Are You Ready for GDPR?

At more than $125 million worth of exports, the EU is ASEAN’s second largest trading partner after China.

Though the General Data Protection Regulation (GDPR) only comes into force on May 25, 2018, regionally based businesses should not be too quick to dismiss the regulations as irrelevant to their operations.

The GDPR stipulates rules and penalties compelling businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The new regulations include an overview of where and how personal data - including credit card details, banking and health records - are stored and transferred.

According to a Veritas1 report on GDPR, 56 percent of Singapore companies are concerned they will not meet the new EU requirements, and only 18 per cent feel confident they are GDPR-compliant. More than a third of those surveyed don’t have the right technology in place to cope with GDPR compliance.

With just four months to go before the rules take effect, organisations should look to establish a clearly defined governance strategy and be aware of the prosecution risks for violating GDPR. Non-compliant companies can expect huge penalties of up to four per cent of global turnover or 20 million euros, whichever is greater.

But it doesn’t end with penalties. Being non-compliant will have a damaging impact on the company’s reputation and brand, lead to higher compliance costs and loss of customers if the GDPR governing authorities go public about the violations.

If your organisation is trading with the EU, here are several steps to start your compliance journey today. 

You must set up a cross discipline team to manage the GDPR compliance process. This is a wide-ranging effort that should include IT, legal and marketing teams as well as board-level sponsorship. If your organisation lacks the expertise or confidence to undertake the process, consider external consultants for help.

Build a data map to establish where personal data is stored, access rights, data retention policies, and where the data is moved as it is processed during transactions. This is critical so you can determine where the data resides at any point.

If your organisation is trading with the EU, residents of member states can request to correct, delete and port all their personal data with a Subject Access Request (SAR). The SAR ensure EU citizens have full visibility to how their personal data is managed. Full GDPR compliance requires the capacity to service these requests in a timely manner to avoid penalties.

A key provision of GDPR is to reduce the overall amount of stored personal data. Data retention policies must provide for automatic expiration once the transaction is over and the personal data has exhausted its original purpose.

Seeking the assistance of an advisory service is essential to demonstrate your organisation’s capacity to integrate data protection into all data collection and processing activities. Advice in the areas of knowledge transfer, global legal compliance and addressing privacy laws pertaining to GDPR will be critical.

GDPR requires companies to investigate and report data breaches to the supervisory authority within 72 hours, and even to the individuals affected. While this does not apply to all types of breaches, your organisation should have sufficient monitoring capacity for possible breaches that will quickly trigger reporting procedures.

Taken together, these best practices will assist organisations to comply with GDPR and set in place robust data management protocols to ensure they are on the right side of the law. Following these steps now reduces the risk of a data breach and protects your organisation from huge fines and considerable reputational damage.

Get advice on GDPR compliance or data protection concerns today.

1 The Veritas 2017 GDPR Report