EU Data Protection Rules - The impact on Asia

The original article is at http://ow.ly/tdl830hIx1F (a subscription is required); it is reproduced in this blog below.

EU GDPR, the Impact on Asia

The EU’s General Data Protection Regulation (GDPR for short) applies from May 25th, 2018. Whilst firms in Europe have had access to information about what it means for their country or industry sector, firms in Asia have not had that luxury.

Some readers may well be thinking, this is an EU regulation, “I’m in Asia, I don’t need to worry about it”. That, unfortunately, is not true. The GDPR also applies to organisations outside the EU that offer goods or services to individuals in the EU, or that monitor their behaviour. If you have staff or policyholders based in Europe for whom you hold personal data (name, address, email address, telephone number, passport number, bank account number etc.) there is a good chance that your organisation will need to comply, even if it does not have a physical presence in the EU.

The consequences for not complying can be punitive: the maximum fine (unlikely to be applied except in the most serious of cases) is the higher of 4% of your organisation’s annual worldwide turnover or €20m (approximately 23.5m USD). This has organisations around the world looking at the EU personal data they hold and the EU business they do to understand their exposure to the new regulation.

What are the likely effects on organisations based in Asia?

Many Asian countries have their own data protection and data privacy regulation. Many more have outlined their approach but have not yet passed it into law. For some organisations, it may be as simple as looking at the requirements of the GDPR, understanding its scope, and where appropriate extending existing governance controls to ensure that compliance with the GDPR is in place and can be demonstrated. For others, it will be a case of starting from the ground up to create the controls and protections required.

The European Commission can recognise a country’s data protection regime as equivalent to the EU’s (an “adequacy decision”), which allows personal data to be transferred from the EU to that country without additional safeguards. Unfortunately, in the Asia-Pacific region, New Zealand is currently the only country on that list. If you do happen to be based in New Zealand, transfers of EU personal data to you are much simpler, although the other GDPR obligations still apply if your organisation is in scope.

How should an Asian based organisation approach GDPR?

The following 5 steps should be used to help organisations assess their need to comply and to get them on the path to compliance.

1. Understand where the personal data comes from

If the data relates to individuals in the EU, the organisation will need to comply with the GDPR. If your organisation processes the data on behalf of another part of the group, the GDPR also requires a written contract between the parties setting out the processing, and transfers of the data out of the EU will need an appropriate safeguard, such as standard contractual clauses.

2. Review Policies, Processes and Procedures

Any organisation that has to comply with the GDPR will likely need to update its policies, processes and procedures, if only to incorporate the rights of the data subjects, to ensure that compliance can be demonstrated, and to ensure that the timescales for responding to data subjects can be met (requests must generally be answered within one month of receipt).

3. Review your Computer Systems' Compliance

Computer systems may need to be updated to ensure that they comply with the GDPR. Common areas where updates need to be applied are in enabling the rights of the data subject (particularly the right to erasure, the right of access, and the right to data portability). Many policy administration systems will need to be updated or at the very least configured to be compliant.

4. Create or Update Your Data Breach Incident Response Plan

It is a good idea to ensure that your data breach plan is up to date, irrespective of GDPR.

Any breach, loss or misuse of personal data that is within the scope of the GDPR must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to pose a risk to the individuals affected. This initial report must include key information, such as the approximate number of people whose personal data is involved in the breach, the types of personal data, the likely impact on those individuals, the action taken between discovery and notification, and the high-level plan; information that is not yet available can be supplied in phases. Where the breach is likely to result in a high risk to the individuals, they must be told as well.
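Steps 3 and 4 above are the ones that touch systems directly. The following added example (not code from the original article or from Fifth Step) shows the mechanics a system needs for the rights of access and portability, for erasure that respects a legal hold, and for tracking the 72-hour notification window. The field names, the sample records, the `AUDIT_KEY` value and the class and function names are all assumptions constructed for the example; a real policy administration system will have its own schema.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed schema: field names a policy administration system might hold.
# Anything in IDENTIFYING_FIELDS is removed on erasure; the rest (policy
# number, premium) can be kept as anonymised statistics.
IDENTIFYING_FIELDS = {"name", "address", "email", "telephone",
                      "passport_number", "bank_account"}

# Assumed secret for pseudonymising subject IDs in the audit log. In a real
# system this key lives in a secrets store, not in source.
AUDIT_KEY = b"constructed-audit-key"

# Art. 33: notify the supervisory authority, where feasible, within 72 hours
# of becoming aware of a breach that is likely to pose a risk to individuals.
NOTIFICATION_WINDOW = timedelta(hours=72)


@dataclass
class Record:
    subject_id: Optional[str]
    fields: dict
    retention_reason: Optional[str] = None  # e.g. "open claim", "statutory retention"


@dataclass
class PersonalDataStore:
    records: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def _log(self, action: str, subject_id: str, detail: str, when: datetime) -> None:
        # The audit trail is what lets you demonstrate compliance, but it must
        # not itself re-identify an erased subject, so it stores a keyed
        # pseudonym rather than the raw ID.
        pseudonym = hashlib.sha256(AUDIT_KEY + subject_id.encode()).hexdigest()[:16]
        self.audit.append({"action": action, "subject": pseudonym,
                           "detail": detail, "at": when.isoformat()})

    def subject_access(self, subject_id: str, when: datetime) -> str:
        """Right of access / portability: everything held, machine-readable."""
        held = [r.fields for r in self.records if r.subject_id == subject_id]
        self._log("access", subject_id, f"{len(held)} record(s) exported", when)
        return json.dumps({"subject_id": subject_id, "records": held},
                          indent=2, sort_keys=True)

    def erase(self, subject_id: str, when: datetime) -> dict:
        """Right to erasure: records under a legal or contractual retention
        obligation are kept and counted; everything else is anonymised."""
        summary = {"erased": 0, "retained": 0}
        for r in self.records:
            if r.subject_id != subject_id:
                continue
            if r.retention_reason:
                summary["retained"] += 1
                continue
            r.fields = {k: v for k, v in r.fields.items() if k not in IDENTIFYING_FIELDS}
            r.subject_id = None  # no longer attributable to a person
            summary["erased"] += 1
        self._log("erase", subject_id, json.dumps(summary, sort_keys=True), when)
        return summary


def notification_deadline(became_aware: datetime) -> datetime:
    return became_aware + NOTIFICATION_WINDOW


def hours_remaining(became_aware: datetime, now: datetime) -> float:
    """Hours left in the 72-hour window; negative once it has passed."""
    return (notification_deadline(became_aware) - now) / timedelta(hours=1)


def sample_store() -> PersonalDataStore:
    """Constructed sample: one policyholder with a closed policy and an open
    claim that must be retained, plus an unrelated second policyholder."""
    store = PersonalDataStore()
    store.records.append(Record("S-1", {"name": "A. Example", "email": "a@example.com",
                                        "policy_number": "P-100", "premium": 420}))
    store.records.append(Record("S-1", {"name": "A. Example", "passport_number": "X1234567",
                                        "policy_number": "P-101", "premium": 980},
                                retention_reason="open claim"))
    store.records.append(Record("S-2", {"name": "B. Example", "policy_number": "P-200"}))
    return store


def demo() -> dict:
    """Run an access request, an erasure, a second access request and a
    breach-deadline check against the sample data; returns the results."""
    now = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    store = sample_store()
    before = json.loads(store.subject_access("S-1", now))
    summary = store.erase("S-1", now)
    after = json.loads(store.subject_access("S-1", now))
    return {
        "records_before": len(before["records"]),
        "summary": summary,
        "records_after": len(after["records"]),
        "anonymised": [r.fields for r in store.records if r.subject_id is None],
        "audit_leaks_id": any("S-1" in json.dumps(e) for e in store.audit),
        "hours_left_at_70h": hours_remaining(now, now + timedelta(hours=70)),
        "hours_left_at_80h": hours_remaining(now, now + timedelta(hours=80)),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The retention exception matters in insurance: an erasure request cannot wipe a record that an open claim or a statutory retention period requires you to keep, so the system has to record that it kept it and why, rather than silently erasing or silently refusing.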

5. Raise Awareness and Support

Implement GDPR awareness training for those staff that have access to personal data. The GDPR requires organisations to have a point of contact for data protection authorities and someone responsible for managing data breaches. A Data Protection Officer (DPO) is mandatory for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive data; many other organisations appoint one anyway. An organisation outside the EU that is in scope must also, in most cases, designate a representative in the EU. In smaller organisations the DPO can be a part-time role, but in all cases the person must be suitably skilled and experienced and free of conflicts of interest. Ensuring that your staff and DPO have the right resources is an important part of GDPR compliance.

The DPO can also be provided by another organisation, such as Fifth Step's Virtual Data Protection Officer service.

Darren Wray is the CEO of Fifth Step, as well as the author of books on Data Protection and IT Leadership. He can be contacted at darren.wray@fifthstep.com and www.fifthstep.com.

Darren Wray