A global study from Veritas Technologies has revealed that 86% of organizations worldwide are concerned that a failure to adhere to the upcoming General Data Protection Regulation (GDPR) could have a major negative impact on their business.
In Singapore, the numbers are higher than the global average, with 92 percent of all local organizations expressing concerns over the potential GDPR fallout, along with 20 percent who fear that their business could shut down due to non-compliance.
This is in the face of potential fines for non-compliance as high as US$21 million (or S$29.8 million) or four percent of annual turnover – whichever is greater.
“Whether businesses reside in the European Union (EU) or not, local and regional companies that deal with EU consumers or employees will have to comply or risk running into hefty fines as high as 20 million euros or 4% annual turnover, whichever is higher,” said Sheena Chin, Country Manager, Veritas, Singapore, in an email interview with Networks Asia.
The Veritas study found that more than half (56%) of organizations in Singapore, along with Japan (63%) and Korea (61%) feared that they are unable to meet the upcoming deadline to be GDPR-compliant.
“They are simply not ready for the regulation, as compared to the rest of the world – the global average sits at 47%. In Singapore and the wider SEA and APJ region, there is a tendency to assume that GDPR only applies to companies residing within EU borders. However, this is simply not the case today,” added Chin.
Chin stressed that Singapore businesses will also be greatly affected if they do not comply, especially since the country is the EU's largest commercial partner in ASEAN, accounting for slightly under one-third of EU-ASEAN trade in goods and services.
“Businesses will certainly not want to run into situations where they face unnecessary penalties and be forced by regulation to erase data from their database. It can potentially put companies out of business.”
Chin noted that Singapore’s local equivalent of the GDPR is the Personal Data Protection Act (PDPA) – the act stipulates that companies can retain personal data if it is still being used for purposes for which the data was collected. But if data is no longer needed for that particular purpose, it must be deleted.
Chris Bridgland, CTO and Technology Practice lead for Emerging Region in EMEA, Veritas adds that being GDPR compliant will naturally help local governing laws as it helps businesses stay on top of their data hygiene habits. He noted that GDPR is very different when compared to Sarbanes-Oxley in that much of the data that the company is expected to handle in compliance with GDPR is unstructured data in email, not just financial transactions.
“In the world of GDPR, an organization cannot just state they have had a good look at the data – they have to prove that they have done an audit and have gone through all data stores,” said Bridgland.
“This is a huge change from prior regulations. That said, by fulfilling GDPR regulation, it will definitely help businesses comply with PDPA and Sarbanes Oxley.”
In the interview Chin talks about the difference or similarities between the GDPR and PDPA as well as how Singapore companies can comply with the GDPR:
How different is it to the PDPA? Do businesses understand the difference?
The PDPA recognizes both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organizations to collect, use or disclose personal data for legitimate and reasonable purposes.
With PDPA, companies are required to let consumers know why they are asking for personal data and they will have to obtain consent before collecting, using and/or disclosing the information they receive. If an individual willingly provides the information, they are also allowing businesses to collect, use or disclose their data – in other words, deeming consent.
GDPR on the other hand, aims to protect all EU residents from privacy and data breaches. It addresses the export of personal data outside the EU, with the intent to give citizens and residents back control of their personal data, with expanded rights such as breach notification within 72 hours and the “Right to be forgotten”. It also hopes to simplify the regulatory environment for international business by unifying the regulation within the EU.
On top of this, GDPR promises to unify EU data protection requirements, making it easier for businesses to comply, thus ensuring that they know where personal data is stored, who has access to it and who has recently handled it. This provides a proper process and audit trail.
When it comes to GDPR, companies are effectively a GDPR data controller, making them responsible for the data they house when it is given to data processors. Data processors are in turn bound by GDPR rules to make sure companies have the ability to report on data losses, or be able to respond to data access requests.
It is important to note that the GDPR rules apply to both controllers and data processors. In the event where a company chooses to outsource the function to a Cloud Service Provider (Data Processor), it does not mean that it is exempted from the GDPR enforcement. As a data controller, the company is fully liable to ensure the Cloud Service Provider (Data Processor) takes appropriate technical and organizational measures to protect personal data.
A similar principle applies to Singapore as well, although the maximum fine could differ from case to case.
Last year, a local entertainment company that was in breach of the Personal Data Protection Act (PDPA) was ordered by the Personal Data Protection Commission(PDPC) to pay a fine of S$50,000, while its IT vendor was fined S$10,000 for not having adequate data protection measures.
GDPR-readiness – which industries are the most heavily affected? How will it affect cross- border data transfers?
