There are some concerns we’ve encountered during conversations with our clients recently, centered around Personal Data Protection Act (PDPA) and General Data Protection Regulation (GDPR). As you may be aware, PDPA is a regulation passed in Singapore whereas GDPR is an EU regulation. Here’s a quick comparison.
Who does it apply to?
PDPA
All businesses in Singapore
GDPR
Applies to any organisation established within and outside of the EU, so long as:
- the organisation offers goods or services to individuals in the EU, or
- monitors their behaviour within the EU
- processes and holds personal data of individuals residing in the EU, regardless of the organisation’s location
What does it do?
PDPA
The [Personal Data Protection Act (PDPA) of Singapore governs] the collection, use and disclosure of individuals’ personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use and disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
GDPR
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonise the data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organisations across the regions approach data privacy.”
The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.
PDPA – What it means for your business?
- 9 data protection obligations:
- Consent: needed before personal data is collected, used, or disclosed
- Purpose limitation: an organisation must inform an individual of its purpose for collecting, using, or disclosing personal data; also, the collected data must not be used for anything other than the initial intended purpose.
- Notification: individuals must be notified of the purpose before they may give their consent to have their personal data collected, used, or disclosed.
- Access and correction: individuals have the right to request access to their personal data in an organisation’s possession or control, and be allowed to correct any error to his/her personal data.
- Accuracy: an organisation should make reasonable effort to collect accurate and complete personal data, especially if any decisions made using the personal data affects the individual, and if the personal data will be disclosed to another organisation.
- Protection: reasonable security arrangements must be made to prevent unauthorised access, use, disclosure, copying, modification, and disposal of personal data in an organisation’s possession or control
- Retention limitation: An organisation may only keep personal data until a certain period, after which it must remove or delete documents containing such permanently.
- Transfer limitation: personal data may not be given outside of Singapore unless the recipient country has data protection standards commensurate to that of the PDPA
- The National Do Not Call Registry
- Names registered into the national DNC Registry may not receive unsolicited marketing messages (voice calls, text messages, or fax) from any registered organisation in Singapore.
GDPR – What it means for your business?
- These are the key changes introduced to the GDPR:
- Increased territorial scope: regardless of where you are in the world, if your company processes personal data of subjects residing in the EU, then the GDPR should apply to you.
- Penalties: An organisation that doesn’t comply can be fined up to a maximum of 4% of annual global turnover, or €20 million (whichever is greater).
- Consent: Individuals must be given a request for consent form that is intelligible and easily accessible.
- Breach notification: Data controllers must notify supervisory authority, private individuals affected, or the organisation to which it reports of any privacy breaches without undue delay/within the first 72hrs of having become aware of the breach.
- Right to access: Data subjects must be able to easily access their personal data in the possession or control of data controllers, free of charge, and must be provided a copy in electronic format.
- Data erasure: Data subjects have the right to have their personal data forgotten: erased, ceased to be disseminated, or have third parties halt processing of their personal data by the data controller.
- Data portability: Data subjects should be able to receive the personal data they have consented to provide in a “commonly used and machine readable format” and have the right to transmit that data to another controller
- Privacy by design: Data protection must be included at the onset of designing of systems, and not just as an addition.
- Appointment of Data Protection Officers will only be for organisations:
- whose core activities consist of data processing operations,
- that do systematic monitoring of data subjects on a large scale,
- that regularly process special categories of data or data relating to criminal convictions and offences
The GDPR has stricter measures than the PDPA for requesting and providing consent, so be sure to take a closer look into this section of the policy.
Personal data
PDPA
Data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access. This includes unique identifiers; photographs or video images of an individual; as well as any set of data, which when taken together would be able to identify the individual.” (Source)
Exclusions:
- Data used for business purposes (i.e., business contact info)
- Data belonging to an individual deceased for over 10 years
GDPR
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
Only data that is necessary to an organisation’s purpose should be collected. (data minimization)
Consent
PDPA
Express Consent”: consent expressed in writing
“Deemed Consent”:
- When an individual voluntarily provides his/her personal data to an organisation and it is reasonable for the individual to do so
- Voluntarily provided data to one organisation can be passed on to another organisation for a particular purpose
(Source)
Exceptions:
Consent is not needed for the following uses and circumstances:
- For collection of personal data: Second schedule
- For use of personal data: Third schedule
- For disclosure of personal data: Fourth schedule
GDPR
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
- Requires positive opt-in (no pre-ticked boxes or default consent)
- Expressly and explicitly given in a very clear and specific statement
- Consent requests should be separate from other terms and conditions.
- Get separate consent for separate purposes. Vague or blanket consent is not acceptable.
- Third-party controllers who will rely on consent should be named
- Individuals should be informed how they may withdraw their consent, and the steps to withdrawal should be easy.
- Consent to processing a precondition of a service should not be made.
For a more thorough checklist on asking for, recording, and managing consent, click here.
Sensitive Personal Data
PDPA
Not defined
GDPR
Personal data revealing:
- racial or ethnic origin,
- political opinions,
- religious or philosophical beliefs
- trade union membership,
- genetic data,
- biometric data for the purpose of uniquely identifying a natural person,
- data concerning health, or
- data concerning a natural person’s sex life or sexual orientation.
Such data is prohibited from being collected, used, or disclosed.
Age of Consent
PDPA
Not defined
GDPR
Threshold set at 16 years old, but may be lowered by member states to between 13 to 16 years old.
Purpose
PDPA
- Should be considered appropriate to the circumstances by a “reasonable person” (Section 18)
- No need to specify the activities an organisation will be undertaking in relation to the data collected; however, objectives and reasons for collecting such should be provided to the individuals from whom you wish to gain consent (Source)
GDPR
Strictly limited to:
- “specified, explicit and legitimate purposes” (Article 5)
- public archiving, historical, scientific, or statistical purposes must not be incompatible with the initial purposes (purpose limitation)