Main Comparison of PDPA and GDPR

Are you ready to accept the GDPR or EU General Data Protection Regulation? After you may have made all the adjustments to Singapore’s Personal Data Protection Act (PDPA) in 2014, you may think that you have protected your customers’ personal data. But GDPR is completely different from PDPA.

We have created a comparison chart below to give you a quick understanding of the similarities and differences of each chart so that you can understand how this will affect your organization.

Overview: PDPA

PDPA has two main clauses:

9 Data Protection Obligation:

Consent- is required before collecting, using or disclosing personal data

Purpose Restriction -the organization must notify the individual that you collect, use or disclose personal data; in addition, The collected data may not be used for any purpose other than the original purpose.

Notification – Before a person agrees to collect, use or disclose their personal data, they must be notified of its purpose.

Access and correction – individuals have the right to request access to personal data that the organization owns or controls and they are allowed to correct any errors in their personal data.

Accuracy – Organizations should make reasonable efforts to collect accurate and complete personal data, especially if any decision made with personal data affects the individual and if the personal data will be disclosed to another organization.

Protection – Reasonable security measures must be taken to prevent unauthorized access, use, disclosure, copying, modification and deletion of personal data that is owned or controlled by the organization

Retention restrictions – Organizations can only retain data personal for a certain period of time. after which you must permanently delete or delete documents containing this class.

Transmission restriction – Unless the receiving country has data protection standards equivalent to PDPA, no personal data will be provided outside of Singapore

National Do Not Call Registry

The name registered in the DNC National Registry will not receive marketing information unsolicited (voice phone, SMS or fax from any Singapore registered organization).

GDPR: A quick look

The following are the main changes introduced by the GDPR:

Greater territorial scope – No matter where you are, if your company processes the personal data of subjects living in the EU, then the GDPR should apply to you.

Sanctions – Organizations that do not comply with the regulations can be fined up to 4% of global annual turnover or 20 million euros (whichever is higher).

Consent – Individuals should receive a consent request form that is easy to understand and easy to access.

Violation notification – The data controller must notify the supervisory authority, the affected individual or organization of any violation of privacy within 72 hours after becoming aware of the violation, without unreasonable delay.

Access rights – The data subject must have free access to personal data owned or controlled by the person responsible for processing, and must provide a copy in electronic format.

Data deletion – Data subjects have the right to forget their personal data: delete, no longer disseminate or third parties stop processing their personal data by the data controller.

Data portability – Data subjects must be able to receive personal data that they agree to provide in a “common and machine-readable format” and have the right to transfer that data to another controller
Privacy design-data protection should be included in the system design early on, not just as a supplement.

The appointment of a data protection officer is only applicable to the following organizations:
– main activities include data processing operations,
– large-scale and systematic monitoring of data subjects,
– regular processing of special categories of data or data related to criminal convictions and crimes