GDPR and PDPA: What’s the Difference?

Camyl Besinga
17 Apr 2018

Data Privacy

GDPR is going live next month. It’s got everyone around the world scrambling to make sure they’re compliant. Even the beleaguered Mark Zuckerberg has his team working on it, assuring senators and viewers of his testimony at the US Congress that Facebook will be GDPR-compliant in May.

[Image: Mark Zuckerberg at US Congress hearing]

Are you ready for GDPR, or the EU’s General Data Protection Regulation? After all the adjustments you may have already made for Singapore’s Personal Data Protection Act (PDPA) in 2014, you may think that you already have your customers’ personal data protected. But the GDPR is quite different from the PDPA.

We’ve put together comparative charts below to give you a quick look at the similarities and differences between the two, so you can see how each will affect your organisation.

Fast Facts on Singapore’s PDPA and the EU’s GDPR

Took/will take effect on
  PDPA: Do Not Call Registry on 2 Jan 2014; data protection obligations on 2 Jul 2014
  GDPR: 25 May 2018

Who is governed by these policies?
  PDPA: Covers virtually all businesses in Singapore
  GDPR: Applies to any organisation established within or outside the EU, so long as it:
    • offers goods or services to individuals in the EU, or
    • monitors their behaviour within the EU, or
    • processes and holds personal data of individuals residing in the EU, regardless of the organisation’s location

What is it about?
  PDPA: “The [Personal Data Protection Act (PDPA) of Singapore governs] the collection, use and disclosure of individuals’ personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use and disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.” (Source)
  GDPR: “The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonise the data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organisations across the regions approach data privacy.”
  “The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.” (Source)

[Image: “Caution” cone resting on keyboard]

At a glance: PDPA

The PDPA has two main provisions:

  • 9 data protection obligations:
    • Consent: needed before personal data is collected, used, or disclosed.
    • Purpose limitation: an organisation must inform an individual of its purpose for collecting, using, or disclosing personal data; the collected data must not be used for anything other than the initially stated purpose.
    • Notification: individuals must be notified of the purpose before they can give consent to have their personal data collected, used, or disclosed.
    • Access and correction: individuals have the right to request access to their personal data in an organisation’s possession or control, and to have any error in their personal data corrected.
    • Accuracy: an organisation must make a reasonable effort to collect accurate and complete personal data, especially if decisions made using that data affect the individual, or if the data will be disclosed to another organisation.
    • Protection: reasonable security arrangements must be made to prevent unauthorised access, use, disclosure, copying, modification, or disposal of personal data in an organisation’s possession or control.
    • Retention limitation: an organisation may keep personal data only for a limited period, after which it must permanently delete or dispose of documents containing it.
    • Transfer limitation: personal data may not be transferred outside Singapore unless the recipient country has data protection standards comparable to those of the PDPA.
  • The National Do Not Call Registry
    • Numbers registered in the national DNC Registry may not receive unsolicited marketing messages (voice calls, text messages, or fax) from any organisation in Singapore.

(Source)

GDPR: A quick look

These are the key changes introduced by the GDPR:

  1. Increased territorial scope: regardless of where you are in the world, if your company processes personal data of subjects residing in the EU, the GDPR applies to you.
  2. Penalties: an organisation that doesn’t comply can be fined up to 4% of annual global turnover or €20 million, whichever is greater.
  3. Consent: individuals must be given a request for consent in a form that is intelligible and easily accessible.
  4. Breach notification: data controllers must notify the supervisory authority, the private individuals affected, or the organisation to which they report of any privacy breach without undue delay, and within 72 hours of having become aware of the breach.
  5. Right to access: data subjects must be able to easily access their personal data in the possession or control of data controllers, free of charge, and must be provided a copy in electronic format.
  6. Data erasure: data subjects have the right to be forgotten: to have their personal data erased, to have its dissemination stopped, or to have third parties halt processing of it.
  7. Data portability: data subjects should be able to receive the personal data they have consented to provide in a “commonly used and machine readable format”, and have the right to transmit that data to another controller.
  8. Privacy by design: data protection must be built in from the start of system design, not bolted on afterwards.
  9. Appointment of a Data Protection Officer is required only for organisations:
    1. whose core activities consist of data processing operations,
    2. that carry out systematic monitoring of data subjects on a large scale, or
    3. that regularly process special categories of data or data relating to criminal convictions and offences.

