The European Union’s (EU) General Data Protection Regulation (GDPR) was crafted in response to growing public discomfort over the volume of data collected on individuals without them knowing about it. First introduced in 2016, GDPR became effective on 25 May this year, superseding earlier privacy regulations.

Under GDPR, the exact uses of personal data must be specified prior to collection, and explicit consent must be given by the user; it can be withdrawn at any time. Individuals also have the right to review what an organization knows about them, and can request for their data to be erased, also known as the right to be forgotten.

Speaking at DCD>Converged in Hong Kong earlier this month, David Rainsford, the managing partner of of Albenque Advisors, briefed the attendees on GDPR and its implications for data center providers in the region.

David Rainsford
David Rainsford, Albenque Advisors – DCD

Why it matters

Why would GDPR matter to data center operators and businesses in Hong Kong, or the Asia Pacific region? Rainsford posed this question instead: “How can you be sure that you don’t have any European citizen data in your database?”

“They don’t really care where your data center is, where your website is hosted, or where your business is registered. If you have data about individuals who are living in the EU or the EEA [European Economic Area], they believe that you are subject to their law,” he explained.

And with fines that can go as high as €20 million ($22.56m), or four percent of the organization’s global turnover, this is no idle question. Using October’s massive data breach at Hong Kong-based Cathay Pacific airline as an example, Rainsford talked about a hypothetical fine of HK$3.88 billion ($495m), extrapolated from the airline’s revenue in 2017, to underscore the potential impact of penalties.

“[GDPR] was designed to protect the right of individuals, not to make life easier for privacy officers. It was not designed to make life easier for data center or marketing managers. And when we talk about the fines, it’s basically to create so much pain that you will rather deal with this, rather than face the risk of having to go to the board to explain why you are going to get fined, or why you have a pending lawsuit,” Rainsford said.

Broad implications

Rainsford was quick to concede that there is simply no way to know how a GDPR lawsuit will play out in the courts. With no legal precedent, it is essentially uncharted territory.

Advising against adopting a 'wait and see' approach, he highlighted some examples to illustrate the many ways GDPR could rear its head in Asia. He cited the entirely plausible example of a holidaying UK resident who downloads an app to get free Wi-Fi in Hong Kong: “If I start taking their data, then from the EU point of view, I have broken the law.”

There are also scenarios that are less clear-cut: “Someone who came [to Hong Kong] on a project to build a data center. They may domicile in Europe for taxation purposes and may be an EU passport holder. They may say, ‘I’m a European, I expect to be treated as a European under the law.’”

FIn addition, businesses must have their incident response plan ready for the inevitable security incident. In line with GDPR, data breaches must be reported to the local authorities within 72 hours of being discovered, which means that any response plan must already be documented and signed off by the board before a cyberattack happens.

Take action today

Rainsford's recommendation for local businesses is to go through a classification exercise to review the data they have on individuals and ascertain their level of risk where GDPR is concerned. Alternatively, businesses can approach this exercise by working out ways to ensure that they don’t have any data collected from EU individuals.

He urged businesses to act early: “Start taking steps to comply now. Look at your existing policies and procedures, look at agreements that you have with partners.

“You may be subject to GDPR even if you are processing information in Hong Kong. The penalties for this are very severe. They are intended to be severe. [The framework] is built on the philosophy that individuals own their data. There is still a lot of uncertainty because this is a new law, new regulations. Despite the uncertainties, I would encourage you to take action now.”