Hogan Lovells - Asia-Pacific Data, Privacy and Cybersecurity Guide 2025 - Flipbook - Page 7
Asia-Pacific Data Privacy and Cybersecurity Guide 2025
varying importance, such as “important data”
and “core data”, with different obligations
attached to such data categories.
We expect to see these tensions continue
through 2025, with data policy becoming
increasingly intertwined with geopolitics and
trade policy.
Data protection 2.0: the reference point
for APAC
The recent developments in APAC data
protection laws noted above suggest there is
significant cross-region movement towards
GDPR standards, but in a way that leaves room
for important local variations in data protection
policy, reflecting individual jurisdictions’
specific policy goals across a wide range of
areas, including consumer protection,
human rights, national security, and
economic development.
It is now clear, however, that organisations’
data protection compliance programmes
should take their strategic direction from the
“accountability-driven” model championed
under the GDPR. The points of compliance
organisations are required to manage under the
disparate laws, including data subject consents
and notifications, the exercise of data subject
rights and the satisfaction of mandatory breach
notification obligations, are now so numerous
that a piecemeal approach to compliance is
becoming increasingly risky. The overlay of
data governance through various measures,
such as the documentation of data protection
policies, the conducting of privacy impact
assessments and the implementation of privacy
by design, means that a holistic,
organisation-wide approach to compliance
is needed. The compliance response
demanded under these laws is increasingly
sophisticated and complex, linked to a range
of corporate functions and to organisationwide considerations of branding and corporate
ethics. At present, the appointment of a data
protection officer (DPO) is only required under
7
