What the EU’s new data protection regime means for ASEAN
A large proportion of businesses in the regional economic grouping will be affected by Europe’s General Data Protection Regulation, but awareness of the new rules remains low, even in countries with existing data protection laws
At Singapore’s York Hotel, customers and guests are required to provide clear consent if they wish to be contacted about promotions and upcoming events.
In its guest rooms, the hotel has also placed comment cards through which consent is sought before it contacts guests to find out more about their visit.
Such measures, among others, have enabled the hotel to build trust with its customers, who come from all over the world – even before the enactment of data protection laws such as Singapore’s Personal Data Protection Act (PDPA) over the past few years.
In May 2018, organisations across the ASEAN region, including the York Hotel, will have to comply with another piece of data protection legislation – the General Data Protection Regulation (GDPR), which will apply to any company that collects the personal data of European Union (EU) residents.
Rajnesh Singh, regional bureau director for Asia-Pacific at the Internet Society, said the companies affected range from e-commerce firms that gather a large amount of personal data, such as physical addresses, emails and names, to bricks-and-mortar stores that collect data for advertisement targeting or shipping of goods.
They could also be ASEAN businesses operating in Europe, as well as European companies that are already doing business in the region through local subsidiaries and branches. Local startups, especially those that develop mobile apps for a global audience, including those from the EU, are also subject to the GDPR.
“Many companies will be affected because the GDPR extends to subjects beyond the EU’s geographical boundaries,” said Singh. “This means local companies can also expect their European partners to request data audits to be carried out in order to ensure compliance with the new regulations.”
“Many companies will be affected because the GDPR extends to subjects beyond the EU’s geographical boundaries”
Rajnesh Singh, Internet Society
Despite the law coming into force soon, overall awareness of the GDPR in Singapore remains very low, said Kevin Shepherdson, CEO and founder of data protection consultancy Straits Interactive.
“What is missing is the business culture of ensuring data privacy and protection in everyday business functions that process personal data, such as HR, finance, marketing and procurement,” said Shepherdson. “Even with the PDPA, companies are just looking at it from a legal rather than an operational compliance perspective.”
Simon Piff, vice-president of security practice at IDC Asia-Pacific, notes that even in markets like Singapore, where companies “stand out as probably the most educated” on data protection, there are organisations that have done little, and have not fully understood the potential impact of the GDPR.
Shepherdson reckoned that until a big data breach occurs in Singapore, resulting in a financial penalty of more than $100,000, organisations will not take data protection laws seriously – let alone the GDPR. Companies that run foul of the GDPR could face fines of up to 4% of their annual global turnover.
“If at all, we are seeing demand from local multinational companies, and branches and subsidiaries of European companies headquartered in the EU, but even that is muted,” said Shepherdson. “Our prediction is that there will be more urgency when we reach the 25 May 2018 deadline.”
GDPR and Singapore’s PDPA
Manjunath Bhat, research director at Gartner, said it will be easier for companies to achieve GDPR compliance if they have been following local data protection rules such as the PDPA – especially after a proposed amendment that will require organisations to notify regulators and affected individuals when a data breach occurs.
According to Shepherdson, other data protection requirements common to both the GDPR and PDPA include consent obligations, the appointment of a data protection officer, access to and correction of personal data, and being responsible for an outsourced supplier that fails to meet requirements.
But there are differences between the two laws, such as the grounds of consent, according to the Internet Society’s Singh.
Although the PDPA requires organisations to seek clear consent for the collection and use of personal data, an individual’s consent can be gained if he or she provides the data voluntarily, and if it can be justified that the individual would share the data within the context of the situation, without consent needing to be expressed in any form. Such “deemed consent” is not allowed under the GDPR.
“Our prediction is that there will be more urgency when we reach the 25 May 2018 deadline”
Kevin Shepherdson, Straits Interactive
Under the GDPR, consent must be freely given, specific, informed and should provide an “unambiguous indication of the data subject’s wishes by which he or she, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Singh said one key feature of the GDPR that could affect businesses more extensively is the data adequacy and data minimisation principle. This means that companies can no longer collect all the data they think they will need or use, and then decide on the actual use later.
