Asia
Select regional store:

The General Data Protection Regulation (GDPR)

What is the GDPR?

The EU GDPR (General Data Protection Regulation) is a pan-European data protection law, which superseded the EU’s 1995 Data Protection Directive and all member state law based on it, including the UK’s DPA 1998 (Data Protection Act 1998), on 25 May 2018.

The EU GDPR extends the data rights of individuals (data subjects) and places a range of new obligations on organisations that process EU residents’ personal data.

It also applies a “broadly equivalent regime” – known as “the applied GDPR” – to certain types of processing that are outside the EU GDPR’s scope, including processing by public authorities, and sets out data processing regimes for law enforcement processing and intelligence processes.


Who does the EU GDPR apply to?

The EU GDPR applies to:

  • EU organisations that collect, store or otherwise process the personal data of individuals residing in the EU, even if they’re not EU citizens.
  • Organisations based outside the EU that offer goods or services to EU residents, monitor their behaviour, or process their personal data.

It distinguishes between ‘data controllers’ and ‘data processors’:

  • A data controller is the natural or legal person, public authority, agency or any other body that determines how and why personal data is processed.
  • A data processor is the natural or legal person, public authority, agency or any other body that processes personal data on behalf of the data controller.

Your compliance requirements differ depending on whether you are a controller or processor – or both.


The GDPR – what it means for companies in the Asia-Pacific region

The GDPR applies to any organisation collecting, storing or processing EU residents’ personal data, irrespective of the organisation’s location or where the data is processed. Asia-Pacific companies with any connection to Europe – whether through subsidiaries, customers or suppliers – stand to be affected. Organisations should therefore take steps to determine whether the GDPR is applicable, and to consider revising their information handling processes to ensure compliance.

GDPR compliance is not just a matter of ticking a few boxes, though: the Regulation also demands that you be able to demonstrate compliance with the data processing principles. Compliance involves taking a risk-based approach to data protection, ensuring appropriate policies and procedures are in place to deal with the requirements for transparency and accountability, and to protect individuals’ rights, as well as building a workplace culture of data privacy and security.

In some cases, GDPR compliance will build on existing measures that many organisations adopt as a matter of good practice or to comply with national laws, such as the Privacy Act 1988 (Australia), the Personal Data Protection Act (Singapore), the Personal Data (Privacy) Ordinance (Hong Kong) and the Cybersecurity Law (Mainland China).

With the appropriate data protection compliance framework in place, not only will you be able to avoid significant fines and reputational damage but you will also be able to show customers that you are trustworthy and responsible, and derive added value from the data you hold.


GDPR overview

Click to expand some key changes introduced by the Regulation:

  • Establishing a governance structure with roles and responsibilities.
  • Keeping a detailed record of all data processing operations.
  • Documenting data protection policies and procedures. Read our blog, How to write a GDPR data protection policy >>
  • Carrying out DPIAs (data protection impact assessments) for high-risk processing operations. Read our blog, Why every organisation needs data protection impact assessments >>
  • Implementing appropriate technical and organisational measures to secure personal data.
  • Conducting GDPR staff awareness training.
  • Where necessary, appoint a data protection officer.

Read our EU GDPR compliance checklist >>

  • Processed lawfully, fairly and transparently.
  • Collected only for specific legitimate purposes.
  • Adequate, relevant and limited to what is necessary.
  • Accurate and, where necessary, kept up to date.
  • Stored only as long as is necessary.
  • Processed in a manner that ensures appropriate security.

  • If the data subject has given their consent.
  • To meet contractual obligations.
  • To comply with legal obligations.
  • To protect the data subject’s vital interests.
  • For tasks in the public interest.
  • For the legitimate interests of the organisation.

Read our blog, GDPR: lawful bases for processing, with examples >>

  • Consent must be freely given, specific, informed and unambiguous.
  • A request for consent must be intelligible and in clear, plain language.
  • Silence, pre-ticked boxes and inactivity will no longer suffice as consent.
  • Consent can be withdrawn at any time.
  • Consent for online services from a child under 13 is only valid with parental authorisation.
  • Organisations must be able to evidence consent.