The GDPR has stricter requirements than the PDPA for requesting and obtaining consent, so be sure to take a closer look at that section of the regulation.

(Source)

[Image: Cursor on “Security” link]

Definitions of Key Concepts

Personal data
  PDPA: “Data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access. This includes unique identifiers; photographs or video images of an individual; as well as any set of data, which when taken together would be able to identify the individual.” (Source)
  Exclusions:
    • Data used for business purposes (i.e., business contact information)
    • Data belonging to an individual who has been deceased for over 10 years
  GDPR: “Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
  Only data that is necessary to an organisation’s purpose should be collected (data minimisation).

Consent
  PDPA:
  “Express consent”: consent expressed in writing
  “Deemed consent”:
    • When an individual voluntarily provides his/her personal data to an organisation and it is reasonable for the individual to do so
    • Voluntarily provided data given to one organisation can be passed on to another organisation for a particular purpose
  (Source)
  Exceptions: consent is not needed for the following uses and circumstances:
  GDPR: “Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
    • Requires a positive opt-in (no pre-ticked boxes or default consent)
    • Must be expressly and explicitly given in a very clear and specific statement
    • Consent requests should be separate from other terms and conditions
    • Separate consent must be obtained for separate purposes; vague or blanket consent is not acceptable
    • Third-party controllers who will rely on the consent should be named
    • Individuals should be informed how they may withdraw their consent, and withdrawal should be easy
    • Consent to processing should not be made a precondition of a service
  For a more thorough checklist on asking for, recording, and managing consent, click here.

Sensitive personal data
  PDPA: Not specifically defined
  GDPR: Personal data revealing:
    • racial or ethnic origin,
    • political opinions,
    • religious or philosophical beliefs,
    • trade union membership,
    • genetic data,
    • biometric data for the purpose of uniquely identifying a natural person,
    • data concerning health, or
    • data concerning a natural person’s sex life or sexual orientation.
  Such data is prohibited from being collected, used, or disclosed.

Age of consent
  PDPA: Minimum age not stipulated in the PDPA
  GDPR: Threshold set at 16 years old, but member states may lower it to between 13 and 16 years old.

Purpose
  PDPA:
    • Should be considered appropriate in the circumstances by a “reasonable person” (Section 18)
    • No need to specify the activities an organisation will undertake in relation to the data collected; however, the objectives and reasons for collecting it should be provided to the individuals from whom you wish to obtain consent (Source)
  GDPR: Strictly limited to:
    • “specified, explicit and legitimate purposes” (Article 5)
    • further processing for public archiving, historical, scientific, or statistical purposes must not be incompatible with the initial purposes (purpose limitation)


[Image: Pile of Euro bills]

Fines and Penalties for Noncompliance

Penalties for persons or individuals in breach of the policy
  PDPA: Fines not exceeding S$5,000 to S$10,000 (depending on the offence), or imprisonment of up to 12 months
  GDPR: Not indicated, as compliance is expected from firms, not individuals

Penalties for organisations in breach of the policy
  PDPA: Fines not exceeding S$50,000 to S$100,000 (depending on the offence) (Source)
  GDPR: Fines are administered by the supervisory authorities of individual member states using 10-point criteria; offenders may be fined €10 million to €20 million, or 2% to 4% of worldwide annual revenue, whichever is greater. (Source)

Need the Complete Text?

For the complete text of each policy, refer to the links below:

Singapore's PDPA

EU's GDPR

Get GDPR-Compliant

Not only are the fines painful to shoulder, but noncompliance could also have a devastating effect on your company's image and reputation. Take the necessary steps to familiarise your staff with the key points and changes, and with how to protect the data you collect, use, and disclose on behalf of your customers.


Image Sources & Credits

Header image; Caution cone on laptop; Security link; Euro banknotes: Pexels

Mark Zuckerberg: Getty Images via TheAustralian.com.au


