The European Union’s General Data Protection Regulation (GDPR) will undoubtedly have a huge impact on any business concerned with data.
Failure to comply means heavy financial penalties – up to 4% of annual worldwide turnover, or up to EUR20 million, whichever is the greater. The EU describes it as ‘the most important change in data privacy regulation in 20 years’. Hang on, you might say. This is an EU regulation. What does this have to do with APAC? The answer: a lot. The launch date is 28 May 2018. So with less than a year until GDPR comes into force, let’s look at what APAC needs to do.
The importance of being GDPR-compliant
If an organisation processes any personal data from European citizens or residents in connection with selling goods or services, the GDPR applies, no matter where the organisation is based. ‘Personal data’ is defined as any information ‘that can be used to directly or indirectly identify the person’.
What’s more, the conditions for getting consent to process data will also change. Piles of dense terms and conditions text will no longer suffice. Instead, requests will need to be ‘given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent – meaning it must be unambiguous’.
How organisations must take action
Below is a summary of some of the areas on which GDPR will have an impact:
- Data infrastructure
Organisations will need to set up a data governance system that demonstrates the necessary levels of auditing, sharing and control.
- Data specialists
Organisations will be required to appoint a Data Protection Officer if they ‘engage in large scale systemic monitoring’ or ‘large scale processing of sensitive personal data’.
- Data portability
Organisations will need to make it easy for people to transfer their own data, if the data can identify them. The data will also need to be structured and presented in an open standard format.
- Data breaches
Once an organisation is aware of a breach, the relevant supervisory authority must be notified within 72 hours. This will require setting up a formal data breach reporting process.
- Data access
Employees working with data will be expected to have the permission levels necessary to access what they need… but nothing more.
- Data deletion
GDPR builds on the ‘right to be forgotten’, which has long been the subject of court-based challenges between Google and France. Organisations will need to prepare robust and compliant procedures for deleting data when a user requests it.
GDPR readiness among APAC organisations
A survey found 93% of APAC companies don’t have a plan in place for GDPR. Of course, preparing for GDPR is a huge undertaking in its own right. However, it comes at a time when data volumes are at unprecedented levels (44 zettabytes by 2020). Demand for next-generation technology is showing similarly dramatic growth (APAC spending on robotics will more than double by 2020, to more than $133 billion).
Together, these mean that when it comes to GDPR, APAC has no choice but to act now. The clock is ticking.