.

Michael Pang:

In terms of key challenges facing business today or your future a lot of organisations of having global presence, global operations. What do you think is a challenge now in the future in terms of complying with global data privacy regulations, because just within Asia Pacific, we have very different mindset, or even set of approach in data privacy regulations. How can business have you seen your time to comply with this regulation?

Carol Lee:

Across most data privacy professionals that I talked to before, businesses with operation in multiple countries face a significant challenge, which is the resolution of personal information, normalisation and re-identification definitions in different data privacy regulation. Let's take patient information as an example to illustrate: patient information usually refers to patient’s name, address, government ID, card numbers, personal particulars and medical history. If we assign each patient with a patient ID, remove all direct identifiers like names, address ID, card number, and also remove the indirect identifier, like date of birth, it can be considered as a normalised status in some countries, but not in EU and mainland China. EU and mainland China regulation has explicitly stated re-identification and relatability with additional information does not meet a normalisation requirement. So, looking ahead, I think similar regulation variation challenges will keep evolving as more and more countries around the world introduce and update their data privacy regulations as new technologies emerge. Businesses will need to stay agile and adaptive to ensure the compliance with all different regulations.

Michael Pang:

So I think that one of the biggest challenge would be having the data privacy team to really keep up to date and actually fully aware of the slight differences between different regulations, so that they know, OK, what I can do here and what I can do here, so that the difference can be very small, so keeping up to speed and even sort of giving into the details, I think that's going to be a big challenge.

Carol Lee:

Yeah, definitely.

Michael Pang:

Carol, you mentioned new technologies, and I'm sure that this new technology interview cannot avoid talking about AI. So, with the rise of AI and big data, how do you think the landscape of differences will change in the next five to 10 years? I know 10 years a big time in the AI space.

Carol Lee:

Although I don't have a crystal ball, but in the next five to 10 years, I see digital trust will undoubtedly take centre stage in the landscape of data privacy. With the increasing inference of AI and big data. As AI systems and big data rely on vast amount of information, the possibility of re-identification and re-linkability with additional information that we just talked about in the back data and AI environment will be much, much higher. And most countries will also enact AI law in the next few years, and this AI law will definitely intercept with data privacy as AI basically is one type of automated decision making, right? However, unlike general personal information regulation that emphasises legitimate use, AI regulation may also prohibit some of the use of like biometric data, if this biometric data in the AI system may introduce societal bias—if it can infer immersive emotion, categorise individuals based on face, based on voice recording. When AI becomes more deeply integrated into our daily life, ensuring data privacy will be paramount in preserving human rights, preventing unauthorised surveillance and also preventing identity theft. Another pressing issue that I observe in the age of AI is the personal information for AI model training data without proper consent. If we use personal information as the training data for AI systems, we’ll face a digital trust concern, especially when data subjects exercise their rights. And we all know retraining AI model by updating and removing certain personal information is not a small investment.

Michael Pang:

Yeah, it's definitely a part from training, even the usage of AI in terms of serving the customers. Customers may actually say a lot of their personal information tell the AI chatbot the names and information, capturing and destroying and ensuring ways data is being shared and so forth is going to be quite difficult.

Carol Lee:

Yeah, exactly.

Michael Pang:

Last but not least, with technology continuing to evolve, as well as the data privacy law being sort of increased or strengthened, what do you think are the proactive steps organisations should take to future proof their data privacy practice across different technology and different platforms?

Carol Lee:

I think firstly, enterprises must embrace a proactive and continuous approach to clarify their data privacy accountability and responsibility, so that they can ensure data collection transparency and secure data and protect against cyber threats, and also empower individuals with control over their own personal information.

Michael Pang:

Yes, I think that's going to be very important. With that, thank you Carol and thank you very much for your time. You're very generous for your insights. And, on behalf of all the viewers, thank you very much.

Carol Lee:

Yeah, thank you so much. Thank you for the invitation. Nice to talk to you.

Michael Pang:

Thank you. Back to you, Joe.

Joe Kornik:

Thanks Michael and thanks Carol. And thank you for watching the VISION by Protiviti interview. On behalf of Michael Pang and Carol Lee, I'm Joe Kornik, we'll see you next time.