The territoriality of the new European data protection framework will be significantly extended once the General Data Protection Regulation (GDPR) comes into force on May 25, 2018, potentially impacting Asian companies doing business in the EU. Given the heavy sanctions (up to €20 million or 4 percent of the annual global turnover, whichever is higher) and the risk of reputational damage for non-compliance, businesses in Asia need to get up to speed with the GDPR requirements to adapt their practices and strategy accordingly.
Are you concerned by GDPR?
If you are doing business in the EU, chances are that you are concerned, even though you do not have an establishment there. This is a consequence of the expansion of the territorial scope of the GDPR, which will apply to pretty much any organizations worldwide targeting individuals in the EU. As an Asian business, you can fall under the purview of the GDPR if you offer goods or services to EU customers or if you monitor their behavior in the EU, even without a single establishment in the EU. So, for example, if you have an e-commerce website available in French and Italian, offer deliveries to France and Italy, have a number of marketing activities targeted at the French and Italian markets, then you would have to comply with GDPR when processing French and Italian customer personal data.
Even if you do not target EU customers, but simply work with commercial partners or service providers in the EU, and share personal data with them, there is a risk that such personal data may get “contaminated” by GDPR requirements when flowing back to Asia. We have seen in the past few weeks certain companies starting to move their data bases outside the EU and out of the reach of the GDPR before it comes into force. Asian businesses need to think quickly about this risk and consider implementing data base silos to avoid contaminating their entire customer data set.
Why should you care about GDPR?
GDPR introduces increased sanctions, which may go up to €20 million or 4 percent of the annual global turnover (whichever is higher), while national laws may provide for other penalties, such as pursuant to criminal law. Although we do not have visibility on how EU data protection supervisory authorities will enforce these sanctions, especially to companies outside the EU, you better be prepared.
It is not the first time EU regulators try to apply the EU data protection rules abroad. You may recall the arm-wrestling between Google and the EU data protection authorities a couple of years ago regarding the implementation of the so-called “right to be forgotten”, which ended-up with Google, an American company cherishing the freedom of expression, yet compelled to remove search results on all its domain names worldwide.
Is GDPR good or bad for you?
There are different approaches to GDPR. You can either see it as a business opportunity or a threat. In any case, ignoring it is not an option.
Traditionally, the EU has valued privacy and data protection as a fundamental right and it is important to understand that the protection of personal data is an important concern for individuals in the EU. Hence, their trust in digital environments remains low. The GDPR is notably aimed at providing a general framework to help businesses regain and improve that trust. In that sense, complying with GDPR standards could boost your reputation and goodwill within the EU market. It may also incentivize you to develop new innovative products and services respectful of your customers’ privacy.
On the other hand, the new framework may put a break on some of your most cutting edge innovations, and we have seen businesses give up great ideas because of unyielding data protection requirements. Hence the idea of isolating data bases and markets, to allow you to keep your activities intact in both the EU and the rest of the world. That being said, it might be that the UK will become the new champion for data storage in the region following the Brexit, provided that the British government take this opportunity to build a favorable legal environment for data lakes. To be followed.
What should you do now? Is it too late to take actions?
Needless to say that it might be too late to get fully compliant with the new requirements on time. Certain EU companies have started their GDPR compliance program more than a year ago and are still not ready. Others are only starting now or have not even started yet. In short, the majority of companies will not be ready on time.
That being said, although there will be no "grace" period after May 25 officially, EU regulators will probably take into account effective accountability arrangements taken by organizations when considering any regulatory actions. Besides, Asian businesses might not be their priority in terms of controls.
It is therefore important to get started as soon as possible with GDPR compliance to be in a position to meet regulatory standards, and minimize risk. Be aware that implementing a GDPR compliance programme requires a substantial investment of money, organisational resources and management time.
What challenges will you face?
The purpose of the GDPR is to ensure a consistent and unified application of the requirements for the protection of personal data throughout the EU. However, many articles of the GDPR allow or require specific provisions of national law (57 references to the national laws of EU Member States). In practice, complying with just the GDPR will not be sufficient and it will be necessary to look at the relevant national laws if you want to be fully compliant.
Contrary to the consent-based system that generally exists in Asia, consent is not always required, nor even recommended, for all types of processing activities under GDPR and it is possible to rely on other legal grounds, which will require Asian companies to rethink the way they collect personal data in the EU.
GDPR integrates accountability as a principle which requires organisations to put in place appropriate technical and organizational measures and be able to demonstrate what they did and its effectiveness when requested, which will require Asian businesses to review their internal procedures and start documenting everything.
GDPR imposes more stringent obligations regarding data processing agreements, which means that most contracts with data processors will need to be remediated to take into account these new requirements.
Many other requirements exist in the GDPR, an overview of which you may find in our General Data Protection Regulation Guide.