Countdown to GDPR: Even everyday tasks will be affected
On 25 May 2018, the General Data Protection Regulation (GDPR) comes into effect in the EU and around the world, regulating how businesses should handle personal data. The regulation will affect businesses of all sizes including those in Singapore, due to its extra-territorial reach.
In Asia, many businesses think that the GDPR will not affect them, and are still not ready for the regulation. According to EY, only 10% of Singapore companies have a GDPR compliance plan in place, far below the global average of 33%. While the reality is that most companies will not be fully compliant by 25th May, we should still start taking steps in the right direction today.
Even things we do every day without a second thought will be affected by the GDPR. With the regulation’s complexity, organisations need to be more careful about handling data in various contexts. Here are some examples of activities that you should reconsider as these simple tasks may lead to difficult outcomes:
1. Sending office greeting cards
Businesses that send greeting cards, such as Christmas cards, to customers in Europe should hold their horses. If you do not have express consent to contact each customer, mailing to home addresses – considered personal data – may not be legitimate under the GDPR. E-cards will have to suffice.
2. Forwarding a candidate’s resume for a second opinion
Candidates’ resumes are considered personal data, and thus protected under the GDPR. Instead of forwarding them as is, anonymise them by removing names, addresses, phone numbers and any other personally identifiable information. This is also a growing trend among businesses as part of an approach to remove gender and race bias in recruitment.
3. Ticking the box to join a mailing list
Do registration forms on your website have pre-ticked boxes for customers to receive marketing information? You might want to rethink that. Under the GDPR, silence and inactivity will no longer suffice as consent. Privacy policies should also be revised, because businesses’ requests for consent to use personal information must be intelligible and in clear, plain language.
Aside from day-to-day activities, the GDPR also makes it a business imperative for all organisations to demonstrate compliance with its data processing principles. In some cases, companies may need to formally appoint a Data Protection Officer (DPO) before carrying out any large-scale processing of personal data.
Additionally, data breach management under the GDPR now makes disclosure the top priority. Personal data that is accidentally or unlawfully lost, destroyed, altered or damaged must be reported to supervisory authorities within three days. All individuals impacted must also be informed if the breach is high risk and likely to lead to financial loss, identity theft or fraud.
The GDPR has long arms and will surely affect businesses in Asia, one way or another. With fines of up to €20 million, or 4% of worldwide annual revenue, it’s easy to feel paralysed by the GDPR’s heavy impact. Rather than fearing the regulation, businesses should take the GDPR as an opportunity to demonstrate a commitment to customers’ data privacy.