Since January last year a total of EUR 158.5 million (US$ 191.4 million) of fines have been imposed, a 39% increase on the previous 20-month period since the application of GDPR. There was double-digit growth for breach notifications for the second year running with 121,165 breaches notified since January 2020 compared to 101,403 breaches the previous year.
While we are seeing a slow progression and varied maturity levels of compliance, governments around the region are starting to impose steep fines for data breaches.
iTNews Asia speaks with Carolyn Bigg, global law firm DLA Piper’s Head of Privacy Asia, to discuss the challenges from the lack of harmonisation from governments and enforcement, the potential risks and repercussions organisations in Asia Pacific face from a failure to act and steps they can take to ensure they meet the growing data governance standards.
iTNews Asia: What are the notable trends of how data privacy risks and compliance are managed in APAC?
In my experience, businesses in APAC are now generally confident in managing the basics of data protection compliance. But the current round of upgrades to data privacy laws in APAC – from New Zealand to Korea, India to Singapore and Thailand to Japan, and with further updates proposed in China, Australia and Hong Kong – means that the risks are growing. This is especially true as mandatory breach notification and much higher sanctions (including fines by reference to a % of annual turnover) are introduced.
APAC data privacy compliance programmes have always had to be agile, given the lack of harmonisation in data protection laws across APAC.
The rapidly evolving laws – and growing enforcement appetite and powers of the data protection authorities – mean that these compliance programmes must be carefully planned and kept under constant review.
iTNews Asia: Do you think there is sufficient awareness with regards to data protection compliance by APAC companies, particularly across smaller organisations?
Data protection authorities in APAC have in the last decade been very focused on education, and have generally given businesses (and especially SMEs) time to implement compliance programmes and some leniency in enforcement as new laws have been introduced. There are plenty of helpful resources (including those aimed at SMEs) available on many data protection authorities’ websites.
Data protection is no longer a new topic across most of APAC, and regulators are no longer sympathetic to organisations who haven’t addressed their data protection compliance obligations.
iTNews Asia: How would the oncoming wave of GDPR-style fines across APAC affect companies in the technology industry?
APAC technology businesses are facing a two-headed challenge from GDPR now:
Firstly, the risk of GDPR-level fines, both from European regulators and customers (if handling GDPR data) and now from local APAC data protection regulators.
Managing these risks requires, first and foremost, an understanding of data inventories and data flows, designing an appropriate compliance programme to manage that data, and managing data protection clauses in customer contracts in a nuanced and structured way.
Secondly, perhaps the greater challenge for APAC technology businesses comes from the Schrems II decision in Europe last year, which now requires those organisations exporting GDPR data to locations outside of Europe using EU standard contractual clauses to undertake an additional transfer “adequacy” impact assessment.
This assessment should take into account the data privacy and surveillance laws in the country in which the data is stored or processed, and additional measures need to be put in place to address gaps between those and protections under European laws.
We are seeing this increased compliance burden and the corresponding increased costs affect both customers and their vendors, and in some cases even lead to repatriation of GDPR data to servers in Europe.
iTNews Asia: What is the impact of the increasing number of APAC countries having introduced or introducing GDPR-like fines on those countries who haven’t? Does the difference in enforcement across the region create issues and challenges for companies operating in more than one country in Asia?
APAC data privacy compliance programmes have always had to be agile, given the lack of harmonisation in data protection laws across APAC. The rapidly evolving laws – and growing enforcement appetite and powers of the data protection authorities – mean that these compliance programmes must be carefully planned and kept under constant review.
A lack of consistency in fines and enforcement across the different APAC jurisdictions in some ways makes compliance easier to navigate – enabling organisations to help prioritise their compliance activities and resources.
iTNews Asia: In the longer term, how can companies manage the scope and challenges of compliance? What are the steps that can be taken to avoid being implicated by the GDPR-like risks and fines? What advice do you have for those affected by the fines?
APAC is such an exciting region for data-rich businesses. The predominantly consent-based data privacy frameworks in APAC allow businesses – transparently and within a compliant governance framework – to do much more with their personal data than is available under, say, GDPR; and consumers in APAC are more enthusiastic to embrace the tailored, more personalised products and services that this approach brings.
A regional rather than a global approach to data protection can be very helpful in this regard. But key to unlocking this is investing time to develop a strategic data privacy compliance programme that focuses on what data the organisation has and what it wants to do with it first, and then consider what compliance steps must be taken to enable this.
Data incidents are a reality for businesses, and so are higher fines if they are not handled in a timely or proper manner. Key to managing these risks is having a clear incident response procedure, and training the whole business on what to do if an incident happens.
Greater investment in data privacy compliance in APAC is now a necessity. A real challenge that businesses will face in 2021 is the talent shortage of experienced data privacy professionals, who are familiar with the APAC data privacy culture and environment.