The Difference Between GDPR And PDPA Under 10 Key Issues

With cross-border collaborations becoming much easier thanks to the convenience of modern digital pathways, all kinds of data are also being exchanged or moved across various locations. Personal data, the new currency, is one of them.

Thus, it is only fitting that governments establish a set of provisions to protect the personal data of all individuals whether living or deceased. Along with these provisions benefitting individuals are safety measures to ensure organisations can still benefit from the collection, use or disclosure of personal data.

Do you know that regardless of location, cyberattacks can happen to your organisation? Once it does, your business is at risk of having all of the data it manages exposed to illegal entities? Don’t let this happen to you. Let Privacy Ninja help your company find security vulnerabilities before the bad guys do. Ask about our >> (opens in a new tab)” rel=”noreferrer noopener” class=”rank-math-link”>vulnerability assessment and penetration testing today >>>

What do the GDPR and the PDPA have to do with my business?

The EU’s General Data Protection Regulation (GDPR) covers Singapore companies that offer goods and services to, or track the behaviour of, individuals in the EU, regardless if these companies have a presence in the EU or not. For instance, if your company sells its products or services to individuals in the EU (such as ecommerce) or tracks their behaviour (such as online behavioral advertising), then your company is subject to the GDPR.

For Singapore companies that are already compliant with Singapore’s Personal Data Protection Act (PDPA), this begs the question of what else needs to be done to ensure full compliance.

If your company is already PDPA-compliant, you are already at an advantage of stepping closer toward being GDPR-compliant. However, there are still other aspects of GDPR compliance that are beyond the scope of the PDPA.

Also Read: The 5 Benefits Of Outsourcing Data Protection Officer Service

The Difference Between GDPR And PDPA

We take a closer look at key issues that highlight the difference between GDPR and PDPA as well as proposed action points if your business is subject to GDPR.

Issue No. 1: Kinds of data that are subject to the law

Position under the GDPR – the GDPR covers almost all kinds of personal data, which is defined as “details pertaining to an identified or identifiable natural person”.

Position under the PDPA – The PDPA covers to personal data but exempts business contact details from PDPA’s protection obligations. Under the PDPA, personal data is defined as “data, regardless if it’s true or not, pertaining to an individual who can be identified from that data or from other information to which the company has or is likely to have access.”

Practical steps if you are subject to GDPR:

1. Implement a new data mapping exercise and see to it that it takes into account GDPR’s definition.
2. See to it that existing documents and contract terms are wide enough to cover GDPR’s definition.
3. Rethink your strategy if your company has been relying on the PDPA exemption for business contact details.

Issue No. 2: Kinds of organisations that are subject to the law

Position under the GDPR – the GDPR pertains to a wide range of entities. It refers to both private sector and public sector entities, those located outside the EU, and it establishes a number of direct obligations on data processors.

Position under the PDPA – The PDPA pertains to a narrower range of entities. It doesn’t pertain to public agencies or organisations acting on their behalf. Unlike the GDPR, data processors have fewer direct obligations under the PDPA. That is, they only need to comply with the security and retention provision.

Practical steps if you are subject to GDPR:

1. Public agencies or organisations acting on the public agency’s behalf must determine if they are subject to GDPR.
2. Organisations that usually act as processors or intermediaries must comply with more stringent requirements of the GDPR.

Issue No. 3: Sensitive personal data

Position under the GDPR – In this difference between GDPR and PDPA, extra protection is provided for “special categories of data”, which includes data about a person’s race or ethnicity, religious or philosophical beliefs, sex life, sexual identification, political leanings, trade union membership, health details as well as genetic and biometric data.

Position under the PDPA – Under the PDPA, there are no specific provisions for sensitive personal data, although guidance from the PDPC does advise that personal data of a sensitive nature must be given a higher level of protection as an act of good practice.

Practical steps if you are subject to GDPR – As part of a new data mapping exercise, know if special categories of data are processed and, if so, apply the more stringent GDPR provisions.

Issue No. 4: Purpose and data minimisation

Position under the GDPR – Under this next difference between GDPR and PDPA, organisations must see to it that they collect personal data for specified, explicit and legal purposes and does not further handle the data in a way that doesn’t fit those purposes. Additionally, the processing must be enough, relevant and limited to what is needed relative to the intentions for which they are processed.

Position under the PDPA – Organisations must only collect, use or disclose personal data for intentions that a reasonable person would deep appropriate in the circumstances.

Practical steps if you are subject to GDPR – Review provisions and apply the more stringent GDPR provisions.

The next issue that tackles the difference between GDPR and PDPA is quite long, are you ready?

