The General Data Protection Regulation [GDPR] is a European Union regulation that imposes strict rules on how organisations handle personal data. It applies to organisations established in the European Union [EU] and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU, regardless of where those organisations are located. The GDPR was adopted by the European Parliament on 14 April 2016 and became applicable on 25 May 2018. Its purpose is to protect the personal data and privacy of individuals in the EU.
The Personal Data Protection Act [PDPA] is Singapore's national data protection law. Its main data protection provisions came into effect on 2 July 2014. Its purpose is to protect the privacy rights of individuals and to regulate how personal data may be collected, used and disclosed by private sector organisations.
Businesses need to comply with data privacy regulations such as the GDPR and the PDPA to protect the personal data of their customers and employees. Collecting, processing and storing personal data carries risks, including data breaches, hacking and misuse of data.
GDPR: The GDPR is a central component of EU privacy and human rights law. It also governs transfers of personal data outside the EU and the European Economic Area [EEA]. Its primary aims are to strengthen individuals' control and rights over their personal data and to simplify the regulatory environment for international businesses. The GDPR requires that every processing of personal data rests on a lawful basis; consent is one such basis and, where it is relied on, must be freely given, specific, informed and unambiguous, with explicit consent required for special categories of data. It also imposes strict data protection requirements on controllers and processors.
PDPA: The PDPA is a Singapore law whose main provisions took effect in July 2014. It applies to organisations that collect, use or disclose personal data in Singapore, including organisations that are not based in Singapore, and it is not limited to the data of Singapore citizens. The Act regulates the collection, use and disclosure of personal data by organisations in Singapore, requires them to obtain consent (express or deemed) from individuals before collecting, using or disclosing their data, and imposes a range of data protection obligations.
Both laws are comprehensive and have a similar reach, covering both domestic organisations and foreign organisations handling personal data within their territories. While the GDPR applies to both private and public bodies, the PDPA excludes public agencies and organisations acting on behalf of public agencies from its scope. Both the GDPR and the PDPA give supervisory authorities wide-ranging investigatory and corrective powers and set out significant monetary penalties for non-compliance.
The GDPR and the PDPA differ in scope and applicability. The GDPR applies to organisations established in the EU and to organisations outside the EU that process the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour, regardless of where the organisation is located. It applies regardless of size, so even small businesses that process personal data are subject to its requirements.
The PDPA, on the other hand, applies to organisations that collect, use or disclose personal data in Singapore, again regardless of size. This includes non-profit organisations, but public agencies and organisations acting on behalf of public agencies are excluded from its scope.
With regard to territorial scope, the GDPR applies to data controllers and data processors that have no establishment in the EU but whose processing relates to individuals in the EU (through offering goods or services or monitoring behaviour). Similarly, the PDPA applies to all organisations, other than public agencies or organisations acting on behalf of a public agency, that collect, use or disclose personal data in Singapore, whether or not they are formed or recognised under the laws of Singapore, or are resident or have an office or place of business in Singapore.
Both the GDPR and the PDPA grant individuals several rights over their personal data. The rights under these regulations are set out below:
Both the GDPR and the PDPA require organisations to obtain individuals' consent (or, under the GDPR, to rely on another lawful basis) before collecting, using or disclosing their personal data. There are, however, differences between the two regimes in how consent is obtained and how individuals can opt out of data processing.
Under the GDPR, where consent is the lawful basis, it must be obtained before the personal data is processed. Consent must be freely given, specific, informed and unambiguous: individuals must understand what they are agreeing to, and they must be able to withdraw consent as easily as they gave it.
Under the PDPA, deemed consent is recognised as an alternative to express consent, for example where an individual voluntarily provides personal data to an organisation for a purpose and it is reasonable that they would do so. Deemed consent does not remove the organisation's obligation to notify individuals of the purposes for which their data is collected, used or disclosed.
For opting out, organisations should provide simple methods such as unsubscribe links or an email address through which individuals can ask that their personal data not be used for marketing purposes. By providing clear opt-out mechanisms and honouring opt-out requests, organisations build trust with customers and demonstrate their commitment to data privacy.
Under the GDPR, organisations must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by the processing. Such measures include pseudonymisation and encryption of personal data, the ability to restore the availability of and access to personal data in a timely manner after an incident, and regular testing and evaluation of the effectiveness of the security measures. The GDPR also requires organisations to maintain records of their processing activities and to conduct Data Protection Impact Assessments [DPIA] in certain circumstances, such as when the processing is likely to result in a high risk to individuals' rights and freedoms.
Under the PDPA, organisations must likewise make reasonable security arrangements to protect personal data against unauthorised access, collection, use, disclosure, copying, modification or disposal, and similar risks. These arrangements may include physical and logical access controls, encryption of personal data and periodic review of security measures. PDPC guidance further recommends that organisations maintain an inventory of the personal data they hold and conduct regular risk assessments to identify threats and vulnerabilities affecting that data.
Under the GDPR, organisations must report a personal data breach to the relevant supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Where the breach is likely to result in a high risk to those rights and freedoms, affected individuals must also be notified without undue delay.
Under the PDPA, organisations must assess a data breach as soon as practicable after becoming aware of it. If the breach is notifiable, that is, it is likely to result in significant harm to affected individuals or affects 500 or more individuals, the organisation must notify the Personal Data Protection Commission [PDPC] within three calendar days of making that assessment. Where the breach is likely to result in significant harm, affected individuals must also be notified as soon as practicable.
Both the GDPR and the PDPA emphasise prompt reporting of data breaches, to minimise the potential harm to individuals and to demonstrate a commitment to data privacy and security.
The enforcement mechanisms of the GDPR and the PDPA are similar, and both provide for a range of penalties for non-compliance. Under the GDPR, administrative fines can reach 20 million euros or 4% of annual global turnover, whichever is higher, with a lower tier of 10 million euros or 2% for less serious infringements. Under the PDPA, financial penalties can reach 10% of an organisation's annual turnover in Singapore or 1 million Singapore dollars, whichever is higher. The GDPR leaves criminal penalties to individual member states, while the PDPA itself creates offences, including for individuals who knowingly or recklessly disclose, misuse or re-identify personal data without authorisation.
Both regimes also allow individuals to bring legal action against organisations for non-compliance and to seek compensation for damage resulting from violations.
The GDPR and the PDPA are similar in many ways, but there are key differences. The most obvious is territorial: the GDPR applies across the EU and EEA and reaches organisations outside the EU that target or monitor individuals in the EU, while the PDPA applies to personal data collected, used or disclosed in Singapore. The implications of these regulations are significant for businesses operating within their respective regions. Compliance is crucial because non-compliance with the GDPR can result in fines of up to 20 million euros or 4% of annual global turnover, whichever is higher. By complying with the GDPR and the PDPA, businesses demonstrate a commitment to data privacy and security and build trust with customers and stakeholders. Businesses should stay up to date with these regulations and seek professional advice if they are unsure about their compliance obligations.
Any business that processes the personal data of individuals in the EU or EEA must comply with the GDPR, regardless of where the business is located. The regulation aims to protect individuals' personal data and to ensure that businesses handle it responsibly.