On 25 May 2018, the European Union enforced the GDPR – a data protection law that many people regard as the most stringent in the world. The question is, does the GDPR apply to companies in Singapore?
The reality is that GDPR applies outside the EU. This means that you have to comply, even if your business operates in Singapore. Read on to discover the basics of GDPR, its impacts, and why it applies to Singapore websites.
What is GDPR?
GDPR stands for General Data Protection Regulation. It is a law that regulates the collection, storage and use of personal data belonging to residents of the EU. Also, the GDPR grants individuals more control over their private information.
In this context, personal data refers to any piece of information that can be used to identify an individual. This includes names, email addresses, IP addresses, cookies, location details, financial data, and so on.
The introduction of GDPR is seen as a response to the many incidents of misuse of personal data by large organisations. The most recent case is the infamous incident involving social media giant Facebook and Cambridge Analytica.
How Websites Collect Personal Data
Another way through which websites collect personal data is by using opt-in forms. When a user fills in these forms, they usually provide their name, email address, contact information, credit card details, and so forth, all of which count as personal data.
Why Should Singaporean Businesses Comply With GDPR?
The primary function of GDPR is to protect personal data belonging to EU residents. This means that if your website holds data sourced from EU citizens, you have to adhere to GDPR requirements, regardless of your location worldwide.
An Overview of GDPR Requirements
Get Explicit Consent to Use Personal Data
Your business must get explicit consent from individuals aged over 16 before collecting and using their personal data. Permission has to be freely given, the individual can withdraw it at any time, and they must be told how to do so.
Concerning the use of data, you must inform the owner how you intend to use their information. If you plan to share such data with a third party, the owner must know about and approve the sharing. Likewise, if you want to use data for both billing and marketing, you have to seek a separate consent for each purpose.
Rights to Personal Data
Under GDPR, individuals have the right to access a copy of their data, the purpose for which it was collected, and all the parties that have obtained the information.
The law also stipulates that individuals can ask your business to correct the data if it is inaccurate. Likewise, they can have the data deleted, or restrict the processing of that data, if its intended use is illegal or goes against their wishes.
Furthermore, individuals have the right to receive their data in a machine-readable format and to share it with other organisations. They can also object to the use of their information in automated decision-making processes where that use is likely to harm them.
Appoint a Data Protection Officer
If your business deals with sensitive private information, the GDPR requires you to appoint a data protection officer. The role of this officer is to ensure that the integrity of personal data is upheld.
Implement Strict Data Privacy Measures
Your website should enable visitors to access privacy settings easily. According to GDPR, your website’s default settings should guarantee the privacy of personal data. In line with this requirement, your site should only collect data that is necessary for a specific purpose.
Notification of Data Breaches
If your organisation experiences a breach and personal data is lost, you must notify affected users and the relevant authorities within 72 hours of the attack. For high-risk breaches, the notification should be made sooner than the stipulated 72 hours.
How to Implement GDPR
Here are the steps you should follow if you want your business in Singapore to comply with the GDPR law.
Educate Your Staff
The first step in implementing GDPR is teaching your staff the basics. Adopting the regulation is much easier when all of your employees understand what it entails.
Ideally, your privacy policy should explain what data you collect, why you collect it, and how you intend to use and store it. You should also tell users whether any third party has access to the data. Lastly, the policy should give users a way to make complaints about the use of their data.
In instances where your site needs to collect data from users, the opt-in form must have ‘no’ as the default option. Any other format is invalid under GDPR requirements.
If you are looking to subscribe users to non-essential communications such as promotional emails, you should not bundle the mailing list with the terms and conditions. Furthermore, subscribing to such emails should always be optional unless they are mandatory for that particular service.
Finally, you must inform the user that they have the right to withdraw consent. The withdrawal process should also be straightforward.
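The opt-in rules above (boxes default to "no", one consent per purpose, promotional email never bundled with the terms, and a straightforward withdrawal) are easy to get wrong in a form handler. Here is an added example, not code from the original article, of a small consent model that checks a form definition against those rules and records grants and withdrawals; the purpose names and field shape are assumptions for illustration.

```javascript
// Added example (not from the original article): a minimal consent model for a
// website opt-in form. Purpose names and the field shape are assumed for illustration.

const PURPOSES = {
  terms:      { essential: true },   // needed to provide the service itself
  billing:    { essential: false },
  marketing:  { essential: false },  // promotional email
  thirdParty: { essential: false },  // sharing with partners
};

// Check a form definition before it ships. Each field is
// { purposes: [...], defaultChecked: bool, required: bool }.
// Returns a list of violations; an empty list means the form is acceptable.
function validateForm(fields) {
  const problems = [];
  for (const f of fields) {
    const name = f.purposes.join("+");
    // One box covering two purposes is bundled consent (e.g. terms+marketing).
    if (f.purposes.length > 1) problems.push(`${name}: one box must cover one purpose`);
    // A pre-ticked box is not freely given consent; the default must be "no".
    if (f.defaultChecked) problems.push(`${name}: pre-ticked box is not valid consent`);
    // Non-essential purposes must stay optional; only the terms may be required.
    if (f.required && f.purposes.some((p) => !PURPOSES[p].essential))
      problems.push(`${name}: non-essential purpose must stay optional`);
  }
  return problems;
}

// Build a consent record from a submitted form. Only an explicit true or the
// browser's checkbox value "on" counts as yes; absent or anything else is "no".
function recordConsent(userId, submitted, now = new Date()) {
  const granted = {};
  for (const p of Object.keys(PURPOSES)) {
    granted[p] = submitted[p] === true || submitted[p] === "on";
  }
  if (!granted.terms) throw new Error("terms must be accepted to use the service");
  return {
    userId,
    granted,
    history: [{ at: now.toISOString(), event: "granted", granted: { ...granted } }],
  };
}

// Withdrawal is a first-class operation: switch the purpose off and log when.
function withdrawConsent(record, purpose, now = new Date()) {
  if (!(purpose in PURPOSES)) throw new Error(`unknown purpose ${purpose}`);
  record.granted[purpose] = false;
  record.history.push({ at: now.toISOString(), event: "withdrawn", purpose });
  return record;
}
```

The history array is what lets you answer a later access request with when consent was given and when it was withdrawn.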
What If I Fail to Comply With GDPR?
Failure to adhere to the GDPR requirements will attract a fine of up to 4% of a company’s global revenue or €20 million, whichever is higher.
Another implication of failing to comply with GDPR is a loss of trust between your business and its customers, as it was in the case of Facebook and Cambridge Analytica.
From a business perspective, GDPR is a useful addition. Customers are more likely to engage with a business that guarantees the safety of their private information.
Remember, the most crucial aspect of implementing GDPR is ensuring that your staff are familiar with its requirements.