Why Europe's GDPR affects data protection practices in Asia

2022-11-18

Since its implementation in 2018, the European Union’s General Data Protection Regulation (EU GDPR) has been widely seen as the global regulatory standard in the data protection and privacy landscape. In many countries enacting new data protection laws or modernising existing ones, such as Thailand and Indonesia, the GDPR has been viewed as a useful yardstick.

The GDPR was designed to ensure the protection of personal data processed by both public and private organisations within the EU. Privacy is regarded as a human right that is necessary to protect, especially when it comes to business practices and personal data.

How does the GDPR affect companies outside of the EU?

It is not unusual to see multinational corporations that are headquartered in the EU choosing to take the GDPR as the default position for data privacy across all of their global operations to ensure consistency among the countries in which they operate. At times, these corporations take that position simply because they think that it is the right thing to do.

On the flip side, Asian companies that choose to market their goods or services to individuals located in the EU, or that choose to profile such individuals, must comply with the GDPR when they carry out these activities. For most Asian companies, such compliance is typically little different from complying with local data protection or data privacy law.

If you are interested in learning more about the GDPR and how it applies to the region of Asia, check out our course here.

Meet ASEAN, the up-and-coming region for privacy regulations

By 2022, all of ASEAN’s founding members are expected to have data protection laws in place, and recent trends indicate that the entire region is pressing the reset button on data privacy, opening up new business opportunities and driving strong demand for data protection talent.

The job market for data protection and privacy professionals is expected to rise, with many looking to pursue professional certifications to be a part of, or to further their careers in, this industry. Find out more about the insights from Singapore’s Data Protection Job Trends research in 2021 by viewing a slide deck or an infographic.

The DPEX Network recently held a webinar regarding the enforcement cases in the European Union and Singapore, both of which had data protection laws in force for quite some time. Insights from the research and analysis conducted on the enforcement cases were shared by a distinguished panel of experts from the region. 

During the webinar, Dr Prapanpong Khumon, former Advisor to the Secretary-General of the Personal Data Protection Commission in Thailand, noted that data from the analysis is extremely valuable for countries emerging in the data protection landscape. He said that the statistics are very good for the Thai data protection circle moving forward and that the Thai law is based heavily on the EU GDPR. The Thai Personal Data Protection Act will be fully enforceable from 1 June 2022.

Get a brief overview through our webinar summary here.

Biggest privacy risks for users in the new age

The extent to which users are tracked across applications and social media, generally for the purpose of serving targeted advertising, is probably considered the biggest privacy risk for users today. It is a subject of considerable regulatory concern in the European Union and change is likely in the next year or two.

Other prominent privacy risks include data mining, identity theft and phishing. Typically, users provide many pieces of personal information when they sign up for social media accounts or memberships. All of this data is gathered and analysed by companies to do better targeting for advertising campaigns, or for the data to be sold.

Identity theft is also a risk since bad actors may use an individual's profile information to impersonate them. With cyber attacks and phishing on the rise, criminals could attempt to “phish” for personal data and they could do so by sending phishing links via messages to an individual’s contact list or by gaining control of social media accounts.

To protect their interests, it is important for individuals to know their rights under the PDPA and to ask organisations that collect their personal data why they do so, and how they will use, disclose, and protect that data. Published privacy policies of organisations can provide insight into the purpose behind the collection of data and how the organisations will use, disclose and protect personal data. It is therefore good practice to make it a habit to read the privacy policy before downloading an app, for instance, so that you know what the organisation is doing in relation to personal data.

For organisations, it is critical for the internal data protection management programme (DPMP) to be implemented properly and reviewed regularly to ensure that operational practices are aligned with good data protection culture.

Find out how to develop a robust data protection management programme through our course here.

For more Data Protection resources, visit www.dpexnetwork.org. Sign up for free as a member to have full access to all content. This article was first published on 19 May 2022.


