29 Jun Strong Need for GDPR Compliance in Asia
Enze Han, SEA TMT Business Opportunity Director, shares some thoughts on the impact of GDPR in Asia.
Since the European GDPR came into effect in late May, businesses in Asia have still been catching up with the implications of this wide-ranging data privacy legislation. Because of the extraterritorial nature of the GDPR, a business that has any sort of footprint in the EU, offers any goods or services to individuals in the EU, or uses any form of monitoring that would include individuals in the EU might be subject to its regulations. Non-compliance would carry hefty fines: four percent of annual global turnover or €20 million, whichever is greater. Thus it is crucial for businesses in Asia to figure out whether and how the GDPR affects them.
There are reasons to believe that many Asian businesses are not yet aware of the exact details. For example, in a survey of US, UK and Japanese companies conducted in January 2018, PwC found that more than one-quarter (28%) of US companies say their organizations have only started operationalizing preparations. In the UK, more than one-third of respondents have only begun making preparations, and 7% have finished. In Japan, just 13% say they have begun, and 6% have finished. The same survey found that 40% of Japanese companies had not even finished conducting impact assessments related to the GDPR, let alone made preparations for compliance.
According to another report, NTT Security's Risk:Value 2017, just 29% of firms in Hong Kong were aware of the GDPR, with 26% awareness in Australia and 33% in Singapore. Thus, in East and Southeast Asia, there is an urgent need to push for more awareness among businesses of the GDPR's implications. At the same time, the general public in the region also lacks sufficient awareness of online privacy and data protection, or at least is not aware to the same extent as the public in the EU. Thus the silver lining of the GDPR for Asia is that it might stimulate regional governments to follow suit and compel businesses and the general public to take online privacy and data protection more seriously.
Obviously, Asian businesses need to act immediately. They not only need a clear assessment of the GDPR's implications for their businesses, but should also be more proactive about data protection. It is advised that a data protection officer be appointed to supervise the protection of personal data privacy. Technically, businesses should also implement programs to guarantee personal data privacy in accordance with the principles laid out in the GDPR, such as the right to transparency and data minimization. Here there seem to be ample business opportunities for new technical solutions that let Asia-based businesses prove their capacity for data processing without violating users' privacy. This is an area in which Scentrics, as a leading privacy solution company, would help Asian businesses not only to improve their compliance with the GDPR but also to open up more opportunities that embed data protection in their business models.