As long as businesses deal with EU consumers or employees, they will have to comply or risk being fined regardless of whichever industry they are in. A company that hires citizens or residents from the EU has to ensure that they have met the regulation. If not, they may face dire consequences.
The ecommerce industry is booming in Asia. It is a straightforward example of a business that could house data from someone residing in the EU. Therefore, online stores which sell to global customers, including those from the EU, will have to handle their personal data according to the new regulation.
Small and medium business (SMBs) also need to be more vigilant, and due to the current competitive economic landscape, they will have a steeper hill to climb, especially if they are not on the road to being compliant. However, there are steps SMBs can take to safeguard themselves. Adopting a more pragmatic approach – such as doing research on what it takes to be more transparent with their data – could be helpful for them in the long run. On top of this, accountability for their actions and the data they store will definitely be useful, especially if they are faced with a data subject request from the relevant authorities.
Are there new cyber security and data breach notification obligations? Should businesses think about creating a permanent role for a data protection officer?
While there doesn’t seem to be any new cyber security and data breach notification obligations, businesses need to be on their toes as breaches and cyber attacks are constantly evolving. Over retention of data is usually one of the pain points businesses will face, especially when it comes to ransomware and hacking, thus putting them in the firing range for cyber attacks.
Appointing individuals or creating a permanent roles for employees who can do good data housekeeping – such as ensuring employees practice good data habits on top of monitoring data – is useful to ensure that the organization is kept in check. However, if this is not feasible for whatever reason, external help is always available to assist business with meeting compliance objectives. The most important consideration is whether the creation of a permanent role for a data protection officer will provide meaningful outcomes for the organization when it comes to being compliant and keeping up with good data hygiene.
What kind of advisory services are being offered to businesses out there who are looking to be GDPR-compliant? What are the consequences for violations?
Being compliant will take vast amounts of efforts from working together with the right partners. At Veritas, we provide our customers with an integrated solution that will help them directly address the forthcoming GDPR. This solution gives enterprises around the world the ability to understand what personally identifiable information (PII) they hold on European Union (EU) residents and access that information quickly when requested by employees or consumers. It also provides a systematic way for organizations to protect PII from breach, loss or damage. These elements are critical mandates required by the new regulation.
The solution comes at a time when many businesses around the world either don’t know how to prepare for the new regulation or are underestimating the effort needed to become compliant. Our research shows that less than one-third (31 percent) of organizations worldwide meet the minimum GDPR requirements today, despite the fact that the regulation will take effect in just over a year’s time.
With maximum fines set at the greater amount of €20 million or four percent of annual turnover, the penalties for non-compliance are severe. Also, this is not just an issue for companies based in the EU. It applies to any business around the world that interacts with EU residents and holds their personal data. On top of this, business could suffer losses far greater than they can afford. This could include potential layoffs due to high financial penalties, brand damage, potential lawsuits, loss of market shares and/or loss of customers.
With this in mind, Veritas has launched 360 Data Management for GDPR. It includes an array of comprehensive advisory services and integrated software technologies. These not only help companies jump-start their compliance journey, but help maintain compliance at every turn moving forward.
Good data protection hygiene habits – why GDPR will help with this? Is GDPR helping organizations to de-clutter data?
Yes, GDPR will eventually help organizations de-clutter their data by making them more vigilant of what data to keep and what to delete or should be deleted. With governments around the world tightening on data protection for consumers, the risk of exposure is driving many organizations to make sure they comply with any regulation that may adversely impact them.
This includes avoiding over retention of data – not only to ensure good habits – but also to prevent potential breaches from occurring. At the same time, it also good to analyze the data on hand to provide better visibility. Lastly, having a good data protection hygiene habits also instil confidence in companies to be able to provide the necessary data or stay compliant when stricter regulations come into play.
What the future would look like in a GDPR compliant world?
Based on our recent Databerg Report, we have seen the implications of increasing data growth for businesses. With the large volume of data stored on-premise or in the cloud, visibility has had a drastic impact on the reaction time in pin-pointing and rectifying loopholes. Already, 82 percent of respondents surveyed in the Data Hoarders report admitted to storing data potentially harmful to their organizations. At the same time, companies could also likely be storing personal data from consumers (such as personal information) that they do not necessarily need or have the rights to.
A GDPR-compliant world (or even a data transparent one) hopes to reduce all the above. By being compliant, companies will provide more transparency to the regulators and to their customers when it comes to data they are storing. This will help customers feel that their data are secured and put them at ease, thus instilling trust and brand loyalty.