The aftermath of Storm GDPR in Asia-Pacific


Whilst the GDPR has been well communicated by the advisory profession in the Asia-Pacific region, only a small number of organisations could be considered GDPR-ready. Across the region, public- and private-sector entities show widely varying levels of maturity in meeting the GDPR requirements.

When the GDPR came into effect on 25 May 2018, only a small minority of organisations in the region could be considered fully compliant. CIO NZ reported that, with the compliance deadline a week away, only 29 per cent of companies in the Asia-Pacific region were ready, according to a global survey by ISACA.

Companies based in countries with a stronger focus on privacy and data protection, for example Australia, New Zealand and Singapore, show a higher level of readiness and compliance.

However, the region as a whole is moving slowly but steadily towards compliance with the GDPR requirements. We have seen larger international companies in the region requiring their subsidiaries to engage consultants to perform independent compliance audits that assess readiness and compliance against the GDPR requirements. We expect this trend to continue.

In every case we see heavy reliance on legal advice to determine the level of regulatory and legal exposure arising from the GDPR, largely because many of these entities do not deal directly with individuals in the EU or do business in the EU. The result is a risk-based decision on whether a project to establish the organisation's compliance level is worth the investment.


Each of the GDPR principles poses its own challenges in the Asia-Pacific region, some more than others. The key challenge across the region is keeping personal data secure (the integrity and confidentiality principle).

Personal data cannot be secured on a country-by-country or regional basis: it is valuable, and it moves readily across the digital ecosystem. This is reflected in the growing number of cyber breaches in the region.

The World Economic Forum Global Risks Report 2019 ranked data breaches and cyberattacks as the fourth and fifth most likely global risks, the second consecutive year these risks have appeared in the top five. To combat them, in September 2018 the 10 ASEAN member states agreed to 11 voluntary, non-binding norms of behaviour to strengthen cybersecurity.

Many SME clients have yet to test their cyber resilience (for example through penetration testing or an incident-response exercise) or to identify where they are exposed, even though their operations and data depend materially on that security.

Another challenging principle is storage limitation: not keeping personal data for longer than required. The difficulty arises because data is integrated across multiple systems used for different purposes, and because most of those systems were not built with the GDPR in mind, so retention logic is embedded deep in business-critical applications (and copies persist in backups, logs and reporting stores). Remediating this principle is consequently costly and complex.


The intention of the GDPR is to harmonise and enhance data protection across the EU. This has had a knock-on effect worldwide, including in the Asia-Pacific region.

Compared with local Asia-Pacific privacy requirements (legislation, regulation and guidance), the GDPR demands significantly more compliance activity. Organisational processes and controls are strengthened not only to protect the rights of individuals in the EU but, more fundamentally, to become data-centric. Why is this positive? Every organisation in the world is working out how to improve the resilience and security of its information to protect its customers and users, and focusing on data to meet a higher governance and security standard can only improve its security posture.

With the GDPR shining a spotlight on data governance, security and breach management, businesses are being prompted to rethink the concept of ‘privacy by design’.


It would be unrealistic to expect data privacy and governance requirements to be diluted or simplified. Data security, control and ownership are not more challenging for one region of the world than for another. Rather, as data connectivity and technological advances make the business world smaller, harmonisation is the common-sense expectation.

Given the critical need for data security, privacy and data ownership, higher standards of data governance are an imperative rather than a luxury.

To work in a globally collaborative economy, organisations need to reconcile data management and control requirements across regions. It may therefore be strategically and operationally worthwhile to benchmark existing systems and processes against the highest applicable standard, such as compliance with the GDPR.

Source: RSM International