In this two part series, Lawyer Yeong WanHsi discusses the various data protection regimes which have been implemented across the globe, the types of protection that they provide and the legal considerations which companies should bear in mind.
In the second part of this series, WanHsi elaborates on the various data privacy policies and data protection obligations companies must comply with.
Practical Considerations for Companies
Given the differing requirements under the GDPR and the PDPA, companies have to be mindful that their consumer data practices and privacy policies are updated and are in compliance with the GDPR. In this regard, we shall look at some measures companies may undertake to ensure compliance.
Consent
Under the PDPA, consent is required to process personal data, but there are a number of exceptions where deemed consent forms a legitimate basis for processing data. The GDPR on the other hand defines consent more strictly, i.e. it has to be ‘freely given, specific, informed and unambiguous indication of the data the subject wishes by which he/her, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him/her.’ Essentially, express consent is required under the GDPR.
Therefore, in order to comply with both regimes, express consent must be obtained from customers/clients before data is collected, which is a higher standard as required under the GDPR. Companies should actively obtain such express consent and refrain from relying upon ‘deemed consent’ for the processing of personal data.
As a matter of good practice, consent requests should be prominent, concise, separate from other terms and conditions, and easy to understand. Companies should avoid the use pre-ticked boxes, opt-out boxes or other default opt-in settings. Records should also be kept to evidence consent (who consented, when, how, and what data subjects were consenting to) as part of the compliance requirements. In addition, it is also imperative that customers/clients are able to easily withdraw their consent at any time they choose.
Privacy Information
When a company collect personal data from an individual, it is required to provide the individual with privacy information at the time the data is obtained. Privacy information should include:
- Name and contact details of the company
- Name and contact details of EU representative
- Contact details of DPO
- Purposes of processing
- Lawful basis of processing
- Legitimate interests for the processing
- Recipients or categories of recipients of the personal data
- Details of transfers of the personal data to any third countries or international organisations
- Retention periods for the personal data
- Rights available to individual in respect of the processing
- Details of whether individuals are under a statutory or contractual obligation to provide the personal data
- Details of the existence of automated decision-making, including profiling
The above information should be easily accessible by the individual, and is typically achieved via the publication of privacy policies on the respective company website. In addition, companies may also provide individuals with privacy information through mobile and smart device functionalities such as pop-ups, voice alerts and mobile device gestures, dashboards that inform people how the company is going to use their data and allow them to manage what happens with it, or short notices containing key privacy information that have additional layers of more detailed information.
It is also advisable for companies to regularly review their policies to ensure it remains accurate and up to date, update and seek the express consent of their users if there are new purposes for the use of personal data, and proactively bring any amendments to attention of their users.
Personal Data Requests
Companies should note that their customers/clients have an explicit right under the GDPR and the PDPA to request personal data held by the company and demand that such data be rectified or erased for any reason. Thus, companies should put in place appropriate procedures to be able to comply with requests from individuals to erase, transfer or restrict the processing of their personal data. One way this may be achieved is via electronic correspondence between users and companies. Notwithstanding the foregoing, it is highly recommended by the GDPR that organisations should be able to provide remote access to a secure self-service system that would provide direct access to an individual’s own information.
Information provided should be concise, transparent, intelligible, and use clear and plain language. The access request must be processed without undue delay, at the latest within one month of receipt of the request. If there are doubts about the identity of the person making the request, it may be possible to seek further information. However, it is important that companies only request information that is necessary to confirm the identity of the person making the request.
Data Breach Notifications
A data breach could mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It is immaterial whether the breach is accidental or deliberately caused. Examples of breaches include access by an unauthorised third party, sending personal data to an incorrect recipient, and loss of availability of personal data.
The GDPR makes self-reporting of breaches to a company’s lead supervisory authority mandatory so long as the data breach is likely to result in any risk to an individual’s rights and freedoms. The report must be made no later than 72 hours after the company has become aware of the breach. Individuals are also required to be informed about the breach without undue delay, as soon as possible. The PDPC has proposed changes to the PDPA to include a 72-hour breach notification requirement. Hence, companies should devise and implement comprehensive data breach reporting procedures in order to comply with the GDPR, and be well ahead of the proposed changes to the PDPA.
Central Data Processing Record
Companies should ensure that there is a central record of all processing of personal data which contains the mandatory information under the GDPR:
- Name and contact details of the organisation (including details of DPO)
- Purposes of processing
- Description of the categories of individuals and categories of personal data
- Categories of recipients of personal data
- Details of data transfers including documenting the transfer mechanism safeguards in place
- Retention schedules
- Description of technical and organisational security measures
Documenting processing activities is important, not just because it is a legal requirement, but it supports good data governance and assists in demonstrating compliance with other aspects of the GDPR.
Data Controller
Companies that determine the purposes and means of the processing of personal data are data controllers. Practically, this would encapsulate in one way or another almost all companies that provide some form of service to its customer/client.
Data controllers will be responsible for, and be able to demonstrate compliance with, the principles relating to processing of personal data. Amongst other things, companies should employ organisational and technical measures such as allocating responsibilities for data protection, conducting DPIAs, have in place risk mitigation plans and implement pseudonymization (the processing of personal data in such a manner that personal data can no longer be attributed to a specific user without the use of additional information).
