Asia-Pacific businesses that assume they need not worry about the upcoming European Union's data privacy laws should think again, as they may need to ensure compliance even if they do not physically operate in the region.

Slated to take effect on 25 May next year, the General Data Protection Regulation (GDPR) would enable more than 500 million citizens in the European Union (EU) to move their data from one provider to another, as well as instruct any organisation to stop building profiles on them. Businesses found to have breached the privacy laws would face fines of up to 4% of their annual global revenue or €20m (£17.65m), whichever amount was greater.

To help marketers manoeuvre in a GDPR landscape, IAB Australia worked with consulting firm EY to produce materials, as well as presentations and webinars, that aimed to provide guidance on the impact of new EU laws. These initiatives were to be rolled out this month, according to Kamani Krishnan, director of regulatory affairs at IAB Australia.

The initiative would help its members understand issues related to the EU legislation, particularly, how and when they might be impacted and must be in compliance. Krishnan added that is also would offer practical tips on how to ensure compliance.

"Given the potential fines of a minimum of €20m, or 4% of global revenue, it is far too risky for organisations to ignore GDPR, hoping it will not apply to their operations", she cautioned. "GDPR applies far more widely than existing EU privacy laws; so every organisation needs to consider if they will be impacted."

Kamani Krishnan, Director of Regulatory Affairs, IAB Australia

Even if organisations were not established in the EU, any business entity that conducted business in the region, or collected personal data of any EU residents, including indirectly via a third party, likely would be covered by GDPR.

This included companies that tracked or profiled any EU residents' online behaviour, even if they were doing so on behalf of a customer or third party, she explained.

GDPR influence goes global

Enza Iannopollo, Forrester's analyst for security and risk, stressed that GDPR was becoming a global standard for the protection of consumer privacy. She pointed to the research firm's latest Privacy Heat Maps, which assessed privacy regulations in 54 countries and found a convergence towards Europe's standards.

Japan, for instance, had significantly beefed up its existing policies and created an independent regulatory body to oversee privacy issues.

Iannopollo noted: "We also see more and more countries adopting data residency rules similar to those that we have in Europe. Therefore, every company should consider GDPR requirements as they design their data handling practices and privacy policies."

Forrester's global data privacy heat map

IAB Australia recommends all organisations comprehensively investigate their potential need for compliance and to seek expert advice if necessary.

To start off, Krishnan said, they should initiate a data-mapping exercise to determine what kind of personal information they were collecting and the origins of such data, be it from a third party or individual consumers. Businesses also should be aware of how they were using the data and to whom or where they might disclose personal data.

Iannopollo concurred: "Marketers must take procedural, technological, and organisational steps to ensure their data sourcing and handling practices are in line with GDPR.

"The first thing they must do is to determine which data falls within GDPR. Companies must classify data in a dynamic manner and determine whether single or multiple pieces of data allow them to directly or indirectly identify someone. If the answer is yes, that's personal data and falls within the scope of the rules."

The Forrester analyst recommends that businesses start by building a cross-functional team responsible for leading privacy initiatives. They then need to understand their data and assess risks associated with their data-driven activities. Organisations need to design and instil policies that complied with government regulations, as well as their customers' privacy expectations.

Krishnan noted that data mapping should be carried out for all information collected and used, adding that this would provide a clear picture of whether the organisation had or was using any EU customer data.

Only when they had completed their data mapping would they be able to assess if they were impacted by GDPR, she said.

With the May 2018 deadline looming, Iannopollo urged businesses to begin – if they had not already – preparing for the new rules, as GDPR often required profound changes in the company's systems, processes, oversight, and skillsets.

Asked how it was assessing its GDPR compliance, AdAsia Holdings' CEO and co-founder Kosuke Sogo said he had appointed a data-protection officer to help ensure a smooth transition.

Noting that data was the foundation of today's marketing and advertising landscape, Kosuke explained: "Even though the majority of our clients are Asian-based, some have operations in Europe, or target European audiences, and this has an indirect impact on our operations.

"Our advertiser and publisher engagement teams will be consulting with impacted clients to ensure their first-party data and collection methods are compliant with the new regulations", he said.

According to a survey conducted by Vanson Bourne, and commissioned by data security vendor Veritas Technologies, businesses in Singapore, Japan, and South Korea were amongst the least prepared for the GDPR. The study polled 900 business decision makers in eight markets, including Germany and the UK, and from companies that had business dealings with EU.

Some 56% in Singapore expressed concerns they would not be able to meet the deadline for compliance, while 60% in Japan as well as South Korea had similar worries.

Globally, 86% were concerned their failure to comply would have a significant negative impact on their company, with almost 20% worried that it could lead to a business shutdown. Some 25% in Australia, as well as in the US, feared noncompliance could shutter their business.