What are the obligations under the GPDR?
A company is required to comply with several conditions in order to lawfully process personal data pursuant to the GDPR provisions. The processing should be lawful and transparent, for a specified purpose, limited to the relevant data necessary in relation to this purpose, and appropriately secured. At a glance, businesses must have a valid legal basis in order to process personal data, must adequately uphold the rights of data subjects, along with being responsible for and clearly demonstrating compliance with GDPR principles.
Particularly noteworthy is that specific provisions apply to certain categories of ‘sensitive’ persona data, such as political opinions, racial or ethnic origin, or those relating to criminal convictions and offences.
Having a lawful basis for processing activities
According to the GDPR, processing personal data is only permissible if there is a lawful basis to do so as listed under its provisions. All businesses must then identify the most appropriate grounds, clearly document their choice, and directly inform individuals about the lawful basis for processing their personal data. Such processing must be based on one of the following grounds:
Consent: the individual has expressly consented to the processing of their personal data for a specific purpose;
Contract: the data processing is necessary to fulfill an obligation arising from a contract with the individual;
Legal obligation: the data processing is necessary to comply with a legal obligation;
Vital interests: the data processing is necessary to protect an individual’s vital interests;
Public task: the data processing is necessary to perform a task in the public interest; and
Legitimate interests: the data processing is necessary for legitimate business interests, but only to the extent that the individual’s rights are not seriously impacted or overridden by such business interests.
The appropriate legal basis for your business will hinge upon the specific purposes and context for processing personal data. In most cases, companies are likely to have a choice in electing between consent or legitimate interests as the basis for processing their customers’ personal data. Concerning the employees of a business, data processing may be necessary to fulfill certain obligations stipulated in their employment contracts for instance.
On the issue of a data subject’s consent, the GPDR lays down stringent rules. The request for consent should be distinct from other terms and conditions, and should employ “clear and plain language,” and provide the data subjects with sufficient information regarding the processing of their data. Such consent must therefore be free, specific (i.e. only provided for the purposes explicitly stated in the request), informed and unambiguous. It must also result from an affirmative act, implying a positive opt-in by checking a box online or signing a form, and not inferred from silence or pre-ticked boxes. Furthermore, the opportunity to easily withdraw consent must be granted to all data subjects. Additional specific conditions also apply to child’s consent. In conclusion, obtaining consent that satisfies the GDPR’s standards may be laborious – it would be wise to look for a different legal basis for data processing where possible.
In any event, the legal basis applicable to your business must be determined before beginning to process personal data. This will necessitate a thorough assessment, as it may become more complex and cumbersome to subsequently switch from one set of legal grounds to another.
Ensuring data subject’s rights
Under the GDPR, data subjects are given wide-ranging rights to have control over their personal data. The numerous obligations incumbent on businesses processing such data are geared towards the protection of EU individual rights including, among others:
Information and transparency: individuals have the right to be informed about the collection and use of their personal data. Data subjects must be provided with a minimum level of information at the time that their personal data is obtained, including but not limited to the identity and contact details of your company, the purposes of the processing, the legal basis for doing so, retention periods for the data to be stored, and how consent may be withdrawn.
Data accessibility and portability: upon request by any data subject, confirmation must be provided as to whether their personal data is being processed by the relevant company. If this is the case, he or she must be duly notified about the processing and provided with a free electronic copy of the personal data that is being processed. Additionally, data subjects have the right to demand that their personal data be returned or transmitted to another company in a commonly use and machine-readable format.
Data clearing: also known as the right to be forgotten, it entitles the data subject to request that their personal data be erased, if the data is no longer relevant to the processing purpose and/or the data subject withdraws its consent. Nonetheless, a small number of scenarios remain where a business may refuse to comply with such a request.
Automated decision making and profiling: in some circumstances, individuals have the right not to be subject to a decision that is based solely on automated processing, e.g. an online decision to award a loan, and can request human intervention and contest the automated decision.
In addition, if a company receives a request from a data subject that wants to exercise his or her rights, the company must respond without undue delay, i.e. within one month of receiving the request in most cases.
Accountability for compliance with the GDPR
Pursuant to the accountability principle of the GDPR, all businesses are responsible for, and must be able to demonstrate, compliance with the other principles of the Regulation. This means that companies have to be proactive and systematic in their approach to data protection and must be able to supply evidence of the steps they take to satisfy their obligations and protect individuals’ rights.
While there is no exhaustive list of measures to be put in place to comply with this principle, the GDPR provisions state that a company has a duty to implement technical and organizational measures which are to be risk-based and proportionate, and updated as necessary. However, some risk-based measures are specifically required by the Regulation, including the following:
Data protection by design and by default: the GDPR calls for businesses to implement appropriate technical and organizational measures to protect the rights of data subjects by including data protection mechanisms at the early stages of designing new systems to process personal data, using pseudonymization for instance, but also by having the most privacy friendly setting as the default setting.
Record processing activities: Most businesses are required to maintain a record of their processing activities, containing information on the purposes of the processing, data sharing, retention, consent where relevant, and personal data breaches if applicable.
Notification of breach: If a data breach occurs, i.e. personal data is disclosed to unauthorized recipients or altered and is likely to result in a risk to an individual’ rights and freedoms, the relevant authority must be notified within 72 hours of becoming aware of such a breach. In certain circumstances, an enterprise may also be required to inform all individuals affected by a data breach.
Data Protection Officer (DPO): in addition to internal record keeping requirements, an enterprise may be required to appoint a DPO, if the core business activities involve regularly and systematically monitoring data subjects or processing special categories of data on a large scale (i.e. sensitive data). This DPO, who may be a staff member or an external service provider, must comprehensively monitor compliance.
