
What is GDPR and how does it affect Singapore SMEs?
In May, a new European privacy law called the General Data Protection Regulation (GDPR) will come into effect. While it is European Union (EU) legislation, companies all over the world – including Singapore – will be affected by the regulation.
The GDPR will have a far-reaching impact because it applies not only to organisations located within the EU, but also to companies outside the EU that offer goods or services to people in the EU, or that monitor the digital behaviour of people within the EU.
What is GDPR?
The law essentially raises the standards of personal data privacy and changes the rules for companies that collect, store, or process large amounts of user information. Every company that operates in Europe or has European users will be required to be GDPR-compliant and give users more access to and control over their own data.
The legislation has provided rules for how companies should handle the data of European citizens and more importantly, has also expanded the scope of what is understood to be personal data. The penalties for noncompliance are also very steep.
What is required of businesses to comply with the GDPR?
The regulation stipulates that organisations covered by the GDPR must employ a Data Protection Officer, who is responsible for ensuring that the organisation collects and secures personal data responsibly.
Secondly, individuals now have more rights over how their personal data is used by the organisation. Their personal data cannot be used or kept if they withdraw their consent, or if keeping their personal data is no longer required for the purpose the individual consented to.
In addition, consent for a particular use must now be explicitly given before a person’s personal data can be used for that purpose. This means that personal data previously collected without meeting this new requirement cannot be used unless express consent is obtained. Organisations must also immediately report breaches in data security to the relevant authority within 24-72 hours of the breach.
A global study from Veritas Technologies revealed that 86% of organisations worldwide are concerned about failing to comply with the GDPR, which takes effect on 25 May 2018.
In Singapore, the figure is higher as 92% of local organisations have expressed concerns over potential GDPR fallout. About 20% also fear that their businesses could be shut down due to non-compliance.
SMEs in breach of GDPR will face stiff penalties
Failure to comply will result in stiff penalties under the GDPR, which introduces a tiered approach to fines. For example, a company found to be non-compliant with the GDPR can be fined $29.8 million or 4% of the firm’s global turnover of the preceding financial year, whichever is higher.
If a company is found not to have its records in order, not to have notified the supervising authority and the data subject about a breach, or not to have conducted a Privacy Impact Assessment, it will be fined $16.2 million or 2% of the firm’s total global turnover of the preceding financial year, whichever is higher.
How can Singapore SMEs be prepared?
It is important to evaluate and ensure that all personal data is stored responsibly and securely. Organisations need to know what data is being stored, where it is stored and who has access to it. Crucially, organisations need to come up with a framework that helps them to spot breaches as they occur.
Data security arrangements also have to be regularly reviewed and updated, and privacy impact assessments are essential. It is equally important to review the consents given when personal data was collected: you need to stop using personal data that was collected under an “opt out” mechanism. Make sure to update your organisation’s privacy policies and inform individuals of their new rights under the GDPR.
Are the Personal Data Protection Act (PDPA) requirements enough for the GDPR?
While the PDPA has set strict guidelines with regard to an organisation’s use of personal data, the GDPR is even stricter. Complying with the PDPA does not mean you are complying with the GDPR.
For example, the PDPA is more lax when it comes to the requirements for gaining consent. Under the PDPA, consent can be acquired even if the individual does not explicitly give it: consent is simply deemed to have been given if the individual voluntarily provides the data. This is known as the concept of ‘deemed consent’, which the GDPR does not allow. The GDPR requires consent to be unambiguous, explicit, expressed and freely given.
The PDPA also has a more limited scope and does not necessarily apply to all personal data processing activities, such as those of the public sector and any agent of a public agency.
Maintain Compliance with Office 365
Office 365 is a tool that will help customers meet their compliance obligations when it comes to data protection and data privacy. Some features include:
- Labels to classify data, e.g. general, personal, credit card, etc.
- Tracking of every document through the cloud – who has opened it and at what time
- Ability to revoke access to a document remotely in the event that a possible data breach has been detected
- Organisation and storage of data in the cloud so that it can be easily found later
Summary:
- GDPR is an EU privacy law that takes effect 25 May 2018. While it is an EU regulation, it affects any company that provides goods or services or monitors the behaviour of EU users, whether in or outside of Europe.
- GDPR gives more rights to the individual over the use of their personal data.
- Some important conditions of GDPR include appointing a data protection officer and expressly acquiring consent of the individual whose data you plan to collect or use for a particular purpose. It is also crucial to report data breaches within 72 hours.
- Failure to comply with GDPR will result in steep penalties.
- Complying with PDPA does not mean you comply with GDPR. Singaporean SMEs who need to comply with GDPR as well have to ensure they take into account the stricter guidelines of the European privacy law.
Leverage GDPR compliant solutions such as Microsoft Office 365 to stay compliant. Contact us today to find out more.