Asian companies conducting business in Europe and subject to the General Data Protection Regulation (GDPR) should ensure they are using appropriate methods for transferring data out of that region, a legal expert from London told Asia Business Law Journal.
“Asian companies with operations in Europe should already be complying with existing privacy laws,” said Kolvin Stone, a partner of Orrick in London.
“Of particular relevance to Asian companies will be the restrictions on transferring data outside of the EU, which will require careful consideration of an appropriate lawful transfer method,” he said.
Stone said the main factors Asian companies should consider when determining an appropriate transfer method are the nature of the data, how they are being used, who they are being shared with, whether the transferee is an individual or a company, and whether the data are part of a customer-supplier relationship or an intra-group arrangement.
“All of those factors will really determine the most appropriate transfer method for an Asian company,” he said. “A company’s approach to GDPR is not dictated by their geographical location. What is more important is the industry focus, and obviously certain countries in Asia have an industry focus like, for example, Singapore focuses on financial services,” he said.
Stone said the main difference between GDPR and existing privacy laws is the level of enforcement powers that regulators now have. “The reality is that the level of compliance is not that high,” he added.
“The increased sanctions under GDPR, including fines of up to €20 million (US$23.5 million) and 4% of annual global turnover, mean non-compliance is not an option. Asian companies with operations in Europe need to pay closer attention to privacy compliance than may have been previously the case, as their operations will be subject to the GDPR,” he said.
The GDPR is different to existing privacy law in that Asian companies with no physical operations in Europe may still be subject to the GDPR where they are conducting business in Europe by, for example, selling goods and services to EU residents via the web, or making an app available to EU residents and collecting data in the process, said Stone.
“Similarly, Asian service providers who do business with European customers will need to consider the implications of the GDPR if they are collecting their customer data when providing services,” he said. “This will be particularly relevant to Asian technology companies.”
Stone said that the emphasis should be on being able to demonstrate compliance to a regulator or other stakeholders, which is a challenge for every organization.
“This requires businesses to have a developed privacy compliance programme that is documented and available for inspection,” he said. “The enhanced user rights and, for example, being able to effectively delete data when requested by an individual exercising their ‘right to be forgotten’ can present technical and operational challenges as systems may not be designed to support such requests.”