GDPR: What it means for your business in the APAC
Data privacy is a hot topic across the globe right now, especially in light of the Facebook-Cambridge Analytica scandal. It’s also the perfect time for the European Union’s General Data Protection Regulation (GDPR) to come into effect.
Adopted on April 27, 2016, the law will replace the existing 1995 Data Protection Directive and come into effect on May 25 this year.
Unlike Facebook, which recently said that it would be unable to promise GDPR-style privacy protection outside the EU, businesses established outside the EU will have to take stock of the new regulation and find a way to comply with it appropriately.
The cost of non-compliance? EUR20 million (US$24.6 million) or 4 percent of global turnover – whichever is higher.
For companies based in the Asia Pacific (APAC) region, the key thing to remember is that the GDPR doesn’t only target companies based in the EU or companies with subsidiaries based in the EU, but also companies that target EU customers or “their behavior”.
Further, the GDPR puts tighter requirements in place, to obtain valid consent from individuals to process data. It also expands the list of mandatory information that must be provided to individuals about how their data is being used and how it will be stored and handled.
Another important aspect of the new law that significantly impacts businesses in the APAC is the fact that the GDPR applies not only to data controllers but also to data processors.
The former is the organization that decides how to use data while the latter is the organization that processes personal data at the direction of the data controllers.
Finally, the GDPR places significant emphasis on cybersecurity. It requires that personal data breaches are reported to the data protection regulator within 72 hours.
It also requires that the data subjects affected by all high-risk breaches are notified immediately. In addition, data processors must, according to the GDPR, inform the appropriate data controllers when they become aware of any personal data breach.
Consider the Equifax case in the US: executives claim that they didn’t know about the data breach for weeks, even months. The public, the people whose data was stolen, weren’t notified about this until much later.
In light of the GDPR, if the company was based in the EU or dealt with EU customers in any way, just the time it took to reveal and report the data breach would be a “breach of the law”.
According to Squire Patton Boggs, to comply with the law, firms must first conduct a preliminary due diligence and map their data to understand how data flows within and outside their organization.
Next, it recommends evaluating consent based usage of data, automatic processing, and profiling systems in play to ensure all activities are in compliance with the law.
Next, the firm suggests revisiting the privacy notices and the type of consent obtained and evaluating them in light of the individual rights conferred by the GDPR and embedding ‘privacy by design’ and ‘privacy by default’ as key features of your data management system.
Finally, the law firm suggests that businesses pay more attention to data sharing and international data transfers, put in place appropriate data protection impact assessments, and make sure that both the company’s data protection and breach management processes and its privacy governance mechanisms are robust.
The bottom line is, if your business has any ties to the EU, you’re going to have to evaluate how you manage the data and comply with the GDPR. To avoid failure, you must start preparing now.