Asia companies scramble to be compliant ahead of GDPR

A tarnished reputation, a ban on data processing and crippling fines of between €10 million (US$14 million) and €20 million (US$28 million) are just some of the consequences of falling foul of General Data Protection Regulation (GDPR), the biggest shake-up in data protection law in 20 years.

With less than two months before the regulations come into force on May 25, it seems that businesses within Asia-Pacific are dragging their heels when it comes to compliance. A survey released in February from Ernst & Young showed that only 12 percent of those surveyed within the region say they are ready.

Under the new law, any business that has a presence, offers goods or services, or monitors individuals’ behaviours in the European Union (EU) needs to comply with the regulation.

American Express Global Business Travel prepared a white paper, European Union’s General Data Protection Regulation: A guide for APAC companies, outlining the impact of the regulations in Asia-Pacific. Sasha Kalb, its vice president, compliance and risk for APAC, said there are a number of steps event planners and agencies can take to ensure compliance.

These cover the creation of a data inventory. GDPR requires that all regulated companies maintain a written report with the details of all their data processing activities, and ensuring that data processing activities are effectively and transparently communicated to data subjects, which includes having a compliant privacy notice.

Is your company #GDPR ready? Today, GBT’s Sasha Kalb presented at a customer forum in #Sydney on how Australian businesses should be preparing for GDPR. pic.twitter.com/xJ50yI2KyE

— American Express GBT (@amexgbt) March 13, 2018

“Some businesses might only need to tweak their existing programmes and make minor adjustments here and there at a reasonably low cost,” said Kalb. “However, given how comprehensive GDPR is, significant costs are being borne by some companies as they alter their policies to ensure they are compliant.”

And with elements related to meetings and events having the potential to change at a fast pace and with little notice, such as updated delegate lists or revised travel arrangements, Kalb adds that managing GDPR within the sector will be particularly challenging.

“How do you ensure compliance hygiene in such a fast-paced environment?,” she said. “An ability to thrive in this new environment will require focus on planning and processes.”

CWT Meeting & Events has redesigned its privacy programme and put together plans to ensure full compliance. This includes the development of a GDPR governance structure, the appointment of a dedicated data protection officer, the implementation of a data inventory and mapping project and updated documents as part of its global privacy framework.

The agency has also reviewed its contract templates to ensure compliance with GDPR and launched updated employee training and awareness programmes.

In 2018 the European regulation #GDPR will unify #data protection for all individuals in the EU. We tell you why every company needs to handle this, and how we are ready @CWT_ME https://t.co/CXk33eEud2 #data #security #eventprofs pic.twitter.com/hqZKNfMOYs

— CWT Meetings & Events Global (@CWT_ME) November 27, 2017

Cindy Fisher, senior vice president and global head at CWT Meetings & Events said GDPR will impact areas such as the use of personal registration data (eg name, address, citizenship, and age), the use of attendee data for marketing, the retention of session data for analytics and future conference preferences and even the retention of personal data for frequent traveller programs, food preferences, birthdays, and allergies.

“Asia-Pacific planners who only provide ad hoc services to European residents probably will not need to deploy a fully-fledged GDPR programme,” she said. “It is important to meet with your data protection officer or company department responsible for this and work with them to examine the lifecycle of personal data and potential impacts with ad hoc services.”

Other meeting and events planners in Asia-Pacific that have a truly international reach with a major presence in Europe will, she says, need to examine the lifecycle of personal data with a magnifying glass.

At MCI Geneva, Anne Lesca, its group internal controller, says the agency views the onset of GDPR as an opportunity for improving the way business is conducted within the industry.

“We see it as a competitive advantage for our clients, as achieving GDPR compliance is not an easy task,” she said. “Companies that are on the way to achieving this status will have the strong selling point of minimizing risks for their clients.”

She added that MCI has been taking all necessary steps to be one hundred per cent-GDPR ready, such as undertaking potential risk assessments, appointing data protection officers and carrying out a close inspection of its suppliers list to ensure that they are compliant.

Scott Thiel, partner at law firm DLA Piper and based in Hong Kong, said there have been interesting debates with colleagues in Germany around fundamental differences in the definition of privacy within various regions, such as how Asia-Pacific compares to Europe or the US for example.

“Acting for the Asia end, one of the conclusions I am drawing is to perhaps stop sending data to headquarters based in Europe. If there is no need to, you are better off not sending the data there in the first place.”

He added that businesses will need to be more transparent, with the real challenge around substantiating what is “the proper use of data” for collection purposes.

“You need to look at what the event is, who is attending, their expectations,”said Thiel. “We are working with one company that has numerous apps; this has involved looking at each one on an app by app basis, exploring what would be a reasonable use [of data collection], given the functionality of the app. You have to scratch the surface of each case and see whether the use of data is reasonable.”

Regardless of whether GDPR applies to an individual business in the region, Kalb suggested that it’s good practice to roll out training and awareness programmes around the introduction of the regulations.

“The EU is really at the forefront of data privacy legislation and even if the new law doesn’t apply to an organisation right now, similar local regulations may be enforced in the near future,” she said. “Where in the past companies might have been quite relaxed about data privacy protection, they can no longer afford to be.”