16 May 2018 (Singapore) – UPCOMING EUROPEAN UNION (EU) GENERAL DATA PROTECTION REGULATION (GDPR)
On 27 April 2016, the European Council and Parliament adopted the GDPR, the successor to Directive 95/46/EC. The GDPR applies directly in all EU Member States from its effective date, 25 May 2018. It repeals and replaces Directive 95/46/EC and the Member State legislation implementing it.
Significantly, the GDPR expands its territorial reach to data controllers and processors outside the EU in respect of the offering of goods or services to EU residents. Fines of up to 4% of total annual worldwide turnover or € 20,000,000 may be imposed.
Rather than rehashing the key points of the GDPR or engaging in a profound comparative study of the GDPR, Directive 95/46/EC and/or the Singapore Personal Data Protection Act, we set out 5 areas on which we think you and your team should focus to ensure compliance. In particular, we think that startups have the most to gain from this exercise, as early implementation results in unparalleled cost savings compared with undertaking the same work years later, burdened by legacy IT systems.
- Maintain data protection agreements with third party data processors/managers
This is consistent with the existing approach.
- Establish a systematic review of compliance over time
Reviews should be triggered by events (the implementation of new procedures, business departments and services) as well as carried out on a periodic basis. We recommend a review every two years. As a follow-up to the above, activities, departments and services should be ranked according to compliance risk so that the type and frequency of their review can be determined.
- Standard Operating Procedures
You need to prepare a response plan for a data breach event. Your data protection agreements should compel your partners to assist in fulfilling the steps that you need to perform in such an event. You should appoint a professional data protection officer to respond to data subject requests. Your data subjects can request personal data updates, access and deletion, and can raise queries. Using a professional third party will bring a heightened urgency to dealing with such requests, and also to the handling of a breach.
- Create one storage point of personal data
By ensuring that there is only a single point of storage, you will avoid the costly exercise of re-rationalising your IT strategy in the future. This should be combined with the use of pseudonyms or serialisation (assigning serial numbers) for data subjects. Further, there should be a concerted effort to reduce the collection of personal data to the minimum needed to achieve the objectives of the business.
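The following is an added illustration of the single-storage-point, pseudonymisation and minimisation ideas above; it is example code written for this note, not code from Flint & Battery or from any regulator. It assumes a keyed HMAC-SHA256 pseudonym (so that the pseudonym cannot be reversed without the separately held key), a constructed allow-list of permitted fields standing in for your own minimisation policy, and a constructed secret key; the class and function names are hypothetical.

```python
import hmac
import hashlib
from typing import Dict, Iterable, List, Optional

# Constructed example key. In a real deployment the key lives in a secrets
# manager, separate from the pseudonymised records, so that re-identifying a
# data subject requires access to both.
PSEUDONYM_KEY = b"constructed-example-key-not-for-production"

# Constructed minimisation policy: the only fields the business may store.
ALLOWED_FIELDS = frozenset({"email", "country", "consent_marketing"})


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed pseudonym for a data subject identifier.

    Normalising case and whitespace first means 'Alice@Example.com' and
    'alice@example.com' map to the same record, which matters when the same
    person later makes an access or erasure request.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


class PersonalDataStore:
    """Single storage point for personal data, keyed by pseudonym.

    Operational and analytics systems are only ever handed the pseudonym
    and the minimal fields they need, never the raw identifier.
    """

    def __init__(self, allowed_fields: Iterable[str] = ALLOWED_FIELDS) -> None:
        self._allowed = frozenset(allowed_fields)
        self._records: Dict[str, Dict[str, object]] = {}

    def upsert(self, identifier: str, record: Dict[str, object]) -> str:
        """Store or update a record; reject any field outside the policy."""
        excess = set(record) - self._allowed
        if excess:
            raise ValueError(
                f"fields not permitted by the minimisation policy: {sorted(excess)}"
            )
        pid = pseudonymise(identifier)
        self._records.setdefault(pid, {}).update(record)
        return pid

    def access_request(self, identifier: str) -> Optional[Dict[str, object]]:
        """Data subject access request: return a copy of what is held, if anything."""
        record = self._records.get(pseudonymise(identifier))
        return dict(record) if record is not None else None

    def erasure_request(self, identifier: str) -> bool:
        """Data subject deletion request: one store means one place to delete."""
        return self._records.pop(pseudonymise(identifier), None) is not None

    def export_for_analytics(self, fields: Iterable[str]) -> List[Dict[str, object]]:
        """Hand downstream systems pseudonyms plus only the requested fields."""
        wanted = [f for f in fields if f in self._allowed]
        return [
            {"subject": pid, **{f: rec[f] for f in wanted if f in rec}}
            for pid, rec in self._records.items()
        ]


if __name__ == "__main__":
    store = PersonalDataStore()
    store.upsert("Alice@Example.com", {"email": "alice@example.com", "country": "SG"})
    print(store.export_for_analytics(["country"]))
    print(store.access_request("alice@example.com"))
    print(store.erasure_request("alice@example.com"))
```

Two design points are worth noting. Because the pseudonym is keyed, a leaked copy of the analytics export does not by itself reveal who the subjects are; an unkeyed hash of an e-mail address would not give that protection. And because every system reads from the one store, the access and erasure procedures in your standard operating procedures reduce to a single lookup or deletion rather than a hunt across departmental databases.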
We can help you achieve cost effective compliance in your business. Email us at winstonwong@flintbattery.com.
Flint & Battery is an international law practice comprising offices in Dhaka, Jakarta, London, Perth and Singapore. For more information, please visit Flint & Battery’s website www.flintbattery.com or write to us at winstonwong@flintbattery.com.
Keywords: GDPR, General Data Protection Regulation, European Union, EU, Personal Data, Data Protection, Directive 95/46/EC, PDPA, PDPC, Personal Data Protection Act, data subject, data breach, DPO, Data Protection Officer, compliance, standard operating procedures.