What do you need to know about GDPR and PDPA

Overview

Giving consent
Limitations on the data that can be collected
Collection of sensitive data
Deletion and access to data
Breach notification
Financial penalty

Lots of financial institutions and hospital industries are targets of different cyber attacks as they hold something so valuable for the intruders, their clients’ Personal Identifiable Information (PII). When hackers get this information, they can do whatever they want with it, and if they are lucky enough to obtain account privileges, the company’s system and network can cripple.

This is one of the reasons why different countries have data privacy acts. Businesses should protect the personal information of the users from modern threat landscapes. Whether the user is a client of a bank or a common customer of a retail store, their data must be safe in private.

If the European Union (EU) has General Data Privacy Regulation (GDPR), Singapore has Personal Data Protection Act (PDPA). You may be marvelling why you would bother thinking about GPGR when South East Asia is miles and miles away from Europe. Unfortunately, GDPR, like PDPA, will hold you accountable once one of its citizens’ information leaks.

Now, let us dig deeper into the two.

The primary goal of these acts is to ensure that there are no exploits for storing the legal collection of data from users.

GDPR was written in April 2016 and was expected to be practised by May 25, 2019, while PDPA was created in October 2012 and is expected to come about by July.

In terms of consent, PDPA’s condition is quite conflicting as it requires the object’s permission in Section 13 before gathering data. It follows the statement that even without the object’s permission, as long as persons are willing to give out data, collecting data is still illegal.

Furthermore, in PDPA, consent may be unnecessary if the data is already available to the public or used for literary purposes. However, in GDPR, businesses must know the consent of the object first, no matter what.

There is no restriction on the number of personal data that a business can collect under PDPA compared to GDPR. GDPR, on the other hand, the law only requires information with its purpose. In addition, GDPR requires a minimum age of 16 years to be able to provide consent, but it is also possible for 13 and 15 years olds to give consent, depending on the circumstances. However, PDPA defines no age threshold.

In GDPR, it does not allow the collection and disclosure of data such as race, political affiliations, religious or philosophical beliefs, trade union membership, genetic data, biometric data, and data concerning health or sexual orientation. However, PDPA has no guidelines for collecting data regarding this.

PDPA does not allow the object to delete the data that he/she provides to the organization, while GDPR allows the object to have full access to their data.

Breach Notification

Once a breach occurs, GDPR states that an organisation must be able to report the incident to the data privacy commission within 72 hours of being aware of it. When the breach is pretty damaging, the organization holds to be accountable without having any second thoughts.

There is no definite clause about breach notification in PDPA.

Financial Penalty

A punishment fee ranging from 10 million euros up to 4% of the company’s annual revenue will be required upon discovering that the organization failed to comply with GDPR.

PDPA, on the other hand, requires organizations to pay a penalty of up to $1 million. Non-compliant organizations will also be liable to a $10,000 fine and imprisonment for up to 3 years or both. If the offence is not remediated and it continues even after being convicted, there will be a fine of up to $1,000 per day.

No matter what the differences between the two data privacy act, their goal still coincide as they both aim to protect and secure the data of their citizens from unauthorized access.