All You Need to Know about Europe's General Data Protection Regulation (GDPR) and Its Impact on Singapore Companies
The General Data Protection Regulation (GDPR), the new data protection law in Europe that came into effect in May 2018, has reshaped the data protection landscape for businesses across Europe and worldwide. The GDPR replaces the Data Protection Directive (the previous data protection law, from 1995), strengthening the data rights of European Union (EU) residents and harmonising data protection law across the EU.
What is GDPR?
The GDPR was adopted by the European Parliament in April 2016 and came into effect on 25 May 2018. As the name implies, the GDPR is a regulation that requires businesses and organisations to safeguard the personal data and privacy of EU residents, even if the data collection and processing takes place outside the EU. It also regulates the export of personal data outside the EU. Companies outside the region are affected as well if they offer goods or services to, or monitor the behaviour of, EU citizens.
What Does GDPR Cover?
The newly implemented data protection regulation imposes a uniform law in all 28 EU member states – EU members only have to comply with one standard. The GDPR's bar is set high and wide – it covers privacy rights, data security, data control, and governance. Violating the GDPR through inappropriate handling or misuse of personal data exposes organisations to hefty fines. From the consumer's perspective, the GDPR gives them control over their data: more transparency about what data businesses and organisations collect about them, and how those organisations use it.
Let us zero in on the new obligations being introduced by this legislation:
a) Data control
Data control is one important step to ensure data privacy. Under GDPR, organizations must comply with the following:
- Process data with proper authority
- Ensure data accuracy and integrity
- Minimize the exposure of subject identities
- Enforce data security
b) Data security
Data security is as important as data control. GDPR mandates organizations to:
- Safeguard data for additional processing
- Enhance data protection measures
- Enforce security based on risk assessment and encryption
c) Data erasure
Under the GDPR, personal data cannot be kept indefinitely; it must be completely deleted under any of these circumstances:
- The consumer revokes consent
- A request for data deletion is received, or
- A service or agreement is terminated or expires
d) Risk assessment
Risk assessment is now a mandatory requirement of the data protection law: organizations must conduct due diligence to evaluate the risks to privacy and security, and demonstrate a risk mitigation plan.
e) 72-hour breach notification
In the case of a data breach, organisations must alert the authorities within 72 hours with a description of the consequences of the breach, and be prepared to communicate the breach directly to all affected consumers.
GDPR and PDPA: What is the Difference?
While the PDPA (Personal Data Protection Act) in Singapore shares some similarities with the GDPR, there are a couple of things that differentiate the two.
a) Consent
The GDPR has stricter measures than the PDPA for requesting and providing consent: under the PDPA, consent is not required for business contact information, the public sector and data intermediaries. The GDPR, however, stipulates that clear affirmative consent must be given by data subjects before the collection and processing of any personal data.
b) Cross-border data protection
While the PDPA applies to Singaporean organizations that process personal data from anywhere (as well as to organizations outside Singapore that process personal data transferred from Singapore), the GDPR regulates all personal data of EU residents and all data controllers and processors handling it, regardless of whether they are established in the EU or whether the data processing takes place within the EU.
c) Access right
Under the GDPR, data subjects have the right to access and obtain information about how their personal data is being used by the business (what personal data is being processed, where, and for what purposes). Simply put, they have the right to request deletion of their data, to access the data collected about them, and to have that data provided to another company.
d) Data Protection Officers
Unlike the PDPA, the GDPR mandates that the Data Protection Officer (DPO) must have expert knowledge of personal data protection law. The GDPR also stipulates that DPOs must provide their contact details to the relevant data protection supervisory authority, and that DPOs must be given adequate resources so that they can fulfil their duties and maintain their expertise.
Is your company GDPR-compliant?
The GDPR may differ from Singapore's PDPA, but here are a few things you can do to ensure GDPR compliance in your business:
- Obtain the consumer's consent (one of the lawful bases) before you collect and process their personal data, and before you send out marketing communications.
- Provide customers with an opt-out option.
- Find out and understand how data is stored in your company.
- Mitigate the potential risk of data breaches with proper technology and processes.
- Use data encryption as part of your data security strategy.
- Establish data governance policies, especially when transferring EU-specific data to non-EU countries or to jurisdictions that have not been deemed adequate by the European Commission.
- Alert consumers in the case of a data breach.
- Hire a Data Protection Officer so that your company can keep up with the latest developments in data privacy compliance.