Few Singapore firms ready to comply with EU data rules

Published: 11.06.2018 Related countries:  Singapore Singapore

Poll finds just 10% have plans to deal with stricter privacy laws

Taxi operator ComfortDelGro is preparing for the roll-out of stricter privacy laws in Britain, where it runs a fleet of 7,900 taxis.

For instance, it will have to erase the personal data of customers who ask for this, among other new rules, when Europe's General Data Protection Regulation (GDPR) takes effect on May 25.

But unlike ComfortDelGro and a small number of others, not many Singapore firms are making plans to comply with the GDPR.

This, even though the new rules will apply to any organisation that collects the personal data of European Union citizens and residents, whether or not it operates in the EU.

ComfortDelGro spokesman Tammy Tan told The Straits Times that its British operations started preparing for GDPR compliance in the middle of last year. "We will be ready by the time the new rules kick in on May 25."

It is among the 10 per cent of Singapore companies that have GDPR compliance plans, consultancy firm EY found in a February poll of 745 executives from 19 countries, including 40 from Singapore. This is well below the global average of 33 per cent.

GDPR requirements are plenty and stricter than Singapore's Personal Data Protection Act (PDPA), which was fully implemented in July 2014.

For instance, the GDPR gives consumers the right to ask for their personal data to be erased, which does not exist under the PDPA.

Singapore companies that are required to comply with the GDPR are likely to face higher compliance costs in the short term, said Mr John Ho Chi, advisory partner at consultancy firm Ernst & Young. This includes having the manpower to process customer requests and ensure data is deleted promptly.

Also, unlike the PDPA, the GDPR protects business contact details such as those printed on business name cards.

While marketers can contact Singapore residents using their business card details, this is not allowed under the GDPR without explicit consent from EU residents.

This requirement will affect many sectors, especially those with business in Europe. These include Singapore Airlines and CapitaLand, which owns the Citadines brand of serviced residences in Britain, Germany and France.

In addition, unlike the PDPA, the GDPR explicitly prohibits the processing of "sensitive personal data" such as one's race, religion and political beliefs without proper justification, said Mr Philip Chong, Deloitte South-east Asia executive director (Risk Advisory).

For instance, recruitment firms may not ask for such sensitive information if the data is not relevant to the hiring process, he added.

Deemed consent, allowed under the PDPA, is another feature that is prohibited under the GDPR.

Privacy lawyer Bryan Tan from Pinsent Masons MPillay said: "Disclaimers such as, 'By taking part in this competition, you are deemed to have consented to the use of your personal data', will not fly with the EU privacy watchdog."

Finally, the GDPR will have the teeth to fine companies up to 4 per cent of their annual global turnover or €20 million (S$32 million) if they are found to have breached the rules. In comparison, the maximum fine under the PDPA is $1 million.

"The GDPR catches attention in Singapore because of the size of the potential penalties," said Ms Lyn Boxall, director of boutique fintech advisory law firm Lyn Boxall.

She also warned companies not to operate under the fallacy that the GDPR does not affect them if they do not have a presence in the EU.