The General Data Protection Regulation: What businesses in Asia Pacific need to know
20 March 2018
Alexander Milner-Smith discusses key issues about the upcoming General Data Protection Regulations that businesses in Asia Pacific need to know.
Businesses in Asia Pacific are taking note of GDPR as the global ramifications of the new legislation become more apparent.
The European General Data Protection Regulation (GDPR) comes into effect in May of this year. While many firms in Europe have been working on preparing for this for a couple of years, many businesses in Asia Pacific (APAC) have lagged behind.
Alex Milner-Smith, a data protection partner was in Hong Kong and Singapore recently to lead GDPR breakfast discussions hosted by Lewis Silkin. Over 130 representatives from a wide range of corporates participated in these discussions, demonstrating the growing level of interest in the region.
Below, Alex shares his thoughts on the implications for the region and his advice for businesses in APAC to ensure compliance with GDPR.
Why was GDPR implemented, and what is it looking to achieve?
The reason why it is being implemented is probably two-fold.
Firstly, the current Data Protection Directive was implemented in 1995. At that time, the landscape in terms of data processing was completely different.
Smart phones and Google didn’t exist. There was no meaningful internet usage. Compared to this paradigm, the speed at which data transfers around the world and the volume of data created, much of this being personal data of course, has completely shifted in that time period.
So, this new reality meant that legislation needed to be changed.
Secondly, the European Commission was very keen on, as far as possible, harmonising terms across Europe. The current Data Protection Directive needed to be implemented in each Member State. As a Regulation, GDPR automatically comes into law in each Member State. Theoretically, all data protection laws should be the same across every European Union Member State. However, complete harmonisation hasn’t quite happened. With 28 countries negotiating, a number of countries wanted to practice data protection in their own way in their own jurisdiction.
While 80% of the law will be the same across Europe, each country will have its own nuances. For an international company, this poses challenges. The business can’t just look at what happens in Germany, for example, and assume the same applies across every single Member State in which it operates.
Why is this a significant issue for businesses in APAC? Why should APAC businesses pay attention?
As with most EU legislation, although it is primarily focused on the European Union and the European Economic Area in part, most European legislation seeks to have extraterritorial effect, especially in the context of data processing. In the current world, data processing doesn’t just happen within borders.
Data processing happens across borders very easily and in the blink of an eye. Just in the last few minutes, millions of bits of data have been transferred from the United Kingdom to Germany, from Germany to China, from China to Australia.
As such, GDPR has been framed to have as wide as possible jurisdictional and territorial application.
What is the territorial reach for GDPR and what is the degree of enforceability? How might the European Commission go about taking businesses in APAC to task about any breaches?
Enforceability is always difficult and cross-border enforceability is a particularly difficult issue.
For instance, a Hong Kong company that operates as a local entity with a Hong Kong website hosted in Hong Kong will technically be required to comply with GDPR if it sells to EU consumers. Even so, it is hard to see how there wouldn’t be difficulties for the European Commission in enforcing sanctions.
However, that example is probably not the norm. Most companies now have international operations with entities based in Europe. Those European entities would be targeted by the various regulators around Europe in relation to a breach in Hong Kong.
The fine profiles are one of the biggest pieces of news about GDPR. From 25 May 2018, the maximum potential fine will be EUR20 million or up to 4% of worldwide revenue, whichever is larger.
Of course, that is not to say on 26 May, every company will be fined 4% of worldwide revenue, but the potential is for significantly higher levels of fines than there are currently.
Are standards to which firms need to comply going to continue to evolve? What will drive this?
Evolution of GDPR will happen in three ways. Firstly, there will be decisions from the European Court of Justice and the European Commission in relation to fines. These decisions will influence how the risk profile is viewed by companies.
A decision a company might take now to accept an 80-20 risk profile may actually look far riskier once the European Court of Justice has made a decision to fine a company EUR50 million for a similar sort of practice.
Secondly, the Article 29 Working Party (a group representing all the European regulators) regularly releases commentary on GDPR.
They have been doing so for the last year, they will continue to do so. The Working Party may interpret GDPR differently over the next five to ten years, depending on the decisions of the European Court of Justice and also depending on technological change.
Thirdly, although the intention is for GDPR to be harmonious across Europe, every Member State is putting in place its own implementing legislation. Most of that should be in place by 25 May, but there is nothing to stop Germany releasing further legislation on 25 May 2019, 2020, 2021. As a result, in all likelihood, things will change.
Businesses can’t just ensure compliance on 25 May 2018 and then do nothing. The data protection landscape will very much be an evolving process.
What particular sectors or particular activities might businesses in APAC not have spent enough time thinking about?
Firstly, in terms of the types of data that businesses in APAC might process, workplace data is a risk. If an APAC business funnels all their European workplace data through APAC servers and people in Head Office have to look at that data to undertake remuneration decisions and so on, European workers involved in litigation against their employing entity in Europe may well contact European regulators about that processing.
Secondly, in relation to consumer data, the risk depends on the volume and the nature of the data. If a business-to-consumer business is processing large volumes of consumer data, there is always a risk from a breach, because the breach necessarily will be much larger.
If a business has a hundred million consumers on their books and there is a potential breach, that could breach could affect millions of people. Further, if a business is in the market processing special data or sensitive data this poses an even greater risk.
The biggest area of risk will be security, as it is now. There has been a significant amount of focus on two things: unsolicited marketing and security breaches. This latter source can come from a loss of unencrypted laptops, USB sticks being removed from buildings, people not using VPNs properly. Security is likely to remain the major issue under GDPR.
What is the general level of awareness and readiness of GDPR in APAC?
In the context of our GDPR breakfast discussions, our observations are that businesses are clearly worried about GDPR, but they are not panicking.
There were very sensible questions being asked, showing an understanding of the GDPR, an understanding of what their businesses need to do, both at a technical level, what does the GDPR mean, what’s its territorial reach, what do we need to do, but also from a practical level.
A number of perspectives were shared on the impact of GDPR on businesses, with a number of businesses looking beyond compliance to identify opportunities in a proactive and positive manner.
For instance, consumers who know a business takes GDPR security seriously are likely to use that business more than one that doesn’t. And again, for producers of software and apps for other companies, their customers are likely to prefer that they take GDPR seriously, and have complied with their obligations.
What are the first three steps businesses in APAC should take to start assessing their readiness?
The three things are: scoping; auditing; and remediative implementation.
In terms of scoping, businesses need to brainstorm exactly how the GDPR applies to them from a territorial perspective, and at a higher level, if it does apply, identify what data they process.
From an audit perspective, businesses then need to delve deeper into those data flows and try to produce a data flow map, setting out the why, what, how, where, when of their data processing.
The final stage is the analysis of GDPR compliance, identifying gaps and what remediative measures are needed.