A global study from Veritas Technologies has shown that 86% of organizations worldwide are concerned that a failure to adhere to the upcoming General Data Protection Regulation (GDPR) could have a major negative impact on their business.
In Singapore, the numbers are higher than the global average, with 92 percent of all local organizations expressing concerns over the potential GDPR fallout, along with 20 percent who fear that their business could shut down due to non-compliance.
This is in the face of potential fines for non-compliance as high as US$21 million (or S$29.8 million) or four percent of annual turnover – whichever is greater.
“Whether businesses reside in the European Union (EU) or not, local and regional companies that deal with EU consumers or employees will have to comply or risk running into hefty fines as high as 20 million euros or 4% annual turnover, whichever is higher,” said Sheena Chin, Country Manager, Veritas, Singapore, in an email interview with Networks Asia.
The Veritas study found that more than half (56%) of organizations in Singapore, along with Japan (63%) and Korea (61%) feared that they are unable to meet the upcoming deadline to be GDPR-compliant.
Chin stressed that Singapore businesses will also be greatly affected if they do not comply, especially since the country is the EU’s largest commercial partner in ASEAN, accounting for slightly under one-third of EU-ASEAN trade in goods and services.
“Businesses will certainly not want to run into situations where they face unnecessary penalties and be forced by regulation to erase data from their database. It can potentially put companies out of business.”
Chin noted that Singapore’s local equivalent of the GDPR is the Personal Data Protection Act (PDPA) – the act stipulates that companies can retain personal data if it is still being used for purposes for which the data was collected. But if data is no longer needed for that particular purpose, it must be deleted.
“This is a huge change from prior regulations. That said, by fulfilling GDPR regulation, it will definitely help businesses comply with PDPA.”
How different is it from the PDPA? Do businesses understand the difference?
The PDPA recognizes both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organizations to collect, use or disclose personal data for legitimate and reasonable purposes.
With the PDPA, companies are required to let consumers know why they are asking for personal data, and they will have to obtain consent before collecting, using and/or disclosing the information they receive. If an individual willingly provides the information, they are also allowing businesses to collect, use or disclose their data – in other words, deemed consent.
GDPR on the other hand, aims to protect all EU residents from privacy and data breaches. It addresses the export of personal data outside the EU, with the intent to give citizens and residents back control of their personal data, with expanded rights such as breach notification within 72 hours and the “Right to be forgotten”. It also hopes to simplify the regulatory environment for international business by unifying the regulation within the EU.
When it comes to GDPR, companies are effectively GDPR data controllers, making them responsible for the data they house when it is given to data processors. Data processors are in turn bound by GDPR rules to make sure companies have the ability to report on data losses, or be able to respond to data access requests.
It is important to note that the GDPR rules apply to both controllers and data processors. In the event where a company chooses to outsource the function to a Cloud Service Provider (Data Processor), it does not mean that it is exempted from the GDPR enforcement. As a data controller, the company is fully liable to ensure the Cloud Service Provider (Data Processor) takes appropriate technical and organizational measures to protect personal data.
A similar principle applies to Singapore as well, although the maximum fine could differ from case to case.
The ecommerce industry is booming in Asia. It is a straightforward example of a business that could house data from someone residing in the EU. Therefore, online stores which sell to global customers, including those from the EU, will have to handle their personal data according to the new regulation.
While there doesn’t seem to be any new cyber security and data breach notification obligations, businesses need to be on their toes as breaches and cyber attacks are constantly evolving. Over-retention of data is usually one of the pain points businesses will face, especially when it comes to ransomware and hacking, thus putting them in the firing range for cyber attacks.
What kind of advisory services are being offered to businesses out there who are looking to be GDPR-compliant? What are the consequences for violations?
Being compliant will take vast amounts of effort and working together with the right partners. At Veritas, we provide our customers with an integrated solution that will help them directly address the forthcoming GDPR. This solution gives enterprises around the world the ability to understand what personally identifiable information (PII) they hold on European Union (EU) residents and access that information quickly when requested by employees or consumers. It also provides a systematic way for organizations to protect PII from breach, loss or damage. These elements are critical mandates required by the new regulation.
The solution comes at a time when many businesses around the world either don’t know how to prepare for the new regulation or are underestimating the effort needed to become compliant. Our research shows that less than one-third (31 percent) of organizations worldwide meet the minimum GDPR requirements today, despite the fact that the regulation will take effect in just over a year’s time.
This includes avoiding over-retention of data – not only to ensure good habits – but also to prevent potential breaches from occurring. At the same time, it is also good to analyze the data on hand to provide better visibility. Lastly, having good data protection hygiene habits also instils confidence in companies to be able to provide the necessary data or stay compliant when stricter regulations come into play.