GDPR in Asia – Basic Compliance Tips
Are you running an ecommerce business in Asia that has customers in the European Union? Are you an Asian business that hires European talent? Do you routinely collect information from your clientele and store it, to facilitate transactions, improve customer service and enhance user experience? Can any of this information be classified as personal and possibly sensitive?
If you answered yes to any of the above, then you need to read this STAT and get yourself compliant with the EU's General Data Protection Regulation (GDPR).
HR Data Management for EU talent
If you have EU talent, the first thing you need to do is password protect all information obtained during their tenure. This includes file transfers, so if you're planning to send the information to people via a Google spreadsheet, you still need to password protect it.
Secondly, you are no longer allowed to do criminal background checks. Even if you ask for explicit consent, the regulation operates under the principle that employees would be pressured to comply because they would not want to deny the request, at the risk of being perceived as having something to hide. The power dynamics are simply unacceptable, so say goodbye to criminal background checks from online services.
Lastly, you need to ask for specific and unambiguous consent. This means you must ask for permission to store the specific data you are requesting, state its intended purpose, and obtain their consent. This consent can also be revoked, and if that happens for whatever reason, you need to delete the data and provide evidence that you have done so. To alleviate storage issues, it is best to periodically inform them of the information you hold rather than ask for ongoing consent.
All sensitive information that you have collected must be encrypted, so internally establish what your definition of sensitive is and store it accordingly.
Asian E-commerce Operators with EU Customers
If digital marketing is your main engine then here are the fundamentals you need to cover.
Your digital marketing strategies may include opt-ins for targeted material such as email marketing subscriptions. You are required to ask for consent again, stating your adherence to the GDPR, and give them the option to unsubscribe.
Should your business model employ behavioural data collection to power targeted advertising, then it is time to transition to contextual advertising. The GDPR amounts to a ban on behavioural profiling without a legitimate reason, and this may affect the type of metadata you are allowed to siphon off. The information you store must also be made portable, so the user can copy it or delete it.
Do not take this lightly, as the punitive fines are up to 4% of your annual revenue or €20 million.
In conclusion, other Asian nations like Singapore are creating their own versions to protect their citizens' data. Many of them would like to guarantee the right to erasure and active consent. It is best to take a preemptive approach to compliance by drafting a data acquisition process, then filtering and securing the relevant information.