GDPR is going live next month. It’s got everyone around the world scrambling to make sure they’re compliant. Even the beleaguered Mark Zuckerberg has his team working on it, assuring senators and viewers of his testimony at the US Congress that Facebook will be GDPR-compliant in May.
Are you ready for GDPR, or the EU’s General Data Protection Regulation? After all the adjustments you may have already made for Singapore’s Personal Data Protection Act (PDPA) in 2014, you may think that you already have your customers’ personal data protected. But the GDPR is quite different from the PDPA.
We’ve come up with comparative charts below to give you a quick glance into the similarities and differences of each, so you can see how this will affect your organisation.
Fast Facts on Singapore’s PDPA and the EU’s GDPR
Took/will take effect on
Do Not Call registry: 2 Jan 2014
Data protection obligations: 2 Jul 2014
|25 May 2018|
|Who are governed by these policies?||
Covers virtually all businesses in Singapore
Applies to any organisation established within and outside of the EU, so long as:
|What is it about?||
“The [Personal Data Protection Act (PDPA) of Singapore governs] the collection, use and disclosure of individuals’ personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use and disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.”
“The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonise the data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organisations across the regions approach data privacy.”
“The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.”
At a glance: PDPA
The PDPA has two main provisions:
- 9 data protection obligations:
- Consent: needed before personal data is collected, used, or disclosed
- Purpose limitation: an organisation must inform an individual of its purpose for collecting, using, or disclosing personal data; also, the collected data must not be used for anything other than the initial intended purpose.
- Notification: individuals must be notified of the purpose before they may give their consent to have their personal data collected, used, or disclosed.
- Access and correction: individuals have the right to request access to their personal data in an organisation’s possession or control, and be allowed to correct any error to his/her personal data.
- Accuracy: an organisation should make reasonable effort to collect accurate and complete personal data, especially if any decisions made using the personal data affects the individual, and if the personal data will be disclosed to another organisation.
- Protection: reasonable security arrangements must be made to prevent unauthorised access, use, disclosure, copying, modification, and disposal of personal data in an organisation’s possession or control
- Retention limitation: An organisation may only keep personal data until a certain period, after which it must remove or delete documents containing such permanently.
- Transfer limitation: personal data may not be given outside of Singapore unless the recipient country has data protection standards commensurate to that of the PDPA
- The National Do Not Call Registry
- Names registered into the national DNC Registry may not receive unsolicited marketing messages (voice calls, text messages, or fax) from any registered organisation in Singapore.
GDPR: A quick look
These are the key changes introduced to the GDPR:
- Increased territorial scope: regardless of where you are in the world, if your company processes personal data of subjects residing in the EU, then the GDPR should apply to you.
- Penalties: An organisation that doesn’t comply can be fined up to a maximum of 4% of annual global turnover, or €20 million (whichever is greater).
- Consent: Individuals must be given a request for consent form that is intelligible and easily accessible.
- Breach notification: Data controllers must notify supervisory authority, private individuals affected, or the organisation to which it reports of any privacy breaches without undue delay/within the first 72hrs of having become aware of the breach.
- Right to access: Data subjects must be able to easily access their personal data in the possession or control of data controllers, free of charge, and must be provided a copy in electronic format.
- Data erasure: Data subjects have the right to have their personal data forgotten: erased, ceased to be disseminated, or have third parties halt processing of their personal data by the data controller.
- Data portability: Data subjects should be able to receive the personal data they have consented to provide in a “commonly used and machine readable format” and have the right to transmit that data to another controller
- Privacy by design: Data protection must be included at the onset of designing of systems, and not just as an addition.
- Appointment of Data Protection Officers will only be for organisations:
- whose core activities consist of data processing operations,
- that do systematic monitoring of data subjects on a large scale,
- that regularly process special categories of data or data relating to criminal convictions and offences
The GDPR has stricter measures than the PDPA for requesting and providing consent, so be sure to take a closer look into this section of the policy.
Definitions of Key Concepts
“Data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access. This includes unique identifiers; photographs or video images of an individual; as well as any set of data, which when taken together would be able to identify the individual.” (Source)
“Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
Only data that is necessary to an organisation’s purpose should be collected. (data minimisation)
"Express Consent": consent expressed in writing
Consent is not needed for the following uses and circumstances:
"Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"
|Sensitive personal data||
Not specifically defined
Personal data revealing:
|Age of consent||
Minimum age not stipulated in the PDPA
Threshold set at 16 years old, but may be lowered by member states to between 13 to 16 years old.
Strictly limited to:
Fines and Penalties for Noncompliance
|Penalties for persons or individuals in breach of the policy||Fines not exceeding S$5,000-10,000 (depending on the offence) or imprisonment of up to 12 months||
Not indicated, as compliance is expected from firms, not individuals
|Penalties for organisations in breach of the policy||
Fines not exceeding S$50,000-100,000 (depending on the offence)
While fines are administered by individual member states' supervisory authorities using a 10-point criteria, offenders may be fined from €10 million to €20 million, or 2 to 4% worldwide annual revenue, whichever is greater. (Source)
Need the Complete Text?
For the complete text of each policy, refer to the links below:
Not only are the fines painful to shoulder, but noncompliance could also have a devastating effect on your company's image and reputation. Take the necessary steps to familiarise your staff with the key points and changes, and how you can protect the data you collect, use, disclose for your customers.
Need A GDPR Compliant Website or Microsite?
Image Sources & Credits
Mark Zuckerberg: Getty Images via TheAustralian.com.au