Top 12 Tips to Make Your Company GDPR-Compliant


The General Data Protection Regulation (GDPR), which took effect on 25 May 2018, is by far the most robust step yet towards ensuring data privacy and protection.

The European Commission, together with the Council of the European Union and the European Parliament, requires all companies operating in or doing business with any EU country or jurisdiction to adhere to the stipulated regulations.

How GDPR Affects Companies in Singapore

Although the GDPR is primarily mandated for all businesses operating in Europe, it can also affect companies in Singapore in the following cases:

  • If your company conducts business in Europe or with EU-regulated companies and is involved in data handling
  • If your product and/or service can only be accessed through the provision of personal information from individuals with EU nationality or residence
  • If your target consumers are EU citizens and your business requires the collection of personal data
  • If your company offers any form of data processing services to data controllers that are EU-regulated companies
  • If your company deals with outsourcing service providers or subcontract project vendors whose clients are EU individuals or entities

The EU GDPR vs. Singapore PDPA

The Personal Data Protection Act (PDPA) of Singapore has many similarities with the GDPR in terms of personal data handling and processing. However, some inherent characteristics of the PDPA are not GDPR-compliant, namely:

  • There is no specific definition of Sensitive Personal Data
  • Data used for business purposes, such as contact information, is not deemed as Sensitive Personal Data
  • Express and explicit consent is not required for the collection, use, and disclosure of certain personal data classified as sensitive
  • The individual is not provided the choice to ‘opt-out’ in the provision of requested data
  • There is no required minimum age of consent

Consequences of Non-Compliance

Under the PDPA, a fine of S$5,000-10,000 awaits any person found guilty of a data breach and/or privacy policy violation, while organisations or businesses found guilty of such an act will receive a fine of S$50,000-100,000.

Under the GDPR, there are no penalties for guilty individuals, as compliance is expected from the companies involved. Data breaches and/or privacy policy violations will incur a fine of between €10 million and €20 million, or up to 4 per cent of worldwide annual revenue for the past financial year, whichever is greater.

It’s important to note that, through the implementation of the GDPR, there is now a higher threshold of accountability for data handling and stronger protection of consumers’ rights and freedoms.

In order for your company to be fully compliant with the GDPR, consider these top 12 tips:

  1. Logical Explanation

    You have to understand – and be able to fully explain – why customer data is involved in any kind of business transaction with the company. According to the GDPR, you owe customers a clear and thorough explanation of what data you will need from them, who will have access to that data, and where it will be kept.

  2. Legal Basis

    Data collection, storage, and processing within your company must have legitimate and lawful reasons behind them. Clear customer consent is at the crux of these EU-sanctioned regulations, which give customers the following rights:

    1. Right to collect and use their personal information
    2. Notification of individuals and/or entities with access to their personal information
    3. Ability to alter incomplete and inaccurate personal information
    4. Privilege to withhold or cancel selected personal information
    5. Freedom to refuse data collecting, holding, or processing under certain situations
    6. Immunity against any type of automated information collection, storage, and processing

  3. Data Protection Officer (DPO)

    In order to be fully compliant with the GDPR, you must assign a Data Protection Officer (DPO) whose main task is to uphold accountability in the procurement and security of personal data.

    A DPO does not have to be a full-time employee and can be outsourced depending on the complexity of the company’s needs; however, the assigned individual must have up-to-date knowledge of data privacy compliance in order to carry out the duties responsibly.

  4. Compliance Training

    Your employees must receive relevant training so that they are ready to comply with all details concerning the implementation of the GDPR within your company.

    It is in everyone’s best interest to have written policies and procedures, as well as regular verbal reminders, to keep staff aware of the GDPR’s significance to your business operations.

    This will greatly reduce potential privacy breaches – which are usually attributed to human error – and help ensure that your customer database remains safe and secure at all times.

  5. Comprehensive Data Encryption

    Let’s make this one thing clear: comprehensive data encryption, strictly speaking, is not mandatory under the GDPR.

    However, it is an obvious and rather straightforward step towards ensuring that all customer personal information is properly handled by those who have access to it.

    Whether it is for GDPR compliance or not, data encryption is a purposeful action that maintains high levels of data security and, more importantly, helps prevent breaches and processing that would go against the GDPR mandate.

  6. Highly Regulated Privacy Settings

    Whether or not your company’s products and/or services target a customer base that includes people from the EU, the privacy settings of your data protection system must be set to the highest level by default to ensure strict regulatory compliance throughout the entire data processing cycle.

  7. Policy Creation and/or Development

    You must have GDPR-approved company policies governing the transfer of EU-specific data to countries and jurisdictions that do not have the endorsement of the European Commission.

    This is crucial for gaining customer confidence, as your company guarantees that appropriate safeguards are in place during the relay or transfer of their personal data.

  8. Customer Consent Review

    The GDPR requires all companies to hold valid proof that customers gave intentional and voluntary consent when their personal data was acquired.

    If in the past your organisation was involved in personal data procurement using non-GDPR-approved mechanisms, e.g. automated information collection and retrieval, you must immediately cease handling and storing all such data unless you obtain distinct approval from those concerned.

  9. Privacy Policy Update

    One step closer to being a GDPR-compliant company is to update your privacy policy, not only for compliance’s sake but also to give existing customers and prospective clients full disclosure of their new rights and privileges.

  10. Notification of Breach

    Under the GDPR, the Data Protection Officer (DPO) is legally obligated to report all breaches, regardless of nature or depth, to the authorised supervisor within 24 to 72 hours of discovering the breach.

    When a significant negative impact is involved, the individuals concerned must receive the same notification. However, this is not required if the DPO has already taken appropriate action to render the breached data unintelligible or useless to anyone who might take advantage of it.

  11. Contingency Plan

    Set a contingency plan suited to different eventualities, including a massive privacy breach and other worst-case scenarios, to ensure that your client information will have no value to hackers or other unscrupulous individuals.

  12. Compliance Exclusion

    Companies with fewer than 250 employees are not mandated to be GDPR-compliant. However, the GDPR still applies to start-ups and SMEs that are involved in the procurement, processing, and transfer of personal data on a regular basis, because such activity puts the rights and freedoms of individuals from EU countries at risk.

Corporate Services Singapore as your Most Trusted Administrator

Preparing your company for GDPR compliance is a multi-step process that can consume valuable time and effort. Let Corporate Services Singapore act as your most trusted administrator to steer your business away from data breaches and legal pitfalls and, more importantly, to ensure you stay on top of regulatory compliance.
