How important is data privacy? Consider that Facebook’s value dropped more than US$100 billion last week after questions arose about its handling of user data. And it isn’t even clear that the company actually did anything wrong.
The stakes are obviously high for companies such as Facebook, which tread a fine line between respecting their users’ privacy and, at the same time, selling their users’ data to third-party companies. But data privacy is also becoming a very significant issue for all types of companies, even in Asian jurisdictions where regulation or enforcement is lacking.
In May, Europe’s new General Data Protection Regulation (GDPR) will require companies all over the world to comply with EU data protection rules if they handle the personal data of individuals in the EU, regardless of those individuals’ nationality.
So how seriously should Asian companies take the new EU rules? “GDPR should appear high on the company’s risk and planning registers, particularly if you consider the potential level of punitive measures available if a breach occurs,” according to Alex Milner-Smith, a managing associate at Lewis Silkin in London.
A serious breach of the rules could result in a fine of up to 4% of annual global turnover or €20 million (whichever is greater). A lower tier of fines, up to 2% of annual global turnover or €10 million (again, whichever is greater), applies to failures such as not keeping records of processing in order, not notifying the supervisory authority of a data breach, or not conducting a data protection impact assessment where one is required.
Any Asian company actively selling goods or services into the EU, even with no staff and no websites hosted locally, will fall under GDPR and be required to apply those standards to how they treat EU consumer data. The same obviously applies to any company with staff or subsidiaries in Europe.
“Bearing this in mind, the territorial reach is theoretically enormous and EU regulators have shown the willingness in the past to take on companies all over the world,” says Milner-Smith, who warns that compliance cannot be achieved through a quick-fix exercise, but is a long-term change that requires a significant commitment of resources.
The EU rules call for “privacy by design” (the regulation’s own term is “data protection by design and by default”), which means building data protection into a system from the outset rather than bolting it on afterwards.
However, the extent of the compliance obligation depends on how deep a company’s nexus to the EU actually is. If a company only has a few staff in the EU, the vast majority of its customers are outside the region and the type of data being processed is low volume or low risk, there might not be too much to worry about.
“Whilst under the letter of the regulation as it stands full compliance is required, such a company can take the decision to adopt a more measured risk-based approach,” says Milner-Smith. “They need to do the major things such as map what EU data they process, ensure privacy notices are up to date, qualify that security meets or surpasses expectations, but it may be an acceptable risk for these companies not to do full granular compliance immediately. This should still be the aim over the next two to five years, however.”
It is a different story for companies with significant EU operations or which process huge volumes of personal or sensitive data, such as anything related to health. Such companies have two months to get up to speed.