Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

5 Brief Concepts Between Data Protection Directive vs GDPR

data protection directive vs gdpr

GDPR changes the definition of personal data, reflecting changes in technology and the ways that organisations collect data about people.

5 Brief Concepts Between Data Protection Directive vs GDPR

When the General Data Protection Regulation (GDPR) takes effect, it will replace the Data Protection Directive (DPD) – becoming enforceable by May 25, 2018. The following is a detailed explanation of the differences between the DPD and the GDPR.

1. Personal Data Redefined

GDPR changes the definition of personal data, reflecting changes in technology and the ways that organisations collect data about people. Profiling, or developing a snapshot of an individual’s preferences using browser history, purchase history, and other related activity will no longer be acceptable under the GDPR unless the individual in question has explicitly consented. Comparatively:


Under the DPD, personal data was defined as data such as names, photos, email addresses, phone numbers, addresses, and personal identification numbers (social security, bank account, etc.).


Under the GDPR, personal data is defined as any information that could be used, on its own or in conjunction with other data, to identify an individual. This data includes IP addresses, mobile device identifiers, and geolocation and biometric data (fingerprints, retina scans, etc.). The GDPR also covers data related to an individual’s physical, psychological, genetic, mental, economic, cultural, or social identity.

Under the DPD, personal data was defined as data such as names, photos, email addresses, phone numbers, addresses, and personal identification numbers.

2. Individual Rights

Opt-in and Consent

The GDPR represents progress in privacy considerations; it requires explicit opt-in for the processing of any personal data. Descriptions of data use must be short and straight to the point and will eliminate one-size-fits-all agreements.

Right to Access                   

To make the use of personal data more transparent and empower the residents of the EU, the GDPR gives data subjects the right to access their personal data. In other words, they have the right to obtain from data controllers information on how their data is being used, where, and for what purpose. Data controllers must provide this information along with a copy of the requestor’s personal data in an electronic format, free of charge.

Right to be Forgotten

Residents of the EU will also have the right to request that data be transferred from one good or service provider to another, as well as the right to be forgotten. If a person submits such a request, data controllers must erase all the requestor’s personal data, cease further use of that data, and if applicable, halt any third-party use of that data.

Also read: 7 Key Principles of Privacy by Design that Businesses should adopt

3. Data Controllers vs. Data Processors


A key difference between the DPD and the GDPR is that data processors are now regulated under the GDPR. Both data controllers and processors will be jointly responsible for complying with the new rules, meaning if an organisation outsources data entry or analysis to a third party or processes data on behalf of another organisation, both parties are required to abide by the GDPR and are liable for violations.


Under the DPD, only data controllers were held accountable for any mishandling of consumer data.


Under the GDPR, data processors are required to have a contract with data controllers to process personal data. The data processor is the entity liable for the security of personal data.


The controller or processor must appoint a data protection officer when its core activities involve “regular and systematic monitoring of data subjects on a large scale.” The data protection officer will serve as a central point of contact who knows about how the collection or processing of personal data is performed.

4. Information Governance and Security

Privacy: Data Regulation

GDPR requires that organisations consider compliance with the regulation from the inception of systems and processes—that is, that they implement “privacy by design.” In other words, they should consider the privacy of collected data at all steps in the development of business concepts, from the very beginning. Privacy by design also requires that controllers discard personal data when they are no longer using it.

Security: Impact Assessments

For the security of personal data collected and processed by controllers and processors, the GDPR requires that organisations conduct impact assessments for automated data processing activities, large-scale processing of certain kinds of data, and systematic monitoring of publicly accessible areas on a large scale.

DPD, only data controllers were held accountable for any mishandling of consumer data.

 5. Data Breach Notification and Penalties

Breach Timeline and Procedures

The GDPR requires organisations to report data breaches to the individuals whose data was compromised and to their supervisory authority within 72 hours. The authority will evaluate the data compromised and the preventative security measures in place at the time of the breach to assess repercussions and ensure future compliance.


Under the DPD, EU member states were free to adopt different data breach notification laws. As a result, when companies suffered data breaches in the EU, they had to research and ensure compliance with each member state.


With the adoption of the GDPR, there will be a single requirement to follow: Data controllers must notify their supervisory authority and individuals affected by a personal data breach within 72 hours of learning about the breach.


The DPD was not nearly as expansive as the GDPR in its geographical reach, partially because it did not plan for the use of digital personal data such as IP addresses. The GDPR states that it applies to the processing of personal data of subjects located in the EU, even if the controller or processor is not established in the EU, making the GDPR a worldwide law.

Summarising, the following are some key changes that will be implemented with the GDPR:

  • The regulation applies to all companies that process personal data of people residing in the EU
  • Data subjects must be given more information when their data is collected.
  • Both consent and explicit consent now require clear affirmative action.
  • The minimum age for individuals whose data can be collected is rising from 13 to 16.
  • Organizations have 72 hours to notify regulators of data breaches that pose a risk to data subjects.
  • There is a single national office for complaints.
  • Large data controllers must appoint a data protection officer.

Also read: How to Register Data Protection Officer (DPO) in ACRA Bizfile+




Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us