Cost of GDPR Compliance for Singapore Companies
The General Data Protection Regulation (GDPR) is, in a large sense, the strictest of data privacy laws globally, and failure to comply could cost your company millions. Being GDPR-ready is an ongoing approach to your business, not just a one-time project. With digitalization happening everywhere, you should not ignore data protection and privacy, especially if you run a business.
What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation on data protection and privacy. It was first adopted on 14 April 2016, and became enforceable beginning 25 May 2018. The regulation became a model for many national laws outside the EU, including Chile, Japan, Brazil, South Korea, Argentina and Kenya.
Even Singapore’s Personal Data Protection Act (PDPA) is seeking to emulate some parts of it to strengthen its standards, which can be seen in the recent Public Consultation on Personal Data Protection (Amendment) Bill.
Do Singapore companies need to comply with the GDPR?
The protection regulation applies generally to:
- A company that is registered in the EU and collects or processes personal data of persons (residents) of the EU;
- A company registered in the EU;
- A company that is registered outside the EU but collects or processes personal data of persons (residents) of the EU.
So if your company offers products or services to the EU region, which typically means that you have to collect and process personal data of clients, employees, or other persons who are residents of the EU, you must comply with the GDPR requirements.
Types of Data Governed under the GDPR
- Basic identity information such as name, address and ID numbers;
- Web data such as location or movements, IP address, cookie data and RFID tags;
- Health and genetic data;
- Biometric data;
- Racial or ethnic data;
- Political opinions;
- Sexual orientation;
- Data on a person’s performance at work;
- Economic information;
- Personal preferences and interests;
- Other personal metrics such as reliability, behavior patterns, etc.
To be GDPR compliant, make sure your company keeps in line with the following data protection principles. Generally, the GDPR standards are similar to the Singapore PDPA protection approach; however, they are more detailed and comprehensive in nature when it comes to certain items.
Compliance with the GDPR
The key requirements of the GDPR include the following:
You can process personal data if:
- The data subject has given consent
- The processing of data is necessary for the performance of a contract
- It is necessary to comply with legal obligations
- It is necessary to protect the vital or public interest
- It is necessary for the purposes of legitimate interests
Appointing a Data Protection Officer
The GDPR states that organizations must employ a Data Protection Officer (DPO) where:
- Special categories of sensitive personal data such as data relating to criminal convictions and offences are being processed;
- Data processing is carried out by a public authority or body;
- The core activities of the organization require regular and systematic monitoring of data subjects on a large scale.
Reporting Data Breaches
If any data breach occurs, an organization has up to 72 hours to report the breach to a supervisory authority and to the affected individuals if the breach is likely to put the rights and freedoms of those individuals at risk.
The GDPR imposes an obligation on organizations to notify supervisory authorities in the event of a data breach. A breach of personal data is defined as an accidental or unlawful destruction, loss, alteration or unauthorized access/disclosure of personal data.
In case of a data breach, an organization must provide the following information:
- The measures taken by the organization to address or mitigate the effects of the data breach;
- The contact details of the DPO or any other contact point who can provide more information;
- The nature of the breach and the approximate number of data subjects concerned;
- The likely consequences of the breach.
Transferring of Personal Data
Under the GDPR, where data is being transferred out of an EU nation, the country in which the recipient organization is located must be approved by the European Commission as providing an adequate level of protection for personal data.
The following elements are considered when assessing the adequacy of the non-EU country, under the GDPR:
- The country’s rule of law, respect for human rights and fundamental freedoms;
- The country’s legislation concerning public security, defence, and criminal law;
- The existence of effective and enforceable data protection laws that can provide judicial relief for data subjects;
- The existence and effective functioning of independent supervisory authorities in the country; or
- The existence of obligations arising from legally binding conventions or international commitments entered into by the country.
Singapore companies often have European parent companies or are part of a larger international group of companies. Personal data is then transferred from European group companies to their Asian subsidiaries or counterparts.
Operating Cost of GDPR Compliance
If you’re worried about the cost of GDPR compliance in terms of implementation and maintenance, know that it’s a much less expensive option than ignoring your requirements.
The cost of GDPR compliance is incurred under the following categories:
- Hiring a Data Protection Officer
- Record of Processing Activities (Inventory)
- Gap assessment
- Policies and procedures
- Modify processes
- Train employees
- Monitor compliance
There is no “market price” or fixed price to pay for ongoing operational compliance, and the amount largely depends on the size of your company and number of processes handling personal data. There may also be additional legal costs, which in some cases may be as high as 40% of the total GDPR compliance budget.
What Happens if an Organization Does Not Comply with the GDPR?
In case of an infringement of the provisions of the GDPR, high administrative fines are likely. On a case-by-case basis, these fines can amount to up to €20 million or up to 4% of the total global annual turnover of the preceding financial year, whichever is higher.
While Singapore businesses still struggle to implement the requirements necessary under the PDPA, the GDPR may soon make many of them subject to an even stricter data protection regime. Given the possibility of high financial penalties, decision makers are well advised to determine as soon as possible whether the GDPR is relevant for their businesses and what measures have to be implemented to be compliant.
Can you Demonstrate your GDPR Compliance?
One of the most frustrating compliance failures is the inability to prove that necessary measures have been implemented.
The GDPR requires organizations to document their compliance practices. That means it’s possible to implement all the solutions but fall foul of the Regulation simply by having no evidence of what you’ve done.
If you are unsure whether your business needs to comply with the GDPR, or need help understanding or complying with certain aspects of it, contact Privacy Ninja for a non-obligatory chat on how we can help while keeping the maintenance cost of GDPR compliance low.
Getting to grips with the gaps in your data protection policies, especially GDPR compliance, can be time-consuming.
This is where we come in.
Outsource your DPO with Privacy Ninja and save time and money while making sure you are compliant with GDPR policies. Avoid penalties. We know what matters most to you, and that’s to focus on the growth of your business. Contact us now.