by Thomas Macaulay

What ASEAN CIOs need to know about GDPR

Apr 30, 2019

The General Data Protection Regulation applies to any organisation with data processing activities in the EU, even if it’s based outside of its territory


Almost one year on from coming into force, the European Union’s General Data Protection Regulation (GDPR) is still a hot topic for organisations and businesses handling personal data – which is virtually all of them.

Although it originated in the EU, GDPR applies to any organisations that offer goods or services to EU data subjects or monitor their behaviour, even if they are headquartered outside of the EU. This means that ASEAN businesses are also liable to follow the legislation if they are dealing with EU data subjects.

Failure to comply with GDPR can lead to fines of up to €20 million or 4% of global revenue, whichever figure is higher. The most prominent cases to date involve Google and Facebook, fined US$57 million (€50 million) and £500,000 (€581,000) respectively, for serious breaches of data protection law.

However, there are also rewards for those companies that make sure that they handle data properly and legally. Data protection authorities have been keen to emphasise the positives of the regulation, such as the business opportunity to stand out from competitors and gain trust from customers and employees.

As the EU’s second largest trading partner and the largest direct investments provider, ASEAN is directly affected by GDPR. Here we review what CIOs in the region need to know about it.

How does GDPR impact the ASEAN region?

Although big steps have been taken in recent years to improve data protection legislation across Southeast Asia, current ASEAN data regulations don’t offer the same level of protection as GDPR.

In November 2016, the countries in the bloc adopted an ASEAN Framework on Personal Data Protection, which established a set of principles to guide the implementation of measures at both national and regional levels to promote and strengthen personal data protection in the region.

A few months afterwards, in April 2017, ASEAN leaders issued a statement on cybersecurity cooperation in addition to ongoing efforts to foster regional cybersecurity cooperation, including the ASEAN Telecommunications and Information Technology Ministers’ Meeting (TELMIN), the ASEAN Ministerial Conference on Cybersecurity (AMCC) and the ASEAN Cyber Capacity Programme (ACCP).

The closest regulation to GDPR in the region is Singapore’s Personal Data Protection Act 2012 (PDPA), which has been in force since 2014. However, the PDPA has limited scope and does not apply to all personal data processing activities. Most notably, it does not apply to the activities of the public sector or any organisation acting as an agent of a public agency in processing personal data.

ASEAN nations may choose to mirror the GDPR standards, as Japan recently did by agreeing to set up “adequacy” on data transfers with the EU.

The deal makes it easier for companies to transfer data between Japan and the EU, helping companies in both geographies market their products between the trading partners.

Before such deals are made in ASEAN, CIOs in the region will have to follow the EU rules if they process data in the region.

Ensuring GDPR compliance

ASEAN organisations whose work involves EU data subjects should draw up a GDPR compliance plan based on legal advice and the input of staff from IT, HR and other departments.

The plan should establish a system to identify, document and track data, whether it’s processed internally or by subcontractors.

The record should include the purpose of its use, the location where it’s stored, and the names of all the people who have access to it.

CIOs need to understand the implications of GDPR’s new set of data subject rights:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

“CIOs need to understand how ready their organisation is, because being an executive of a company today means that they’re responsible for the security and privacy of their organisation, and we know that the consequences of breaching these rules, or in general of privacy and security breaches, are enormous for these executives,” says Enza Iannopollo, a Forrester analyst on the security and risk team and a Certified Information Privacy Professional. “It’s not just the fine; it’s the reputation and the profitability of the company.”

They need to ensure that they have the legal grounds for processing personal data. GDPR only permits this in the following circumstances:

  • with the consent of the individuals concerned;
  • where there is a contractual obligation (a contract between your company/organisation and a client);
  • to meet a legal obligation under EU or national legislation;
  • where processing is necessary for the performance of a task carried out in the public interest under EU or national legislation;
  • to protect the vital interests of an individual;
  • for your organisation’s legitimate interests, but only after having checked that the fundamental rights and freedoms of the person whose data you’re processing aren’t seriously impacted. If the person’s rights override your interests, then processing cannot be carried out based on legitimate interest. The assessment as to whether your company/organisation has a legitimate interest for processing that overrides the interests of the persons concerned depends on the individual circumstances of the case. Particular care must be taken over sensitive data.

Sensitive data requires particular attention. If the processing will likely generate a high risk to the rights and freedoms of individuals, the organisation must complete a Data Protection Impact Assessment (DPIA), which helps identify and minimise any danger.

Any changes made to data practices should be reflected in an updated privacy policy. If a data breach occurs that poses a risk to an individual’s rights and freedoms, the organisation must notify the supervisory authority within 72 hours of becoming aware of it.

If the organisation is a data processor, it must notify the data controller of every data breach.

Additional reporting by Cristina Lago