
GDPR Compliance in Singapore Organisations

The European Union General Data Protection Regulation (EU GDPR) was first published in April 2016 and came into force on 25 May 2018.

Overseas business organisations that either supply goods and services to individual consumers in the EU, or identify and monitor the behaviour of individuals within the EU, whether directly or indirectly, come under the ambit of this regulation. The organisations need not have any physical presence in the EU.

Singapore is the largest trading partner of the EU in ASEAN and many organisations in Singapore come under the jurisdiction of EU GDPR.

When does a Singaporean organisation come under the jurisdiction of EU GDPR?

GDPR is a European regulatory standard, but its applicability extends far beyond the EU's borders. Companies must opt for GDPR compliance in Singapore if they are involved in any of the following activities:

  • Processing the personal data of individuals in the EU in the context of offering and supplying goods and services to those individuals.
  • Identifying and monitoring the behaviour of individuals in the EU.
  • Publishing the price of products or services in Euros or in the currency of an EU Member State.
  • Using online identifiers, including IP addresses, unique IDs, cookies, RFID tags, search and browser history, and many more.
  • Building business websites in the vernacular language of an EU Member State.

If a Singaporean organisation's target audience includes individuals in the EU for business purposes, it needs to engage a European representative if:

  • personal data processing is carried out on a large scale, or
  • special categories of personal data, as defined in Articles 9(1) and 10 of the GDPR, are processed.

Under the EU GDPR, certain categories of sensitive data cannot be processed except under specific exceptions. These include:

  • Racial or ethnic origin data
  • Data relating to religious, political or philosophical beliefs
  • Data relating to sexual orientation
  • Genetic or biometric data
  • Data relating to trade union membership

Does compliance with Singapore's Personal Data Protection Act (PDPA) mean EU GDPR compliance?

No. Because the two regulatory regimes, GDPR and PDPA, spell out different sets of requirements, Singapore data protection compliance does not necessarily mean that the organisation complies with the EU GDPR. While the PDPA grants exemptions to public agencies and their agents, to employees, and to individuals acting in a personal capacity, there are no such waivers in GDPR, which applies to everyone equally.

The revised and more detailed Singapore data protection compliance regulation, enacted by the Singapore government on 1st February 2021, is however a more streamlined approach that converges towards the European regulation on data protection, closely resembling the six legal bases for personal data processing specified in GDPR. The recent amendments incorporated into Singapore data protection compliance requirements include:

  • Data breach notification: mandatory data breach notification.
  • Legitimate interest: an exception to consent for legitimate interest.
  • Deemed consent by notification.
  • Increased financial penalties.
  • Data portability right: a new data portability right.

The Personal Data Protection Commission (PDPC) Singapore has illustrated, through an infographic, the broad categories of difference between the two regulations, including the PDPA's exceptions to consent and the legal bases of personal data processing under GDPR.

What is needed for Singaporean organisations to be compliant with the EU GDPR?

The European regulators provide guidelines for complying with the EU GDPR, with references to specific online resources on the regulatory requirements. Business organisations can use these resources for the necessary GDPR compliance in Singapore. Legal help and advice may also be sought whenever needed.

The key requirements of the EU GDPR are highlighted in the factsheet issued by the PDPC, which businesses in Singapore can use as an organisational reference.

For GDPR compliance in Singapore, business organisations need to do the following:

  • Data processing as a necessity: establish that the data processing is necessary.
  • Data retention and deletion: decide on data retention and deletion periods.
  • Data encryption: ensure that all data are encrypted.
  • GDPR awareness: spread GDPR awareness across the organisation.
  • Train employees: train employees on proper data handling techniques.
  • Transfer of data to other countries: frame data governance policies for transferring EU-specific data to countries outside the EU.
  • Procedures for GDPR: ensure appropriate procedures and processes for all data subject to GDPR compliance.


Are there penalties for non-compliance with GDPR?

Yes. Non-compliance with GDPR can bring severe consequences, with hefty administrative fines imposed by the GDPR supervisory authorities:

  • For minor infringements, such as failure to notify data breaches or to implement data protection by default, a fine of up to 10 million Euros or 2% of the global turnover of the preceding financial year, whichever is higher.
  • For major infringements, such as violating the conditions for consent or failing to adhere to the regulations when transferring personal data to a third country or an international organisation, a fine of up to 20 million Euros or 4% of the global turnover of the preceding financial year, whichever is higher.

In contrast to Singapore data protection compliance, the penalties for GDPR non-compliance apply equally to business organisations and individuals.

Besides the heavy penalties, any violation of GDPR compliance also damages the organisation's reputation and adversely affects its customer base and future growth prospects.

Conclusion

The EU, with a population of 440 million, is a huge market for Singapore and one that is expected to grow over time. This will undoubtedly drive an increasing number of businesses to pursue GDPR compliance in Singapore.

GDPR is unmatched legislation for enhancing individuals' rights over, and transparency about, their data, and it is being embraced by Singaporean businesses with spirit and enthusiasm.
