All You Need to Know about Europe's General Data Protection Regulation (GDPR) and Its Impact on Singapore Companies
The General Data Protection Regulation (GDPR) is the new data protection law in Europe that came into effect in May 2018. It has reshaped the data protection landscape for businesses across Europe and worldwide. The GDPR replaces the Data Protection Directive (the previous data protection law, dating from 1995), strengthening the data rights of European Union (EU) residents and harmonizing data protection law across the EU.
What is GDPR?
The European Parliament first adopted the GDPR in April 2016, but it only came into effect on 25 May 2018. As the name implies, the GDPR is a regulation that requires businesses and organizations to safeguard the personal data and privacy of EU residents, even if the data is collected and processed outside the EU. On top of that, the regulation governs the export of personal data outside the EU, so it also affects companies outside the region. Every company that offers goods or services to, or monitors the behavior of, EU citizens will need to follow this regulation.
What Does the General Data Protection Regulation (GDPR) Cover?
This latest data protection regulation imposes one uniform law in all 28 EU member states – EU members only have to comply with one standard. The GDPR's bar is high and wide – it covers privacy rights, data security, and data control, and it also addresses governance. Violating the GDPR through inappropriate handling or misuse of personal data will result in hefty fines for organizations. From the consumer's perspective, the GDPR gives them control over their data because it requires more transparency: they get a clear idea of what data businesses and organizations collect about them, and they can control how organizations use that data.
Let us zero in on the new obligations as per this legislation:
a) Data control
Data control is an important step in ensuring data privacy. Under the GDPR, organizations must comply with the following:
- Process data only with proper authority
- Ensure data accuracy and integrity
- Minimize the exposure of data subjects' identities
- Enforce data security
b) Data security
Data security is as important as data control. The GDPR mandates that organizations:
- Safeguard data that is retained for additional processing
- Enhance data protection measures
- Enforce security based on risk assessment and encryption
c) Data erasure
Under the GDPR, personal data cannot be kept indefinitely and has to be completely deleted under any of these circumstances:
- The consumer revokes consent
- A request for data deletion is received
- The service or agreement under which the data was collected is terminated or expires
d) Risk assessment
Risk assessment is now a mandatory requirement of the data protection law. Organizations must therefore conduct due diligence in evaluating the risks to privacy and security, and demonstrate a risk mitigation plan.
e) 72-hour breach notification
In the case of a data breach, organizations need to alert the authorities within 72 hours, including a description of the consequences of the breach. Additionally, they must communicate the breach directly to all affected consumers.
GDPR and PDPA: What is the Difference?
While the PDPA (Personal Data Protection Act) in Singapore shares some similarities with the GDPR, there are several things that differentiate the two.
a) Consent
First, the GDPR has stricter requirements than the PDPA for requesting and obtaining consent – under the PDPA, consent is not required for business contact information, the public sector, and data intermediaries. The GDPR, however, stipulates that clear affirmative consent must be given by the data subject before the collection and processing of any personal data.
b) Cross-border data protection
The PDPA applies to Singaporean organizations that process personal data from anywhere (as well as to organizations outside Singapore that process personal data transferred from Singapore). The GDPR, by contrast, regulates all personal data of EU residents and all data controllers and processors handling it, regardless of whether they are established in the EU or whether the data processing takes place within the EU.
c) Access right
Under the GDPR, data subjects have the right to access and obtain information about how their personal data is being used by the business (what personal data is being processed, where, and for what purposes). Simply put, they have the right to request deletion of their data, to access the data collected about them, and to have that data provided to another company.
d) Data Protection Officers
Unlike the PDPA, the GDPR mandates that the Data Protection Officer (DPO) must have expert knowledge of personal data protection law. The GDPR stipulates that DPOs must provide their contact details to the relevant data protection supervisory authority. At the same time, DPOs must be given access to adequate resources so that they can fulfill their duties and maintain their expertise.
Is your company GDPR-compliant?
The GDPR may differ from the PDPA in Singapore, but here are a few things you can do to ensure GDPR compliance in your business:
- Obtain the consumer's consent (one of the lawful bases for processing) before you collect and process their personal data, and before you send out marketing communications.
- Provide customers with an opt-out option.
- Figure out and understand the data storage methods in your company.
- Mitigate the potential risk of data breaches with proper technology and processes.
- Use data encryption as part of your data security strategy.
- Establish data governance policies especially when transferring EU-specific data to non-EU countries or to jurisdictions that have not been deemed adequate by the European Commission.
- Alert consumers in the case of a data breach.
- Consider hiring a data protection officer. Doing so will help your company keep up with the latest developments in data privacy compliance.