APAC Firms Risk Being Red Carded for GDPR Non-compliance

GDPR may be here, but many APAC firms are still unprepared.

Consulting firm EY, which made this key observation, noted that many firms in the region are yet to develop sufficient compliance plans to address GDPR requirements.

More sobering is the fact that many have not even started to examine whether GDPR impacts their activities and operations.

“The GDPR is a game changer, establishing a new global gold standard in data protection. Its reach adds to the complexity of compliance and no organization can afford to be complacent. This presents significant challenges for Asia-Pacific organizations attempting to meet consumers’ increasing privacy expectations and comply with privacy requirements across Asia-Pacific borders,” said Nicola Hermansson, Director and EY Asia-Pacific Privacy Leader.

Due to GDPR’s vast extraterritorial reach, four industries in the Asia-Pacific region stand to lose the most under GDPR: banking, tourism/leisure, airline, and retail.

Specifically, APAC firms that process the personal data of individuals located in the EU (at the time of any processing) may need to comply with the regulation. Examples include:

  • APAC banks monitoring their customers’ transaction activity while they are traveling within the EU
  • APAC tourism companies using cookies to track and analyze EU-located customers’ browsing and purchase histories to infer their preferences, hobbies, and habits
  • APAC retailers selling products on their websites and allowing customers based in the EU to place orders and settle payments in euros
  • APAC insurers emailing existing or former customers now located in the EU to renew their policies or offer additional insurance products

Firms that fail to comply with the new GDPR regime will be liable for penalties of up to 4% of their worldwide annual revenue or EUR 20 million, as well as class action lawsuits from individuals and a prohibition on processing personal data.

EY noted that financial penalties are not the only concern; non-compliant firms stand to lose customer trust.

Instead, EY urged firms to approach GDPR proactively and treat compliance as an initiative to build customer trust.

“A low level of alertness and preparedness could have more far-reaching implications than just financial penalties, as organizations’ failure to protect and respect their customers’ personal data will lead to customer trust being eroded. Rather than seeing it as purely a compliance issue, organizations should be proactive and consider that the GDPR is an opportunity to reaffirm their resolute commitment to managing customers’ data securely,” Hermansson said.