Why the GDPR matters for ASEAN

The European General Data Protection Regulation, or EU GDPR, was first adopted in 2016, before becoming fully enforceable in 2018.

It is a comprehensive data protection law that has had far-reaching impact, beyond Europe itself, where it governs data protection and privacy in both the European Union and the European Economic Area.

Due to the fact that European lawmakers tend to convene in Belgium, the impact of the EU GDPR has at times been dubbed as the “Brussels Effect”.

And given the consequence that many data protection laws in non-EU countries have been influenced, to varying degrees, by the EU GDPR, including China's Personal Information Protection Law (PIPL), and various data privacy regulations throughout the ASEAN region, it is no wonder that data protection professionals and organisations that do business with the EU need to be well acquainted with this seemingly far-away set of laws.

Additionally, several of today's protection compliance requirements were influenced by GDPR in Asia.

What are the latest trends in enforcement cases in the EU?

There has been an upward trend in the number of enforcement cases in the EU, and average fines have also been increasing through the years. In 2021, for example, 23 companies in the EU were fined more than 1M EUR, which is 40% higher than the previous year.

With ASEAN laws having many similarities to the GDPR, these enforcement cases can guide organisations in their data protection efforts. They also point to possible future trends ASEAN regulators may adopt. Not only do they provide insights as to what regulators find important, but also help companies identify gaps in their processes. As Charles Ng, former CFO of COMO group Singapore said in a recent webinar discussion, “The cheapest way to learn is to learn from other people’s mistakes.”

Here is a list of GDPR enforcement cases we can learn from:

1. Hospitality and Travel: Booking.com

In 2018, Booking.com violated the GDPR by failing to notify regulators of a data breach within 72 hours of discovery. Booking.com also failed to notify the data subjects, which resulted in data subjects being unable to cancel their credit cards to stop fraudulent transactions.

2. Healthcare: Medicals Nordic

In 2021, Medicals Nordic was fined more than 80,000 EUR for using Whatsapp groups to transmit patients' personal data, which led to unauthorised access to patients' social security numbers and other health information.

3. Online Retail: Morele

In 2020, Morele was fined 645,000 EUR for insufficient organisational and technical safeguards to protect its customers' personal data. A breach exposed the personal data of 2.2M customers.

4. Retail: Ilva

Ilva violated the GDPR's Storage Limitation principle by failing to delete customer data beyond a specified period of time. Though initially fined 200,000 EUR in 2019 based on legal grounds, it was reduced to 13,400 EUR by European regulators since the data was not sensitive and no data subject was harmed, among other mitigating circumstances.

The GDPR impact on Singapore

While the GDPR is an EU regulation, its applicability extends beyond EU borders, impacting organisations globally, including those based in Singapore.

Applicability of GDPR to Singaporean Organisations

The GDPR applies to organisations in Singapore if they engage in specific activities that interact with individuals in the EU. There are two primary scenarios where GDPR compliance becomes necessary for entities in Singapore:

1. Offering Goods or Services: If a Singapore-based organisation offers goods or services to individuals in the EU, regardless of whether payment is involved, it must comply with GDPR. This can include e-commerce platforms that cater to EU customers or any business that markets its products to the EU audience. For instance, if an organisation has a website tailored to the vernacular language of an EU nation, publishes prices in euros, or offers shipping to EU countries, these actions may trigger enforceable obligations under the GDPR.

2. Monitoring Behaviour: Organisations that monitor the behaviour of individuals located in the EU must also adhere to GDPR provisions, such as tracking users’ online activities, gathering data through cookies or other tracking technologies, or profiling individuals for targeted advertising purposes.

Implications of Compliance

For Singaporean organisations and public agencies that fall under the scope of the GDPR, compliance entails several responsibilities and reasonable expectations:

1. Data Protection Measures: Organisations must implement appropriate technical and organisational measures to protect personal data they process ensuring data security and safeguarding against breaches.

2. Rights of Individuals: GDPR grants rights to the privacy of individuals regarding their personal data, such as the right to access, rectify, or erase their data. Organisations must establish processes to facilitate these individual rights, otherwise, they face litigation and possible financial penalties.

3. European Representative: If a Singaporean organisation processes the personal data of EU citizens on a large scale, they may be under the legal obligation to appoint a representative in the EU to act as a point of contact for EU data subjects and supervisory authorities.

4. Data Protection Impact Assessments (DPIAs): Organisations engaging in high-risk personal data processing activities may need to conduct DPIAs for evaluative purposes and determine the potential impact on the privacy of individuals.

As globalisation increases and businesses expand their reach across borders, understanding the implications of regulations like the GDPR is crucial for Singaporean organisations. The extraterritorial nature of the GDPR means that Singaporean businesses must be proactive in ensuring compliance to mitigate risks of hefty fines and reputational damage.

The Singapore equivalent of GDPR

The Singapore Personal Data Protection Act (PDPA) emerged as a critical framework for data protection in Singapore, drawing significant inspiration from the European GDPR. Enacted in 2012 and fully implemented by 2014, the PDPA was designed to enhance consumer trust in the digital economy by regulating the collection, use, and disclosure of personal data. The act aims to create a lawful basis for the correct and balanced use of data for innovation and growth while ensuring individuals' privacy rights are protected.

