How Singapore SMEs should prepare for EU general data protection regulation

SINGAPORE'S small and medium enterprises (SMEs) that have business dealings with clients based in the European Union (EU) will need to keep an important date in mind - May 25, 2018.

That is the day the new legal framework, the European Union (EU) General Data Protection Regulation (GDPR), will come into force across the EU to protect all EU citizens and residents from privacy and data breaches by giving them greater control over the organisations that can use their personal data.

This means that, in about 10 months, all organisations - whether in the EU or anywhere else - must adhere to the GDPR regulation as long as they collect and process personal data of EU citizens and residents.

Given that the EU accounts for 10 per cent of Singapore's total trade and with bilateral trade standing at about S$91 billion in 2015, the importance of being GDPR-ready cannot be discounted.

A global study by Veritas Technologies reported that 92 per cent of organisations in Singapore were concerned about not complying with the GDPR when it comes into effect next year; 56 per cent of businesses were afraid of being unable to meet the regulatory deadlines.

Failure to comply can have serious consequences, especially for SMEs. The GDPR introduces a tiered approach to fines. For example, a company which does not have its records in order can be fined 10 million euros (S$16.07 million) or 2 per cent of its total global turnover of the preceding financial year, whichever is higher.

Fines are also imposed if the firm fails to notify the supervising authority and the data subject about a breach, or if it fails to conduct a Privacy Impact Assessment (PIA).

Organisations in breach of the GDPR can be fined up to a maximum of 4 per cent of their annual global turnover or 20 million euros of the preceding financial year, whichever is higher.

GDPR requirements

With the GDPR introducing some fairly stringent requirements in relation to the protection of personal data, SMEs need to be familiar with what the new regulations are.

Firstly, organisations covered by the GDPR must employ a Data Protection Officer (DPO), who is responsible for ensuring that the organisation collects and secures personal data responsibly.

Secondly, individuals have more rights over how organisations use their personal data. They have the "right to be forgotten" if they either withdraw their consent for the use of their personal data or if keeping their personal data is no longer required.

Organisations must immediately report breaches in data security to the relevant data protection authority in the EU. Ideally, the report should be made within 24 hours of the discovery of the breach; if that is not possible, within 72 hours.

Keep in mind that consent for a particular use of the personal data must now be explicitly given before this data can be used for that purpose. The previous practice of taking silence or a failure to opt out to be "deemed consent" is no longer considered as valid consent.

This new requirement will be applied retroactively; personal data previously collected without meeting this new requirement cannot be used unless express consent is obtained.

An organisation with fewer than 250 employees is not required to comply with the GDPR. However, the GDPR still applies to SMEs with fewer than 250 employees that either routinely process personal data that is likely to result in a risk to the rights and freedoms of EU data subjects or process special categories of data relating to criminal convictions and offences. The special categories of data include health data, information on individuals' racial or ethnic origin, political affiliations, religious beliefs, genetic and biometric data and sexual orientation.

The GDPR will apply to both controllers and processors of data. A data controller determines the purposes, conditions and means of processing the personal data; a data processor processes personal data on behalf of the controller. The GDPR places more legal obligations and liabilities on controllers than on processors. Controllers will need to ensure that their contracts with processors require the processors to comply with the obligations under the GDPR.

Under the GDPR, personal data is any information that relates to a natural person or data subject that can be used to directly or indirectly identify that person. Such information can include a name, a photo, an e-mail address, bank details, posts on social media websites, medical information, or a computer IP address.

Preparing to be GDPR-ready

With personal data being used widely from marketing to customer relationship management, SMEs will need to rethink the way they manage and protect personal data in order to comply with the GDPR.

For a start, they need to appoint a DPO, who need not be a full-time employee, and whose function can be outsourced depending on the organisation's needs.

Ensure that all personal data is stored responsibly and securely, and all data-security arrangements are regularly reviewed and updated. Measures such as PIAs, which assess where privacy risks exist and how to minimise them, are essential, especially for controllers.

Review the consent that was given when the personal data was collected. If the data was collected under "opt out" or other mechanisms which are no longer valid under the GDPR, the organisation must cease using the personal data unless further express consent is obtained.

The organisation must update its privacy policies as the GDPR requires them to inform individuals of their new rights under the GDPR.

Last but not least, the organisation should put in place plans to deal with a data breach. This will mean knowing what personal data the organisation is holding, where it is stored, who has access to it, and how to spot breaches when they occur, as well as to whom the breach must be reported.

The organisation should also consider installing new technology that can provide a comprehensive approach to data identification and security. Understanding what personal data is held and where this is stored will help in monitoring compliance and the processes involved in dealing with the personal data.

Given the heavy fines for non-compliance, Singapore SMEs must ensure that they have implemented privacy by design internally and externally, and put in place policies that ensure internal and external compliance with the obligations of the GDPR.

  • The writer is head and partner, Intellectual Property & Technology, RHTLaw Taylor Wessing