Why the GDPR will affect businesses across Asia-Pacific
Ahead of the implementation of the General Data Protection Regulation (GDPR) on May 25 across European Union (EU) countries, a new whitepaper has found that businesses in Asia-Pacific will also be affected by the ruling.
For those unfamiliar with the measure, the GDPR is new legislation adopted by the European Parliament and Council to bring greater strength and consistency to the protection of personal data for those residing in EU countries.
Who will be affected?
Organisations based in Asia-Pacific impacted by the new legislation include businesses with branches in the EU, organisations offering services to or employing those who reside in the EU, and anyone who handles, processes or stores data of EU residents or has equipment such as their servers located in the EU.
In Singapore, for example, some 1.8 million tourists from the EU visited the country in 2017, and with the EU a top trading partner of Singapore, a significant number of organisations are likely to be required to put measures in place to comply with this new legislation.
Organisations will require an overhaul of their existing data governance and management policies, involving in-depth changes to current workflows and technology.
But data protection company Shred-it Singapore, which produced the whitepaper, found that small and medium organisations in Singapore are less likely to be prepared to comply with the GDPR than multinationals.
Many multinational corporations would have sounded their alarm bells months in advance and implemented processes to ensure that they are compliant. Smaller entities would have been doing the exact opposite, the study revealed.
Believing that their impact is too small to matter in the grand scheme of things, small and medium business owners may prioritise day-to-day operations and neglect implementing data protection protocols. With their customers’ personal data left unprotected, these companies are more likely to suffer a data breach and eventually be fined by the ever-vigilant Personal Data Protection Commission (PDPC).
Moreover, if smaller companies provide services to individuals living in the EU, they would most likely possess the personal data of EU residents and be subject to the GDPR ruling.
Under the GDPR, consumers will have the right “to be forgotten” and can request the deletion or removal of their personal data from company records at any time. Organisations will not be allowed to retain personal information beyond the stated purpose for which they obtained the data.
In the event of a data breach, organisations need to notify their data subjects within 72 hours of the discovery of the breach. The removal of “implied consent” and “opt out” models of marketing will give individuals additional reassurance on the security of their personal information as organisations must ensure data is purged in a timely manner.
“With potential fines of the higher of 20 million Euros – that’s about S$32 million! – and 4% of global turnover, the GDPR will become the global standard for data protection for any organisation with an international outlook,” says Singapore-based lawyer Lyn Boxall.
Duncan Brown, General Manager Singapore & Regional Market Development EMEA/APAC at Shred-it, strongly encourages small and medium enterprises to “review their data protection practices immediately and implement new ones to become GDPR compliant”.