In 2016, the European Union Member States issued a new body of rules on data protection - the General Data Protection Regulation 2016/679, which will come into force on 25 May 2018.

Extra-territorial application

The GDPR has extra-territorial effect, and applies to organisations which are not established in the EU, but which offer goods or services to individuals in the EU, or which monitor the behaviour of individuals in the EU. This means that Singapore based organisations such as hotels, banks, insurance companies and e-commerce websites which offer goods or services to individuals located in the EU will all have to ensure that their practices and processes are compliant with the GDPR, failing which, there is risk that they may be subject to the penalties under the GDPR.

Penalty

The penalty for non-compliance with the GDPR is a fine of up to 4% of the global annual turnover or €20,000,000, whichever is higher. There is a tiered approach to penalties, and this is the maximum fine that can be imposed for the most serious breaches of the GDPR, for example, if the necessary consents have not been obtained from individuals, or where the core data protection principles have not been complied with.

Where a Singapore organisation does not have a presence within the EU, this may not be seen as a huge risk as it may be unlikely that the European data protection authorities would act to penalise an organisation without a presence in the EU. However, where a Singapore organisation has a presence in the EU, the risks are very real.

Singapore organisations providing services to EU data controllers

A Singapore organisation which processes personal data for data controllers within the EU would also have to ensure that its practices and policies meet the requirements in the GDPR as the GDPR requires data controllers in the EU to only appoint those data processors which provide sufficient guarantees to implement processes that meet the requirements of the GDPR and which ensure the protection of the rights of the data subject.

Salient requirements of the GDPR

The GDPR provides that personal data shall be processed in accordance with the following principles:

  1. personal data must be processed lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’);
  2. personal data must be collected and used only for specified, explicit and legitimate purposes (‘purpose limitation’);
  3. personal data collected must be limited to what is necessary (‘data minimisation’);
  4. personal data collected must be accurate (‘accuracy’);
  5. data must not be kept in personally identifiable form for any longer than is necessary for the purposes for which the personal data is processed (‘storage limitation’);
  6. personal data must be secured and protected against unauthorised access, accidental loss, destruction or damage (‘integrity and confidentiality’).

The GDPR provides individuals with a number of rights: right to be informed, right of access, right to rectification, “right to be forgotten”, right to restrict processing, right to data portability and right to object. The data controller must, without undue delay (generally, within one month), take the action legitimately requested by data subjects.

The GDPR also imposes a significant number of new practices on data controllers including the need to maintain of records of how it processes personal data, the appointment of a Data Protection Officer, the need to conduct Data Protection Impact Assessments, and the requirement to take greater care in the selection and engagement of their data processors.

What Singapore organisations should do

Singapore organisations should take appropriate measures to comply with the GDPR (depending on their level of exposure) such as:

  • Reviewing practices and processes to ensure that all personal data is processed in accordance with the principles set out in the GDPR;
  • Reviewing practices and processes to give effect to the expanded rights of data subjects provided in the GDPR;
  • Reviewing privacy policies, data protection and retention policies to ensure that these provide individuals with the level of protection required by the GDPR

Singapore organisations having a presence in the EU would have to ensure that they are in full compliance with the GDPR, failing which the risk of a penalty would be high.

Singapore companies offering data processing services to EU data controllers would also have to ensure that they comply with the GDPR, failing which the continuity of their business with EU data controllers may be at risk.

At the lowest end of the scale, Singapore companies offering goods or services to, or which monitor the behaviour of individuals within the EU should also endeavour to comply with the GDPR, as far as is practicable.