On 25th May 2018, Europe’s GDPR (general data protection regulation) laws were put into effect, to help guard users’ personal data which companies must store, process and share, as and when needed.
Singapore had passed a similar law to accomplish the same in 2012 known as PDPA (personal data protection act), which went into full effect in 2014. Both laws bear some similarities and certain distinctions and were set out with similar personal and extraterritorial scopes.
However, it must be kept in mind that GDPR applies to private and public bodies, while Singapore’s PDPA does not include public agencies and organisations who represent public agencies within the scope. Furthermore, GDPR defines specific personal data categories while in PDPA, there is no such distinction between specific personal data categories, or between automated and non-automated data processing methods, for that matter.
GDPR vs. PDPA: Understanding Key Differences
For the most part, GDPR has stricter laws as it emphasises more on data subjects’ rights and levies heavy fines on companies which fall under non-compliance. So it is crucial to understand as a business that complying with PDPA rules will certainly help, but doesn’t make you GDPR-compliant – if you’re selling goods/services to EU customers (and vice versa), irrespective of where those customers are based originally.
With that said, here are some of the key differences and similarities between both laws:
Both laws are generally quite comprehensive and apart from only a few terminology differences, both Singapore PDPA and GDPR have similar concepts of a data processor and data controller and outline specific guidelines for businesses to appoint a DPO (data processing officer). But unlike GDPR regulation, Singapore PDPA does explicitly require Data Protection Impact Assessment (DPIA) to be performed, although the Advisory Guidelines on Key Concepts still recommend DPIA under specific circumstances.
In addition, the amended PDPA Bill published in mid-May 2020, introduced many key reforms, such as compulsory data breach notification and data portability provisions, which actually brings PDPA laws more in line with GDPR.
Both legislations have certain restrictions and exceptions in terms of cross-border transfer of personal data to an outside country as well as international businesses, including the establishment of legal grounds to govern where and how those cross-border transfers can be legally carried out.
You might also find further similarities when it comes to individuals’ rights. For example, in both regulations, data controllers must inform data subjects so as to why their personal data is being collected and processed. They must also provide the data subjects with the right to withdraw consent for all such data processing and to access their data whenever they wish. However, the key distinction here is that Singapore PDPA laws do not grant data subjects the right to request deletion of their personal data.
Both Singapore PDPA and GDPR allow supervisory authorities with a broad range of investigative and corrective powers and have clearly outlined major financial penalties (including possible jail time in case of GDPR) for non-compliance. With that said, the maximum allowable penalty for breaking GDPR laws is much higher than PDPA, particularly in terms of monetary fines.
There are also other noteworthy distinctions such as:
Under GDPR, data subjects are given the right to access all data collected by any organisation free of charge, while in Singapore, businesses in most cases will impose a reasonable fee.
Data subjects who fall under GDPR regulation can request to access their personal data in a machine-readable format, which can also be transferred easily to another data processor if required. This makes it much easier for data subjects to change between service providers, something which PDPA does not afford data subjects.
GDPR requires businesses in Singapore to appoint EU representatives, and under specific circumstances, DPOs, when processing personal data. Furthermore, Singaporean businesses must designate individuals who are responsible for ensuring that the said business has complied with all PDPA regulation, although they need to be established in Singapore.
Acquiring consent has been one of the hottest topics of discussion as of late – receiving consent from data subjects works differently under PDPA vs. GDPR. For instance, one of the key differences is that the GDPR does not acknowledge or recognise deemed consent.
The GDPR has set procedures in place in case of a personal data breach where a supervisory authority must be notified, while also communicating the breach personally to the corresponding data subject. With the PDPA, no such procedure is in place.
Keep in mind that the above is merely an outline of the most significant differences when it comes to Singapore PDPA vs. GDPR. To conclude, the GDPR may be seen as having stricter laws then the former. Penalties for non-compliance are significant and calculated as a percentage of the business’s annual turnover – up to 4% or £4 million, whichever is higher.