From a regulatory and compliance standpoint, data protection and industry vertical are two essential and interlinked factors when companies in Asia decide to deploy software-as-a-service (SaaS).
Danni Xu, Asia-Pacific research analyst for data center and cloud computing of ICT practice at Frost & Sullivan, said local regulation on data has seen increasing significance across the region with several governments taking "meaningful steps" to adopt the Personal Data Protection Act (PDPA). Coverage and enforcement, though, vary from country to country, she said.
For example, Xu noted that Singapore passed the personal data protection bill in October last year with enforcement slated to begin mid-2014. Its northern neighbor, Malaysia, passed its Act in 2010, which came into force in January this year.
The main intent behind PDPAs is to govern organizations in the collection, use, and disclosure of customers' personal data, the analyst explained. Hence, before adopting SaaS in Asia, companies must review or establish data protection strategies to ensure compliance, especially if the country where they operate has or is planning to establish such laws.
It also means companies must evaluate SaaS vendors based on their ability to meet the organizations' data requirements in a particular country, she said. This is important since in SaaS, companies are not the ones directly managing the data center or infrastructure, Xu noted.
Minding vertical laws, too
Here is where regulations pertaining to specific industry verticals intersect with data regulation.
Together, the two factors influence how companies assess the abilities and contractual obligations of going SaaS in order to be compliant, said Lyon Poh, partner for management consulting and IT Assurance at KPMG Singapore.
For example, in Singapore, the Banking Act requires banks operating in the country to "ring fence" the location of sensitive customer data and always secure it from unauthorized disclosure, Poh said.
Banks in the country may find ensuring compliance with this rule more challenging than expected, he noted. First, SaaS data could be hosted at a location not always or easily identifiable by the end-user company. Second, this challenge is further complicated by Singapore's recent PDPA which requires companies of any nature to identify and safeguard customers' personal data from misuse, he explained.
Err on the side of data protection
Even in Asian countries where no formal data protection law exists, there will be industry-specific rules associated with data, such as data retention periods. These can impact decisions on SaaS adoption and the choice of a suitable vendor.
Frost & Sullivan analyst Xu said while PDPA has not been initiated in, for instance, China, there are other types of regulation to consider where SaaS is concerned. "On the regulatory side, it is mandatory that all SaaS vendors obtain an ICP (Internet content provider) license for their business operations," she pointed out.
She added that the State Council and the Ministry of Public Security in China have a set of decrees such as regulations on safety protection of computer information systems.
China may be considered to be less mature in terms of its regulatory infrastructure for personal data protection, but the country places strong emphasis on government-related monitoring and censoring of Web use by citizens and businesses, Xu added.
Ultimately, companies have to learn to be savvy about data and industry regulations in Asia, and in the particular country where they plan to adopt SaaS, she said.
Poh also advised that regardless of the nature of their business, and whether there are formal personal data protection laws in the country, it is "a matter of good practice" for any company considering SaaS and assessing SaaS vendors to always be mindful of the principle of data protection to ensure good governance.