COVID-19 and data governance: how the rush to digitally transform led to misuse of data

By Kevin Shepherdson

At the outset of the Covid-19 pandemic, businesses were primarily focused on continuity and survival, eventually leading to change that embraced digital transformation as a means of swiftly adopting new business models, writes Kevin Shepherdson, CEO and Founder of Straits Interactive.

Before the pandemic, modern advances in technology, such as the Internet of Things, cloud computing, smart sensors, and the collection and processing of big data, for use by computer algorithms and in machine learning, had already been driving a digital revolution that brought about greater automation and fresh new products and services.

In a post-pandemic landscape, with more than two years having passed since Covid-19 first paralysed then upended business norms worldwide, DPEX Centre, the research arm of Straits Interactive, has identified several key trends and considerations for organisations.

These trends include an emphasis on governance and dealing with dispersed workforces. In 2020, once it became clear that businesses worldwide had to cope with pandemic requirements, such as lockdowns and social distancing measures, organisations rushed to enable work-from-home arrangements without adequate safeguards for their back-end infrastructure.

The costs of digital transformation

Such was the rush that one forecast about global spending on digital transformation had to be revised nearly threefold, from USD2.3 trillion to USD6.8 trillion in 2023, just eight months into the pandemic.

Another trend noted by DPEX Centre was the growing need to cope with potential data breaches and other crises. A remote workforce has introduced greater insecurity, exposed more vulnerabilities in organisations’ systems and networks, and heightened both the risk of data breaches and the difficulty of complying with data protection regulations.

Some organisations invited even more risk by commencing or increasing surveillance of their remote workers, or by developing apps without sufficiently considering the impact of excessive permissions and overcollection of users’ personal data. There have even been cases where the very applications employed to grapple with Covid-19, such as contact-tracing apps, were themselves the sources of highly sensitive data leaks.

As more data privacy and data protection breaches occur, are reported and get investigated for possible enforcement action, organisations have realised the need to comply with data management and protection requirements, with many taking the first step of appointing or hiring a data protection officer and implementing the necessary plans, policies and processes.

However, as vulnerabilities remain undiscovered or not dealt with, such as poor management of third parties that have business systems intertwined with their clients’, organisations remain at risk of betraying their stakeholders’ trust, falling victim to data breaches, and ultimately having to pay in terms of financial penalties and loss of reputation and revenues.

The business landscape in the post-pandemic period

Digital transformation is now here to stay and many businesses are learning to better cope with the attendant risks, even as they begin to rethink their business continuity planning.

When it comes to data privacy and data protection laws, regulators are also very active. China’s Personal Information Protection Law (PIPL), effective in November 2021, has already been enforced, while Thailand’s Personal Data Protection Act (PDPA) came into full force on 1 June 2022. Data protection laws are also on the horizon in Indonesia and Brunei, while a new decree is being issued in Vietnam.

Laws are also being clarified and amended. In the Philippines, to promote organisational accountability and compliance with the Data Privacy Act (DPA), data privacy violators may be fined up to 3% of annual gross income for “major” or “grave” violations. In Singapore, fines for violators of the country’s own PDPA will be increased on 1 October 2022 to SGD1 million or 10% of an organisation’s local annual turnover if that turnover is upwards of SGD10 million.

With these developments, more companies will have to take data privacy and data protection more seriously as the demand for accountability, from customers and business partners, grows. Many are advertising for governance and data protection roles where they either require or strongly prefer candidates to have completed formal training, such as international certification.

It would thus be wise for organisations to have staff educated in relevant data privacy and data protection laws and principles and on how to operationalise such principles. Adapting data protection principles into tangible day-to-day practices is a “whole of organisation” endeavour and not something that can be left to legal, compliance, audit, or other professionals.

It takes some time and effort, but integrating data privacy and data protection into your business processes is an investment that pays dividends, in growing revenues and anchoring stakeholder trust, over time; it is a journey where a trusted consultant or advisor can be an invaluable resource.

What’s next for data privacy and data protection?

Even though basic data protection practices are not yet widely adopted, digital transformation is causing many organisations to shift their stance from data protection to data governance.

While data protection is about decreasing risks in handling personal data, data governance takes a broader view on decreasing risk and increasing the value of data, to enable the organisation to better achieve its business goals. Ultimately, it is a recalibration from risk management and compliance to value creation and innovation.

In the “new normal”, identifying new opportunities and going all-in with the accelerated pace of digital transformation and innovation will lead to a renewed focus on investments that will truly generate value in the short, medium and long terms.

About Straits Interactive:

Straits Interactive is the leading authority in data protection and privacy in the ASEAN region, offering innovative privacy solutions to facilitate responsible marketing by trusted businesses. Founded in 2013 by Kevin Shepherdson, Straits Interactive delivers end-to-end governance, risk management, and compliance solutions that enable responsible marketing in the area of data privacy and protection. Straits Interactive helps businesses achieve operational compliance and manage risk through a combination of cloud technologies and professional services. With employees all across ASEAN, Straits Interactive offers hands-on training, advisory, and software in a single offering to their clients, allowing them to win many high-profile projects and deliver services faster, more affordably, and more efficiently. Straits Interactive can be found at