New EU General Data Protection Regulation (GDPR) Law to Affect Physical Data Rules in Singapore

Singapore, 22 May 2018 – Shred-it Singapore, a data protection company providing secure information destruction services, has published a white paper titled “Future-Proofing Secure Data and Document Destruction in Singapore: Are You GDPR Ready?” addressing key areas of the GDPR and how it pertains to businesses and consumers in the country. The GDPR outlines new rights for consumers and lays out the responsibilities for organisations and the rules they must follow for collecting, processing, safeguarding and disposing of their customers’ personal information.
This white paper also serves as a reminder of the responsibility organisations have towards the handling of their customers’ information and the amount of control customers should hold over their personal data. Coming into effect on 25 May 2018, the GDPR is a new legislation adopted by the European parliament and council to bring greater strength and consistency to those residing in European Union (EU) countries regarding their personal data.
“[With this new legislation], individuals are given more control over the personal information organisations hold about them, while organisations are tasked with a new set of rules to follow when handling the personal information of their customers. For Singaporeans and non-EU residents not protected under this legislation, it is a sombre reminder that more needs to be done to give them adequate insight and control over their own personal data” said Duncan Brown, General Manager, Shred-it Singapore & Regional Market Development EMEA/APAC, Stericycle. 

How GDPR will affect organisations in Singapore 
Organisations impacted by the new legislation include Singapore businesses with branches in the EU, organisations offering services to or employing those who reside in the EU, anyone who handles, processes or stores data of EU residents or has equipment such as their servers located in the EU. 1.8 million tourists from the EU[1] visited Singapore in 2017, and as a top trading partner of Singapore, a significant number of organisations here are likely required to put measures in place to comply with this new legislation. Organisations will require an overhaul of their existing data governance and management policies, involving in-depth changes to current workflows and technology.

Differences between GDPR and PDPA
The main differences between the GDPR and the Personal Data Protection Act (PDPA), is the amount of control individuals are able to exercise over organisations holding onto their data. Consumers will have the right “to be forgotten” and request for the deletion or removal of their personal data from company records at any time. Organisations will not be allowed to retain personal information beyond the stated purpose for which they obtained the data. In the event of a data breach, organisations need to notify their data subjects within 72 hours of the discovery of the breach. The removal of “implied consent” and “opt out” models of marketing will give individuals additional reassurance on the security of their personal information as organisations must ensure data is purged in a timely manner.
Individuals will have better means to take proactive steps in ensuring proper data protection thanks to the potentially severe consequences of non-compliance. “With potential fines of the higher of 20 million Euros – that’s about S$32 million! – and 4% of global turnover, the GDPR will become the global standard for data protection for any organisation with an international outlook” said Ms Lyn Boxall, Director of Lyn Boxall LLC.
  
Increase in physical data breaches locally
As organisations work to be GDPR-ready, Singaporeans are likely to also benefit from the added security from the new processes and procedures. Singaporeans should also know their rights when it comes to data protection and their recourse in case of a data breach and insist on more protection where local regulations fall short.
As the largest document destruction company in the world, Shred-it has been a leading voice in setting the standard for industry best-practices for information security and workplace privacy. The publication of the white paper is, at its heart, a reminder that the complex legislations of the GDPR is of concern not just to European businesses and consumers, but a warning bell for individuals laid bare and at the mercy of anyone looking to profit unjustly from their personal information.
 

¹Singapore Tourism Board. 2018. International Visitor Arrivals Statistics. [ONLINE] Available at: https://www.stb.gov.sg/statistics-and-market-insights/marketstatistics/iva%202017%20(final).pdf. [Accessed 9 May 2018].