The impact of GDPR on Asia Pacific and its data centres

The impact of GDPR on Asia Pacific and its data centres

The General Data Protection Regulation (GDPR) is the biggest data shake-up in years.

While it’s EU-enacted, its influence extends across the world. Any company providing services into the EU must comply. Compliance also extends to any company which gathers personal data from within the EU and processes it elsewhere.

Naturally, GDPR will have far-reaching impact on APAC, a region home to around half the world’s internet users.

GDPR at a glance

Your inbox has no doubt experienced an influx of GDPR-related emails. For users, that’s probably the most visible sign that times are changing.

For data centre operators, one of the biggest changes will be around data accessibility. A user has ‘the right to be forgotten’, which means data has to be deleted after it’s served its purpose. What’s more, companies have to know where all their data is at all times. Because in the event of a breach, all those potentially affected must be notified within 72 hours.

This all means new pressures for availability and uptime. Also for visibility (of what’s on the network). And for security (around SLAs and auditing).

APAC readiness

Back in February, EY reported that only 12% of APAC firms had GDPR compliance plans. However, the diversity within the region means EY’s findings only tell part of the story.

Singapore already has its own version of the GDPR – the Personal Data Protection Act (PDPA). This regulates collection, disclosure and use of personal data by private individuals. This is vital – the city-state is the EU’s largest trading partner in the Association of South-East Nations (ASEAN).

The Japanese Act on the Protection of Personal Information came into force during 2017. The legislation meant the EU added Japan to its ‘whitelist’ of compliance-approved countries. An action which gave the green light to ‘transfers of personal data between the EU and Japan without the need for instruments such as standard contractual clauses, binding corporate rules or privacy certifications’.

On 22 February, Australia introduced the Notifiable Data Breaches Scheme. This placed requirements on government agencies and organisations to notify affected individuals in the event of a data hack. From launch data until 4 May, there were 63 breaches. ‘Human error’ accounted for 51%, ‘malicious or criminal attacks’ followed with 44%.

Hong Kong’s GDPR equivalent is the Personal Data Privacy Ordinance. This was enacted in 1995, so the Hong Kong Privacy Commissioner has issued guidance for businesses which shows how this relates to GDPR.

The price of data

APAC companies and data centres can expect EU customers to expect some sort of equivalent standards be put in place. After all, fines are up to EUR20 million or 4% of annual turnover, whichever the higher. This poses plenty of questions around APAC compliance procedures. Alongside the prospect of potential damage to brand reputation.

From now on, APAC companies wanting to succeed internationally will require IT infrastructure that comes with baked-in GDPR compliance. APAC companies and data centres simply can’t afford to ignore this regulation.