GDPR is right around the corner – following years of debate and discussion, negotiation and preparation, the General Data Protection Regulation will go into effect on May 25th.
In short, GDPR is a new regulation on data privacy and protection for all individuals in the European Union – as well as those who are doing business with EU citizens.
Here is a roundup of industry leaders with their insights and opinions on how GDPR will affect Asia and Singapore businesses moving forward.
How will GDPR impact the region and business in Singapore?
Managing Director – AdNovum Singapore
The GDPR requires organizations to responsibly handle and protect the personal data and privacy of EU citizens. Its extra-territorial reach involves all businesses that operate outside of Europe, including those located in Singapore. Companies that conduct business in Europe, deal with European companies and/or handle the personal data of EU citizens are affected by the GDPR.
The pressure on Singapore businesses may or may not be directly from EU regulators, but from the EU organizations they are working with, as the GDPR requires that all suppliers and vendors also commit to the proper management and handling of personal data. Singapore businesses can therefore expect stringent reviews of their sub-contractors by their European counterparts, or be subjected to rigorous reviews if they cannot demonstrate their compliance.
While its rigorous requirements can seem burdensome at first, the GDPR will significantly advance the advocacy of data privacy and re-establish customer trust. Recent high-profile cyberattacks and incidences of data misuse have made consumers cautious of sharing their data. Provisions in the GDPR such as the right to data erasure and correction, explicit consent and data minimization will help customers regain a measure of control over their data and how it is used. This will renew consumers’ confidence in sharing their personal information with businesses.
Vice President, Data Policy and Governance – MediaMath Singapore
As marketers in Singapore are looking to deliver more customer-centric, relevant and meaningful marketing experiences, data-driven marketing (through the use of programmatic technology) has risen in prominence. Brands can now leverage data to understand what their customers are interested in, when they are most willing to buy, the likelihood of a purchase decision and the right time and place to deliver an ad.
There is no doubt that the upcoming GDPR implementation will now prompt questions globally on how the digital advertising ecosystem is using data and will challenge the industry to evolve and adapt to the regulation.
As Singapore is the European Union’s largest trading partner in ASEAN, we started preparing advertisers here early for the GDPR enforcement. Singapore brands need to understand that they, too, need to comply with the regulation as long as they are dealing with data of EU citizens.
Executive Vice President and Managing Director – Sage Asia Pacific
In Singapore, the EU is Singapore’s third-largest trading partner and Singapore’s largest investor. With both parties expected to ratify their free trade agreement by the end of the year, the relationship is only set to grow further, which obviously means more companies here in Singapore will also be impacted by GDPR.
Three main ways that businesses in Singapore and the region will be affected are:
- Potential heavy fines – the regulation imposes hefty fines for violations. At the higher tier, organizations could be liable for up to 4% of global annual turnover, or €40M, whichever is greater.
- Risks to brand reputation – with cybercriminals’ growing sophistication, data breaches and leaks are becoming more common in the digital economy. There will definitely be risks to brand reputation if companies are found to not have taken the necessary precautions against data breaches. Compliance with the GDPR is one key way that organizations can demonstrate a commitment to customers’ sensitive data.
- High cost of compliance – costs for activities including data audits, IT system updates and hiring of Data Protection Officers (DPOs) can range from 700,000 SGD for medium-sized firms, to more than 20 million SGD for FTSE100 firms. Companies that start now will have more runway to plan a phased approach to compliance, which can help cut costs associated with full GDPR compliance.
What can businesses do to get ready for the regulation?
The reality is that the majority of businesses will not be 100 percent GDPR-ready on 25th of May, when the legislation comes into force. However, companies should at least focus on being as compliant as possible. They must carefully consider security and data privacy and modify all customer touchpoints, from web to mobile, and ensure they are compliant with these new requirements.
Organizations need to translate legal requirements into simpler step-by-step instructions, helping them create appropriate documentation for upcoming GDPR compliance assessments. One way to accelerate this process is by employing customer identity and access management tools. Such tools will ensure compliance, security and privacy while maintaining a seamless experience for customers. In addition, organisations should exercise the same degree of security and privacy when handling personal data of their employees and partners.
Senior Director and General Manager, SE Asia and Taiwan – Aruba, a Hewlett Packard Enterprise company
More than half of the world’s six billion mobile connections are in Asia Pacific and the region is at the forefront of next-generation mobile broadband technologies, driving up data volume and network traffic. It is crucial for enterprises in this region to take a holistic approach involving people, process and technology to successfully navigate GDPR.
Proper network access must go beyond simply validating credentials. The fundamental security of underlying network infrastructure must also be robust to minimize the chances of a breach. Solutions with a strong focus on security will be the ones that successfully support organisations in their GDPR compliance programs.
Area Vice President, ASEAN & Korea – Commvault
Data has often been compared to currency, but people have never had the same degree of control over their data as they do their money. However, GDPR could rebalance the power struggle to some degree. At the heart of this legislation is the onus for businesses to protect data, and to notify the subject if data pertaining to them is compromised.
Organizations today have copious amounts of data and must comply with GDPR, and the myriad of national and international regulations that govern it. It’s a complicated business, but companies must not be deterred. Instead, they need to switch their mindsets when it comes to compliance.
