The challenge for anyone with data from the Asia Pacific region is the ever-expanding number of countries initiating data privacy/cybersecurity requirements in the region, many of which resemble the EU’s data privacy rules (GDPR) but differ from them in important ways. It would be one thing if they lined up with the GDPR perfectly, but each seems to have its own flavor and unique requirements. Several have fairly standard GDPR-style obligations, like data subject notifications, consent requirements, and retention and security requirements. However, several have unique applications, such as:
- China’s lack of a “legitimate interest” as a legal basis for processing, its much broader restrictions on moving data outside of China and its requirement to have a local Data Privacy Representative responsible for compliance with PRC laws.
- Japan’s heightened concerns over protection of national IDs, notification requirements and easier ability to transfer to processors.
- Korea’s restrictions on moving data outside of Korea, as well as its 24-hour breach notification requirements for internet/mobile entities.
Most countries now have implemented or have in place their own unique data privacy/cybersecurity laws, including Hong Kong, Vietnam, Thailand, Taiwan, Singapore, Malaysia, the Philippines, Australia, New Zealand and many others. In the event of a cross-border data breach, the determination of when that event is notifiable, to whom and by when becomes even more convoluted.
How We Can Help
We are extremely well placed in Asia, with data privacy and cybersecurity specialists in offices in Japan, China, Hong Kong, South Korea, Singapore and Australia, and a network of trusted data privacy firms throughout the region as needed. We can assist in conducting:
- Gap analysis – Assessing current practices against the local requirements, identifying gaps, developing a streamlined work plan to address those gaps and providing comprehensive templates that will enable your organization to efficiently address compliance issues.
- Data mapping – Assisting in creating a record of your processing activities, which may be required by the local law.
- Data protection officer (DPO) or local Data Protection Representative – Advising on compliance with applicable requirements.
- Data transfers outside the applicable country – Advising on and implementing appropriate data transfer solutions.
- Consent – Reviewing existing consents, advising on alternatives to individual consent for processing and, where necessary, implementing mechanisms for obtaining explicit data subject consents.
- Notice – Reviewing and redrafting privacy notices as required by local law.
- Vendor compliance and management – Developing template vendor agreements to address local requirements and manage risk within your organization, including key provisions, such as data ownership, liability for breach of data protection or security requirements and notification requirements for a security incident, and reviewing or revising existing contracts.
- Data subject requests – Developing systems/processes that will enable your organization to respond to access, erasure and portability requests in the manner and within the timeframe stipulated by local law.
- Data protection impact assessments (DPIAs) – Evaluating whether processing qualifies as “high risk” or otherwise under local law and, if so, developing appropriate DPIAs, and assisting you with any consultation with the data protection authority required.
- Preparing contracts, including updating DPAs to cover the new contracting requirements these laws mandate.
- Data incident response – Creating a robust data breach response plan that will help your organization meet the local requirements.
- Security assessments – Assessing the adequacy of your security controls and the arrangements with your service providers/processors, including providing security compliance checklists.
- Email marketing/cookie policies – Advising clients on the development of email marketing campaigns and cookie policies/consents for compliance with local privacy laws.
Why Choose Us
- Our global footprint allows us to provide assistance in the jurisdictions where you do business.
- Our experience advising numerous SMEs, multinational companies and global organizations on local data privacy/cybersecurity compliance will translate into efficiencies for your organization.
- Our commercial knowledge allows us to help you manage your data to leverage its value while meeting your compliance obligations.
- With deep roots in the APAC region, we are able to assist you in developing good working relationships with APAC data protection authorities (DPAs) and other regulators.