Buoyant cross-border trade, as well as advances in technology, have led to businesses in Asia holding personal data of those living in European Union member countries. However, Europe’s new General Data Protection Regulation (GDPR) empowers these individuals to determine how their data is used. Now, “data subjects”—who may be EU citizens or simply EU residents—have new rights under the GDPR, placing important obligations on organizations that process user data. What does this entail for businesses in the Asia-Pacific region?
In this digital age, personal data is precious and coveted by myriad organizations for many different intents and purposes. Be it an online retailer, a social media platform, or a heavily regulated financial services firm, everyone seeks to obtain personal data for both operational and commercial reasons.
In 2015, Asia was responsible for 36 percent of exports from the EU and 45 percent of imports to the EU, making it an important trading partner of Europe. As of 2014, more than 10,000 European companies operated in Southeast Asia. This puts those whose personal data has been obtained at risk: Its use may not have been explicitly understood and agreed upon, and weak information security may result in a data breach.
GDPR Goes Live
The extra-territorial nature of the GDPR means that non-EEA-based* organizations must not assume they will not be impacted by it. Even organizations that may only have a very small number of EU data processing in scope will risk falling foul of the regulation if they do not explicitly assess the nature of the data held and processing performed on the data.
Organizations will need to consider the adequacy of internal governance and control frameworks in order to demonstrate compliance.
Only recently, in the run up to the implementation date (May 25, 2018), particularly in Asia and the U.S., has the extra-territorial nature of this regulation been widely acknowledged. Some of this has been driven by contractual obligations of third parties who may be acting on behalf of, or under instruction from, these organizations to process personal data.
Such recognition is an important first step. The rest is to ensure that an action-oriented program is in place to evidentially demonstrate compliance. The focus needs to be on good governance, a robust control environment, clear communications, and sound IT infrastructure.
A lot of focus has been placed on the extent of fines and penalties: These can have a devastating effect on many firms. While this may be an effective deterrent, the principles under which the GDPR operates forces firms to revisit the purposes for which personal data is obtained and processed in order to gain assurance. They also provide data subjects transparency regarding how their personal data is being processed.
How Can Firms in Asia Prepare?
It is essential for firms to understand the scope and complexity of their business activities first and have a good understanding of their internal processes in order to comply with the GDPR. Compliance with existing data protection laws of their own countries is likely to provide a good starting point.
Here are some typical steps that will help Asian firms prepare:
- A clear data mapping of the types of personal data gathered and processed, whether as a controller or a processor
- A gap analysis to assist in understanding what additional processes might need to be put in place, extending beyond compliance with regulation
- An assessment of the existing IT infrastructure and cybersecurity arrangements to determine if there are any gaps (with a credible, time-bound plan to resolve them)
- Issuing relevant privacy notices to all the different types of data subjects and obtaining consent where appropriate
- Establishing contractual obligations with outsourced processors
- Training all staff to ensure they understand their respective roles and responsibilities regarding data protection
- Keeping evidential, auditable records
- Having adequate processes in place to identify, analyze and report any data breaches
- Appointing an EEA representative as the liaison with EU supervisory authorities and data subjects, where applicable
The above actions will demonstrate that the firm takes governance seriously and is acting responsibly.
The GDPR is a “principles-based” regulation. It allows flexibility to firms to apply their own standards and internal practices to demonstrate compliance. Although it may appear to create an extra layer of compliance requirements, it raises the bar internationally on how personal data is processed in a world where personal data is so commoditized. Importantly, it also enables potential victims to take charge of who uses their data and in what manner, allowing a greater level of transparency and legitimacy without compromising the rights and freedoms of EU individuals.
Looking ahead, the GDPR presents a good opportunity for organizations to consider and review their own data management processes (including cybersecurity arrangements and third-party interactions) to ensure that they have confidence in their internal control environments and that they are putting their customers’ interests at the heart of their business development practices.
*EEA refers to the European Economic Area. It includes all EU countries and also Iceland, Liechtenstein and Norway.
This article first appeared on BRINK Asia on June 24, 2018