The EU’s GDPR vs Singapore’s PDPA

By Sharanya Mohan

January 3, 2023


Almost every country wants to play a role in the upcoming 4th Industrial Revolution (4IR), as it offers an opportunity to revitalise their economies. Typically, the richest countries in the world tend to be those with the most natural resources. However, with at least 2.5 quintillion bytes generated daily, data has become a commodity in its own right. As such, governments must implement legislation to protect their citizens’ data, as breaches have the potential to escalate into issues of national security.


The European Union’s General Data Protection Regulation (GDPR) is considered one of the most comprehensive data privacy and security laws in the world. Thus, if you’re already following it and plan to scale your business interests into Singapore, do you really need to revise your data policies to meet the Personal Data Protection Act? The following guide will help you answer this question by providing you with a side-by-side comparison of the EU’s GDPR and Singapore’s PDPA. 

What is the GDPR: A Brief Summary

The GDPR contains a list of rules that dictate what data controllers and processors can lawfully do with personal data. This gives individuals more control over how data is both collected and used and forces entities (organisations and individuals) to justify what they plan to do with it. 

While the GDPR is a European legislation, it has a substantial impact on countries and companies operating outside of the EU. This includes Singapore – as some Singaporean companies may be interested in digitally operating within European territories.

The EU introduced the GDPR to supplement laws that it established before the world began to view data as a commodity. Most notably, the GDPR applies to both public and private bodies. Furthermore, it separates personal data into special categories. These are just two of the differences between the GDPR and the PDPA.

What is the PDPA: A Brief Summary

Singapore’s PDPA was passed in October 2012 and initially contained simple guidelines for data protection. Soon after it came into effect, various amendments and provisions were added, most notably the Do Not Call (DNC) provisions and the data protection provisions. Singapore’s Personal Data Protection Commission serves as the authority in charge of matters related to the PDPA.

This includes providing additional simplified advisory guidelines to private entities. Singapore's Personal Data Protection Commission (PDPC) highlights 11 obligations (at the time of writing this article) from the PDPA that data controllers and processors must adhere to, including:

  • Accountability: Entities’ data protection policies must be made available for scrutiny at any time.

  • Notification: Entities must notify subjects that their data will be collected and/or processed. Furthermore, they must disclose the reason that said data is being collected.

  • Consent: Entities must earn a subject’s consent before collecting their data. Subjects must be allowed to withdraw consent at any time. Once consent is withdrawn, the data collector and/or processor must cease all collection and/or processing of the subject’s data. 

  • Purpose Limitation: There is a limit to what data entities can collect and how they can use it. Data should not be collected for purposes beyond providing the subject with a service or product.

  • Accuracy: Entities must ensure that collected data is accurate, especially if it will be employed in decisions that affect the subject.

  • Protection: Entities must take the necessary steps to ensure that the private data of subjects are protected.

  • Retention Limit: Entities must securely dispose of data when it is no longer required for legal or financial reasons.

  • Transfer Limitations: Entities can only transfer data to other countries if they adhere to regulations set out by the PDPA. However, they may also acquire an exemption from the PDPA for special circumstances.

  • Access and Correction Obligation: Entities must provide subjects with their data upon request. Additionally, they must provide information regarding how the data was used or disclosed – and to whom. Entities are also required to correct any erroneous or missing information.

  • Data Breach Notification: In the event of a data breach, entities must assess its severity to determine if the data of subjects was exposed. If a data breach is indeed severe, the entity must inform the PDPC and the affected subjects.

  • Data Portability: Upon request from the subject, entities must be able to transfer data to other entities in a machine-readable format. 

Unlike the GDPR, the PDPA largely applies to private entities, not public ones. However, there are cases where public entities have been punished for overreaching and violating the privacy rights of subjects. The PDPA also offers no delineation between types of personal data in the way that the GDPR does. Should organisations limit their spending and time to becoming only PDPA compliant if they’re only going to operate in that region? Or are these resources better spent meeting GDPR requirements?

Key Differences Between the GDPR and PDPA

GDPR is globally considered the strictest and most thorough regulation for data privacy. As such, GDPR compliance often results in cross-region compliance. Essentially, this could mean automatic adherence to Singapore’s data and privacy regulations. 

Nevertheless, GDPR compliance tends to require more work and resources from your organisation as several requirements may be unnecessary for other regions. Thus, if you plan to be operating in a select few regions, it may not be worth it. 

The upfront investment required to achieve GDPR compliance may be significant. However, it will allow your organisation to immediately work with users based in the EU. This prospect may be attractive if your organisation is aiming for global availability. 

