Compliance
As you use your smartphone and connected devices more and more, a vast digital data-based footprint is created based on your behaviour. From a regulatory perspective, an important consideration is who owns all this data – the user or the service provider who stores it? If it’s the service provider, then what obligation does it have to store and protect your data? And to what extent can data be shared with third parties? As a result, compliance legislation is evolving to keep up and to protect individuals, consumers, and organisations. It’s vital for professionals today to understand the importance of compliance in business, as failure to comply with these laws could result in significant business risk. More than that, businesses and individuals who not only comply with but embrace these regulations can use them to their advantage – optimising customer experiences and building consumer trust.
GDPR in Europe
Europe’s General Data Protection Regulation (GDPR) was implemented on 25 May 2018 and is intended to harmonise the data protection rules throughout Europe. It grants greater rights to individuals but also imposes significant new burdens on organisations with increased fines and penalties for breach of the rules.
Because the GDPR requires data protection ‘by design and by default’, and grants the right to access and the right to erasure amongst others, companies will need to validate their ability to comply with its data security requirements, to uphold the extended rights of individuals, to produce documentation and security audits, and to issue data breach notifications.
Non-compliance can result in imprisonment of up to 10 years, and fines of up to 4% of global revenue or €20 million, whichever is greater (GDPR) – as well as the accompanying brand reputation damage to those found to fall short.
GDPR in Hong Kong and Singapore
The GDPR primarily affects organisations operating within the EU. However, any company outside of the EU that offers goods or services to data subjects in the EU, or monitors the behaviour of data subjects in the EU, will need to comply with the GDPR. The location of the organisation that collects the personal data is irrelevant; the rules apply when personal data is collected from an individual who is located in an EU country at the time the data is collected and processed, whether they are an EU citizen or not. Conversely, the GDPR does not apply to EU citizens when they are outside of the EU.
According to consultancy EY, nine out of 10 companies in Singapore do not have a plan to cope with GDPR.
Hong Kong businesses may be subject to greater data protection obligations under the GDPR than they currently experience under the Hong Kong Personal Data Privacy Ordinance. The key provisions are:
- Consent – The GDPR requires organisations to obtain freely given, specific, informed, and unambiguous consent before collecting personal data from a data subject, unlike in Hong Kong where businesses generally do not need consent when collecting data, unless for marketing purposes.
- Data Protection Officers – The GDPR requires data controllers, or Data Protection Officers (DPO), to implement technical measures to build privacy by design and to conduct compulsory data-protection impact assessments, amongst other measures. There are no equivalent mandatory provisions in Hong Kong.
- Mandatory breach notification – Under the GDPR, should a DPO experience a breach of security, they will need to notify the Data Protection Authority in the relevant Member State within 72 hours of discovering the breach, unless the breach is “unlikely to result in a risk to the rights and freedoms of individuals”. In Hong Kong, there is no mandatory breach notification requirement.
- New and enhanced rights for individuals – The GDPR gives data subjects certain enhanced rights that are lacking in Hong Kong’s policies:
- The “right to be forgotten” – The right to request erasure of personal data that they have posted online.
- The right to data portability – The right to switch personal data between service providers.
- The right to object to processing (including profiling).
- Data processors – The GDPR imposes statutory obligations directly on data processors – currently not the case in Hong Kong or Singapore – including maintaining records of their processing activities. This means that data processors can face repercussions directly for data breaches.
- Appointment of a designated representative – Non-EU businesses must appoint a representative to act as a point of contact for requests by the supervisory authorities or data subjects and to represent the controller or processor.
How this has affected business
Section 66 of the POPI Bill states that companies are not allowed to send any form of electronic marketing message – such as emails and newsletters – without being granted permission by the recipients to do so.
POPI outlines the following about direct marketing and how companies should act in order to remain compliant in business:
- Collect personal information directly from the data subject
- Collect personal information for specific, explicit, and lawful purposes only
- Only process personal information with the data subject’s consent
- Don’t keep personal information for longer than necessary
- Make it easy for personal information to stay accurate and updated
- Notify the registrar and appoint an information officer
- Protect the security and integrity of personal information
- Any 3rd party/operator must contractually comply
- You must be able to report on the data if asked to do so
- You can only send direct marketing messages if you have the consent of the data subject to do so
- You may request consent
- The data subject must opt-in to every channel
- Where the data subject has requested a change, or opts out of a particular channel, this request must be honoured immediately
While marketing via email and text requires opt-in consent, the wider digital marketing world falls somewhat into a grey area. Whether you need the consent of consumers to serve personalised advertising depends on what it is you want to do. When it comes to personalised advertising, consent is not the only way to justify it. In the EU, many digital marketers rely on the ‘legitimate interest’ argument, where the impact on consumers’ privacy is weighed against the interests of the business. However, efficient data management – recording when, why, and how the information was collected, and that it was only used for the original purpose – will ensure you can demonstrate that your use of data is, or was, compliant.
Communicating with customers
In terms of section 11 of the POPI Act, a consumer may refuse to accept, pre-emptively block, or require another person to discontinue any communication which may be seen as direct marketing. This includes telephone calls, e-mails, brochures, or letters in the mail. Businesses will need infrastructure and systems in place to receive and record consumers’ specific preferences and to abide by these expressed preferences.
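The per-channel opt-in, immediate opt-out, and "record when, why, and how" requirements described in the POPI list above and in this section amount to a consent ledger with purpose limitation. The following is an added illustration written for this page, not code from the article or from any regulator; the class and field names (ConsentLedger, ConsentRecord, Channel) are assumptions, and the subject id and purposes are constructed sample values. It shows why the check must be per channel and per purpose, why opt-outs are recorded rather than deleted (so the audit trail survives), and why the default answer is "do not contact".

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional


class Channel(str, Enum):
    """Direct-marketing channels. POPI requires a separate opt-in for each one."""
    EMAIL = "email"
    SMS = "sms"
    PHONE = "phone"
    POST = "post"


@dataclass
class ConsentRecord:
    """One consent event: who, which channel, why (purpose), how (source), when."""
    subject_id: str
    channel: Channel
    purpose: str            # why the data was collected, e.g. "newsletter"
    source: str             # how it was collected, e.g. "web signup form"
    granted_at: datetime    # when it was collected
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """Append-only ledger of consent decisions (hypothetical helper).
    Records are never deleted, only marked withdrawn, so the when/why/how
    history is still available when asked to report on the data."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    @staticmethod
    def _now(when: Optional[datetime]) -> datetime:
        return when or datetime.now(timezone.utc)

    def record_opt_in(self, subject_id: str, channel: Channel, purpose: str,
                      source: str, when: Optional[datetime] = None) -> ConsentRecord:
        rec = ConsentRecord(subject_id, channel, purpose, source, self._now(when))
        self._records.append(rec)
        return rec

    def record_opt_out(self, subject_id: str, channel: Channel,
                       when: Optional[datetime] = None) -> int:
        """Withdraw every active consent for this subject on this channel.
        Takes effect immediately; returns how many consents were withdrawn."""
        ts = self._now(when)
        withdrawn = 0
        for rec in self._records:
            if rec.subject_id == subject_id and rec.channel == channel and rec.active:
                rec.withdrawn_at = ts
                withdrawn += 1
        return withdrawn

    def may_contact(self, subject_id: str, channel: Channel, purpose: str) -> bool:
        """Purpose limitation: only an active consent for this exact channel
        AND this exact purpose permits the message. Anything else is denied."""
        return any(
            rec.active and rec.subject_id == subject_id
            and rec.channel == channel and rec.purpose == purpose
            for rec in self._records
        )

    def audit_trail(self, subject_id: str) -> List[Dict]:
        """Everything recorded about one data subject, including withdrawn consents."""
        return [asdict(rec) for rec in self._records if rec.subject_id == subject_id]


def demo() -> Dict[str, bool]:
    """Walk through one constructed data subject's consent lifecycle."""
    ledger = ConsentLedger()
    ledger.record_opt_in("subj-001", Channel.EMAIL, "newsletter", "web signup form")
    result = {
        # consented channel and purpose: allowed
        "email_newsletter": ledger.may_contact("subj-001", Channel.EMAIL, "newsletter"),
        # same purpose, different channel: no opt-in for SMS, so denied
        "sms_newsletter": ledger.may_contact("subj-001", Channel.SMS, "newsletter"),
        # same channel, different purpose: outside the original purpose, so denied
        "email_survey": ledger.may_contact("subj-001", Channel.EMAIL, "survey"),
    }
    ledger.record_opt_out("subj-001", Channel.EMAIL)   # honoured immediately
    result["email_newsletter_after_opt_out"] = ledger.may_contact(
        "subj-001", Channel.EMAIL, "newsletter")
    return result


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

The design choice worth noting is that `may_contact` answers only from active records that match both channel and purpose, so a data set collected for one purpose cannot silently be reused for another, and an opt-out flips the answer without destroying the evidence of the original consent.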
The business risks
To ascertain your business’s compliance in light of POPI or the GDPR, an initial complete survey of the business’s current personal data processing activities should be carried out. This can include its data protection and privacy policies, notices, international data flows, agreements and templates, products and services using personal data, advertising/marketing activities, and operational protocols. Assess which of the existing procedures and policies are adequate, and which are lacking or absent.
When classifying what you find into low-, medium-, and high-risk areas, consider the following:
- The risk of exposure – for example, is this a public-facing privacy notice?
- What category of fines this non-compliance falls under
- Whether there is a nonconformity that was already required under an earlier law
- What reputational concerns are at risk
- Whether something can be made compliant quickly
- Whether agreements with third parties or business operations are at risk
- Whether regulators have already signalled interest in particular areas or issues
When people think ‘big data’, they usually think of major online retailers or social media giants. However, organisations of all sizes and sectors are getting closer to their data to improve and personalise the customer experience. This often creates new opportunities, and can even transform entire industries. The UK’s NHS Business Services Authority utilised recent data that has helped improve patient care and save nearly £600 million.