What You Must Know About the European Union’s New General Data Protection Regulation (GDPR)
The General Data Protection Regulation 2016/679 (“GDPR”) will come into effect on 25 May 2018. It is a new data protection regulation which will apply to any organisation that collects the personal data of European Union (“EU”) citizens / residents.
The broad reach of the regulation suggests that as long as a company collects data on people who are resident in the EU, or hires EU citizens as employees, it must comply with the GDPR, or risk being fined, even if the company is located outside the EU, such as in Singapore. This is regardless of whether the company knows it is collecting data on EU residents, which poses a particular concern to companies that routinely collect information from customers including tourists (such as in the consumer retail industry).
The consequences of non-compliance are severe:
- the maximum fine for a breach of the GDPR is presently set at the greater of €20 million (approximately SGD 33 million); or
- four percent of the company’s annual turnover.
Pecuniary penalties aside, the manner in which the EU handles GDPR breaches may also present organisations with an urgent choice:
- they must either bring their policies and processes in line with the GDPR’s new rules; or
- risk being shut out and suffering injury to their reputation in a market with almost half a billion potential consumers.
COMPLIANCE WITH SINGAPORE’S PDPA REGIME IS NOT SUFFICIENT TO MEET THE EU’S GDPR REQUIREMENTS
Personal data in Singapore is protected under the Personal Data Protection Act 2012 (“PDPA”). While the PDPA is fairly comprehensive, compliance with the PDPA is not sufficient to meet the requirements of the GDPR.
While there are numerous differences between the PDPA and the GDPR, we highlight the following three key differences for your immediate attention and action:
- No “Deemed Consent” Under the GDPR
Section 15 of the PDPA provides a practical carve-out to the otherwise onerous task of procuring clear consent by allowing consent to be deemed from an individual in two situations.
The first situation is where an individual voluntarily provides his or her personal data to the organisation for a specific purpose and it is reasonable that the individual would voluntarily provide the data.
The second situation occurs if an individual gives or is deemed to have given consent to Organisation A to disclose his personal data to Organisation B for a certain purpose, in which case Organisation B can proceed to use that personal data without having to obtain fresh consent.
In contrast, the GDPR does not allow for consent to be deemed at all.
Under Article 4 of the GDPR, consent must be clearly and freely expressed.
Consent must also be specific to the purpose or task at hand, and must be based on a full understanding of how that personal data is to be used and processed. Accordingly, organisations will have to build in and systematise a means of soliciting, obtaining and recording actual informed consent from the consumer, whether through the use of an e-alert requiring some form of confirmation or reply, or a physical form that the customer can review and fill in to signify his or her agreement to the use of personal data.
- Data Adequacy / Minimisation Under the GDPR
The PDPA is silent on the degree of relevance that the personal data collected must have to the organisation’s professed purpose(s).
In contrast, Article 5(1)(c) of the GDPR sets out a clear position on data minimisation, which is the principle that an organisation may only collect personal data that is “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. This exacting standard demands that organisations limit themselves to collecting a bare minimum of personal data necessary to accomplish a given task. While the concept itself may be simple, organisations looking to be GDPR-compliant must consider a host of questions, including but not limited to the following:
- how long data is automatically stored for;
- what automatic data logging and capturing processes are in place, and the scope of those processes;
- whether any departments or divisions have the practice of retaining data that is presently irrelevant with a view towards future relevance; and
- how to construct a framework for determining (and evidencing) the personal data that will be essential to that organisation’s goods and services.
This will require new data minimisation guidelines and policies to be put in place at each step of the data lifecycle.
- Onerous Data Erasure Requirements
Article 17 of the GDPR provides individuals with the right to have their personal data erased or ‘forgotten’ by an organisation under several circumstances, such as the withdrawal of consent.
This is potentially one of the most daunting regulations to comply with since the means by which an organisation collects and stores personal data can vary greatly. For instance, a company may not know how many copies of every individual’s personal data are stored on local computers, network servers and remote backup servers. Further, certain backup servers do not allow data to be deleted piecemeal. These technical issues can become serious legal and public relations challenges to organisations who have to comply with an EU resident’s request for personal data deletion.
Under the PDPA, section 22 affords the individual the right to request a correction of personal data, while section 25 requires that data be disassociated from the individual or destroyed if it is reasonable to assume that the purposes for which that data was collected are no longer being served. However, unlike the GDPR, the PDPA does not give the individual the right to demand deletion of his/her personal data upon withdrawal of consent.
URGENT NEXT STEPS
As the deadline for GDPR compliance draws near, it is imperative that local businesses pay heed to its numerous regulations, especially since Singapore is one of the EU’s largest trade partners in ASEAN.
The potential changes required under the GDPR can be wide-ranging – from an overhaul of a corporation’s data policies and processes, to changing IT hardware and systems to better capture, store and account for customer data, and even the encouragement of a change in corporate culture through training and equipping.
Corporations must be ready to provide evidence of active compliance, and of prior preparation and planning directed towards such compliance, in the event of a contingency.
Parties with further queries should not hesitate to contact our Corporate Practice for detailed advice tailored to your company’s specific needs.
The above content is for general information purposes only. It is not and does not constitute nor is it intended to provide or replace legal advice, a legal opinion or any information intended to address specific matters relevant to you or concerning individual situations. Should you require specific legal advice, please do not hesitate to contact the Partner listed above or your regular contact at the Firm. Copyright of Oon & Bazul LLP.