What ASEAN CIOs need to know about GDPR

The General Data Protection Regulation applies to any organisation with data processing activities in the EU.

Thomas Macaulay Sep 12th 2018 A-A+

The General Data Protection Regulation may have originated in the European Union, but it’s not only companies in the EU that need to follow the data protection legislation, which came into force in May.

GDPR applies to any organisations that offer goods or services to EU data subjects or monitor their behaviour, so many ASEAN businesses will also need to follow the rules or risk severe penalties.

Breaches of the regulation can lead to fines of up to €20 million or 4% of global revenue, whichever figure is higher.

The potential punishments may have made the headlines, but there could also be rewards for compliance.

Data protection authorities have been keen to emphasise the positives of the regulation, such as the business opportunity to stand out from competitors and gain trust from customers and employees.

How does GDPR impact the ASEAN region?

Current ASEAN data protection regulations don’t offer the same level of protection as GDPR. 

ASEAN nations may choose to mirror the GDPR standards, as Japan recently did by agreeing to set up “adequacy” on data transfers with the EU.

The deal makes it easier for companies to transfer data between Japan and the EU, helping companies in both geographies market their products between the trading partners.

Before such deals are made in ASEAN, CIOs in the region will have to follow the EU rules if they process data in the region.

Ensuring GDPR compliance

ASEAN organisations whose work involves EU data subjects should draw a GDPR compliance plan based on legal advice and the input of staff from IT, HR and other departments.

The plan should establish a system to identify, document and track data, whether it’s processed internally or by subcontractors.

The record should include the purpose of its use, the location where it’s stored, and the name of all the people who have access to it.

CIOs need to understand the implications of GDPR’s new set of data subject rights:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erase
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

“CIOs need to understand how ready their organisation is, because being an executive of a company today means that they're responsible for the security and privacy of their organisation, and we know that the consequences of breaching these rules, or in general of privacy and security breaches, are enormous for these executives,” says Enza Iannopollo, a Forrester analyst on the security and risk team and a Certified Information Privacy Professional. “It's not just the fine; it's the reputation and the profitability of the company."

They need to ensure that they have the legal grounds for processing personal data. GDPR only permits this in the following circumstances.

  • with the consent of the individuals concerned;
  • where there is a contractual obligation (a contract between your company/organisation  and a client);
  • to meet a legal obligation under EU or national legislation;
  • where processing is necessary for the performance of a task carried out in the public interest under EU or national legislation;
  • to protect the vital interests of an individual;
  • for your organisation’s legitimate interests, but only after having checked that the fundamental rights and freedoms of the person whose data you’re processing aren’t seriously impacted. If the person’s rights override your interests, then processing cannot be carried out based on legitimate interest. The assessment as to whether your company/organisation has a legitimate interest for processing override those of the persons concerned depends on the individual circumstances of the case. Particular care must be taken over sensitive data.

Sensitive data requires particular attention. If the processing will likely generate a high risk to the rights and freedoms of individuals, the organisation must complete a Data Protection Impact Assessment (DPIA), which helps identify and minimise any danger.

Any changes made to data practices should be reflected in an update privacy policy. If a data breach occurs that poses a risk to an individual’s rights and freedoms, the organisations must notify the supervisory authority within 72 hours of it becoming aware.

If the organisation is a data processor it must notify every data breach to the data controller.