Organizations need to acknowledge that compliance is no longer simply an IT or technology issue. Instead, it must be handled across the business – from the board and legal, to sales and beyond. This means that a holistic ‘People, Process and Technology’ mantra is still the way to achieve Zen amidst the chaos of complying with the GDPR. With the 25 May deadline only getting closer, it’s high time for businesses to overcome complexity with proactivity and confidently meet today’s compliance obligations, starting with a proper data management strategy.
There is a lot more to be done by individual companies, through working with their legal counsel, partners, providers and others. Industry bodies such as the IAB Europe have worked to provide mechanisms which advertisers can adopt to strengthen their compliance with GDPR.
For instance, the IAB EU Transparency & Consent Framework offers the entire advertising ecosystem a common language to communicate consumer choices around the processing of their data. The Framework also offers the sell side new tools to provide transparency around the digital advertising ecosystem. This helps consumers to understand how their data is used by publishers and trusted partners. At the same time, we encourage advertisers and publishers to adopt The Framework to help them come into compliance with GDPR.
- Conduct a GDPR audit from a legal (including updating existing agreements) and technological standpoint. An audit will help identify where a company’s data, especially personal, identifiable customer data, sit within the organization.
- Ensure employees and partners (since companies are also liable for third parties that process customer data on your behalf) are aware of the GDPR and ensure they are adequately prepared to comply with the regulation.
- Ensure there is a robust reporting structure, one which supports Data Breach notifications to the relevant authorities.
- Seek professional advice to better understand the implications of the GDPR on your business.
What is your company doing to ensure that it complies with the regulation?
AdNovum set up a project taskforce comprising team members from different aspects of the business, to ensure compliance before the May deadline. The taskforce reviews the various processes, personnel and systems that are involved in personal data, including employee data.
A Data Protection Officer (DPO) has also been appointed across our offices, and reports directly to their respective senior management. These individuals are empowered to oversee relevant processes so as to detect or identify potential non-compliance. One area where such stringent measures can be observed is in our job application process. We have put in place systems that only collect data that is required for a specific purpose, and this data may be deleted upon request. We have implemented contractual agreements with employees and recruiters regarding the handling and protection of that data, which are made transparent to the individuals involved. We have also taken steps to ensure that our partners are compliant with the Personal Data Protections Act.
As MediaMath powers digital advertising for more than 40 advertisers in Singapore, we are actively preparing to be compliant with the GDPR when it comes into force at the end of this month. We believe GDPR is a force for good that (among other benefits) gives consumers greater transparency and control over the use of their personal data.
Our Data Policy & Governance and Legal teams are working with external counsel, industry groups and other companies to assess the GDPR’s requirements and design the right mix of administrative and technical solutions to support our clients in Singapore and across the globe.
We have also taken on an industry leadership role as chair of the Interactive Advertising Bureau (IAB) Europe Working Group on Consent, to bring together advertisers, publishers and technology providers to develop effective compliance solutions for the entire digital marketing industry. The result is the IAB EU Transparency & Consent Framework which helps website operators become GDPR-ready. In addition, we have designed, built and deployed our products and services to help all clients and partners comply with applicable European regulations while achieving successful marketing and business outcomes.
At Sage, we are offering our customers support and the information they need to help them prepare for the GDPR, through:
- a.) Knowledge hub: Sage has created a repository of GDPR-related resources, ranging from white papers, blogs and infographics to videos and webinars, that our customers can tap on. We have also created a checklist for companies to run through with their vendors to ascertain if they are GDPR-compliant:
- b.) Learning Services: We have face to face training sessions which cover the pertinent issues faced by businesses, such as managing data in your software to what GDPR could mean for your business.
- c.) Products: Sage is proud to be a trusted custodian of our customers’ data and will continually enhance the functionality of our products and processes in preparation for GDPR. Product enhancements may include:
I. Solutions to identify data as personal
II. Solutions to purge personal data (enabling the right to be forgotten)
III. Simplified solutions to respond to Subject Access Requests (SARs) and Data Portability Requests (DPRs)
At the end of the day, companies right now are merely looking at GDPR from a legal standpoint, but we must all work together to educate organizations to start viewing this from an operational compliance perspective. Only then will we see widespread acceptance and implementation of such data privacy laws.
Christopher Strand, Senior Director, Compliance and Governance Programs – Carbon Black
The significance of the date 25 May is not just tied to the impending deadline of the GDPR, but it also marks the dawn of the cyber-regulatory market of 2018. While it is not new, we will start to see the maturity of the cyber-regulatory market, one that is well-defined, addressable, and with metrics showing its impact in relation to other associated sectors, such as cybersecurity and data security.
Businesses will and must start to look for robust, unified solutions that address the entirety of challenges in complying with the GDPR. This increases the impetus for security and regulatory professionals to band together like never before and help businesses to build actionable intelligence while solving security problems and gaining insight on the risk to cyber-regulatory requirements. The GDPR and all other upcoming cyber-regulatory laws will set a new benchmark for companies to prove they have awareness and control over the security regulations that govern their respective industries.
This was put together with Finn Partners.