As of the 25th of May 2018, the extraterritorial effect of the GDPR came into play. What does this mean?
Firstly, the GDPR is intended as an improvement on the earlier legislation governing the retention and use of personal data. One of the earlier pieces of legislation here is the Data Protection Directive, implemented by the European Union in 1995. The Data Protection Directive had three main principles: transparency, proportionality and legitimate purpose. These three guiding principles governed the general use of personal data by ensuring the right of the subject to be informed if his or her data is being processed, that the processing or use of such data is for legitimate and specific purposes, and that such processing is allowed only insofar as it is adequate and relevant to the purposes for which the data was collected.
The GDPR, or General Data Protection Regulation, is considerably more all-encompassing and is based on six guiding principles:
- Lawfulness, fairness and transparency
- Purpose limitations
- Data minimisation
- Accuracy
- Storage limitations
- Integrity and confidentiality
In summary, these six principles break down in far greater detail how personal data may be used, from how lawfulness, fairness and transparency (as compared to just transparency under the Data Protection Directive) are to be interpreted, to the imposition of individual rights (to access, to restrict, to be informed, etc.) for persons whose data is in use for any particular purpose.
The obligations here are tremendous, and although the abovementioned deadline for implementation has passed, companies small and large that deal with data relating to individuals or organisations from the EU are still trying to figure out how best to abide by the GDPR in a cost-effective and efficient manner without incurring a fine that could reach 4% of their annual global turnover or EUR 10 million to EUR 20 million, whichever is greater.
Some key differences between the GDPR and the PDPA
- In Singapore, the Personal Data Protection Act prescribes how personal data may be used to a certain extent, but this is a far cry from the restrictions and new issues to be taken note of under the GDPR.
- Breach notifications, made mandatory under the GDPR, are not provided for under the PDPA.
- "Consent" under the GDPR needs to be clear, in plain language and easily accessible. In comparison, the PDPA does not prescribe the language or mechanics of how consent is to be provided.
- As mentioned above, one of the rights of individuals under the GDPR is the right to access their personal data, and to know how it is processed, at no charge, whereas the PDPA allows data subjects to request this but permits organisations to charge for such services.
- Privacy by design is another new requirement imposed by the GDPR, requiring data controllers to implement technical and organisational measures that give effect to the data protection principles. This is not provided for by the PDPA.
- Also, unlike the GDPR penalties mentioned above, which apply to organisations and not to individuals, non-compliance with the PDPA carries the possibility of a prison term for individuals; the maximum fine is S$10,000 for individuals or S$1 million for organisations.
Better be prepared!
It is for this reason that, no matter what type of institution you are a part of, as long as it has some form of nexus to the EU, intends to offer its products or services in the EU, or currently handles or intends to handle data from an EU individual that could be deemed personal, it would be apt for you to take a long hard look at your current internal processes, policies and procedures to see how these could be amended to comply with the GDPR. This review could range from your Information Technology systems and where your data is housed, to the methods your staff use to on-board clients and where such files are kept, to ensuring that the individuals and designated persons who are able to view such data are adequately qualified and are able to answer for that responsibility.
Irrespective of the complexity of your data management, we here at Argus have the capabilities, experience and know-how to help you manage all your GDPR-compliance needs. We can help you understand to what extent compliance is required of you, how to achieve it efficiently, and how to maintain compliance in a cost-effective and seamless manner while ensuring continuity with your business as it is. Whether you are a fund management company, an advertising company, a pharmaceutical company, or any other relevant business, as long as you deal with personal data, we can help you.
Do get in touch with us via email at firstname.lastname@example.org or call us at +65 68176861.