On 25 May 2018, the General Data Protection Regulation (GDPR) becomes enforceable under law in the European Union (EU).
It fundamentally changes how businesses (and the public sector) must handle information relating to their customers, giving greater protection to individuals and harmonizing the laws for data handling across the EU.
GDPR has a different focus from previous data protection laws: it protects the Personally Identifiable Information (PII) of EU individuals regardless of where in the world that data is stored.
If you are a small business that has never dealt with, or shipped to, anywhere outside your home country, GDPR may not be a concern. However, if you have even a single regular EU-based customer, you will need to become compliant.
Compliance with GDPR is essential for any business operating inside the EU, but it is just as important for any business anywhere in the world that wants to do business with the EU.
So with that in mind, what steps should businesses in APAC consider?
The first requirement is to put someone in charge of data compliance. Under GDPR this person is known as the Data Protection Officer (DPO), and is responsible for ensuring that your company secures the personal data it holds correctly, while also holding overall responsibility for the compliance process. Without a DPO, companies risk failing to comply, with internal battles preventing effective decisions from being made.
With a DPO in place, you can then start to look at areas where data protection best practices will help. It is worth bearing in mind that the full current documentation contains 99 GDPR articles, so I propose three important areas that deserve particular focus.
1. Encryption of data. This may seem obvious, but it is worth taking the time to review what you encrypt and where it is. This will likely mean running a full data audit. Since data changes value over its lifecycle, an audit has benefits beyond knowing what to encrypt: you will also learn what data is being held and whether it can be archived or even deleted. This is not just about encrypting data at rest; also consider data in motion and network data protection methods. The latest encryption and cloud access security broker (CASB) tools will greatly help here.
2. Access controls. Make sure you know who is accessing data, from where, and when. With demands for 24x7 any-device access, it is very important to put these controls in place and reduce the risk of unauthorised access. At the same time, make sure that employee access methods are strong, with good, regularly changed passwords and multi-factor authentication in place. However, this only covers user access to data. You will also need to look at what is accessing data. Many organisations have third-party connections in place with partners or other applications. These will similarly need to be continuously monitored for ongoing GDPR compliance.
3. Establish an incident response process. Under GDPR, if data is breached, you need to report that this has happened, and in most circumstances the notification has to happen within 72 hours of detecting the breach. An effective incident response process will put you in a stronger position should a breach occur, to understand what happened, the impact of the breach and the mitigation measures required. The breach will still need to be reported, and you may have to contact individual customers to let them know, but an efficient response process will allow for better mitigation of potential damage, while also greatly reducing the risk of negative long-term brand or financial impact.
In summary, ensuring the protection of your customers’ data should always be a priority, and is fundamentally sound business sense.
The imminent roll-out of GDPR, however, as a significantly broad set of regulations with potential legal implications globally, should serve as fresh impetus for your company to re-examine the way it approaches data protection and plug gaps that might otherwise pose issues in the long run.
While GDPR details how data relating to EU citizens must be protected, does it not make sense to simultaneously consider and adopt the best practices being rolled out, and protect ALL citizen data that you process globally?
Various countries in the region are already creating and updating their respective data protection laws. Singapore, Hong Kong, Japan and the Philippines, for example, all have plans in the works, and Australia has recently amended its existing privacy acts. But the GDPR is cross-border legislation, and becomes legally enforceable from the 25th of May this year.
With regulation comes opportunity, and GDPR is perhaps the perfect catalyst for companies across the region (and beyond) to re-examine the way they approach data protection. Better data protection will not only ensure compliance with the new regulations, but will ultimately also give your customers confidence in the long run. This is your chance to stay ahead of the game.