The General Data Protection Regulation (GDPR) is, in many respects, the strictest data privacy law in the world, and failure to comply could cost your company millions. Being GDPR-ready is an ongoing commitment for your business, not a one-time project. With digitalization happening everywhere, you should not ignore data protection and privacy, especially if you run a business.
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation on data protection and privacy. It was first adopted on 14 April 2016 and became enforceable on 25 May 2018. The regulation became a model for many national laws outside the EU, including those of Chile, Japan, Brazil, South Korea, Argentina and Kenya.
Even Singapore’s Personal Data Protection Act (PDPA) is seeking to emulate some parts of it to strengthen its standards, which can be seen in the recent Public Consultation on Personal Data Protection (Amendment) Bill.
The regulation generally applies to:
So if your company offers products or services to the EU region, which typically means that you collect and process the personal data of clients, employees, or other persons who are residents of the EU, you must comply with the GDPR requirements.
To be GDPR compliant, make sure your company adheres to the following data protection principles. Generally, the GDPR standards are similar to the Singapore PDPA protection approach; however, they are more detailed and comprehensive on certain items.
The key requirements of the GDPR include the following:
You can process personal data if:
The GDPR states that organizations must appoint a Data Protection Officer (DPO) where:
If a data breach occurs, an organization has up to 72 hours to report the breach to a supervisory authority and to the affected individuals if the breach is likely to pose a risk to the rights and freedoms of those individuals.
The GDPR imposes an obligation on organizations to notify supervisory authorities in the event of a data breach. A breach of personal data is defined as an accidental or unlawful destruction, loss, alteration or unauthorized access/disclosure of personal data.
In the event of a data breach, an organization must provide the following information:
Under the GDPR, where data is transferred out of an EU nation, the country in which the recipient organization is located must be approved by the European Commission as providing an adequate level of protection for personal data.
The following elements are considered when assessing the adequacy of the non-EU country, under the GDPR:
Singapore companies often have European parent companies or belong to a larger international group of companies. Personal data is transferred from the European group companies to their Asian subsidiaries or counterparts.
If you’re worried about the cost of GDPR compliance in terms of implementation and maintenance, know that it’s a much less expensive option than ignoring your requirements.
The cost of GDPR compliance is incurred under the following categories:
There is no “market price” or fixed price to pay for ongoing operational compliance, and the amount largely depends on the size of your company and number of processes handling personal data. There may also be additional legal costs, which in some cases may be as high as 40% of the total GDPR compliance budget.
In case of an infringement of the provisions of the GDPR, high administrative fines are likely. On a case-by-case basis, these fines can amount to up to €20 million or up to 4% of the total global annual turnover of the preceding financial year, whichever is higher.
While Singapore businesses still struggle to implement the requirements necessary under the PDPA, the GDPR may soon make many of them subject to an even stricter data protection regime. Given the possibility of high financial penalties, decision makers are well advised to determine as soon as possible whether the GDPR is relevant for their businesses and what measures have to be implemented to be compliant.
One of the most frustrating compliance failures is the inability to prove that necessary measures have been implemented.
The GDPR requires organisations to document their compliance practices. That means it’s possible to implement all the solutions but fall foul of the Regulation simply by having no evidence of what you’ve done.
If you are unsure whether your business needs to comply with the GDPR, or need help understanding or complying with certain aspects of it, contact Privacy Ninja for a non-obligatory chat on how we can help while keeping the maintenance cost of GDPR compliance low.
Outsource your DPO with Privacy Ninja and save time and money while making sure you are compliant with GDPR policies. Avoid penalties. We know what matters most to you, and that’s to focus on the growth of your business. Contact us now.
Privacy Ninja provides GUARANTEED quality and results for the following services:
DPO-As-A-Service (Outsourced DPO Subscription)
PDPA Compliance Training
PDPA Compliance Audit
Digital Transformation Consultancy
Data Protection Trustmarks Certification Readiness Consultancy
PDPA Data Protection Software
Vulnerability Assessment & Penetration Testing (VAPT)
Smart Contract Audit