What’s GDPR to Asia Pacific and our business today?

April 13, 2017, by Frank Chin from iTGRC Asia

Is this an extension of the DPA (Data Protection Act)? If we already comply with a DPA under the jurisdiction of our local or home legal systems in Asia, are we still exposed to potential sanctions, which can reach a fine of up to 4% of annual global turnover or €20 million, whichever is higher?
 
With the EU General Data Protection Regulation (GDPR) coming into effect on 25 May 2018, the data protection landscape will be significantly reshaped for any organization that collects or processes the personal data of European residents.
 
In a nutshell, the Regulation introduces a number of key changes for organizations, and the move from DPA compliance to GDPR compliance can be a complex one. It may be wiser to adopt a high-watermark approach now, to give us an upper hand in Asia as we head into May 2018.
 
GDPR is not just about where sensitive data is stored in computer systems; its scope is broader than that. It covers manual processes, mechanisms and work activities that involve, or have touch-points with, European residents' personal data, regardless of where you are located.
 
Don't overreach and get caught up in speculation. Start small and think simply from both a technical and an organizational point of view. Begin by looking at the privacy and data-protection control objectives your company or organization already has in place, then extend that thinking with the following questions:
 
- Do we have defined data controller and data processor roles, each able to take responsibility for ensuring a level of security appropriate to the risk?
 
- Are we equipped today with a robust breach-notification process in the event of a personal data breach? (GDPR requires controllers to notify the supervisory authority within 72 hours of becoming aware of a breach, where feasible.)
 
- Can our controllers ensure, and demonstrate on request, that personal data is processed in compliance with GDPR requirements (the accountability principle)?
 
- Have we built privacy and data protection by design into our products and services, with settings that give users real options to choose from? Opt in, or opt out...
 
Take a spin on these control objectives and think of a few areas where your business or IT departments may already have controls in place:
 
1. Cybersecurity and data breach notification
2. Explicit consent and options
3. Handling cross-border data transfer and data portability
4. Any profiling?
 
Last but not least, look outside your own boundary and examine how your vendors and partners fare today with respect to GDPR compliance, if they receive personal data transferred from you. It is about covering the entire ecosystem of your business.
 
This all sounds very familiar. If my organization already has an information security framework today, does that mean we are fine? The answer is "two sides of the same coin", and it can be a double-edged sword. If you think risk-based and go for a high-watermark compliance approach, you will still want to perform a gap analysis to confirm that your baseline meets the requirements, build a sound plan for the residual risks or leverage existing mitigating processes and controls, and set aside a remediation budget that demonstrates your commitment to meeting GDPR mandates. Do that, and you will not be far from GDPR compliance.
 
Alternatively, jump on the bandwagon and let the experts think for you and help you with the journey now. Think GDPR Asia, think iTGRC.Asia.