There are several other measures that may be pursued with regard to the accountability principle, such as adopting and implementing data protection policies, adhering to relevant codes of conduct, signing certification schemes or even carrying out data protection impact assessments (DPIA). It is essential to understand that accountability is an opportunity to conspicuously demonstrate and affirm that your business respects individual privacy, and therefore cultivate and maintain the trust of customers or clients.
Non-EU businesses subject to the application of the GDPR will need to appoint a representative in the EU – any private company offering such services- as a point of contact for EU data subjects and data protection authorities. This representative may face enforcement actions in the event of your company’s failure to comply with the GDPR. It is thus unlikely that it would represent you without strong contractual indemnities first being in place.
Given the nature and extent of the obligations provided for under the GDPR, any business in Asia coming under its scope needs to pay close attention to these compliance obligations, particularly since any failure to do so could result in heavy fines.
What sanctions may apply?
The risks associated with failing to comply with the GDPR are steep: it can expose businesses to substantial penalties, ranging from corrective measures to administrative fines.
There is a tiered approach to fines. On the lower end, companies can be fined up to EUR 10 million or 2% of their annual global revenue, whichever is higher, for infringements related to data protection by design and by default, records of the processing activities, and security of processing for instance. On the upper level, companies that are in breach may be fined by up to 4% of their annual global turnover or EUR 20 million, whichever is greater, for the most serious infringements, namely those related to the issue of consent and data subjects’ rights.
A range of corrective measures may also be imposed, such as ordering a temporary or permanent ban on processing, a restriction on erasing data, or suspending data transfers to third countries.25 Furthermore, one must consider the reputational damage and loss of consumer trust along with compensation claims for damages suffered that may result from a single breach.
In any event, the costs of falling foul of the GDPR are much more onerous than any investment made to abide by it. If your Asian business falls within its scope, it is recommended to immediately map out your current data processing activities and begin preparing for the imminent enforcement of the GDPR.
How to ensure compliance?
In order to prepare suitable measures to ensure compliance with the GDPR, businesses must at the very least take the following steps to re-evaluate their internal processes:
- Ensure that key in-house people are aware of the coming shift,
- Identify the relevant legal basis for data processing,
- Document and record the current processing of personal data,
- Assess the IT, organizational, and data protection measures in place,
- Review the current procedures regarding data subjects’ rights,
- Address the potential need to appoint a Data Protection Officer.
Some provisions of the Regulation will have more effect on some businesses than others, depending on their role, or the quantity of data being processed for instance. It is therefore crucial for every company to properly assess the impact of the GDPR and understand the resulting obligations in order to set sufficient safeguards and specific measures into place.
Unlike the EU, Asia does not yet have a harmonized approach towards data privacy, and local legislation is far from comprehensive in many jurisdictions. In the Philippines for instance, strong data protection policies have already been implemented with the 2012 Data Privacy Act (“DPA”). Through proper compliance with the DPA’s high standards, Filipino businesses will already meet many of the GDPR requirements, and this will serve as a solid starting point to build from. However, new obligations under the Regulation need to be carefully addressed, making it critical that all companies subject to the GDPR in the Philippines also prepare for its entry into force. At the other end of the spectrum, there are many Asian countries where data protection rules are very limited, and occasionally non-existent.
In Thailand for instance, the lack of regulation has led to unfortunate incidents of misuse of consumer data, and the fast-growing development of online and mobile banking and E-commerce calls for swift action in the country. In light of the looming passage into law of the GDPR, and the ripple effects it will have on Thailand’s digital economy, the Ministry of Digital Economy and Society has prepared a new draft legislation to comprehensively address data privacy issues. It is expected to be finalized by the end of the year for Cabinet approval prior to enactment.
In nations where no data protection rules exist, such as Cambodia, the learning curve will be even more challenging. The GDPR should serve as a wakeup call for all local governments to put data privacy at the forefront of their legislative efforts, especially in light of the exponential and pervasive rise of E-commerce and fintech services. This European Regulation is likely to serve as a model for best practices regarding data privacy around the world and in Asia.
In summary, while your business may not yet be subject to the GDPR rules today, their entry into force is approaching, with numerous nations fast at work on drafting similar legislation in response to the growing demands for greater consumer data protection. This is especially pointed in light of a multiplicity of privacy related scandals(such as the Facebook-Cambridge Analytica Scandal) around the world that have mobilized citizens to pressure their government leaders to take matters of individual privacy seriously.
Complying with the GDPR data standards will resolutely demonstrate your company’s desire to protect customers’ interests. On the contrary, by falling short of the heightened expectations that consumers now place on companies dealing with their personal data, you run the risk of forever losing your consumers’ trust, which in the current global context of people concerned by data privacy, could be detrimental to your business.
Need legal advice?
If you are in need of legal advice, you can request a quote with DFDL lawyers or get a Quick consult with experienced lawyers. With Quick Consult, from a transparent, flat fee of $49, the lawyers will call you back on the phone within 1-2 days to answer your questions and give you legal advice.
This article is written by DFDL Lawyers and edited by Rishika Pundrik of Asia Law Network.
This article was first published on the DFDL website.
This article does not constitute legal advice or a legal opinion on any matter discussed and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and practice in this area. If you require any advice or information, please speak to practicing lawyer in your jurisdiction. No individual who is a member, partner, shareholder or consultant of, in or to any constituent part of Interstellar Group Pte. Ltd. accepts or assumes responsibility, or has any liability, to any person in respect of this article.