Data privacy is no longer a buzzword but a cross border business necessity.
The European Union’s General Data Protection Regulation (GDPR) is a new data protection law that will affect any business located within the EU and any business that offers goods or services to EU residents. It becomes enforceable on 25 May 2018, and the financial repercussions of non-compliance are significant.
Non-compliance may result in suspension of data processing and fines of up to 4% of worldwide turnover or €20 million, whichever is greater.
The law is changing to keep up with digital advances in business. GDPR has direct effect across all EU Member States; however, Member States are able to adopt their own national rules, so businesses should be aware that each Member State may have a different law. The principles are largely the same across all Member States, making it easier for businesses to comply. More importantly, it helps to bolster consumer confidence by giving people stronger control over their own data in an age of privacy breaches and demands for transparency.
GDPR vs PDPA: Same but different
How does GDPR compare to Singapore’s Personal Data Protection Act (PDPA)?
Professor Hannah YeeFen Lim, writing for the International Association of Privacy Professionals, says that although PDPA is as technology-neutral as GDPR, it is a “light touch regime”. Most notably for PDPA, consent is not required for business contact information, the public sector and data intermediaries.
GDPR, on the other hand, does not allow for the concept of deemed consent – processing of all personal data requires a clear affirmative action for the consent to be valid. Consent must also be given by someone with the legal capacity to do so – a factor not stipulated in PDPA.
Weak GDPR compliance in Singapore
According to consultancy EY, an overwhelming nine out of 10 companies in Singapore do not have a plan to cope with GDPR. This is a worrying statistic considering that Singapore is the EU’s largest trading partner in ASEAN.
In 2016, the existing foreign direct investment stock between the EU and Singapore amounted to €236 billion. A Singapore company would need to comply with the GDPR principles for any EU customers.
According to Singapore’s business daily, Business Times, “as long as an organisation collects data on people within the EU, shares data or sells products and services within the EU, they will be subjected to GDPR – even if they are located in Singapore. Non-compliance will result in potential fines of S$29.8 million or up to 4% of global annual turnover, whichever is greater.”
The customer is always right
Here are some things to note that may help your business to comply with GDPR and, naturally, it starts with the customer:
- You have to have a lawful basis for processing customers’ data. Consent is one lawful basis but there are six in total, another being that the processing is necessary for a contract you have with the individual. Establishing the lawful basis is the first step to compliance.
- Give customers the right to opt-out of research and marketing. They must also have the right to delete any personal data you have on them, access data collected, and give the data to another company.
- Understand your data. It is important to know, store and structure customer data so that it can be managed in a more meaningful manner.
- Encrypt your data. While this may seem a straightforward exercise, it’s important to know where your company keeps all customer data. Informal processes over the years may mean that different data is housed in different departments.
- Develop data governance policies when moving EU-specific data to countries outside of the EU or to jurisdictions that have not been deemed adequate by the European Commission.
- You must inform users if there is a security breach that affects their data. Mitigate potential breaches into your customer database with proper technology and processes. Most privacy breaches are caused by human error. Employees should be aware of privacy risks and trained in the proper way to handle data.
- Plan your response for different eventualities. This includes the worst-case scenario of rendering your data unusable if it falls into the wrong hands.
- Train your employees so that they know what they need to do in order to comply with the law. Make sure you have policies and procedures in place that they can refer to.
- If you send out marketing communications, consider first if you need to gain consent from the individual.
- Put someone in charge of data compliance. A Data Protection Officer can stay up to date on the latest developments in data privacy compliance and ensure that your company is securing data correctly and in accordance with its protocols.
Disclaimer: All materials have been prepared for general information purposes only to permit you to learn more about Hawksford, our services and related matters. The information presented is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice.