Are you ready for the GDPR?
The EU General Data Protection Regulation 2016 (GDPR) will come into effect on 25 May 2018. The GDPR aims to protect EU individuals’ data privacy rights and targets organisations located both within and outside the EU. If your organisation, despite not having an establishment in the EU, offers goods or services to or monitors the behaviour of individuals in the EU, you may need to comply with the GDPR.
The most eye-catching feature of the GDPR is the introduction of maximum fines of up to the higher of 4% of a data controller's worldwide turnover and €20m. Technology has transformed the way business is done. Companies can easily provide goods or services to customers with few geographical limitations. It is therefore high time for you to consider if and how the GDPR may apply to your organisation.
As far as Asia is concerned, there are many similarities between the GDPR and national data protection legislation such as the Hong Kong Personal Data (Privacy) Ordinance (PDPO) and the Singapore Personal Data Protection Act (PDPA), and your current personal data protection policy (Policy) can be a useful starting point to build from. Yet there are differences between the legislative regimes, and you will still need to amend and update your Policy if you are required to comply with the GDPR. For instance, the GDPR, as is already the case for EU data, requires different treatment for certain categories of personal data (Sensitive Personal Data). Processing of Sensitive Personal Data is prohibited unless an exemption applies. However, neither the PDPO nor the PDPA designates any personal data as Sensitive Personal Data. The GDPR also introduces a duty on all organisations to report certain types of data breach to the Information Commissioner’s office, but there is no mandatory reporting obligation under the PDPO or the PDPA. Finally, like most Asian data protection legislation, the GDPR requires organisations to issue transparent privacy notices, but there are differences in the information that must be provided under each regime, which means a review of customer-facing notices and documentation may be required.
We have advised clients from various countries on GDPR issues and, if you are interested in understanding more about how the GDPR may affect you, we will be happy to discuss our experience with you.