By Lionel Tan, Firm: Rajah & Tann Singapore LLP

Since the implementation of the GDPR in Europe the Singapore Government has taken several measures to help businesses based in Singapore better understand how its provisions affect them.

Singapore is widely considered to be a leading business hub in the Asia-Pacific region and numerous multinational corporations have established their headquarters in Singapore. Their business operations might include potential data transfers between their European and Singapore offices, or the targeting of European subjects to proffer goods and services. Furthermore, with Singapore being the EU’s largest trading partner in the Association of Southeast Asian Nations (ASEAN), it is inevitable that many businesses and organisations based in Singapore will be affected by the GDPR.

Government response

The Personal Data Protection Commission (PDPC), Singapore’s data protection regulators, have responded by publishing a factsheet to help businesses better understand the GDPR when applied to the Singaporean context.

This included outlining the criteria of who comes under the GDPR. As explained in the factsheet, the main criteria includes organisations that process data which relates to:

  • offering goods and services to individuals in the EU;
  • monitoring the behaviour of individuals in the EU.

Key considerations for ascertaining whether the organisation is offering goods or services to individuals in the EU were also included, and this included the use of a language or currency that is generally used in one or more EU Member States, with the possibility of ordering goods and services in that language.

The PDPC also distilled the key requirements of the GDPR, helping Singapore firms coming under the GDPR better understand how to comply with it. Key requirements highlighted included:

  • basis of processing (Article 6);
  • rights of Individual (Articles 15, 16, 17, 18, 20, 21 & 22);
  • accountability and Governance (Articles 25, 35 and 37);
  • data breach notification (Articles 33 and 34);
  • administrative fines (Article 83).

The PDPC also published online FAQs to help businesses better understand whether the GDPR applies to them, and if so, what Singapore firms need to do to comply with its provisions. The PDPC stressed that requirements for the local Personal Data Protection Act (‘PDPA’) differ from that of the GDPR, and that compliance with the PDPA does not equate to compliance with the GDPR.

To help businesses based in Singapore better understand the extent of applicability of GDPR in their own business operations, the PDPC also included real-life scenarios of businesses where GDPR is likely to apply.

At the moment, Singapore does not have the right to data portability under the PDPA. The right to data portability is one of the eight rights enforced under the GDPR. To allow for a measure of congruence between the GDPR and the local PDPA, the PDPC, as part of an ongoing review of the PDPA, is considering introducing a Data Portability Obligation under the PDPA. The PDPC, with the Competition and Consumer Commission of Singapore (CCCS), has published a discussion paper on data portability to help businesses and other stakeholders better understand the benefits. The PDPC has also held a public consultation on this issue, seeking feedback and input from various stakeholders to assist in creating data portability provision under the PDPA.

Private sector response

According to the Global Forensic Data Analytics Survey 2018 done by Ernst & Young advisory services, nine out ten companies in Singapore do not have a plan to cope with GDPR.

Professional associations and higher education institutions based in Singapore are offering certification programs and workshops to help professionals and businesses better understand the various aspects of becoming GDPR compliant.