What Do You Need to Know About GDPR and PDPA?

By |2021-08-23T15:16:50+08:00July 9th, 2019|Categories: Compliance|Tags: , |
  • Overview

  • Giving consent

  • Limitations on the data that can be collected

  • Collection of sensitive data

  • Deletion and access to data

  • Breach notification

  • Financial penalty

Lots of financial institutions and hospitality industries have been targeted by different cyber attacks as they hold something so valuable for the intruders, its clients’ Personal Identifiable Information (PII). When the hackers got hold of this information, they can already do whatever they want with it. And if they will be lucky enough to obtain privileged accounts, company’s system and network can be crippled.

This is one of reasons why different countries established their own data privacy acts. Personal information of the users must be protected from modern threat landscapes. Whether the user is a client of a bank or a common customer of a retail store, their data must be kept in private.

If the European Union (EU) has General Data Privacy Regulation (GDPR), Singapore has Personal Data Protection Act (PDPA). You may be marveling why would you bother thinking about GPGR when South East Asia is miles and miles away from Europe.  Unfortunately, GDPR, like PDPA, will hold you accountable once one of its citizens’ information was leaked.

Now, let us dig in deeper within the two.


The primary goal of these acts is to ensure that the legally gathered data from the users were stored in a place where it cannot be exploited.

GDPR was written on April 2016 and was expected to be practiced by May 25, 2019 while PDPA was created on October 2012 and is expected to come about by July


In terms of consent, PDPA’s condition is quite conflicting as it requires object’s consent in Section 13 before gathering data. But then it was followed by the statement that even without object’s consent as long as the objects give it without being hard-pressed, it can be considered as legally taken.

Furthermore, in PDPA consent may be unnecessary if the data is already available in public or use for literary purposes. However, in GDPR, consent must be accepted and known to the object first, no matter what.


There is no restriction on the numbers of personal data that can be collected by PDPA compared to GDPR. GDPR, on the other hand,  only requires information which has its purpose.  In addition, 16 years old is the minimum age that is considered equipped enough to provide consent in GDPR.  It may be lowered between 13-15 years old depending on the circumstances. However, there is no threshold age defined in PDPA.

Collection of sensitive data

In GDPR, data such as race, political affiliations, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or sexual orientation is not allowed to be collected and disclosed.

No article defined in PDPA about the collection of data.

Deletion and Access to Data

PDPA does not allow the object to delete the data that he/she had provided with the organization while GDPR allows the object to have full access to their data.

Breach Notification

Once breached occurs, it is stated in GDPR that organization must be able to report the incident to the data privacy commission within 72 hours upon being aware of it. When the breach is pretty damaging, the organization must be held accountable without having any second thought.

There is no definite clause about breach notification in PDPA.

Financial Penalty

A punishment fee ranging from 10 million euros up to 4% of the company’s annual revenue will be required upon discovering that the organization failed to comply with GDPR.

PDPA, on the other hand, requires organizations to pay a penalty of up to $1 million. Non-compliant organizations will also be liable to a  $10,000 fine and imprisonment for up to 3 years, or both. If the offence was not remediated and it still continues even after being convicted, there will be a fine of up to $1,000 per day.

No matter what the differences between the two data privacy acts their goal still coincides as they both aim to protect and secure the data of their citizens from unauthorized access.