EU General Data Protection Regulation (“GDPR”)
22 Nov 2017
Why should an EU regulation, which only becomes applicable on 25th May 2018, have any relevance in Hong Kong today?
The answer is that the GDPR has a global footprint. If you already have a company registered within the EU, or intend to have one incorporated before 25th May 2018, the GDPR will apply to it. The GDPR will also apply to organisations that: (i) do not physically process data in the EU but are ‘established’ there (i.e. exercise a real and effective activity through stable arrangements in the EU), or (ii) do online business in the EU and must appoint a representative in an EU member state. If you offer goods or services to individuals located in the EU, or monitor their behaviour (for example, through website tracking), you will have to comply with the GDPR too, regardless of where your company is based or whether those individuals are EU citizens.
Some legislation provides a “grace period” for implementation, but that does not apply to the GDPR: the two-year period between its adoption in 2016 and 25th May 2018 is the only transition there will be. Besides, the GDPR is a regulation, not a directive; it has direct binding legal force in every member state without the need for national implementing legislation. Therefore, by 25th May next year, every relevant company must have in place a fully thought through protective environment and protocol for the collection, handling and storage of personal data. This includes defining access permissions, authentication (such as password policies) and data encryption, and being able to demonstrate that those measures are appropriate to the risk.
Most important is the requirement that a personal data breach must be reported to the relevant national data protection authority (the Supervisory Authority) within 72 hours of the company becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned; a breach of data that was properly encrypted, where the key has not been compromised, will often fall within that exception, which is one practical reason to encrypt. If the deadline is missed without a reasoned justification, draconian sanctions are applicable and we are told they will be enforced. This reminds us that there is a real need for every company, especially a company which has a European footprint, to have in place proper and detailed protocols to deal with data breaches and cyber-attacks. Billions of dollars are already lost each year through email fraud, and now there is an ever expanding threat of cyber-attack on data, whether through malware, ransomware or the like.
So, does your company yet have in place plans and protocols that can prevent or reduce the risk of any such cyber-attack? Has that yet been considered? After an attack has taken place, it will be too late.
Typically, there should not only be an initial compliance plan to monitor and reduce the risk of any such attack, but also an incident response plan that can be put into action immediately. From a legal point of view, there will also be questions of whether law enforcement agencies should be involved to investigate and prosecute: when should the incident be reported, how should the reporting be performed, what evidence should be collected and how should that evidence be collected and preserved so that it remains admissible? Part of this process will be the communications response required to reduce reputational risk. Business is becoming more and more international, and the increasing reliance on e-commerce and on uninterrupted online operations means that a cyber-attack poses a greater threat to business continuity than ever before.
OLN in Hong Kong and through its international network of Law Firms can assist in this area. Should you want more information, please do not hesitate to contact Stephen Chan at stephen.chan@oln-law.com.