Data Processor
Companies that process personal data on behalf of data controllers are known as data processors.
The responsibilities of data processors usually include acting only on the documented instructions of the data controller, ensuring that its employees who are processing the data are subject to a duty of confidence, employing appropriate measures to ensure the security of processing and only engaging sub-processors with the prior consent of the data controller.
Relationship between Data Controllers and Data Processors
It is a very common business practice in today’s commercial world for companies to outsource the processing of personal data collected by them to an external data processor. When a data controller engages/utilizes a data processor, it is a legal requirement under the GDPR to have a written contract between the parties to ensure that both parties understand their obligations, responsibilities and liabilities. Data processors are required to provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing of personal data will be in compliance with the requirements of the GDPR and ensure the protection of the rights of individuals that have provided their personal data.
An important note for data processors is that if a data processor is the one that determines the purpose and means of processing (rather than acting only on the instructions of the controller), then it will be considered as a controller and will have the same liability as a data controller.
Transfers subject to appropriate safeguards
Personal data may be transferred outside the EEA if the data exporter has put in place appropriate safeguards, or where a derogation applies. Primarily, an appropriate safeguard would be a legally binding and enforceable agreement between the data exporter and the party to whom data is being transferred to, containing standard data protection clauses adopted by the European Commission.
In the absence of appropriate safeguards, companies may still transfer personal data outside the EEA in specific situations i.e. derogations. A company may transfer data where its client/customer has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers. Other examples include where a transfer is necessary for the conclusion or performance of a contract, or where it is necessary for the exercise or defence of legal claims.
Data Protection Officer (“DPO”)
A DPO is an individual that oversees data protection responsibilities within an organisation to ensure compliance with data protection laws. Under the PDPA, companies are required to designate at least one individual to be the DPO.
Under the GDPR, companies are required to determine whether they fall within the mandatory DPO regime and, if so, how best to integrate this function into the company. A DPO’s task is defined in Article 39 of the GDPR – namely, to inform and advice about GDPR obligations and data protection laws, monitor compliance with the GDPR and data protection laws, to advise on and to monitor DPIAs, and to be the first point of contact for supervisory authorities and for any individual whose data is processed. The PDPC’s prescribed DPO responsibilities are very similar to the GDPR’s.
Companies should note that the role of DPO can be contracted out externally, based on a service contract with an individual or an organisation. Alternatively, the role could be a dedicated responsibility or an additional function within an existing role in the organisation. Further, a single DPO can also be appointed to act for a group of companies. Regardless of whether the DPO is contracted out or handled in-house, the key principle is that the DPO should be easily accessible. Hence, the DPO’s contact details should be readily available to employees and consumers/clients alike.
Data Privacy Impact Assessments (“DPIAs”)
A DPIA helps to systematically and comprehensively analyse an organisation’s data processing process and helps to identify and minimise data protection risks. It is a legal requirement under the GDPR to conduct a DPIA if a company plans to use systematic and extensive profiling with significant effects, process special category or criminal offence data on a large scale or systematically monitor publicly accessible places on a large scale. However, as a matter of good practice, a DPIA should also be conducted if an organisation plans to use new technologies, use profiling or special category data to decide on access to services, profile individuals on a large scale, process biometric data, process genetic data, match data or combine datasets from different sources, track individual’s location or behaviour, profile children or target marketing or online services at them, or process data that might endanger the individual’s physical health or safety in the event of a security breach.
Also recommended by Singapore’s PDPC, a DPIA should be conducted if a company’s processes are new or undergoing major change. A DPIA is best conducted in the early stages on a project, before processing takes place, and it should run alongside the planning and development process. Thus, companies should introduce processes to ensure that DPIAs are used where mandated by the GDPR and implement its policy for broader usage, as this will assist with complying with the general accountability requirements of the GDPR and PDPA.
Conclusion
At the corporate level, it is imperative for organisations to revise their internal procedures, measures and data protection policies to address the additional obligations imposed by GDPR. This is because contravening either the PDPA or the GDPR would result in significant financial penalties being imposed, especially for the contravention of the GDPR. Although the higher threshold for compliance may cause companies to incur higher costs, it is important to keep in mind that the EU is a lucrative market and ensuring compliance with both the PDPA and the GDPR would undoubtedly enhance consumer confidence in the company.
Have a question about data protection?
If you have any questions about the PDPA and would like to speak a lawyer, you can request a Quick Consult with WanHsi Yeong or lawyers with similar expertise for a transparent, flat fee of $49. You can expect a call back within 1-2 days on the phone to get legal advice and have your questions answered.
This article does not constitute legal advice or a legal opinion on any matter discussed and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and practice in this area. If you require any advice or information, please speak to a practicing lawyer in your jurisdiction. No individual who is a member, partner, shareholder or consultant of, in or to any constituent part of Interstellar Group Pte. Ltd. accepts or assumes responsibility, or has any liability, to any person in respect of this article.
This article is written by Yeong WanHsi of Arrowgates LLC and edited by Rishika Pundrik of Asia Law Network.