What Singapore Companies Need to Know About GDPR Compliance
This article draws on Singapore government guidance to show how Singapore businesses can become GDPR compliant. What is the GDPR? It is the abbreviation of the EU's General Data Protection Regulation. Will the Europe-centric GDPR affect companies operating in Singapore? Let's find out what is changing and how a business can comply.
We are all aware that data privacy is no longer a buzzword but an important requirement in any business.
As mentioned, the GDPR is a Europe-centric data protection law. It applies to any business established within the European Union (EU) and to any business outside the EU that offers goods or services to, or monitors the behaviour of, individuals in the EU. It has applied since 25 May 2018, and the financial repercussions of non-compliance are significant.
What are the consequences of non-compliance? A supervisory authority can order the suspension of data processing, and in addition the business can be fined up to €20 million or 4% of its worldwide annual turnover, whichever is greater.
Businesses should also keep in mind that the regulation, and the guidance issued under it, keeps evolving to keep up with technology, especially with the pace of digital advancement in business. Now, enough of the EU GDPR; let's compare it with Singapore's own law, the Personal Data Protection Act (PDPA).
According to Professor Hannah Yee Fen Lim, writing for the International Association of Privacy Professionals, "although the PDPA is as technology-neutral as the GDPR, it is a 'light-touch regime'". Most notably, the PDPA does not apply to business contact information or to public agencies, and data intermediaries that process data on behalf of another organisation are subject only to limited obligations, so consent is not required in those cases.
By contrast, the GDPR has no concept of deemed consent. Consent is valid only if it is given by a clear affirmative action, so silence, pre-ticked boxes or inactivity do not count as consent to processing personal data.
Under the GDPR, consent must also be given by someone with the legal capacity to give it; for children using online services, the consent of a parent or guardian is required below the age of 16 (member states may lower this to 13). This is one factor that is not stipulated in the PDPA.
Singapore’s Weak GDPR Compliance
Now, according to the consultancy EY, an overwhelming nine in ten companies in Singapore have no plan for coping with the GDPR. This is a worrying statistic, considering that Singapore is the EU's largest trading partner in ASEAN.
In 2016, the stock of foreign direct investment between Singapore and the EU amounted to €236 billion. To be clear, any Singapore company with EU customers needs to respect the GDPR's compliance principles for those customers.
Quoting Singapore's Business Times: "as long as an organisation collects data on people within the EU, shares data, or sells products and services within the EU, it is subject to the GDPR, even if it is located in Singapore. Non-compliance can result in potential fines of about S$29.8 million or up to 4% of global annual turnover, whichever is greater."
The Customer is Always Right
Here are some things to note that may help your business comply with the GDPR. Naturally, it starts with the customer:
You must have a lawful basis for processing customers' data. Consent is one lawful basis, but there are six in total; another is that the processing is necessary for a contract you have with the individual. Establishing and documenting the lawful basis for each processing activity is the first step to compliance.
Give customers the right to opt out of research and marketing; the right to object to direct marketing is absolute and must be honoured without question. Customers also have the right to have their personal data erased, to access the data you hold on them, and to have it ported to another company.
Understand your data. Know what customer data you hold, where it is stored and how it is structured, so that it can be managed in a meaningful way. You cannot protect, correct or delete data you do not know you have.
Encrypt your data. This may seem a straightforward exercise, but it depends on knowing where your company keeps all customer data. Informal processes built up over the years may mean that different data is housed in different departments. Encryption is one of the security measures the GDPR explicitly names, and a breach of data that was properly encrypted may not need to be reported to the affected individuals.
Develop data governance policies for moving EU personal data to countries outside the EU or to jurisdictions that the European Commission has not deemed adequate. Singapore does not have an adequacy decision, so transfers to Singapore typically rely on a safeguard such as standard contractual clauses.
You must inform users if there is a security breach that affects their data. Under the GDPR a breach must be reported to the supervisory authority within 72 hours of becoming aware of it unless it is unlikely to result in a risk to individuals, and the affected individuals must be told without undue delay when the risk to them is high. Mitigate potential breaches of your customer database with proper technology and processes. Many privacy breaches are caused by human error, so employees should be aware of privacy risks and trained in the proper way to handle data.
Plan your response for different eventualities. This includes the worst-case scenario, in which your data falls into the wrong hands, so plan for measures such as encryption that render the data unusable to whoever has taken it.
Train your employees so that they know what they need to do in order to comply with the law. Make sure you have policies and procedures in place that they can refer to.
If you send out marketing communications, consider first whether you need to obtain consent from the individual.
Put someone in charge of data compliance. A Data Protection Officer can stay up to date on the latest developments in data privacy compliance and ensure that your company secures data correctly and in accordance with its policies. The GDPR requires a DPO only in certain cases, such as large-scale monitoring of individuals, but the PDPA requires every organisation to designate at least one person responsible for compliance, so a Singapore company should already have someone in this role.