The GDPR deadline may be behind us, but the conversation on the implications for marketers in Asia Pacific who have yet to comply with the European Union's data-privacy regulation, is still ongoing.
A joint-survey in March and April 2018, by SAP Hybris and the CMO Council of 165 marketers globally, including APAC, found that only slightly more than half of marketers said they had a plan in place to comply with GDPR and were currently implementing changes.
One of the biggest misconceptions is that marketers have leeway with the ‘legitimate interest’ clause which allows marketing to use personal data without user consent, says Patrick Salyer, general manager for SAP customer data cloud at SAP Hybris in a conversation with The Drum.
“However, this is a tricky issue, as there is indeed a legitimate interest exception, but it will be weighed against personal data rights. Data can only be used under court order or to protect human-interest rights. Otherwise, consent is needed for marketers to use consumers’ personal data for marketing purposes,” he adds.
Salyer points out another misconception is that only companies in the EU are liable under GDPR, or that it only affects companies doing business in the EU. “In reality, under GDPR, any EU citizen has the right to sue a company based outside the EU if their personal data is used without consent. Any business that monitors the behaviour of individuals in the EU and handles their data will be subject to GDPR,” he explains.
The reluctance behind complying with GDPR by APAC companies
Explaining why APAC companies have been slow to comply, Salyer points out many APAC countries already have some form of regulation that’s similar to the GDPR, such as Singapore's Personal Data Protection Act (PDPA), Japan’s Personal Information Protection Commission, and the Philippines’ National Privacy Commission.
“The Australian Privacy Act of 1988 also shares commonalities with GDPR, including requiring businesses to implement a “privacy by design” approach to compliance, demonstrate compliance with privacy principles and obligations, and adopt transparent information handling practices,” he adds.
Why APAC companies should pay attention to GDPR
Despite having individual data privacy laws in their own countries instead of a region-wide blanket regulation like GDPR, it is still important for brands to comply.
A report released before the deadline by adtech firm Unruly found that brands must be more transparent about data usage if they wanted to win back and retain consumer trust. However, due to the low levels of awareness around the changes made by GDPR, there is also a communication gap between brands and their customers.
It found that in APAC, 67% of Singaporeans wanted the right to delete data collected at any time, while 82% of Singaporean consumers said they would only buy from brands if they trust them. In India, 73% of Indian consumers said they trusted brands more when they are clear about how and where there data is used, which is the highest worldwide.
The Unruly report is backed up SAP Hybris’s Consumer Insights Report 2017, which revealed that the majority (78%) of APAC consumers would not purchase from a brand again if their data were used without their knowledge, according to Salyer.
“GDPR is actually an opportunity for APAC businesses to turn compliance into a competitive advantage,” he explains. “Instead of merely taking a reactive approach and focusing all resources on navigating GDPR or regulations in other markets, organisations should be channelling efforts towards building trust with their customers. Trust is the ultimate currency in today’s digital economy, and GDPR validates this notion.”
“To successfully connect with consumers and build trust, organisations need to identify and engage them across channels and progressively get to know them in a way that’s respectful of their privacy. And, this is now absolutely critical as the stakes are high,” adds Salyer.
Phil Townend, managing director for APAC at Unruly shares Salyer’s sentiments and argues that APAC companies are very reactive, instead of being proactive, by developing new products just to cope with the data regulations.
Pointing to how the industry reacted in 2016 and 2017 with brand safety and new adblockers in Google Chrome and Safari, Townend says: “There is proactive and reactive innovation, and everyone assumes that all innovation is building new stuff. Actually, because of the brand safety stuff we have in 2017, a lot of companies were running for the hills in terms of reactive innovation.”
He adds that there is still a debate whether a western tech company that is headquartered in China or companies like Rakuten in Japan are willing to place GDPR compliance on the top of their agenda.
“How high is it on everyone's agenda? If you got a big business in the US and the UK, you are going to put a lot resources into research. I don’t see the same in APAC,” explains Townend.
Andy Houstoun, product director at Crimtan advises APAC companies that to deal with data subjects in the European Economic Area territory in the work they do, is to first understand the implications of GDPR if they do process these individuals data in some way and understand whether they have a legal means of processing the data, which means that they can support the rights of the individuals should that need be forthcoming.
"The regulation is ensuring that when this personal data is stored and used, at any time they have the right to access what is stored, to correct what is stored, to restrict what is stored or any sort of processing, to erase this data, to port this data somewhere else, the right to object if something is wrong with it or that it is stored in the first place, and that in the unlikely event of a security breach of this data, they are notified. This to me all seems very fair," he explains.
To read more about The Drum's coverage on GDPR and how marketers can use GDPR to their advantage, read here.