How does GDPR affect Singapore businesses (and websites)?

Is your business ready for the European Union's strictest -- and newest -- data protection law, the GDPR?

Even if your business is in Singapore, Australia, or anywhere outside the EU, the GDPR may still apply to you. And it comes into effect on 25 May this year.

Here's our guide on the basics of GDPR, why it applies outside the EU, and how it affects common web practices.

Use the table of contents to skip sections.

What is GDPR?

The GDPR (General Data Protection Regulation) is a data protection legal framework. It protects EU residents by dictating how personal data is collected, stored, and used. It also gives individuals significant control over their personal data.

With recent breaches in personal data, like Facebook and Cambridge Analytica incident, the GDPR comes as a timely solution.

Personal data: Any information that can be used to identify someone, either directly or indirectly. Some examples include name, email address, IP addresses, cookies, financial details, and location data.

GDPR concerns: websites and data protection

Cookies/IP addresses & GDPR: Every website (and blog) rely on cookies that gather user information to function correctly and securely. Some of this information includes location data and IP addresses, which can potentially be used to identify a person (i.e. personal data).

As such, the GDPR applies to websites that get EU visitors as well.

Opt-in Forms & GDPR: Likewise, almost every website and blog display opt-in forms for newsletters, service subscriptions, and more. The GDPR considers a person's name, contact information, address, credit card details, and more, personal data.

The later section will show examples of GDPR compliance relating to common website elements.

Why must businesses outside the EU comply with GDPR?

Operating your business or website outside of the EU? The GDPR still matters.

So long as your business (or organisation) holds personal data of EU residents, you have to adhere to the GDPR’s strict requirements.

This includes personal data collected when someone from the EU:

• visits your website (i.e. cookies and IP address)
• signs up for your email list (i.e. name and email)
• gets your product/service (i.e. billing details)
• accepts your free offer (i.e. name and contact details)

To find out if the GDPR applies to your organisation, answer these three questions. 

The consequences of not complying with the GDPR

The deadline for GDPR compliance is May 25, 2018.

This data protection law prescribes hefty fines of up to 4% of a business's global revenue 0r €20 million (whichever is higher).

Moreover, businesses that don't follow data protection best-practices, which the GDPR extensively covers, stand to lose their customers' trust (hint: Cambridge Analytica and Facebook).

Doesn’t Singapore’s PDPA already cover data protection?

So... your business already complies with Singapore’s Personal Data Protection Act (PDPA). What else is there to do?

How is the GDPR any different?

The PDPA is limited in scope and lacks individual rights to personal data, like other data protection laws in the APAC region.

Conversely, the GDPR gives EU residents control over their personal data. It also dictates strict notification procedures in the event of a data breach.

Continue reading for the plain English summary of the 88-page original GDPR framework (dry technical legalities). Do note that this is not an official EU Commission or government resource and doesn't constitute legal advice.

The EU's GDPR Summarised

#1 Obtain explicit consent to use personal data

Your business has to get explicit consent to collect and use personal data from an individual in the EU. The individual cannot be under the age of 16.

Consent must be:

• Freely-given: The person has to take action to agree (i.e. no such thing as “agree by default”). The person must also be able to -- and know how to -- withdraw their consent.
• Specific & informed: Tell people the specific personal data you’re collecting, why you need it, and how it will be used. Also, inform them about the third-parties you can share their data with.
• Clear & upfront: Use plain language, and keep the request for consent separate from the terms and conditions page. The GDPR does not allow organisations to disguise their intentions with legal jargon and technical language.

In other words, if you've collected personal data for the express purpose of billing, you're not allowed to use the personal data for marketing purposes. To do that, you have to seek consent separately.

#2 Facilitate rights to personal data

The GDPR give individuals the rights to:

• Get a copy of their personal data, the purpose it was collected for, and whom the data had been disclosed to.
• Correct inaccurate personal data.
• Erase personal data in some situations.
• Restrict or object to the processing of personal data in some situations (e.g. when it is illegal, when it is used for direct marketing, etc.).
• Receive and transmit their personal data in a structured machine-readable format to another organisation
• Not be subjected to automated decision-making in some situations (i.e. when it has a legal effect on the individual or adversely affects them).

