GDPR vs PDPA: Understanding the Differences


Introduction

The General Data Protection Regulation [GDPR] is a European Union regulation that imposes strict rules on how companies handle personal data. It applies to all companies that operate in the European Union [EU], regardless of where they are located. GDPR was adopted by the European Parliament on 14 April 2016 & came into force on 25 May 2018. The purpose of this law is to protect European Union [EU] citizens from privacy violations.

The Personal Data Protection Act [PDPA] is a Singapore national law that came into effect in July 2014. Its main purpose is to protect the privacy rights of individuals & to regulate how personal data can be collected & used by private sector organisations.

Businesses need to comply with data privacy regulations such as GDPR & PDPA to protect the personal data of their customers & employees. Collecting, processing & storing personal data comes with risks, including the potential for data breaches, hacking or misuse of data.

Overview of GDPR & PDPA

GDPR: The GDPR is an important component of the European Union [EU] Privacy law & Human Rights law. It addresses the transfer of personal data outside EU regions. The GDPR’s primary aim is to enhance individuals’ controls & rights over their personal data & to simplify the regulatory environment for International Businesses. The GDPR requires businesses to obtain explicit consent from individuals before processing their personal data & imposes strict data protection requirements.

PDPA: The PDPA is a Singapore regulation that came into existence in July 2014. It applies to businesses that process personal data in Singapore including businesses that are not based in Singapore but process personal data of citizens from Singapore. The regulation aims to regulate the collection, use & disclosure of personal data by businesses in Singapore. It requires businesses to obtain consent from individuals before collecting & processing data & imposes various data protection obligations.

Both laws are comprehensive & set out similar personal & international scopes. While the GDPR applies to both private & public bodies, the PDPA excludes public agencies & organisations acting on behalf of public agencies from its scope. Both the GDPR & the PDPA provide supervisory authorities with wide-ranging investigatory & corrective powers & set out significant monetary penalties in cases of Non-Compliance.

Here are some of the similarities & differences between GDPR & PDPA:

Similarities:

  1. Protect Personal Data: The GDPR & PDPA only protect living individuals. The GDPR does not protect the personal data of deceased individuals; this is left to the Member States to regulate.
  2. Rights Over Data: GDPR & PDPA grant individuals several rights over their personal data, including the right to access, correct & delete data.
  3. Provisions for Data Breach Notification: Both regulations require businesses to report data breaches to the relevant authorities & to affected individuals.
  4. Penalties for Non-Compliance: Both regulations impose significant fines & penalties on businesses that fail to comply with their provisions.

Differences:

  1. Data Controller: Under GDPR, businesses that collect & process personal data are known as Data Controllers & are responsible for ensuring Compliance with the Regulations, while PDPA uses the term Data User to refer to businesses that process personal data.
  2. Penalties for non-compliance: Penalties under GDPR are more severe than those under PDPA. GDPR violations can result in fines of up to €10 Million or 2% of the business’s global annual revenue, while PDPA violations can result in fines of up to SGD 1 Million or 10% of the business’s annual revenue.
  3. Consent requirements: GDPR has stricter consent requirements than PDPA. To be Compliant with GDPR, businesses must obtain explicit consent from individuals before collecting & processing their personal data, while under PDPA implied consent may be sufficient in some cases.
  4. Data Portability: GDPR includes a provision for Data Portability, which allows individuals to request a copy of their personal data in a machine-readable format, while PDPA has no similar provision.

Scope & Applicability

GDPR & PDPA have different scope & applicability requirements. The GDPR applies to all businesses that process the personal data of European Union [EU] citizens, regardless of where they are located. The regulation applies to all businesses that process personal data, regardless of their size, which means that even small businesses that process personal data are subject to GDPR’s requirements.

The PDPA, on the other hand, applies to businesses that process personal data in Singapore, regardless of the size of the business. The regulation applies to all businesses, including non-profit organisations & government agencies, that process personal data in Singapore.

With regard to the territorial scope of each regulation, the GDPR applies to Data Controllers & Data Processors that do not have a presence in the EU but whose processing activities take place in the EU. Similarly, the PDPA applies to all organisations (other than a public agency, or an organisation acting on behalf of a public agency) that carry out activities relating to the collection, use & disclosure of personal data in Singapore, whether or not they are formed or recognised under the laws of Singapore, or are resident or have an office or a place of business in Singapore.

