Data Privacy in Asia

General Data Protection Regulation (GDPR) was approved by the EU Parliament on April 2016 and enforced for all EU countries on May 2018

• Data deletion principle

• Data minimization principle

• Right to Opt-in

• Clauses in third party contracts

• BCR (Binding Corporate Rules) for intra group transfers

• Deadline to notify to the regulator in case of a data breach

• Strict guidelines to establish a data privacy governance

• Risk Assessment on high risk processes – PIA (Privacy Impact Assessment)

• Control plan on data privacy risk

• Annual data privacy report

• Register of Processing to document personal information and processes

California Consumer Privacy Act & Federal Trade Commission (USA)

The US has several sector-specific and medium-specific national privacy or data security laws. The California Consumer Privacy Act (CCPA) is a state statute that provides their residents an enhanced privacy rights and consumer protection.

• Clear framework and dedicated data privacy authority

• Individuals rights including right to know, right to delete, right to opt-out and right to non-discrimination 

• Data disclosure requirements

In addition, the US Federal Trade Commission (FTC) has jurisdiction over a wide range of commercial entities under its authority to prevent and protect consumers against unfair or deceptive trade practices, including materially unfair privacy and data security practices. 

Cybersecurity Law & Personal Information Protection Law (PRC)

Introduced in 1 June 2017 by the Standing Committee of the National People's Congress (NPC), it is the first set of comprehensive legislation governing cyber security and data privacy in China. 

• Onshore data storage requirements

• Significant regulation for transferring data offshore

• Individual rights including right to access information, rights to data portability, right to be forgotten and objection to direct marketing

In October 2020, the NPC released a draft of Personal Information Protection Law (PIPL) which came into effect on November 1, 2021. It becomes China’s first comprehensive law on the protection of personal data which binds compliance obligations previously considered recommended practice and requiring organizations to comply with additional requirements.

The Personal Data (Privacy) Ordinance (Hong Kong)

One of the longest standing comprehensive data protection laws based on OECD Privacy Guidelines 1980 to ensure an adequate level of data protection to retain its status as an international trading centre and give effect to human rights treaty obligations.

• Clear framework (''Data Protection Principles'' or DPP) and dedicated data privacy office

• DPP1: Lawful purpose for collection

• DPP2: Data accuracy and only for intended use 

• DPP3: Prohibits the use of personal data for any new purpose unless consent is received 

• DPP4: Data users take all practicable steps to protect the personal data

• DPP5: Ensure openness of their personal data policies and practices

• DPP6: Data subject right to access and correction of their own personal data

Personal Data Protection Bill (India)

Personal Data Protection Bill (PDPB) is very much inspired by GDPR and sets rules for how personal data should be processed and stored. The PDPB is currently pending consideration of the Indian Parliament and may undergo significant changes to its current form. The PDPB is expected to come into effect towards the end of 2021:

• Clear framework and dedicated data privacy authority

• Individuals rights

• Cross-border transfer requirements

Once the PDPB is enacted, we should expect widespread effect on almost all business across India's economy to meet the bill's conditions.

 Personal Data Protection Act (Singapore)

The Personal Data Protection Act (PDPA) is a well established data protection law that comprises various rules governing the collection, use, disclosure and care of personal data. The PDPA aims to strengthen and entrench Singapore's competitiveness and position as a trusted, world-class hub for businesses.

• Restriction in terms of cross-border movement of data

• Mandatory data breach notification

• Individual rights including right to access information, right to data portability, right to be forgotten, objection to direct marketing and profiling, right to correct data as well as the right to withdraw consent, use and disclosure of data.  

Protection of Personal Information (Japan)

The Act on the Protection of Personal Information ("APPI") regulates privacy protection issues in Japan and the Personal Information Protection Commission ("PPC"), a central agency acts as a supervisory governmental organization on issues of privacy protection. The APPI contains similar provisions as the GDPR. 

• Restriction on the transfer of personal data to foreign countries

• Security requirements and third party management 

• Individual rights including privacy notices, rights to access information, rights to data portability, rights to be forgotten etc. 

On 5 June 2020, the law amending the APPI was enacted, and is expected to enter into force within 2 years of the publication date (i.e., by 12 June 2022). 

Insurance and brokerage

• AXA Global Life
• AXA Assurance Banque
• Direct Assurance
• Caisse d'epargne
• Credit Agricole
• Interiale Mutuelle
• Alptis 
• ZA International

Banking, Asset Management and Financial Companies

• Konew Financial Express
• AXA Investment Managers
• BNP Paribas

Other Industries (utilities, retailers, airports, etc.)

• Ingenico
• Engie
• EDF
• SGS
• Club Med
• Aéroports de Lyon
• Rungis Marché Internationale
• GBP
• Riley Cillian

APAC Personal Data Protection control framework design

• Harmonization of the Personal Data Protection (PDP) framework of the bank across the 14 Asia Pacific jurisdiction where the CIB business unit operates, ensuring compliance with local requirements and applicable group standards
• Definition of the personal data protection controls of the 1st  and 2nd lines of defense​
• Building the implementation plan and quantify the associated costs

GDPR Maturity assessment and implementation 

• Assess the maturity of company data protection framework regarding the GDPR requirements
• Formalize a comprehensive reporting of GDPR maturity level as of today
• Define and Implement the compliance roadmap to achieve GDPR compliance Implement the compliance roadmap to achieve
• GDPR compliance

Writing up Data Privacy policy

• Assess the current state of company/employee data protection framework
• Support the formalization of a comprehensive data privacy policy document for the client’s business
• Provide recommendations and define an action plan to enhance the client’s company data privacy framework

Data Protection compliance assessment

• Analyze present activity involving personal and sensitive data processing
• Formalize benchmarks related to ethic on social platform
• Assess the level of compliance level regarding GDPR and other relevant data protection law
• Develop action plan of targeted processes and controls

GDPR Maturity Assessment 

• Assess the maturity of company's data protection framework and configuration
• ​Support the formalization of a comprehensive reporting of GDPR maturity level for the client’s business
• ​Provide recommendations and formulate compliance roadmap to faciliatate foreign business expansion