Issue No. 5: Notice and consent

Position under the GDPR – The GDPR sets a high standard for consent. Organisations are mandated to get permission in a clear, open, specific and transparent manner. Furthermore, the consent obtained must be unambiguous, specific, freely shared, informed and given by a statement or affirmative action. This means that there must be a positive opt-in from individuals. Pre-ticked boxes or any other kinds of default consent are
not acceptable. Consent is not the only factor for processing personal data
under GDPR. There are other bases for handling data which may be better suited to your organisation’s specific circumstances.

Position under the PDPA – consent is the only factor of processing under
the PDPA. So, while the principles on obtaining consent are the same, the PDPA’s standard of consent is less restrictive as compared to GDPR. There are also several exceptions that allow an organisation to process personal data without consent, such as if the data is publicly available or if it is collected by a news organisation solely for its news activity.

Practical steps if you are subject to GDPR:

1. Check if consent is a relevant basis for processing personal data under GDPR.
2. Review notices and permissions to ensure that they meet the more stringent GDPR requirements. In other words, fine print and pre-ticked boxes are not acceptable.

Also Read: PDPA Compliance Singapore: 10 Areas To Work On

Issue No. 6: Correctness and completeness

Position under the GDPR – Organisations must see to it that all personal data managed is correct, and updated.

Position under the PDPA – The correctness and completeness only arises when the personal data is likely to be: (1) used by the organisation to arrive at a decision affecting the individual, or (2) likely to be shared to another organisation.

Practical steps if you are subject to GDPR – Put in place provisions to make sure that the personal data processed is correct and complete, notwithstanding how the personal data is used.

Issue No. 7: Data protection by design and data protection impact assessments (DPIA)

Position under the GDPR – Organisations must combine data protection principles and technical and organisational safeguards into their processing
exercises, from the design stage right to the end of the exercise. DPIAs help organisations to identify and lower data protection risks in their processing activities to facilitate data protection by design. DPIAs are required where the processing likely leads to a risk to the rights and freedoms of natural
persons. If the DPIA determines a high risk, the organisation must consult the necessary regulators before it begins the processing.

Position under the PDPA – There is no express data protection by design or
DPIA provision in the PDPA, but the PDPC regards it good practice for the organisation to conduct DPIAs and have the necessary policies and processes in place for handling personal data before its embarks on any data processing.

Practical steps if you are subject to GDPR:

1. Put in place provisions and processes to ensure data protection by design.
2. Enforce DPIAs for new or updated data processing projects, and keep records.
3. Consult with the right regulators if the DPIA concludes that the data processing activity is high risk.

Issue No. 8: Documenting compliance

Position under the GDPR – Controllers must keep a record of all processing
activities under their responsibility. Processors must keep a record of all categories of processing activities that they enforce on behalf of the controller.

Position under the PDPA – An organisation must keep records on the ways it has used or disclosed personal data for at least 12 months as part of its obligation to provide individuals with access to their personal data.

Practical steps if you are subject to GDPR: Put in place processes to ensure that processing records are kept.

Issue No. 9: Data processing agreements

Position under the GDPR – All processors must be contractually bound to a set of obligations, regardless of whether the processing occurs within the EU or outside the EU.

Position under the PDPA – The PDPA does not obligate processors to be
contractually bound to a set of provisions – the only exception is where
personal data is transferred by the controller to a processor based outside
Singapore. Processors in Singapore are usually subject to contractual
processing terms but these rarely go as far as GDPR’s requirements.

Practical steps if you are subject to GDPR: Enter into GDPR-compliant contracts with the necessary processors whenever they are engaged to manage the personal data of data subjects located in the EU.

Issue No. 10: Data protection officer (DPO)

Position under the GDPR – All controllers and processors must designate a
DPO if they are a public authority, or where their core activities involve the regular tracking of data subjects on a large scale, or where they process sensitive personal data and data on criminal convictions and offences on a large scale.

Position under the PDPA – All controllers must designate a DPO, regardless of the nature of the processing. Processors are not required to designate a DPO. Unlike GDPR, the DPO is responsible only for one task, i.e. he or she must see to it that the organisation complies with its data protection obligations under the PDPA.

Practical steps if you are subject to GDPR:

1. If required, designate a DPO (especially if you were not required to do so under the PDPA, such as if your company is only a processor).
2. See to it that the DPO is properly designated in terms of mandate, position in the organisation, confidentiality and resources.
3. See to it that internal governance processes requires the DPO to be proactive in data protection issues.
4. Furnish information about your DPO to the regulators and on your website notices.

If you would like to explore further if your company is GDPR-compliant, contact us for a no obligations chat to understand what compliance audit services are required to comply with the GDPR. Learn more >>>