Rights of Data Subjects

Both GDPR & PDPA grant individuals several rights over their personal data. The rights granted under these regulations are listed below:

  1. Right to access: Individuals have the right to access their personal data held by businesses & to request information about how their data is being processed.
  2. Right to rectification: Individuals have the right to request that their personal data be corrected if it is inaccurate or incomplete.
  3. Right to erasure: Individuals have the right to request that their personal data be deleted in certain circumstances, such as when the data is no longer necessary for the purpose for which it was collected.
  4. Right not to be subject to automated decision-making: GDPR grants individuals the right to object to automated decision-making processes that have legal or similarly significant effects on them.

Consent & Opt-Out

Both GDPR & PDPA require businesses to obtain individuals’ consent before collecting, using or disclosing their personal data. However, there are some differences between the two regulations in how consent is obtained & how individuals can opt out of data processing.

Under GDPR, businesses must obtain consent from individuals before processing their personal data. Individuals must be able to give their consent freely, which means that they must be able to understand what they are agreeing to & must have the option of changing their mind.

Under PDPA, implied consent can be used as an alternative method of obtaining permission from customers if you do not have sufficient information about them. For implied consent to be valid under PDPA rules, you must make it clear how long you will keep the customer’s data.

For opting out, businesses should provide simple & easy methods, such as unsubscribe links or an email address to which individuals can send a request that their personal data not be used for marketing purposes. By providing clear opt-out mechanisms & respecting individuals’ requests to opt out, businesses can build trust with their customers & demonstrate their commitment to Data Privacy.

Data Protection Requirements

Under GDPR, businesses must implement appropriate technical & organisational measures to ensure a level of security appropriate to the risk presented by the processing of personal data. These measures include pseudonymisation & encryption of personal data, regular testing & evaluation of security measures, & the ability to restore the availability of & access to personal data. GDPR also requires businesses to maintain records of their processing activities & to conduct Data Protection Impact Assessments [DPIA] in certain circumstances, such as when processing is likely to result in a high risk to individuals’ rights & freedoms.

Under PDPA, businesses must also implement reasonable security arrangements to protect personal data against unauthorised access, use, disclosure, modification or disposal. These security arrangements may include physical & logical access controls, encryption of personal data & regular review of security measures. PDPA also requires businesses to maintain an inventory of their personal data assets & to conduct regular Risk Assessments to identify potential threats & vulnerabilities to personal data.

Data Breach Notification

Under GDPR, businesses must report data breaches to the relevant authorities within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals’ rights & freedoms. GDPR also requires businesses to notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights & freedoms.

Under PDPA, businesses must also report data breaches to the relevant authorities as soon as possible after becoming aware of the breach. PDPA requires businesses to assess the impact of the breach on affected individuals & to notify them as soon as practicable if the breach is likely to result in significant harm or affects a large number of individuals.

Both GDPR & PDPA emphasize the importance of reporting data breaches promptly to minimise the potential harm to individuals & to demonstrate a commitment to data privacy & security.

Enforcements & Penalties

The enforcement mechanisms for GDPR & PDPA are similar. Both laws provide for a range of penalties for Non-Compliance. Fines can be up to 2% of annual global turnover under GDPR, while under PDPA they can be up to 10% of annual turnover. In addition, both laws provide for criminal sanctions against individuals who knowingly or negligently violate their respective regulations.

Both GDPR & PDPA allow individuals to bring legal action against businesses for Non-Compliance & to seek compensation for damages resulting from violations.

Comparison of GDPR & PDPA

[Image: GDPR vs PDPA comparison]

Conclusion

The GDPR & PDPA are similar in many ways, but there are also some key differences. The most obvious one is that GDPR applies only to EU member states, while PDPA applies to Singapore as well as some Asia-Pacific countries. The implications of these regulations are significant for businesses operating within their respective regions. Compliance is crucial, because Non-Compliance with GDPR can result in fines of up to €10 Million or 2% of annual revenue, whichever amount is higher. By complying with GDPR & PDPA, businesses can demonstrate a commitment to Data Privacy & Security & build trust with their customers & stakeholders. It is essential for businesses to stay up to date with these Regulations & to seek professional advice if they are unsure about their Compliance obligations.

FAQs

Who must comply with the GDPR?

Any business that processes the personal information or data of individuals in EU or EEA countries must comply with GDPR, regardless of where the business is located.

What is the GDPR & who does it apply to?

GDPR is a data privacy regulation that applies to any business that processes the personal data of individuals in EU or EEA countries, regardless of where the business is based. The Regulation aims to protect individuals’ personal information & to ensure that businesses handle data responsibly.
