After attending several meetings and forums on GDPR, reading hundreds of pages of its provisions, consulting the relevant documents from the domestic Big Four accounting firms and law firms, and reading the commentary of domestic and foreign media, I still believe there is a grey zone of interpretation. In particular, media organizations differ widely in their views on territorial scope and on who is covered. It cannot be denied, however, that GDPR is the EU's most stringent law on personal data and privacy protection. Given the scale of the fines, global businesses and financial and telecom service providers must maintain their resilience.
The law also has spillover effects: (1) I faintly sense that GDPR contains a degree of protectionism; (2) the law is targeted in a specific manner: it has little impact on economic entities that already attach great importance to personal data protection, and it hurts those that attach none; (3) Asia Pacific economies such as Taiwan and mainland China (Japan and South Korea have already negotiated proactively with the EU) are not on the list of countries with which the EU permits personal data to be exchanged.
The next question is how to handle the personal data of EU residents collected in the course of commercial and economic activity in the EU. Before any negotiation with the government or implementation of the law, enterprises' management, control and protection processes must already conform to GDPR. In addition, I recommend that information and data security products sold to Europe or connected to EU enterprises in Taiwan (products that hold records or traces of EU residents) be modified to comply with GDPR, in order to reduce future disputes and heavy fines. The cloud service industry, for example, treats this as a priority: both Amazon Cloud (which was the earliest to claim GDPR compliance) and Microsoft Azure state that they comply with GDPR.
Obtaining EU certification may be a feasible route in the future, but cross-border data exchange will not be feasible in the short term (Taiwan is not on the list), so keeping EU residents' data within the EU is the more appropriate approach. Conversely, Taiwan's personal data law is in fact a law shaped by the needs of business activity with the EU. It is a pity that domestic enforcement of the personal data law has not produced results: the proportion of enterprises that comply only partially and in name is higher than the proportion of enterprises and organizations that comply in practice (the relevant penalty and audit mechanisms have had no effect). Many enterprises feel pressure when facing GDPR, but seen from another angle, if the relevant provisions of Taiwan's personal data law were well implemented and then compared with GDPR, many provisions would turn out to share the same spirit.
Compared with Taiwan's personal data law, GDPR is more extensive in technical application, penalty rules and protected items. IP addresses, genetic data and medical data (special categories of personal data) were temporarily set aside during the revision of Taiwan's personal data law, whereas GDPR covers almost all of them. GDPR also adds the right to erasure (the right to be forgotten), the right to data portability and the right to object, all of which must be built into system processes. GDPR further requires an independent Data Protection Officer (DPO); once an enterprise exceeds a certain size, the authority of this role may need to be strengthened and distinguished in terms of system functions.
I personally believe that, in terms of process and system design principles, GDPR is a control model that considers both territory and the persons concerned. An enterprise that designs its measures around territory and persons will be better placed, because EU countries attach great importance to personal privacy protection and this has been a process of legalization across the EU member states. In other Asia Pacific countries, education in this awareness is lacking.
As for the application of security protection technology, enterprises should not be pushed into bottomless investment in data security equipment. Encryption is an unavoidable baseline and covers data files and database contents, but it creates obstacles when encrypted data must be exchanged and analysed, so suitable products must be found to handle such encrypted data. Taking FineArt X-FORT as an example, several protective measures need to be modified. Product compliance features such as erasure by design (the right to be forgotten), strengthened database encryption and pseudonymization (note: pseudonymization is not the same as anonymization) may be completed before 2021.
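The note above that pseudonymization differs from anonymization is worth making concrete, because the two are often confused in product documentation. The following is an added example, written for this page; it is not FineArt's code and not part of the original article. It contrasts three treatments of a constructed customer table: an unkeyed hash (a common mistake, reversible by dictionary), keyed pseudonymization with a separately held re-identification link (still personal data under GDPR, but keeps records joinable for analysis, which plain encryption does not), and anonymization by dropping the identifier and generalizing the birth year (irreversible). All records, emails and keys are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; these are not real people.
RECORDS = [
    {"email": "alice@example.com", "birth_year": 1984, "country": "DE", "purchase": 120.0},
    {"email": "bob@example.com",   "birth_year": 1991, "country": "FR", "purchase": 35.5},
    {"email": "alice@example.com", "birth_year": 1984, "country": "DE", "purchase": 80.0},
]


def naive_hash(identifier):
    """Unkeyed SHA-256 of an identifier. Looks like a pseudonym, but anyone
    with a list of candidate emails can recover the original by brute force."""
    return hashlib.sha256(identifier.lower().encode()).hexdigest()


def dictionary_attack(digest, candidates):
    """Recover the identifier behind an unkeyed hash from a candidate list."""
    for candidate in candidates:
        if naive_hash(candidate) == digest:
            return candidate.lower()
    return None


class Pseudonymizer:
    """Keyed pseudonymization (HMAC-SHA256). The key and the link table are the
    'additional information' that must be kept separately from the working data.
    Whoever holds them can re-identify, so the output is still personal data."""

    def __init__(self, key=None):
        # Assumed 32-byte secret; a real deployment would keep it in an HSM or KMS.
        self.key = key or secrets.token_bytes(32)
        self._link = {}  # pseudonym -> identifier, held only by the controller

    def _tag(self, identifier):
        return hmac.new(self.key, identifier.lower().encode(), hashlib.sha256).hexdigest()

    def pseudonym(self, identifier):
        p = self._tag(identifier)
        self._link[p] = identifier
        return p

    def reidentify(self, pseudonym):
        return self._link.get(pseudonym)

    def erase(self, identifier):
        """Right to erasure: remove the link so stored records under this
        pseudonym can no longer be tied back to the person. Note that someone
        who still holds the key AND the raw email could recompute the tag, so
        the key must be protected as strictly as the link table."""
        return self._link.pop(self._tag(identifier), None) is not None


def pseudonymize_records(records, pz):
    """Replace the direct identifier with a deterministic pseudonym; the same
    person maps to the same pseudonym, so records stay joinable."""
    return [
        {"subject": pz.pseudonym(r["email"]), "birth_year": r["birth_year"],
         "country": r["country"], "purchase": r["purchase"]}
        for r in records
    ]


def spend_per_subject(pseudo_records):
    """Analysis that still works on pseudonymized data (and not on ciphertext)."""
    totals = {}
    for r in pseudo_records:
        totals[r["subject"]] = totals.get(r["subject"], 0.0) + r["purchase"]
    return totals


def anonymize_records(records):
    """Anonymization: drop the direct identifier and generalize the quasi-identifier.
    Nothing is kept that would allow re-identification, so GDPR no longer applies,
    but per-person analysis is also lost."""
    out = []
    for r in records:
        decade = (r["birth_year"] // 10) * 10
        out.append({"birth_decade": f"{decade}s", "country": r["country"], "purchase": r["purchase"]})
    return out


if __name__ == "__main__":
    pz = Pseudonymizer()
    pseudo = pseudonymize_records(RECORDS, pz)
    print("spend per pseudonym:", spend_per_subject(pseudo))
    print("re-identified:", pz.reidentify(pseudo[0]["subject"]))
    print("anonymized:", anonymize_records(RECORDS))
```

The practical point for a product: a deterministic keyed pseudonym preserves the joins analysts need while keeping the re-identification material in a separate, access-controlled store; an unkeyed hash gives no real protection; and only the third treatment takes data outside GDPR's scope.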
In addition, FineArt's SVS module has an opportunity to resolve the tension described above between encryption and practical use. SVS is a good tool for secure data exchange and worth recommending to large-scale users. In terms of data localization, X-FORT can be deployed with its server database located in the EU, or isolated in the cloud, to meet the relevant restrictions.