With the implementation of data protection obligations under the General Data Protection Regulation (GDPR) set to commence in May, a report has revealed that many companies are not prepared.
A second Data Privacy Snapshot report released by DLA Piper found that the average alignment score with all key international data privacy principles for respondents was a dismal 34.4%.
The report also found that more than 200 organizations responding to the firm’s online survey tool in 2017 still had gaps in meeting increasingly demanding global privacy principles, with most of the respondents falling short of data protection obligations under the GDPR, which will take effect from 25 May 2018.
“GDPR will not just affect businesses that have on the ground operations within the EU, but will affect any business located outside of the EU that offers their services or products to EU data subjects,” Scott Thiel, a partner at DLA Piper in Hong Kong, told China Business Law Journal. “For example, businesses that operate a worldwide website offering services/products which target EU customers would be subject to GDPR regulations.”
The online survey was first launched in January 2016 and respondents are asked a number of questions on areas such as storage of data, use of data and customers’ rights. They are then provided with a report based on a percentage score system and recommendations.
Apart from the fact that the extraterritorial effect of GDPR has been neglected by most of the respondents, including Asia-based companies, Thiel added that the latest report also revealed that the companies lacked “appropriate classification of personal data and they generally treat all types of data in the same way”.
The companies surveyed also lacked personnel “who have the appropriate qualifications and necessary resources to undertake responsibility for GDPR compliance”.
Thiel said that proper categorization of data allows businesses to stratify and manage risk for different categories of data. He said that under the GDPR, it is vital to identify special categories of personal data – for example, financial data, health data, judicial data, information on an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, criminal history, trade union membership, etc.
“Many businesses make cross-border transfers without ensuring that the transfers comply with specific rules that regulate the transfer of data out of the EU,” he said.
In order to ensure compliance with GDPR, Thiel suggested that businesses undertake strict processes when mapping out the basis on which personal data are collected, along with formal procedures to handle data subjects’ requests to access, rectify, delete or object to the handling of their personal data.
He said companies should also adopt comprehensive privacy policies covering all business functions that routinely process personal data, and obtain appropriate notifications and approvals prior to the collection of personal data.
If companies breach core compliance responsibilities under GDPR, Thiel warned they could be fined up to €20 million (US$24.7 million) or 4% of total annual global turnover – whichever
In addition to GDPR, Thiel said Asian companies with overseas business activities should also pay attention to the following data protection regulations: (1) China’s Cybersecurity Law; (2) Australia’s Privacy Amendment (Notifiable Data Breaches) Act 2017; and (3) Singapore’s Cybersecurity Bill.