How does data protection regulation affect businesses in Asia?

In recent years, progressive effort on protecting data and safeguarding privacy has been seen across Asia. In consideration of increasing global cyber threats, and regional and global data protection trends, Asian countries are initiating more and stricter privacy and data protection laws. Gartner (opens a new window) predicted that over 80% of organisations will face modern privacy and data protection requirements by 2024.

The EU General Data Protection Regulation (GDPR), described as the toughest privacy and security law in the world, is influential to the development of Asia’s data protection regimes. While it states that the rules apply to EU citizens, GDPR will also have an impact on entities operating outside of European jurisdictions as long as they are managing EU citizens’ data. For instance, GDPR will apply to companies which manage EU citizens’ personal information when they work as expats in Asia.

In addition, GDPR has marked out many of the ground rules on how to handle privacy laws for Asian countries, for reference, when introducing amendments and reforms to their data protection regimes. Despite sharing the same core data protection elements, countries across Asia each have their own specific rules that differ from each other and from those in other regions. Companies must therefore keep up-to-date with global and regional data protection regulations to avoid non-compliance and significant penalties.

Key features in data protection regulations

Extraterritorial scope. Some Asian countries require foreign entities to adhere to their rules when handling local citizens’ data, which is similar to the EU’s GDPR. These countries include China (opens a new window), Japan, the Philippines, Thailand and Indonesia.

Breach notification. In the event of a data breach, the company is required to notify the affected parties. While some countries only require notice to be provided “promptly” or “without delay”, others set a more specific reporting deadline. For example, notification is required within 72 hours for Singapore, the Philippines and Thailand, and within 5 days for South Korea.

Individual rights. The laws in most Asian countries provide data access, correction and erasure rights. However, data portability right is only mandated in four jurisdictions, namely, China, Singapore, the Philippines and Thailand. The timeframes for responding to individual rights requests also vary widely, with some countries requiring companies to respond within 1-7 days, while some require it to be within 30 days.

Data Protection Officer. In some countries, such as China, South Korea, Singapore and the Philippines, the appointment of a data protection officer (DPO) is required. The DPO will be responsible for managing data-oriented projects, overseeing data management and protection, and deploying data privacy policies.

Benefits of complying with data protection regulations

Build trust and credibility

Research conducted by GroupM (opens a new window) shows that 67% of people were “concerned” about the issue of privacy. According to Didomi (opens a new window), around 70% of consumers have decided not to go through with a purchase as they feel uncomfortable about the way their personal data is used. As customers become increasingly aware of data privacy, companies should be more transparent about their collection and processing of personal information, for example, by informing customers about how their data is collected, used and kept, and the purpose for which it is collected. This will help build customer loyalty.

Better database management

By regulating the collection of personal information, data protection regulations motivate companies to conduct a regular internal data audit, which will give them a clear view of what data they should continue collecting and what information to cease collecting. Ultimately, companies will be collecting less but better-quality data, resulting in a ‘cleaner’ and more valuable database.

Improved corporate image

Efforts to protect data and privacy can be integrated into the company’s corporate image. This shows customers that not only does the company comply with the law, but it also cares about the privacy of its customers.

What if you haven’t complied?

Companies which do not comply with data protection regulations may face serious penalties. Non-compliance with GDPR can cost a potential maximum fine of the higher of €20,000,000 (USD 20,400,000) or 4% of global turnover. In China, violators of the Personal Information Protection Law are liable to a maximum fine of RMB 50,000,000 (USD 7,400,000) or 5% of their annual turnover of the preceding year. In Singapore, companies that breach their Personal Data Protection Act can be fined up to SGD 1 million (USD 700,000), or 10% of the organisation’s Singapore turnover.

In addition to monetary penalties, companies may also face heavy costs to their reputation. As the public becomes more concerned about privacy issues, non-compliance with data protection regulations can bring negative publicity and reputation damage, which is costly to handle and may be irreversible.

Implications for small businesses

Many small businesses are undergoing digital transformation, as they see benefits such as increased agility and data-driven insights. For instance, with digitalisation, local businesses can now go global and physical stores can shift to online shops.

However, this also means that small businesses are exposed to greater risks from hackers, malware and other security threats. Hackers tend to target small businesses who may be less protected, in order to steal sensitive data. According to Ponemon (opens a new window), 56% of SMEs have experienced data breaches involving customer and employee information, losing an average of over 9,350 individual records.

Unlike large companies which have a dedicated team to work on data protection, small companies have fewer IT resources. Complex and constantly changing data protection laws and regulatory procedures can be overwhelming to small businesses. However, they must still comply with the laws, and find ways mitigate and transfer risks as they cannot afford the cost and damage brought by non-compliance.

Mitigate and transfer risk

To align businesses with the stringent data protection regulations from around the globe, companies of all sizes are undertaking reviews and rigorous reorganisation. It is never too early to conduct assessment and evaluation to mitigate risks.

Insurance can play critical role in the transferring part of the risk associated with potential data breaches under the respective data protection laws. Cyber insurance can provide cover for firms’ legal liability to pay costs as a result of a civil regulatory action. This may include compensation awarded by the regulator, civil penalties or fines, to the extent insurable by law. This may arise from a breach of privacy caused by the insured or the outsourcers of the insured.

A well-designed cyber policy can provide valuable coverage for many of the exposures. But it’s important to work with the right advisor, who can help you evaluate your unique cyber exposures and help you design an insurance program to meet your specific needs while finding the best risk transfer solution given the current state of the insurance market.

For further information, please contact:

Rob Russell, Regional Head of Global Professional & Financial Risks (GPFR), Asia | +66 (0) 2 635 5000 (Ext. 2801) | (opens a new window)