Asian Data Protection Regulations vs GDPR
In recent years, regulators in several Asian countries have built frameworks of data privacy requirements, although with different levels of stringency. Some of them have taken GDPR as a benchmark and adopted similar requirements. The objective of this study is to highlight the current gaps and common points between GDPR and local Asian regulations.
GDPR applies extraterritorially: it reaches organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU, so it affects many businesses in the APAC region. For companies and organizations that must comply with GDPR, it is important to identify the common points between the European regulation and the local APAC regulations, and the gaps that may need to be addressed. The study was conducted by identifying key requirements of GDPR and comparing them with the local regulations of 11 countries in the APAC region. Several sources were used for this analysis, including published articles, studies and the text of the local regulations. The results are based mainly on qualitative criteria used to compare the different laws.
The graph below presents a key outcome of our analysis: the different levels of alignment of each local regulation with GDPR.
The outcome is based on key criteria derived from GDPR, grouped into two axes:
General obligations
Data subject rights
To estimate the "level of alignment" for each country, a different "weight" has been allocated to each criterion. This reflects the fact that GDPR requirements differ in scope and in the complexity they impose on the organizations concerned, and some requirements are clearly more burdensome than others.
The data protection analysis considered the following requirements and criteria from GDPR:
About general obligations
A data security obligation is the most widely shared requirement: the majority of local data protection regulations address it.
Other requirements, such as data breach notification, privacy impact assessments (PIAs), training, organisation and governance, are very heterogeneous, with levels of complexity and stringency that differ markedly from country to country. Data protection by design and by default is, according to our analysis, mandatory to the same degree as under GDPR in Hong Kong and Singapore, required in a lighter form in Australia and South Korea, and almost non-existent in most other Asian countries.
In conclusion, the gaps between GDPR and the APAC regulations can be significant, which poses a serious risk to businesses subject to GDPR. Organizations should perform a detailed analysis at country level to identify the specific gaps and decide how to address them.
About data subject rights
GDPR places strong emphasis on enforceable data subject rights and provides a harmonized framework across the EU. For every company subject to data protection regulation, the key point is to be transparent about how personal data is handled and to honour data subject rights, in order to build user trust. Here again GDPR sets a high standard, higher than the data protection regulations of the APAC region.
Across the countries studied, the regulatory requirements for data subject rights and consent management vary widely.
With the exception of India and Thailand, a few key rights are common to and mandatory in all the Asian countries studied: the right to be informed, the right of access and the right to rectification.
Currently, Thailand and India impose weak data subject rights requirements, with the exception of the right to restriction of processing, which is aligned with GDPR.
Consent requirements are likewise unevenly addressed across the APAC region. For instance, consent for direct marketing is aligned with GDPR in South Korea, Malaysia and Singapore, while consent for automated decision-making is aligned with GDPR in South Korea, Mainland China and the Philippines.
The right to erasure (right to be forgotten) is defined and implemented differently in each country, and is almost absent from the current data protection regulation of India and Thailand.
The cost of being GDPR compliant
Based on our past experience and previous corporate assignments, we have estimated the average cost of a GDPR implementation in a company with a low level of GDPR compliance maturity.
Ten main categories have been identified for a typical GDPR implementation project, each contributing differently to the total cost of the project:
In general, data subject rights and consent management requirements account for about 25% of total GDPR implementation costs, covering both process and IT-related work.
IT implementation costs are the most significant. They depend strongly on the company's existing data compliance maturity and can exceed 60% of the total GDPR implementation cost, counting the IT work needed for consent, data subject rights, and the IT requirements arising from privacy by design and PIAs.
Next steps overview
Despite the differences identified, some Asian countries are taking good steps toward a more comprehensive personal data protection framework in order to close the gap, and India is one of them. The Draft Personal Data Protection Bill introduced in 2018 has more in common with GDPR than the current regulation, including a clearly stated purpose of processing for personal data, key data subject rights and the appointment of a DPO. A few major differences remain, however: for instance, the Draft Bill does not provide a right to erasure equivalent to GDPR's right to be forgotten. The path to approval and application of the Draft Bill is still long, and it should take one or two years before it becomes effective.
Thailand is also expected to improve its current regulation significantly with the Personal Data Protection Act (PDPA). The Act was recently approved by the National Legislative Assembly and will soon be enacted as law. In this new regulation Thailand addresses many GDPR-like requirements, in particular the consent of the data subject and data subject rights, including the right to erasure, the right of access and the right to data portability, to mention a few. Following GDPR, the PDPA also introduces the roles of controller and processor, the appointment of a DPO and an obligation to notify data breaches.
In general, following recent security incidents and data breaches, most Asian countries have strengthened their personal data protection regulation in recent years. We foresee further developments in this direction, toward a more harmonized and homogeneous framework across the APAC region. Such a trend should reduce complexity and costs for corporations with multinational businesses and operations.