APAC firms ill-prepared for new EU data protection laws

Effective from May 2018, the European Union's General Data Protection Regulation remains largely unfamiliar to Asia-Pacific businesses, which face hefty fines if they fail to comply.
Written by Eileen Yu, Senior Contributing Editor

Nearly 90 percent of businesses in Asia-Pacific know little or nothing about the European Union's upcoming General Data Protection Regulation (GDPR), which will come into effect in less than two years.

Another 93 percent did not have any plan in place for when the GDPR regime commenced in May 2018, according to survey findings released by Dell Technologies. Only 7 percent said they had a plan to prepare their organisation for the change.

Conducted by Dimensional Research, the global study polled 821 IT and business professionals responsible for data privacy and working at companies with customers in the EU region. Among Asia-Pacific markets in the study were respondents from Singapore, India, Australia, New Zealand, and Hong Kong.

The legislation was approved in April 2016 and would provide 500 million EU citizens rights to control their data. This meant they could instruct businesses to not build user profiles on them or migrate their data from one provider to another. They also would have the "right to be forgotten", compelling search engines to remove certain links from search results on the individuals' names if the URLs pointed to data that were outdated or irrelevant.

Companies that failed to comply with the new laws would face hefty fines, which could reach up to 4 percent of the organisation's annual global revenue or 20 million euros (US$22.34 million), whichever amount was greater.

The Dell study revealed that while 76 percent of Asia-Pacific respondents were concerned about GDPR compliance, most lacked awareness of what was required for their organisation to stay in compliance and the impact on their business if they breached any of the new laws.

Some 85 percent were unaware of whether their company would face fines for their existing data privacy policies when the GDPR regime began in 2018, while 15 percent said they would face repercussions if the new laws were currently effective.

And 95 percent said their organisation's existing practices would not meet the new GDPR requirements.

Dell provided several recommendations for organisations here to ensure compliance, including hiring a data protection officer--which was a requirement under GDPR--deploying control access management, and safeguarding network perimeters.
