In less than a month from today, the EU General Data Protection Regulation (GDPR) will be in effect. Despite this short grace period left to get compliant, surveys continue to suggest that a large number of Asian companies are struggling to both understand and meet their compliance obligations.
Why does GDPR matter to Asian Companies?
Whilst the GDPR may be an EU regulatory framework, it applies to all organisations that accept or process personal data of EU residents, even if they are domiciled outside the EU.
With its expanding extraterritorial reach, it is thus pertinent for Asian organisations to assess whether they fall under the remit of the GDPR. Any contact with entities within the EU, whether they are selling into the EU or using EU data as part of a global business operation, will inevitably have GDPR implications.
One of the most alarming aspects of the GDPR is the potential for significant financial consequences, with fines of up to EUR 20 million (approximately USD 23.5 million) or 4% of the organisation's global turnover, whichever is higher.
A study from Veritas Technologies has revealed that 86% of organisations worldwide are concerned that a failure to adhere to the upcoming GDPR could have a major negative impact on their business. In Singapore, about 92% of all local organisations have expressed concerns over the potential GDPR fallout, along with 20% who fear that their business could suffer a huge financial impact due to non-compliance.
Mitigate the risk
With the impending GDPR, we have experienced an increase in demand for cyber insurance, as many companies are turning to cyber insurance as a solution to mitigate the impact of any financial loss.
One of the key focuses for many of our clients is the insurability of fines for a GDPR breach. Standalone cyber insurance will cover fines and penalties to the extent that they are insurable by law. However, the extent to which insurance proceeds can be used to recoup the costs of regulator penalties under the GDPR is still a grey area and will need to be tested in the courts.
There is also a new breach notification regime under the GDPR, under which companies have a legal obligation to report a data breach to the data protection regulator. This includes any breach of security measures, or a finding that personal data you hold has been unlawfully accessed. In such instances, the data controller must report the breach to the supervisory authority without undue delay, and in any event within 72 hours, and possibly to the affected data subjects as well. These notification requirements have also been extended to data processors: under the GDPR, processors must inform their respective data controllers when they become aware of any personal data breach.
The repercussions of having a data breach or getting GDPR wrong would undoubtedly be a board-level issue. With the corresponding exposure of regulatory investigations, fines and reputational risk, it is now even more important for companies to be prepared and to start considering measures to mitigate any financial loss.
For further information, please contact FLG@jltasia.com.