Are you prepared for the EU General Data Protection Regulation?
Data privacy has been recognized as a pertinent area of concern amongst regulators and the public in this increasingly data-driven world. Indeed, the EU Parliament had been working toward harmonizing data privacy laws across Europe in a bid to empower EU citizens in the protection of their data, with its efforts culminating in the enactment of the EU General Data Protection Regulation (“GDPR”), which took effect on 25 May 2018.
This update looks at the impact of the GDPR on Singapore.
Why should Singapore organizations be concerned?
The GDPR will apply to Singapore organizations processing the personal data of individuals residing in the EU, where the organization engages in activities relating to: 1) the offer of goods or services to individuals in the EU (irrespective of whether payment is required); and 2) the monitoring of behavior of individuals in the EU. It is immaterial that the Singapore organization is not located within the EU.
Further, if a Singapore organization processes personal data of individuals in the EU for another entity that determines the purposes, conditions and means of the processing of the personal data, then the Singapore organization would be subject to the GDPR as well.
What constitutes personal data under the GDPR?
Under the GDPR, personal data means any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier.
This definition has been framed broadly to take into account changes in technology and the way organizations collect information about people. Organizations should therefore not limit their interpretation of ‘personal data’ to traditional markers of identification, such as names and identification numbers.
What are the responsibilities of a Singapore organization under the GDPR?
Broadly speaking, the responsibilities of an entity regulated under the GDPR include implementing appropriate measures to ensure that only personal data necessary for the specific purpose is processed, or designating a data protection officer in cases where regular monitoring of individuals is required or special categories of personal data are being processed.
The obligations under the GDPR should be taken seriously, as recalcitrant organizations can be fined up to 4% of their annual global turnover or 20 million euros. Due to the many facets of the GDPR, Singapore organizations should seek proper advice on the applicability of the GDPR and the implementation of operational procedures to achieve GDPR compliance.