#3 Designate a data protection officer

Businesses/organisations, whose operations involve regular monitoring of individuals and/or processing sensitive personal data, have to appoint a data protection officer.

Please approach a GDPR consultant for further advice.

#4 Make sure default privacy is strict by design

People shouldn't have to jump through hoops to get stricter privacy practices (or settings). The GDPR requires the strictest privacy by default.

In the same vein, a business/organisation should take measures to collect and process data that is only necessary for the permitted purpose.

#5 Notification of data breaches

If a personal data breach does occur, the business/organisation must notify the relevant supervisory authority within 72 hours.

Also, if the breach poses a high risk to the rights and freedoms of the individual, the business/organisation has to notify those individuals promptly.

What should my business do?

Implementing the changes to be compliant with GDPR is extensive (88 pages of technicalities). You will have to audit your organisation's data collection and processing processes.

Because each business/organisation differs in operations and extent of data processing, there isn't a one-size-fits-all solution to GDPR compliance.

Hence, consider engaging a GDPR consultant or legal expert if your organisation caters to the global or EU market.

If you're just getting started, your business will unlikely be fully compliant with GDPR by 25 May. However, basic compliance is better than none. Work towards being fully compliant eventually.

What are the first steps you can take?

Staff awareness of GDPR basics

Make sure your staff and colleagues are aware of the basics of GDPR. Doing so would give each department an idea of what they have to do.

[caption id="attachment_8539" align="aligncenter" width="1024"] Staff awareness is the first step to GDPR compliance.[/caption]

Send our GDPR guide to staff members easily right now... (continue reading the next point below)

[cta id="8522" vid="0"]

Privacy Policy

Write your privacy policy in plain language. The information you provide has to be concise, transparent, and easily accessible.

[caption id="attachment_8425" align="aligncenter" width="1024"] Example: The University of Edinburgh's privacy policy is transparent with all matters of user privacy.[/caption]

Explain the following:

• What data is collected? (this includes cookies and IP address)
• Why is it collected?
• What are the legal grounds for collecting the data?
• How long will the data be stored?
• Who is collecting the data?
• Will any third-parties get access to the data?
• What rights does the individual have with regard to their personal data?
• How can the individual make a complaint (in case of issues)?

For more information on setting up your privacy policy, refer to GDPR Framework's privacy policy resource.

Tip for WordPress users:

If you're using WordPress to run your website/blog, use The GDPR Framework plugin as it contains a GDPR-compliant privacy policy template. The template also covers cookies and Google Analytics. Please make sure to edit the template.

Data collection and consent in product, service, or email list sign up forms [Examples shown]

When collecting and processing personal data, all sign-up and subscription forms (e.g. email newsletter, service subscription) must adhere to these standards:

