Yinson navigates through the global privacy landscape
Privacy laws around the world are taking shape slowly but surely. The European Union has passed the General Data Protection Regulation (GDPR), which took effect on 25 May 2018; the Singapore Personal Data Protection Act 2012 (SG PDPA) has been in force since 2014; and Malaysia is currently enforcing the Personal Data Protection Act 2010 (MY PDPA).
However, the global privacy landscape is dynamic. Several countries are either passing privacy and data protection laws for the first time or updating their current regimes. For example, China enacted its first national privacy law last year, the Personal Information Protection Law (PIPL), which will work together with China's existing Cybersecurity Law (CSL) and Data Security Law (DSL) to establish a broader framework governing cybersecurity and data privacy protection in China; Japan and Korea recently amended their data protection rules; and Australia is conducting a comprehensive review of its 34-year-old Privacy Act. 2021 also saw Brazil’s comprehensive privacy law come into enforcement. Brazil’s General Personal Data Protection Law (the Lei Geral de Proteção de Dados Pessoais or LGPD) is Brazil’s first comprehensive privacy and data protection regulation, and it is also modelled heavily on the EU’s GDPR. It originally came into force in September 2020, but enforcement was delayed until 1 August 2021. What’s driving this activity is governments’ recognition of the need to keep up with developments in technology, especially given the pace of digital transformation over the last two years.
As such, it is vital that multinational corporations align themselves to comply with the various privacy laws cropping up across the globe. We are no longer an organisation that deals only with B2B services; we deal with B2C services as well. One example is our Green Technologies Division, Yinson GreenTech, which deals with subscribers to our chargEV charging network. Thus, privacy law compliance is a vital aspect of compliance with these business models.
One of the key issues discussed at the Global Data Privacy, Cybersecurity & GRC ConfEx was GDPR compliance with non-EU vendors. I had a differing view: GDPR is one of the key privacy legislations in force, but not the only major force to deal with. As an organisation that spans across multiple continents, Yinson is bound by various privacy laws. Our compliance should align with these various privacy laws, rather than focus on a GDPR-centric approach. Our FPSO business involves vendors from non-EU regions such as China and Brazil, which are governed by regional privacy heavyweight legislations, i.e. PIPL and LGPD. As such, it is crucial for us to adapt and adopt processes that are cross-jurisdictionally compliant, rather than focus on a GDPR-centric compliance approach. That is what I proposed at the conference, which was well received by the various organisations’ legal and privacy heads present.
One of the key measures that I, in my capacity as Chief Privacy Officer, intend to roll out is privacy compliance not only through our offices, but all our projects as well, including the Offshore Production, Renewables, Green Technologies and Offshore Marine divisions. Awareness and education sessions shall be rolled out to all project management staff at the project level to ensure that we are updated on all privacy-related matters.
Written by: Rishi Ganiswaran, Senior Counsel & Chief Privacy Officer, Yinson
Well done, Rishi Ganiswaran!!