A Closer Look at GDPR vs. PDPA Singapore

To understand the GDPR impact on Singapore, it's important to zoom into the similarities and differences between the two governance policies:

1. Consent Requirement: Much like the GDPR, the PDPA mandates that organisations must obtain explicit consent from individuals before collecting, using, or disclosing their personal data. This principle of consent emphasises transparency and empowers individuals to control their own information.

2. Purpose Limitation: The PDPA requires that personal data be collected only for specific, legitimate purposes, and organisations must inform individuals of those purposes, ensuring that only necessary data is processed.

3. Data Protection Obligations: Organisations under the PDPA must implement reasonable security measures to protect personal data from unauthorised access, use, or disclosure.

4. Rights of Individuals: The PDPA grants individuals rights similar to those found in the GDPR, such as the right to access their personal data and the right to request corrections of inaccuracies.

5. Accountability Framework: The PDPA establishes an accountability framework, requiring organisations to appoint a Data Protection Officer (DPO) to ensure compliance with the act. This framework is akin to the GDPR's requirement for data protection by design and by default, emphasising proactive measures in data governance.

The GDPR impact on Singapore significantly influenced the PDPA's development, to which it served as a robust model for data protection worldwide. Key reasons for this inspiration include:

1. Global Standards: The GDPR set a high standard for data protection, influencing many jurisdictions, including Singapore, to adopt similar frameworks. As businesses increasingly operate across borders, having common standards helps facilitate international trade and commerce.

2. Enhanced Consumer Trust: By adopting principles similar to those in the GDPR, the PDPA aims to enhance consumer trust in the digital economy. This is crucial for Singapore's ambitions to position itself as a global hub for technology and innovation.

3. Alignment with Global Practices: As Singaporean organisations engage with European partners and clients, aligning local regulations with the GDPR helps facilitate smoother business operations and compliance with international norms.

What lessons can we learn from the effect of PDPA and GDPR in Asia? Watch our panel discussion playlist on YouTube with ASEAN regulators from Singapore, the Philippines, and Thailand.

How is the post-pandemic era affecting the data protection landscape in Singapore?

The pandemic has accelerated digital transformation across all industries. Many have adopted a digital-first mindset to help improve business processes, streamline operations, and drive customer value.

And just as more organisations are adopting a digital-first mindset, organisations are also beginning to see that transformation comes with new threats to look out for, and new business risks to address.

“We are living in a very data-driven world. Our workforce is dispersed, and digital transformation has taken over. We also have a decentralised way of doing things, where we rely on a lot of third parties because of the convenience and cost, without considering the risks and procedures.”

- Charles Ng, former CFO of COMO group, Singapore

DPOs are thus transitioning from data protection to data governance. While data protection addresses the dangers of handling personal data, data governance seeks to decrease the risk and increase the value obtained from data, including personal data. There is a growing movement from risk management to using data for value creation in their business.

As a business leader in Asia, how do I begin my GDPR journey?

Step 1: Understand the GDPR Law

While the legal text of the GDPR is available online, it always helps to have legal and data protection experts explain the principles of the law and how it applies to you. Moreover, learning about related protection policies in other countries is an important step for a business leader who does transactions with different regions. For certain regions, for certain countries, there are different data privacy requirements.

These courses are not just for business leaders, but are ideal for:

1. All employees who need to have an understanding of data protection and European legal requirements as defined in the General Data Protection Regulation

2. Data Protection Officers

3. Privacy Officer

4. Legal Officer / Compliance Officer

5. Security Officer

6. Business Continuity Manager

The GDPR and Application on Asia course provides participants with an understanding of Europe’s data protection laws and regulations and how to apply them to Asia. It is a 2-day course which is credited towards SMU’s Advanced Certificate in Data Protection Principles.

Another option to consider is the CIPP/E certification (Certified Information Privacy Professional/Europe) offered by the International Association of Privacy Professionals (IAPP). It is a 3-day course with ANSI/ISO accreditation.

The CIPP/E encompasses pan-European and national data protection laws, key privacy terminology and practical concepts concerning the protection of personal data and trans-border data flows.

Achieving a CIPP/E credential shows you have the comprehensive GDPR knowledge, perspective and understanding to ensure compliance and data protection success in Europe—and to take advantage of the career opportunity this sweeping legislation represents.

Add a CIPM credential (Certified Information Privacy Manager) to the CIPP/E and you'll be uniquely equipped to fulfil the DPO key requirements of the GDPR. The CIPP/E relates to the knowledge a DPO must have concerning the European legal framework of the legislation, and the CIPM the theoretical aspects necessary to lead an organisation's data protection efforts.

Step 2: Understand how to apply it in your context

While the courses above do equip you to operationalise data protection principles in the workplace, many still struggle to apply it specifically in the context of their organisation’s processes.

If you are struggling in this aspect, engaging a data protection consultant will be a great help. Consultants will help guide you through identifying risks and gaps in your data protection management programme.

If you want to speak with a consultant, you may send an email to sales@straitsinteractive.com.

Step 3: Keep up with the latest news and trends

Data protection is an evolving field. New technologies bring new risks and threats to cope with, and regulations are also updated as time progresses. To keep up with the latest trends, it is helpful to have a community of data protection professionals to engage with and learn from.

Read about the Data Protection Trends in 2024, and insights from the team at Straits Interactive.

Communities like the DPEX Network help data protection professionals stay updated with the latest news in the field and foster collaboration between DPOs and business leaders in Asia.

Check out these success tips from a seasoned Data Protection Officer.