The impact of GDPR and PDPA in Singapore

Singapore is generally deliberated to be a top business core in the Asia-Pacific region and various international corporations have recognized their center of operations in Singapore. Their business operations might comprise prospective data transfers between their European and Singapore offices, or the directing of European businesses to proffer goods and amenities. Additionally, with Singapore being the EU’s major trading partner in the Association of Southeast Asian Nations (ASEAN), it is unavoidable that many businesses and organizations based in Singapore will have to comply with the GDPR and PDPA.

What does GDPR mean?

The GDPR (General Data Protection Regulation) is a data protection legal framework. It dictates how personal data is collected, stored, and used. It also gives individuals substantial control over their personal data.

How does GDPR rules affect our websites and data protection?

Cookies/IP addresses & GDPR: Every website and blog depends on cookies that collect user information to function appropriately and securely. Some of this information includes location data and IP addresses, which can potentially be used to identify a person (i.e. personal data).

Opt-in Forms & GDPR: Similarly, practically every website and blog display has opt-in forms for newsletters, service subscriptions, and more. The GDPR deliberates a person’s name, contact information, address, credit card details, personal data and more.

Must businesses outside the EU abide by the GDPR?

You must adhere to the GDPR requirements if your business or organization holds personal data of EU residents.

This means any personal data collected when someone from the EU:

• visits your website (i.e. cookies and IP address)
• signs up for your email list (i.e. name and email)
• gets your product/service (i.e. billing details)
• accepts your free offer (i.e. name and contact details)

Doesn’t PDPA already cover data protection in Singapore?

The PDPA is inadequate in range and lacks certain individual rights to personal data. On the contrary, the GDPR gives EU residents more control over their personal data. It also mandates strict notification procedures in the event of a data breach which the PDPA has recently (at the time of writing) sent out consultation papers to seek industry feedback to emulate closer to the GDPR’s standards.

Here’s a brief summary of the European Union’s GDPR

1. Obtain explicit consent to use personal data

Your business has to get unambiguous approval to accumulate and use personal data from an individual in the EU, age must not be under 16 years.

• Given Freely: The person has to take action to agree, no such thing as agree by default. The person must also be able to know how to withdraw their consent.
  
• Specific & informed: Inform people the specific personal data you’re collecting, why you need it, and how it will be used. Also, inform them about the third-parties you can share their data with.
  
• Clear & upfront: Use plain language, and keep the request for consent separate from the terms and conditions page. The GDPR does not allow organizations to disguise their intentions with legal jargon and technical language.

2. Facilitate rights to personal data

GDPR gives individuals the rights to get a copy of their personal data, the purpose it was collected for, and whom the data had been disclosed to.

• Correct inaccurate personal data.
• Erase personal data in some situations.
• Restrict or object to the processing of personal data in some situations for instance, when it is illegal, when it is used for direct marketing, etc.
• Receive and transmit their personal data in a structured machine-readable format to another organization
• Not be subjected to automated decision-making in some situations

3. Designate a Data Protection Officer

Businesses and organizations whose procedures include regular monitoring of individuals and/or processing sensitive personal data, have to appoint a data protection officer.

4. Make sure default privacy is strict by design

People shouldn’t have to jump through hoops to get stricter privacy practices or settings. The GDPR requires the strictest privacy by default. In the same manner, a business/organization must take procedures to collect and process data that is only necessary for the permitted purpose.

5. Notification of data breaches

If a personal data breach does occur, the business/organization must inform the appropriate administrative authority within 72 hours. Furthermore, if the breach poses a high risk to the rights and freedoms of the individual, the business/organization has to inform those individuals right away.

The consequences of not complying with the GDPR and PDPA

GDPR compliance deadline was May 25, 2018. This data protection law commends substantial fines of up to 4% of a business’s global revenue or €20 million. Furthermore, businesses that don’t follow data protection best-practices, which the GDPR carefully covers, stand to lose their customers’ trust.

Singapore’s PDPA deals a financial penalty of up to $1 Million for organizations that are found to have disregarded the PDPA and $10,000 per DNC breach, plus any enforcement action or direction as deemed fit by the PDPC. However (at this time in writing), consultation papers have been released to seek industry feedback on increasing the penalities as well.

Since each business/organization varies in processes and degree of data processing, there isn’t a one-size-fits-all resolution to GDPR and PDPA compliance. Henceforth, consider engaging Privacy Ninja if your organization caters to the global or EU market, and get started on your GDPR and PDPA compliance journey.