  • Appropriate safeguards should be integrated into the processing.
  • Data protection must be considered at the design stage of any new process, system or technology.
  • A DPIA (data protection impact assessment is an integral part of privacy by design

Read our blog, The GDPR’s requirements for encryption >>

  • When personal data is collected directly from data subjects, data controllers must provide a privacy notice at the time of collection.
  • When personal data is not obtained direct from data subjects, data controllers must provide a privacy notice without undue delay, and within a month. This must be done the first time they communicate with the data subject.
  • For all processing activities, data controllers must decide how the data subjects will be informed and design privacy notices accordingly. Notices can be issued in stages.
  • Privacy notices must be provided to data subjects in a concise, transparent and easily accessible form, using clear and plain language.

  • Where the EU has designated a country as providing an adequate level of data protection;
  • Through standard contractual clauses or binding corporate rules; or
  • By complying with an approved certification mechanism, e.g. EU-US Privacy Shield.

Many non-EU organisations that process EU residents’ personal data will also need to appoint an EU representative.

  • Data processors are required to report all breaches of personal data to data controllers.
  • Data controllers are required to report breaches to the supervisory authority within 72 hours of becoming aware of them if there is a risk to data subjects’ rights and freedoms.
  • Data subjects themselves must be notified without undue delay if there is a high risk to their rights and freedoms.

Read our blog, GDPR data breach notification A quick guide >>

  • Public authorities;
  • Organisations involved in high-risk processing; and
  • Organisations processing special categories of data.

A DPO has set tasks:

  • Inform and advise the organisation of its obligations.
  • Monitor compliance, including awareness raising, staff training and audits.
  • Cooperate with data protection authorities and act as a contact point.

Personal data

What is personal data? 

Personal data is any information relating to an identified or identifiable natural person (data subject). The GDPR places much stronger controls on the processing of special categories of personal data than the DPA 1998 did. The inclusion of genetic and biometric data is new.

Personal data

  • Name
  • Address
  • Email address
  • Photo
  • IP address
  • Location data
  • Online behaviour (cookies)
  • Profiling and analytics data

Special categories of personal data

  • Race
  • Religion
  • Political opinions
  • Trade union membership
  • Sexual orientation
  • Health information
  • Biometric data
  • Genetic data

The wider scope of the GDPR

The GDPR does not merely apply to organisations located in the EU. If a company in the Asia-Pacific region processes personal data through a business establishment in the EU or in the course of one of the following activities, it must comply with the Regulation:

  • Offers goods or services to people in the EU. Simply being able to access the company's website from the EU will not be sufficient to trigger the application of the GDPR, however. For the Regulation to apply, the company must clearly intend to offer services to individuals located in the EU.
  • Monitors the behaviour of individuals in the EU. This includes a host of activities, from tracking Internet users, such as through advertising technology platforms, to profiling and analysing their preferences, behaviours and attitudes.

Asia-Pacific companies not established in the EU that meet one of the above qualifying factors may have to appoint a representative based in the EU as the contact person for all questions on data protection from consumers and data protection authorities. A representative will not be required where processing is occasional or does not include large-scale processing of special categories of data.

Service providers (data processors) that process data on behalf of an EU organisation also come under the remit of the GDPR and will have specific compliance obligations. An example might be a company that processes payroll or a Cloud provider that offers data storage, even if the server sits outside the EU.


GDPR penalties and fines

The maximum fine under the GDPR is up to 4% of annual global turnover or €20 million – whichever is greater – for organisations that infringe its requirements.

There are two tiers of administrative fine that can be levied as penalties for GDPR non-compliance:

  1. Up to €10 million, or 2% of annual global turnover – whichever is greater; or
  2. Up to €20 million, or 4% of annual global turnover – whichever is greater.

Fines are discretionary rather than mandatory. They must be imposed on a case-by-case basis and should be “effective, proportionate and dissuasive”.


How are GDPR fines determined?

Fines of up to €10 million or 2% of annual global turnover can be issued for infringements of articles:

  • 8 (conditions for children’s consent);
  • 11 (processing that doesn’t require identification);
  • 25–39 (general obligations of processors and controllers);
  • 42 (certification); and
  • 43 (certification bodies).

Fines of up to €20 million or 4% of annual global turnover can be issued for infringements of articles:

  • 5 (data processing principles);
  • 6 (lawfulness of processing);
  • 7 (conditions for consent);
  • 9 (processing of special categories of data);
  • 12–22 (data subjects’ rights); and
  • 44–49 (data transfers to third countries or international organisations).

How IT Governance can help you comply with the EU GDPR

IT Governance, a leading global provider of IT governance, risk management and compliance solutions, is at the forefront of helping organisations address the challenges of EU GDPR compliance.

This website uses cookies. View our cookie policy