The challenge for anyone with data from the Asia Pacific region is the ever-expanding number of countries initiating data protection/cybersecurity requirements in the region, many of which are similar to the EU’s data privacy rules (GDPR) but differ in important ways. It would be one thing if they lined up with the GDPR perfectly, but each seems to have its own flavor and unique requirements. Several have GDPR-like obligations, including requirements for data subject notifications, consent, retention and security. However, several have unique applications, such as:
- China and Vietnam’s lack of a “legitimate interest” as a legal basis for processing, and much broader restrictions on moving data outside of each country.
- China and Singapore’s requirements to appoint a local Data Privacy Representative responsible for compliance with local data protection laws.
- Japan and Singapore’s heightened concerns over protection of national IDs, and Japan’s more stringent notification requirements yet easier ability to transfer to processors.
- Korea’s restrictions on moving data outside of Korea, as well as its 24-hour breach notification requirements for internet/mobile entities.
- Registration requirements including in China, the Philippines and Vietnam.
Most jurisdictions in Asia Pacific have now implemented or already have in place their own unique data privacy/cybersecurity laws, including Hong Kong, Taiwan, Singapore, Vietnam, Thailand, Indonesia, Malaysia, the Philippines, Australia, New Zealand and others. In the event of a cross-border data breach, determining when that event is notifiable, to whom and by when becomes even more convoluted.
How We Can Help
We are extremely well placed in Asia, with data privacy and cybersecurity specialists in offices in Australia, China, Hong Kong, Japan and Singapore and a network of trusted local firms throughout the region as needed. We can assist in:
- Gap analysis – Assessing current practices against the local requirements, identifying gaps, developing a streamlined work plan to address those gaps and providing comprehensive templates that will enable your organization to efficiently address compliance issues.
- Data mapping – Assisting to create a record of your processing activities, which may be required by local law.
- Data protection officer (DPO) or local Data Protection Representative – Advising on compliance with applicable requirements.
- Data transfers – Advising on and implementing appropriate data transfer solutions.
- Consent – Reviewing existing consents, advising on alternatives to individual consent for processing and, where necessary, implementing mechanisms for obtaining explicit data subject consents.
- Notice – Reviewing and redrafting privacy notices as required by local law.
- Vendor compliance and management – Developing template vendor agreements to address local requirements and manage risk within your organization, including key provisions, such as data ownership, liability for breach of data protection or security requirements and notification requirements for a security incident, and reviewing or revising existing contracts.
- Data subject requests – Developing systems/processes that will enable your organization to respond to access, erasure and portability requests in the manner and within the timeframe stipulated by local law.
- Data protection impact assessments (DPIAs) – Evaluating whether processing qualifies as “high risk” or otherwise under local law and, if so, developing appropriate DPIAs, and assisting you with any consultation with the data protection authority required.
- Contracts – Preparing contracts, including updating data processing agreements to cover the new contracting requirements these laws mandate.
- Data incident preparedness – Creating a robust data breach response plan and doing preparedness drills for your team that will help your organization meet the local requirements and reduce the cost of a breach.
- Cyberbreach response – Providing a robust legal response to a data breach, especially where global data is involved, and establishing the Attorney-Client and other privileges, where appropriate, to enable free and effective communications.
- Security assessments – Assessing the adequacy of your security controls and the arrangements with your service providers/processors, including providing security compliance checklists.
- Email marketing/cookie policies – Advising clients on the development of email marketing campaigns and cookie policies/consents for compliance with local privacy laws.
Why Choose Us
- Our global footprint allows us to provide assistance in the jurisdictions where you do business.
- Our experience advising numerous SMEs, multinational companies and global organizations on local data privacy/cybersecurity compliance will translate into efficiencies for your organization.
- Our commercial knowledge allows us to help you manage your data to leverage its value while meeting your compliance obligations.
- With deep roots in the APAC region, we are able to assist you in developing good working relationships with APAC data protection authorities and other regulators.