How will GDPR impact APAC companies?
GDPR is now law. EU companies have had two years to prepare for it, but what is the cross-continental impact on companies based in APAC? The GDPR is the biggest shift in data protection and privacy in the last 20 years, and an Asia-Pacific-based company may have to comply even if it is not physically based in Europe. The new rights given to EU citizens mean that any company that markets to, stores or collects PII from an EU citizen based in the EU has to comply with GDPR.
A lot has been said about what will happen to companies that fail to comply with the new GDPR legislation. For the first time, they face unprecedented risk and sizable penalties for major data breaches – up to 20 million euros or 4% of global turnover, whichever is higher. This is only half the story, however.
Companies that operate outside of the EU could find themselves caught out by the new reach of the data protection laws. GDPR will apply to your company if you provide services into the EU, or if you obtain sensitive personal information of an EU citizen and transfer it outside of the EU. There are now rules around consent and how you obtain it: an EU citizen has to give you clear and explicit consent to use their data for a specific purpose.
Fines, fines and more fines! It’s not just the fines you need to be wary of. The reputational damage to your brand could ultimately far outweigh any penalty. You also need to understand how the 72-hour breach notification procedure to the regulator and the EU data subject works, and the additional effect it will have on your business.
Some key features of GDPR for APAC companies to consider
How personal data is collected
If you are an Asia-Pacific-based company without a physical presence in the EU, you can still be affected by the new GDPR if you target EU citizens and collect their personal data online. Your collection points, whether your website, apps or forms, need to be GDPR compliant.
With the increased risk of regulatory scrutiny and possible fines, businesses need to have higher data security provisions set out and procedures in place to support GDPR compliance. More importantly, if you fail to convince your customers of your GDPR compliance, you may lose business to competitors.
72-hour breach notification
All personal data breaches must now be reported to the regulator and the data subjects within 72 hours of suffering the breach. In order to prepare for this, your business will need to re-evaluate its processes and procedures and put new systems in place to meet the new requirements.
Data transfers to a non-EU country
Under GDPR, data controllers are no longer allowed to rely on their own view of whether the transfer safeguards currently in place are adequate. In particular, they need to address Article 46: where personal data is transferred from the EU to a third country or to an international organisation, the data subject has the right to be informed of the appropriate safeguards relating to the transfer.
Security by design
Under GDPR, companies need to build privacy-by-design into their systems and data processing activities. Specific impact assessments will need to be carried out for all new technology, and that technology must be able to support GDPR compliance, for example the data subject’s rights to access, rectify and erase their data.
Reputation is key
The financial and reputational impact of GDPR has to be a board-level issue. The new requirements for reporting breaches and updating the regulator create a new element of risk. Delays in reporting and providing notice have created significant negative publicity in recent breaches.
What does the current data privacy legislation look like in APAC?
There is no similar agreement on data protection in the Asia-Pacific region that unifies the laws across the region. However, some countries, such as Australia, New Zealand and Hong Kong, have laws in place that cover both the private and public sectors. China, Vietnam, Singapore and Malaysia have laws that exempt the public sector, and the Philippines has laws specific to the handling of citizen and non-citizen data. In general, these laws are territorial and do not have the extraterritorial reach of the GDPR.
Could we see something similar to GDPR in APAC?
The Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules System (CBPRS) requires businesses to implement data privacy policies consistent with the APEC Privacy Framework. This is a clear attempt to harmonise data privacy rules, with the aim of building consumer and business trust in cross-border flows of personal information.
In February this year, the Singapore Personal Data Protection Commission published the feedback collected from its public consultation, which is intended to align its regulations with the provisions set out under the new GDPR legislation, including the data breach notification requirement.
It could be some time before we see a unified law across APAC, but steps are certainly being taken to improve privacy laws across the region.