
This article is brought to you by CSC's Digital Brand Services.

Currently, the acronym on the lips of many in-house lawyers around the world is GDPR, or General Data Protection Regulation. The regulation was passed in the European Union (EU), but it affects businesses with a physical presence in the EU as well as any company around the world dealing with personal data of EU residents, including targeting EU customers, employing EU residents or dealing with EU suppliers.

This includes online marketplaces, meaning that even the smallest of businesses based in Asia but selling products to a European consumer base on Alibaba or Amazon – as well as those with employees from the EU – will be required to comply as of 25 May 2018. However, research conducted last year revealed that nearly all APAC companies surveyed (93%) did not have a plan in place for when GDPR becomes enforceable in May 2018.

In 2016, the EU’s second largest trading partner was China, recording close to €515 million in trade, while all APAC countries combined represented more than €1,000 billion worth of trade with the EU. This flow of business between the two regions suggests that many Asian companies will be impacted by GDPR.

Undoubtedly, Asia is no stranger to domestic data protection laws. Hong Kong has its Personal Data (Privacy) Ordinance, with maximum fines of up to HK$1 million (€108,000) and imprisonment of up to five years for non-compliance with an enforcement notice from the Privacy Commissioner, and Singapore has its Personal Data Protection Act, with maximum fines of up to SG$1 million (€626,000) and imprisonment of up to three years for failure to comply with the Act.

These financial penalties pale in comparison to the fines of €20 million – or as much as 4% of a business's total global annual revenue, whichever is greater – which could be imposed under the GDPR should a business fall victim to a cyber security attack and a data breach occur.

Cyber Security: A Driving Force Behind the Regulation

As organisations get up to speed with legal compliance, many may fail to consider one of the driving forces behind the regulation: increased cyber security at a foundational level to ward off data breaches – be they through hacking, phishing, or malware attacks – before they gain steam.

It’s important for businesses to understand the cyber security element of the GDPR, as well as the solutions to the issues they may face, and how to divide and conquer those issues by working closely with key departments like IT, legal, marketing, and security.

“While the risks of being non-compliant are significant, this is also an exciting opportunity for companies to really understand how they deal with data – what personal data they collect, what they do with it, and how long they hold it for – and to improve their processes,” said Salma Daneshmand, associate general counsel for CSC®, a global leader in digital asset management, online brand protection, and cyber security.

“Being able to demonstrate GDPR compliance will also enable companies to inspire trust amongst their customers, suppliers, and employees,” Daneshmand continued. “If you can show how you’re protecting your data from unauthorised access, people are going to want to work with you and trust you.” 

Cyber Criminals Never Sleep

The digital landscape is littered with cyber criminals willing to jump at every chance to profit from your business. The Anti-Phishing Work Group, an international consortium that monitors businesses affected by phishing attacks, reported that phishing activity rose from 2015 to 2016 to a total of 1,220,523 attacks, a nearly 65% increase year over year. Phished logins and identities can be used to socially engineer access to the data you hold.

Cyber criminals and hacktivists also compromise systems by employing a variety of methods, including DDoS attacks, malware, and even SQL injection, to get what they want, leaving companies exposed and vulnerable. To help avoid such attacks, and to mitigate the risk of a significant fine and damage to your reputation and operations, it is worth employing what the GDPR describes as appropriate ‘technical and organisational measures’.

Solving the Problem Requires a Team Effort

Cyber security is no longer simply the responsibility of the IT department as it may have been 10 or 20 years ago. With every department, desktop, and mobile device a potential victim, it’s up to each company to unite the forces of IT, legal, marketing, and security to stop cyber criminals in their tracks.

The process may seem like a major undertaking, but it’s important to partner with expert providers that ensure data is protected and secure as part of data protection law compliance, which involves more than just a tick-box approach.

Figuring out exactly how many different digital assets your company maintains – and finding out where they’re located, if they’re secure, and who looks after them – requires a multipronged effort. There are four ways to begin the process:

  • Consolidate and secure – Ideally, you want to set out all your digital assets in one comprehensive view, which should include domain names, DNS, SSL, and social media usernames. Check to make sure your digital IP resolves to relevant content and directs traffic to your sites, then ensure they’re properly safeguarded with security measures like SSL certificates, MultiLock, and two-factor authentication.
  • Optimize and promote – Analyse which of your domains can be safely divested based on their relevance to your company and the business they conduct. Only then can you identify the gaps related to available domain names, including brand and social media usernames.
  • Monitor and enforce – Search for GDPR infringements across your assets. Once you’ve identified them, prioritise violations by importance, so you can ensure compliance on a case-by-case basis.

You could have a belt-and-braces privacy policy, but if you or your data processing providers don’t abide by its provisions, you will be penalised by data protection authorities in the event of a security breach. Get out of your comfort zone and form your multidisciplinary team. It’s the best way to devise a defense plan and research which approach you want to take, including which third parties may be able to help you with compliance. GDPR may be a terrifying acronym, but embracing the change now will save you time, money, and quite possibly your brand’s reputation.

 


Mark Flegg, Global Product Director of Domains and Security, CSC 

In his role at CSC, Mark is responsible for advising a global client base on digital risk and the preventative measures brands can take to safeguard their digital assets. During his 16-year career, Mark has acquired a wealth of experience in cyber security technology, focusing on DNS, SSL, and DDoS protection software. In order to further raise awareness of the digital threats that businesses are susceptible to, Mark regularly presents at leading industry events.
