Translating the GDPR for Singapore and APAC

Posted on 25/06/2018 by


GDPR! you may have by now heard all the buzz around GDPR.  You can learn more about this and peruse the full 88 page GDPR document here:


Save your time by reading my 5 minute summary of how GDPR translates to Singapore/APAC and going for an early coffee break:

Translating the GDPR for Singapore and APAC

Considering the recent Facebook-Cambridge Analytica fiasco, the safety of our collected data becomes more salient. This week as Europe rolls out the GDPR, here is what needs and will happen behind the scenes.

What is personal data?

Any data relating to an individual’s life be it in the public, private or professional domain which may be used to identify them directly or indirectly.

What is the GDPR?

A collectively designed regulation by the 28 European Union countries, providing a common standard to be applied for all EU citizens.

The regulation replaces the 1995 Data Protection Directive which has been deemed as insufficient and outdated to protect the individuals.

It addresses the export of personal data and EU citizens will be able to gain heighted perspective of who has accessed, handled and where their data has been stored.

Organisations must provide EU citizens the rights to:

  • Access and obtain a copy of their processed data
  • Know who has had access to their processed data
  • Rectify any inaccurate data concerning themselves
  • Erase their collected data
  • Object or restrict their data processing in select circumstances.
  • Not be subjected to automated decision processes.

What will change?

Data protection habits: How and what data you delete and keep will undergo a drastic change. It may be worthwhile for your organisation to invest in headcount for a Data Protection Officer.

In the event of data breaches, notification must be made to affected parties without undue delay within 72 hours.

How is this different from the PDPA?

Singapore’s PDPA allows companies to retain personal data if it used for similar purposes.

About 70% of Singapore’s PDPA is covered within the GDPR. Some data such as business contact information is not considered PDPA, is under the GDPR..


PDPA: An amount not exceeding $10,000 for each offence.

GDPR: An amount up to €20,000,000 or 4% or worldwide annual turnover of preceding financial year (whichever is higher)

Who is affected?
To be affected by the GDPR, a company must:
  • Specifically target EU citizens via currency or language and collect their data.
  • Buy or sell products and services within the EU and collect their data.
  • Have a presence within the EU and collect their data.

A company whom has European customers may be unaffected if its focus is not towards the EU. For example: A Singaporean establishment whom has EU citizens purchasing goods for their consumption is not GDPR bound.

Companies whom subcontract assignments may be at-risk if vendors are not compliant with the GDPR. Beware! Because while work can be subcontracted, the responsibilities cannot be outsourced.

In summary, the breach of personal data can be external or internal. While the focus currently in markets is on cybersecurity, your security may be waterproof but your privacy springing leaks. It may be time to re-examine your policies and protection practices.

As the adage goes: “it is better to be safe, than sorry”. What may be at risk may be more than just your finances, but also your businesses’ reputation and integrity.