“Companies would have to examine and decide what data they require and for what purposes before they commence collection,” he said. “These purposes have to be communicated to data subjects, which differs from the PDPA’s clauses. Also, data should be kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
“The GDPR, unlike the PDPA, also allows for data subjects to access, correct, block and even the right to erase their personal data, as in Article 17, titled ‘Right to erasure/right to be forgotten’. Data that is not in use by companies must also be deleted immediately.”
Straits Interactive’s Shepherdson also pointed out the GDPR’s stricter definition of personal data. Under the GDPR, business contact information is considered personal data, but this is not so under the PDPA.
Cost impact on businesses
A survey by global law firm Paul Hastings shows that compliance with the GDPR is expected to cost Fortune 500 companies about $1m just for the technology.
Because ASEAN markets are generally open to foreign investments with the EU, a large proportion of businesses will be affected, said Singh, adding that some companies may not have budgeted fully for GDPR compliance costs. “Having to do so in a short period of time will generally cost far more than having a phased, planned approach to compliance,” he said. “Changes to IT systems may also be required.”
To continue doing business with European subjects, companies, no matter where they are located, will have to make the necessary investments to comply with the GDPR, such as appointing an EU representative. This comes along with protection against the reputational risks a company is bound to incur should personal data be compromised.
“The true cost of reputational risks is hard to estimate due to the unpredictability of its impact for businesses and the duration of reputational damage, but in today’s digital economy, it is likely to be significant,” said Singh.
IDC’s Piff warned that compliance costs could be higher in the long term if organisations do not include provision for new processes to establish good data governance.
“This is not just about securing information, but managing its lifecycle and ensuring that the ‘right to be forgotten’ is actionable,” he said. “Even if it [the deletion of a single record] cannot be achieved, organisations need to be able to show that they have tried to do so. Merely throwing up their hands and saying ‘it’s too difficult’ will incur penalties.”
The road to compliance
Straits Interactive’s Shepherdson advised companies to approach GDPR compliance not only from a legal perspective, but also in terms of rules that need to be followed if they collect, use, disclose and store personal data.
“Regulators are not looking at passive compliance,” he said. “If there is a complaint or breach, you will need to demonstrate accountability and compliance – which means that you need ownership, responsibility and, most importantly, evidence of compliance.”
Sheena Chin, country manager for Veritas Singapore, said companies can start their compliance journey by instilling data hygiene practices, such as knowing what data they hold, where it is held, and who has access to it, though a data audit. “If you store data in the cloud, the responsibility for ensuring data governance lies with the data controller, not the cloud provider or data processor,” she said.
Read more about GDPR and data protection
If you approach GDPR as if compliance is all that matters, then you’re bound to fail – data protection should be at the heart of business strategy.
Faced with the double whammy of complying with Australia’s upcoming data breach notification requirement and Europe’s new data protection regime, Australian firms are behind where they need to be in their compliance efforts.
The ransom demanded for stolen or encrypted data is likely to rise after the General Data Protection Regulation compliance deadline in May 2018, according to a cyber security researcher.
Singapore organisations are among the least prepared in the world for GDPR, which will impose restrictions on any organisation that deals with the personal data of EU residents.
Australia has introduced a communications data retention law along the same lines proposed for UK legislation, despite opposition from citizens.
The Internet Society’s Singh said a chief data officer or data protection personnel can be appointed to carry out the data audit, which will also help companies understand better what data is necessary to them and what datasets are redundant.
“Mapping out data is useful in the event that a company faces hacking of high-risk personal data that they do not even use,” he said. “Once redundant datasets are mapped out, they should be discarded.”
After the data audit is completed, companies can then revise their privacy policies, said Singh. “There is no one size fits all for data policies and so tailoring and designing a policy that best suits your organisation, and the environment it operates in, is key.”
IDC’s Piff said GDPR compliance should not be onerous for organisations with a robust data governance strategy – but very few have one. “Certainly, organisations in markets that already have data privacy laws should be well on the way to being compliant, but organisations in a market such as Thailand, where no such laws exist, will have the steepest learning curve,” he said.
Read more on Regulatory compliance and standard requirements
