Impact of GDPR in Asia

Organizations in Asia will be affected by the extra-territorial scope of the General Data Protection Regulation (GDPR).


The General Data Protection Regulation (GDPR) poses challenges for organizations with customers in the European Union. Entering into force in May 2018, the GDPR requires them to undertake a root-and-branch review of how they handle, process and govern the use of customer data across their entire organization.

When does the GDPR apply to organizations in Asia?

The GDPR applies to (1) individuals who are EU residents, (2) organizations that are based in the EU, or (3) organizations based outside the EU that target EU citizens.

Asian organizations and their subcontractors will have to adhere to the GDPR if they intend to offer their services to individuals residing in the EU or to monitor their behavior.

Indirect application of the GDPR through contractual obligations

In light of the data controller-data processor relationship, Asian companies might be obliged by their suppliers or contracting partners to adhere to GDPR requirements. This is the case where those other organizations themselves (and, by extension, their data processors or co-data controllers) fall under the scope of the regulation.

Organizations in Singapore will be affected by the GDPR, as Singapore is the EU's largest commercial partner in ASEAN, accounting for slightly under one-third of EU-ASEAN trade in goods and services.

Next steps

Organizations that do not make the necessary operational and technology changes are looking at fines of up to 4 percent of their annual turnover. Many organizations admit they will not be ready in time and that they are struggling to find the right expertise to guide the transition.

Some key questions that we hope to address in this article:

  • What are the consequences of non-compliance?
  • How can the GDPR be enforced in Asia? 
  • What can organizations do in order to prepare for the GDPR?
