Report warns companies on EU data privacy rules


With the implementation of data protection obligations under the General Data Protection Regulation (GDPR) set to commence in May, a report has revealed that many companies are not prepared.

Scott ThielPartnerDLA Piper
Scott Thiel
DLA Piper

A second Data Privacy Snapshot report released by DLA Piper found that the average alignment score with all key international data privacy principles for respondents was a dismal 34.4%.

The report also found that more than 200 organizations responding to the firm’s online survey tool in 2017 still had gaps in meeting increasingly demanding global privacy principles, with most of the respondents falling short of date protection obligations under the GDPR, which will take effect from 25 May 2018.

“GDPR will not just affect businesses who have on the ground operations within the EU, but will affect any business located outside of the EU that offers their services or products to EU data subjects,” Scott Thiel, a partner at DLA Piper in Hong Kong, told Asia Law Business Journal. “For example, businesses that operate a worldwide website offering services/products that target EU customers would be subject to GDPR regulations.”

Apart from the fact that the exterritorial effect of GDPR has been neglected by most of the respondents, including Asia-based companies, Thiel added that the latest report also revealed that the companies lacked “appropriate classification of personal data and they generally treat all types of date in the same way”.

The companies that were surveyed also lacked in personnel “who have the appropriate qualifications and necessary resources to undertake responsibility for GDPR compliance”.

Thiel said that proper categorization of data allows businesses to stratify and manage risk for different categories of data. He said that under the GDPR, it is vital to identify special categories of personal data – for example, financial data, health data, judicial data, information on an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, criminal history, trade union membership, etc.

“Many businesses make cross-border transfers without ensuring that they comply with specific rules that regulate the transfer of data out of the EU,” he said.

In order to ensure compliance with GDPR, Thiel suggested that businesses undertake strict processes when mapping out the basis on which personal data are collected, along with formal procedures to handle data subjects’ requests to access, rectify, delete or object to the handling of their personal data.

In addition to GDPR, Thiel said Asian companies with overseas business activities should also pay attention to the following data protection regulations: (1) China’s Cybersecurity Law; (2) Australia’s Privacy Amendment (Notifiable Data Breaches) Act 2017; and (3) Singapore’s Cybersecurity Bill. Subscription