Asia Pacific Data Protection and Cybersecurity Guide 2020
The GDPR, implemented in the EU in May 2018, continues to generate shockwaves internationally. The immediate impact for businesses headquartered in the APAC region has been the extension of the scope of application of European data protection law from an “establishment” concept limiting the law’s application to organizations with “bricks and mortar” operations on the ground in the EU
to a broader set of criteria making the GDPR applicable to APAC businesses.
The prospect of penalties reaching 4% of world-wide turn-over has caught the attention of many APAC-based businesses, and so we see concerted compliance activity with a view to understanding the extent to which the new European requirements apply to businesses headquartered here. In some cases, organizations’ operations and interaction with the EU and EU data subjects can be restructured so as to avoid “over-compliance” with EU requirements. In many cases, however, the international scopeof business necessitates a GDPR compliance exercise in respect of at least some of the organization’s operations.