The General Data Protection Regulation (GDPR) and Singapore's Personal Data Protection Act (PDPA) are broadly similar, but differ in several important respects. In general the GDPR can be considered the stricter of the two: the Regulation places more weight on the rights of data subjects and provides for significant fines against companies that fail to comply with it. It is crucial to understand that strictly applying the rules of the PDPA helps, but does not by itself make your business GDPR-compliant. If you sell goods or services to customers in the EU, regardless of their citizenship, the GDPR applies to that processing, and you must comply with it in addition to the PDPA.
- The right to be forgotten (the right of a data subject to have the organisation holding their personal data erase it) is included in the GDPR but not recognised by the PDPA. The PDPA does recognise a right to have personal data corrected, which the GDPR also grants, but correction is a fundamentally different right from erasure.
- Under the GDPR, data subjects have the right to access the personal data a company holds about them, and the first copy must be provided free of charge; in Singapore companies may charge a reasonable fee for responding to an access request.
- Data subjects in the EU have the right to receive their personal data in a structured, machine-readable format that can readily be transmitted to another organisation (data portability). The important aspect is the transfer itself, which makes it easier for data subjects to switch from one service provider to another.
- The GDPR requires companies in Singapore that fall within its scope to appoint a representative in the EU and, under certain circumstances, a Data Protection Officer (DPO) when processing personal data. In Singapore, companies must also designate one or more individuals responsible for ensuring the organisation's compliance with the PDPA, but this is a Singapore-facing role and does not substitute for the EU representative required by the GDPR.
- Obtaining consent from data subjects differs slightly under the two acts (acquiring consent has been one of the hottest topics of discussion since the adoption of the GDPR). One of the main differences is that the GDPR requires consent to be given by a clear affirmative act and does not recognise the PDPA's concept of deemed consent.
- The GDPR sets out a procedure for notifying personal data breaches to a supervisory authority and for communicating the breach to the affected data subjects. The PDPA provides no such procedure.
These are only the most important differences between the GDPR and the PDPA in outline. Fines imposed under the GDPR are significant, and the maximum fine is defined as a percentage of the company's worldwide annual turnover. However, imprisonment is not among the penalties provided for in the GDPR, whereas under the PDPA individuals guilty of offences may be liable on conviction to imprisonment for a term not exceeding 12 months.