What businesses need to know about the General Data Protection Regulation

  • Published: 6 June 2018
  • Author: Jocelyn Ho

Have you been receiving multiple emails about your data privacy lately? Two weeks ago, the European Union’s General Data Protection Regulation (GDPR) came into full affect. Although it is intended to protect customer’s personal data from unauthorised use, it could mean a complex case of data management if not properly handled by businesses.

What is the GDPR?

The GDPR was established in 2016 under European Union (EU) law to protect the personal data privacy of those within the EU and the European Economic Area. It is enforced by national governments and aims to give customers control over their personal data by strengthening enforcement and increasing fines for non-compliance. Though implemented in 2016, news coverage has recently increased because the EU had given businesses a two-year transition period to slowly prepare themselves for the official deadline on May 25, 2018.

Personal data is defined as “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly.” Under the regulation, businesses must:

  • clearly disclose any data that has been collected,
  • declare the lawful basis and purpose for how they will use this data,
  • disclose how long data will be retained, and
  • if it is being shared with any third-parties or outside of the EU.

Citizens will also have the right to request a portable copy of any data that has been collected, in addition to exercising their “right to be forgotten”, which means that they have the authority to ask for their data to be erased under certain circumstances. In cases of non-compliance, regulators can fine businesses up to four percent of their global revenue.

How does it differ from the existing regulation in Hong Kong?
The Hong Kong Privacy Commissioner for Personal Data (the Privacy Commissioner) is the authority responsible for implementing the Personal Data (Privacy) Ordinance (Cap. 486) in Hong Kong, as well as the GDPR. Comparatively, the GDPR is more stringent than Cap. 486 in that consent must be freely given, specific and informed. Businesses are required to notify the authority when there is a breach of data use and customers have the “right to be forgotten,” none of which is covered under Cap. 486.

What does this mean for businesses and what actions will be required?
Even though Hong Kong is not part of the EU, businesses headquartered in Hong Kong with subsidiaries in the EU, and those offering goods or services to individuals in the EU are affected by this regulation. Whilst it may seem that the activation of the GDPR can be an administrative burden, if done properly, it can be a competitive advantage to a business as a brand-building component. For customers, increased transparency is a means of trust. Findings from a survey revealed that 73% of consumers agreed that easy-to-read privacy policies would increase their trust in companies with regard to the protection of their personal information1 . By proactively protecting the privacy of your customers, they are more likely to maintain long-term relationships with your business.

A risk based approach with proactive measures and plans in place to prevent misuse of customers’ personal data will be required. The Privacy Commissioner has outlined five measures companies to consider when demonstrating their compliance:

  • Integrate a privacy by design approach by taking into account privacy throughout the entire process
  • Conduct a Data Protection Impact Assessment to identify and manage risks
  • Develop internal policies or guidelines to outline the activities required to maintain compliance
  • Appoint a Data Protection Officer to monitor, implement and advise on compliance with GDPR
  • Maintain records of processing activities

To assess whether your company’s operating procedures need adjustments to comply with GDPR, businesses should examine their existing data management procedures. For those with stringent procedures in place that already partially fulfil the GDPR, this avoids potential duplication of work. Once procedures are assessed, a gap analysis of what is required by the Privacy Commissioner compared with what is already in place would be necessary to identify what next steps to take and the amount of resources required for implementation. From there, an internal compliance strategy should be developed, outlining all the necessary steps and personnel required. The strategy should be tailored to the operating scale and nature of goods and services provided by the company so that the most efficient and cost-effective procedure is implemented. To demonstrate the business’ commitment to compliance, a company-wide policy on data processing and management could be developed as a communication tool for both internal and external use.

Recommended reading: