5 questions with Straits Interactive on General Data Protection Regulation

While most businesses have likely heard of GDPR, there is still some confusion as to what extent GDPR compliance is an issue for businesses located in ASEAN. To help shed some light on the issue, we speak with Kevin Shepherdson, CEO of Straits Interactive.

1. Why should SMEs based in ASEAN be concerned about GDPR compliance?

Organisations might consider data protection laws as a low priority and underestimate the impact of the GDPR on the processing of personal data around the world.

However, SMEs based in ASEAN should be concerned about GDPR compliance because it applies to countries outside the European Union (EU) if they target individuals in the EU. Whether that be through providing goods and services or profiling (tracking behaviours on their websites), or if they have an office or branch located in the EU, SMEs across the world should be GDPR compliant.

Another reason why SMEs based in ASEAN should be concerned about GDPR compliance is because some business partners, customers, and suppliers might demand GDPR compliance as a condition of dealing with the SME. This can happen in larger organisations which want to make sure their entire supply chain or business network is GDPR compliant - as a way of avoiding risk through business partners, customers and suppliers.

Many organisations take a blanket approach covering all of their network as a matter of administrative convenience. Failing to satisfy these requirements can mean a loss of valuable business opportunities for SMEs.

2. Given that GDPR was adopted in 2016 and has been enforced since May 25th 2018, have you noticed SMEs in the region becoming more aware and prepared?

As a result of compliance demands from business partners, customers, and vendors, SMEs in ASEAN are becoming more and more aware of GDPR requirements. But, more often than not, SMEs are still unprepared for it. We regularly see SMEs in ASEAN who have no idea that the GDPR might apply to them and they might be fined by the EU for failure to comply. In case I'm putting too much emphasis on the risk of fines here, it's also important that a regulatory failure brings with it substantial reputation damage - which can be more expensive than paying a fine or the management disruption caused by a regulatory investigation.

What's missing in the ASEAN region is a business culture of focusing on data privacy and protection, as part of everyday business functions which process personal data (HR, finance, marketing, procurement etc.). Even with a PDPA data protection officer, many SMEs are only concerned with data privacy and protection as a legal or compliance issue, rather than something involving operational processes across businesses.

3. What are the top 3 most common mistakes/misconceptions SMEs have about GDPR?

#1 GDPR does not apply to local companies

From our conversations and work with SMEs, the most common misconception is that they aren't covered by GDPR because they're not in the EU. Generally their risk is related to the companies and individuals they work with, monitor and target. For example, an SME might be providing outsourced solutions like customer service or software support to a firm in the EU, which makes them a data processor for that EU firm. They might not be in the EU but their customers won't deal with them unless they also comply with GDPR.

#2 Data breaches only happen to big companies

The majority of PDPC enforcement cases in Singapore involved an SME. While 77% of all cases were due to contravening the protection obligation under the PDPA, only less than 20% were because of an actual cyber attack.

The top 3 common causes of PDPC breaches resulting mainly in unauthorised disclosure of personal data were actually caused by:

- A lack of information security training

- A lack of proper standard operating procedures in protecting personal data

- Weak administration and physical controls besides the usual technical controls.

These can happen to any organisation.

Although these are Singapore figures, we have seen the same general pattern elsewhere under data protection law. It's reasonable to expect that the Singapore experience is not substantially different from what we'd see elsewhere in the ASEAN region.

#3 Data Protection Officer requirements and EU Representative requirements

Companies may also require a data protection officer (DPO) under the GDPR. For SMEs in the ASEAN region with no presence in the EU, there will still be a requirement under GDPR to appoint an EU representative.

The GDPR has specific requirements for DPOs, for example: expert knowledge of data protection law and practices. While the PDPA doesn't specifically state a DPO must be an expert, it is encouraging to see that organisations and SMEs in Singapore have been approaching Straits Interactive seeking international certifications in data privacy.

4. What are 3 actionable takeaways that SMEs can do immediately?

We would suggest:

#1 To comply with the PDPA first, especially if nothing has been done within the organisation. After this, companies can transition to achieve full compliance. More often than not, the difference between PDPA compliance and GDPR compliance is not substantial. We work with a lot of clients with GDPR in mind, as well as covering compliance on a local level. Data privacy compliance should be treated as a standard operating procedure within organisations if it deals with personal data. If there is a complaint or a breach, SMEs will need to demonstrate accountability and compliance.

#2 Appoint your DPO and Data Protection governance committee. Go for hands-on compliance courses instead of just seeking legal guidance. Straits Interactive runs PDPA and GDPR hands-on courses in conjunction with Singapore Management University that will help organisations achieve operational compliance in the shortest time and with the aid of a powerful privacy software platform.

#3 Identify the top five to 10 PDPA risks faced by your organisations and address them immediately with thorough policies and procedures backed by a strong and active data protection management programme (DPMP). Steps in doing this include taking a complete personal data inventory and then analysing the business data flows (how data is collected, used, stored/disposed, shared to identify the risks associated with the handling of personal data. Then identify standard operating procedures to manage those risks.

The good news for Singaporean SMEs is that the PDPC has identified the importance of having a data protection management programme as a key competency for DPOs, and has made a new Practitioner course available which has Skills Future funding. These, along with dedicated data protection officer hands-on training and professional certifications, all have generous funding support from the government towards operational compliance.

However, we cannot expect these funding to be available forever, and we strongly urge SMEs to leverage on this opportunity to participate in this joint effort towards growth.

Most important of all, when processing personal data relating to people who live in Europe, do bear in mind that personal data is considered a human right in Europe - so treat it with respect!

5. What is the cost of compliance?

As a start, SMEs should get their PDPA compliance in order before tackling the GDPR. For SMEs, the bug-bear relates to three factors: No budget; No time; No people.

Companies may not have budgeted for such, but there is government funding available to alleviate some of the cost of training and system implementation - such as the SkillsFuture, IMDA's CITREP+ and EDG (Enterprise Development Grant) schemes.

There are also hands on courses that make use of a company's own information, to quickly cut down the time. SMEs can also utilise the government's PCP scheme to help them in hiring a data protection professional to take on the role.