We are now living in the post-digital era where it’s almost impossible for an individual not to leave digital footprints through their daily transactions and interactions. Businesses, meanwhile, are collecting more data than ever before. A large portion of the data that they gather consists of information on customers, which may include who they are, their lifestyle, behaviour, spending habits, etc.
Customer analytics have become a crucial tool and strategic asset for today’s data-driven organisations. Businesses are now equipped with increasingly powerful technologies that can ingest and derive meaning from massive amounts of data almost instantaneously.
Unfortunately, as the value of data continues to rise, it also becomes liable to misuse and theft, as apparent in the growing number of data breaches that have occurred over the years. Data can even be used by unscrupulous parties to hold individuals and organisations for ransom. There is clearly a greater need to protect these digital assets.
In Europe, the General Data Protection Regulation (GDPR) was introduced to harmonise and enhance data protection laws across the EU with the specific aim of protecting the personal data of its residents. What truly stands out about the GDPR is that while it is an EU initiative, its reach is worldwide.
Article 3 of the GDPR outlines the territorial scope of the regulation, explicitly stating that it applies “to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” As you’d expect, the GDPR applies to data controllers and data processors established in the EU. But what many ASEAN companies may not be aware of is the fact that the GDPR is looking to significantly increase the geographical scope of the European Union’s data protection law.
What does that mean for a business that is physically located all the way in South East Asia? To put it simply, if your business:
a) Is manipulating, monitoring, storing or processing the personal data of data subjects in the EU;
b) Is targeting subjects/customers in the EU; or
c) Is offering goods/services to EU citizens;
Then your business must be GDPR-compliant or face the possibility of significant penalties because the GDPR applies to data controllers and data processors regardless of size and industry, even if they’re not located in Europe.
Global companies like Google, Facebook, Instagram and WhatsApp, for example, were hit with complaints alleging privacy violations within hours of the GDPR taking effect. Even now, the companies are still at odds with the regulation, with Google potentially facing fines of up to $4.39 billion (4% of their annual revenue of $109.65 billion); while Facebook, in light of the most recent data breach which impacted roughly 50 million user accounts, could face a $1.63bn fine under the GDPR.
Therefore, the stakes are definitely higher than ever. If you do work with the personal data of European citizens, expect to make significant changes in terms of data governance, processes, IT systems and reporting. This is because in order to comply with the GDPR’s stringent requirements, your organisation has to implement appropriate security measures, maintain a record of your data processing activities, prepare data protection impact assessments and, if necessary, you may even be required to appoint a Data Protection Officer (DPO).
Gathering and processing data may be a pivotal part of your business in order to stay relevant and competitive. But in this day and age, it’s also becoming important for you to know what sort of data you’re working with and ensure that it is safe, secure and doesn’t fall into the wrong hands.
Even if your company doesn’t have a location in EU states, that does not mean it is not affected by the GDPR. If you’re storing or handling any data pertaining to European citizens, you had better be ready for the GDPR.