The most notable advantage that the PDPA has over GDPR is that it is more business-friendly. This may make it more attractive if your organisation is primarily focused on the Singaporean market. 

Nevertheless, you must be aware of the following differences between the PDPA and GDPR when determining the right regulations for your organisation:

GDPR vs PDPA: Key Differences

Region
  GDPR: Applies to entities and establishments operating within territories of the EU. Protects living EU citizens.
  PDPA: Applies to entities and establishments operating within Singapore. Protects living Singaporean citizens.

Date Passed
  GDPR: 25 May 2018
  PDPA: 15 October 2012

Views Business Email Addresses as Data

Scope of Consent for Data Usage
  GDPR: Entities that have previously obtained consent for data collection for a specified purpose must obtain additional consent when they want to use the data for a different purpose.
  PDPA: Entities that have obtained consent for data collection for a specified purpose must obtain additional consent when they want to use the data for a different purpose, unless the data will be used to improve services and/or products.

Minute-by-Minute Data Tracking
  GDPR: Enforces strict minute-by-minute tracking of data. Data controllers and processors must know where the data is at all times.
  PDPA: Does not enforce minute-by-minute tracking of personal data from subjects. As such, entities are not required to record when the data was accessed or processed and by whom/what. However, if an entity subject to the PDPA does put effort into tracing and documenting the flow of personal data, this may become a point of consideration in determining the amount of the fine levied in the case of a breach.

Enforces Data Privacy Compliance in Contractual Agreements with Third Parties with Data Access
  GDPR: Strictly enforces it.
  PDPA: Encourages entities to address data privacy compliance in their contractual agreements with third parties who have access to private data. However, it does not enforce it.

International Data Transfers
  GDPR: Overseas facilities are required to offer the same level of protection and compliance that the local entity does. The specifics of these rules are contained in no less than seven articles of detailed requirements. They can be quite far-reaching and difficult for organisations to enforce.
  PDPA: While less prescriptive than the GDPR, the PDPA states that data controllers may only transfer data to parties outside of Singapore if they’ve received consent from the data subject. Furthermore, the third party must be certified and able to provide protection comparable to the standards of the PDPA.

Data Destruction
  GDPR: The GDPR’s rules on data destruction are more clearly defined than those of the PDPA. In fact, the GDPR defines data destruction as a necessary form of data processing. However, it does not specify any retention periods. Nevertheless, data must be destroyed once it has completely fulfilled its purpose. Dormant or useless data must also be purged as soon as possible.
  PDPA: The PDPA’s rules on data destruction are less prescriptive. Much like the GDPR, it does not specify any hard-line rules or data retention periods.


The PDPA has gone through many alterations and amendments over the last decade. It continues to evolve, with each iteration aligning closer to the GDPR. Thus, there is no guarantee that the business-friendly aspects of the PDPA will persist into the next decade. This especially applies to certain sections that the PDPC has yet to strictly define. As stated above, these include how data access is tracked, agreements between organisations and vendors, and international data transfers.

Best Ways to Be Both GDPR and PDPA Compliant

Your organisation must first understand the current state of both its PDPA and GDPR compliance. There are online assessments available that can make this easier.

Your organisation should then determine and implement the privacy regulations that are relevant to it. It is recommended that organisations that plan to conduct business outside of Singapore’s borders try to comply with the GDPR.

On the other hand, organisations planning to remain local, or that have the budget to implement separate global and regional privacy compliance, could benefit in Singapore from the more business-friendly aspects of the PDPA.

In either case, you must always closely follow the official channels of data privacy regulators for any new updates that may impact your organisation. This includes the official GDPR and PDPA websites. Following their official pages or accounts on social media would also be helpful.

GDPR vs PDPA: A Summary

The PDPA is comparatively forgiving. The intricacies of the GDPR, on the other hand, are supplied to entities and individuals through a large, complex document. Nevertheless, if you plan to operate in and around the EU, it’s important that your organisation internalises and applies the necessary measures to be GDPR compliant. While Singapore is indeed an economic powerhouse, there are simply more opportunities within Europe.

Whether you decide to follow the GDPR or the PDPA, remember that one of the best ways for your organisation to protect itself is by retaining only the data it needs, which limits the severity of any data breach. This requires a regular data destruction routine that is reliable, safe, and effective. This can only be achieved by aligning yourself with an IT asset management partner that specialises in data erasure and destruction. Contact SPW today to learn how we can help you maintain multi-territory private data compliance.