[gallery link="none" columns="4" ids="eyJ1cmwiOiJodHRwczpcL1wvYmxvZy52b2RpZW4uY29tXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDE4XC8wNVwvTmFtZWQtUGFydGllcy1lMTUyNTgzNDYwOTM3NS5wbmciLCJ0aXRsZSI6Ik5hbWVkIFBhcnRpZXMiLCJjYXB0aW9uIjoiIiwiYWx0IjoiIiwiZGVzY3JpcHRpb24iOiIifQ==,eyJ1cmwiOiJodHRwczpcL1wvYmxvZy52b2RpZW4uY29tXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDE4XC8wNVwvVW5idW5kbGVkLnBuZyIsInRpdGxlIjoiVW5idW5kbGVkIiwiY2FwdGlvbiI6IiIsImFsdCI6IiIsImRlc2NyaXB0aW9uIjoiIn0=,eyJ1cmwiOiJodHRwczpcL1wvYmxvZy52b2RpZW4uY29tXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDE4XC8wNVwvRGVsbC1TY3JlZW5zaG90LWUxNTI1ODMzNjk5MTUwLnBuZyIsInRpdGxlIjoiTmVnYXRpdmUgZXhhbXBsZTogQ29uc2VudCBjYW5ub3QgYmUgcHJlLXRpY2tlZC4gKEdEUFIpIiwiY2FwdGlvbiI6IiIsImFsdCI6Ik5lZ2F0aXZlIGV4YW1wbGU6IENvbnNlbnQgY2Fubm90IGJlIHByZS10aWNrZWQuIChHRFBSKSIsImRlc2NyaXB0aW9uIjoiIn0=,eyJ1cmwiOiJodHRwczpcL1wvYmxvZy52b2RpZW4uY29tXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDE4XC8wNVwvQ2lzdG9yLUdyYW51bGFyLWUxNTI1Nzc3MDg3MjQwLnBuZyIsInRpdGxlIjoiQ2lzdG9yIC0gR3JhbnVsYXIiLCJjYXB0aW9uIjoiIiwiYWx0IjoiIiwiZGVzY3JpcHRpb24iOiIifQ=="]

Active opt-in: “No” (or unticked) must be the default. Silent or soft opt-in are invalid forms of consent under GDPR (see the below example). Users must expressly opt-in to consent.

[caption id="attachment_8402" align="aligncenter" width="548"] Negative example: Consent cannot be pre-ticked.[/caption]

Unbundled: Ask for consent for non-essential communications (e.g. promotional emails) separately. Bundling mailing list consent with the terms and conditions is invalid under GDPR. Moreover, it should not be a prerequisite of signing up unless necessary for the service.

[caption id="attachment_8403" align="aligncenter" width="700"] Example: GDPR requires consent to be separate (unbundled)[/caption]

Granular: Different uses of personal data requires separate consent.

[caption id="attachment_8401" align="aligncenter" width="638"] Example: Separate consent is gotten for email and telephone communications[/caption]

Easy withdrawal of consent: Inform the user that they have the right to withdraw their consent at any time and explain the procedure to do this. The process to withdraw consent must be simple.

[caption id="attachment_8551" align="aligncenter" width="760"] Example: Uniqlo lets its users unsubscribe from promotional emails easily.[/caption]

GDPR Resources

Further reading about GDPR

• GDPR and You (by the Data Protection Commissioner)
• EU GDPR Portal
• The UK Information Commissioner's Office (ICO)
• General Data Protection Regulation (GDPR): demanding new privacy rights and obligations (by EY)
• Microsoft's GDPR Trust Center

GDPR Consultants & Solutions

• EY: How we can help
• Deloitte - GDPR
• PWC: GDPR essentials and how PwC can help
• KPMG: GDPR – Are you ready?
• Informatica
• Crayon

Google Analytics and Social Media (GDPR)

• Google Analytics (Data Retention)
• Facebook Businesses & GDPR
• Twitter's GDPR Hub

Wordpress Plugins for Basic GDPR Compliance

• GDPR Framework -- Includes privacy policy template and rights management tool
• GDPR plugin -- Includes website footer overlay, cookie declaration, consent management, and rights management tool

Other Tools

• OneTrust Privacy Management Software (free edition) -- Free tool to operationalise your privacy program for GDPR compliance

Takeaway: The EU GDPR & Singapore

• The GDPR is the strictest known framework for data protection (as of 2018).
• Although your organisation is not inside the EU, it may have to comply with the GDPR if it holds personal data of EU residents.
• If your business caters to the EU market (even if it is in the minority), consider engaging a GDPR consultant for advice.
• Get your staff to understand the basics of GDPR. That's the most important thing!

Disclaimer: This is not an official EU Commission or government resource. Nothing in this article constitutes legal advice.  Anyone who intends to rely on the information is solely responsible for verifying the information and obtaining independent expert advice if needed.

[cta id="8519" vid="0"]