WHAT HAS THE IMPACT BEEN ON MIDDLE MARKET BUSINESSES IN THE AFTERMATH OF ‘STORM GDPR?
Whilst the GDPR has been well communicated by the advisory profession in the Asia Pacific region, there has been only a small number of organisations that one could consider, to be GDPR ready. In the Asia Pacific region, we are seeing a wide variety of entities, both public and private sector, having varied maturity levels of compliance with the GDPR requirements.
When the GDPR came into effect on the 25 May 2018, only a small minority of organisations in the region could be considered to be fully compliant. In fact, it was reported by CIO NZ that with the GDPR compliance deadline being a week away, only 29 percent of companies in the Asia Pacific region were ready, according to a new global survey by ISACA.
Companies residing in countries with greater focus on privacy and data protection, for example Australia, New Zealand and Singapore, have a higher level of readiness and compliance.
However, the region as a whole is moving towards a slow but progressive compliance with the GDPR requirements. We have seen larger international companies in the region are requiring their subsidiaries to engage consultants to perform independent compliance audits, with the aim of assessing readiness and compliance against the GDPR requirements. We see this as an increasing trend moving forward.
In all instances we see there being significant reliance on legal advice to determine the level of regulatory and legal exposure in having to comply with the GDPR requirements. This is particularly because many of the entities may not be dealing directly with EU citizens or doing business in the EU. Therefore, it appears that a risk-based approach has been adopted as to whether there is merit in investing in projects to determine compliance levels.
WHICH OF THE GDPR PRINCIPLES HAVE BEEN MOST CHALLENGING FOR BUSINESSES?
All principles have their own challenges within the Asia Pacific region, some more than others. The one key challenge the region is facing is keeping personal data secure.
When keeping personal data secure, we are unable to segregate them into countries and/or regions. Data is valuable, and it crosses the digital eco-system readily. This has seen an increased amount of activities around cyber breaches in the region.
The World Economic Forum 2019 global risk report has named cyber-attacks and data breaches as the fourth and fifth most serious risks facing the world today. This is the second year in the row that these risks have been presented on the top 5 list of risks. In order to combat these risks, in September 2018, 10 members of the ASEAN block have agreed to 11 voluntary, non-binding norms of behaviour to strengthen cybersecurity.
Many SME clients have yet to conduct any testing of their cyber resilience or identify areas of exposure. Yet, these enterprises have a material level of reliance on security to protect their operations and its data.
Another challenging principle includes not keeping data for longer than required. This is a result of the integration of data across multiple systems used for various purposes. Given that the majority of systems have not been developed with the GDPR compliance in mind, this results in data retention structures that are drilled into business-critical applications. Consequently, the effort and expense to remediate this principle, is costly and complex.
GDPR AND FINDING OPPORTUNITY IN CHANGE
The intention of the GDPR is to harmonise and enhance data protection across the EU. This has obviously had a knock-on effect worldwide, including the Asia Pacific region.
When compared with local Asia Pacific privacy requirements (legislative/regulatory/guidance), the GDPR requires a significantly higher level of compliance activity. This means that organisational processes and controls, are in fact strengthened to consider not only European citizen rights, but actually shift the focus to become more data centric. So why is this positive? Every organisation across the globe is working out how to improve the resilience and security of their information to protect their customers and users. Focusing on data to meet a higher governance and security standard can only improve the security posture of any organisation.
With the GDPR shining a spotlight on data governance, security and breach management, businesses are being motivated to re-think the concept of ‘privacy by design’.
WHAT IS ON THE HORIZON FOR DATA PROTECTION?
It would be unrealistic to expect a dilution or simplification of data privacy and governance requirements. Data security, control and ownership are not challenging issues for one region of the world more so than others. Rather, we see that as the business world grows smaller because of data connectivity and technological advancements, harmonisation is the common-sense expectation.
Considering the critical need for increased security of data, privacy and data ownership, higher standards for data governance become an imperative rather than a luxury.
To work in a globally collaborative economy, organisations need to be able to synthesise the requirements of data management and control from one region to another. Hence, it may be strategically and operationally worthwhile to benchmark the systems and processes currently in place against the higher benchmarks such as complying with the GDPR.
For more information on the GDPR legislation, and advice on any relevant GDPR training, please contact us.