Is your business ready for the European Union’s strictest — and newest — data protection law, the GDPR?
Even if your business is in Singapore, Australia, or anywhere outside the EU, the GDPR may still apply to you. And it comes into effect on 25 May this year.
Here’s our guide on the basics of GDPR, why it applies outside the EU, and how it affects common web practices.
What is GDPR?
The GDPR (General Data Protection Regulation) is a data protection legal framework. It protects EU residents by dictating how personal data is collected, stored, and used. It also gives individuals significant control over their personal data.
With recent breaches of personal data, like the Facebook and Cambridge Analytica incident, the GDPR comes as a timely solution.
Personal data: Any information that can be used to identify someone, either directly or indirectly. Some examples include name, email address, IP addresses, cookies, financial details, and location data.
GDPR concerns: websites and data protection
Cookies/IP addresses & GDPR: Every website (and blog) relies on cookies that gather user information to function correctly and securely. Some of this information includes location data and IP addresses, which can potentially be used to identify a person (i.e. personal data).
As such, the GDPR applies to websites that get EU visitors as well.
Opt-in Forms & GDPR: Likewise, almost every website and blog displays opt-in forms for newsletters, service subscriptions, and more. The GDPR considers a person’s name, contact information, address, credit card details, and more, personal data.
A later section shows examples of GDPR compliance relating to common website elements.
Why must businesses outside the EU comply with GDPR?
Operating your business or website outside of the EU? The GDPR still matters.
So long as your business (or organisation) holds personal data of EU residents, you have to adhere to the GDPR’s strict requirements.
This includes personal data collected when someone from the EU:
- visits your website (i.e. cookies and IP address)
- signs up for your email list (i.e. name and email)
- gets your product/service (i.e. billing details)
- accepts your free offer (i.e. name and contact details)
To find out if the GDPR applies to your organisation, answer these three questions.
The consequences of not complying with the GDPR
The deadline for GDPR compliance is May 25, 2018.
This data protection law prescribes hefty fines of up to 4% of a business’s global revenue or €20 million (whichever is higher).
Moreover, businesses that don’t follow data protection best-practices, which the GDPR extensively covers, stand to lose their customers’ trust (hint: Cambridge Analytica and Facebook).
Doesn’t Singapore’s PDPA already cover data protection?
So… your business already complies with Singapore’s Personal Data Protection Act (PDPA). What else is there to do?
How is the GDPR any different?
Like other data protection laws in the APAC region, the PDPA is limited in scope and does not grant individuals rights over their personal data.
Conversely, the GDPR gives EU residents control over their personal data. It also dictates strict notification procedures in the event of a data breach.
Continue reading for the plain English summary of the 88-page original GDPR framework (dry technical legalities). Do note that this is not an official EU Commission or government resource and doesn’t constitute legal advice.
The EU’s GDPR Summarised
#1 Obtain explicit consent to use personal data
Your business has to get explicit consent to collect and use personal data from an individual in the EU. The individual cannot be under the age of 16.
Consent must be:
- Freely-given: The person has to take action to agree (i.e. no such thing as “agree by default”). The person must also be able to — and know how to — withdraw their consent.
- Specific & informed: Tell people the specific personal data you’re collecting, why you need it, and how it will be used. Also, inform them about the third-parties you can share their data with.
- Clear & upfront: Use plain language, and keep the request for consent separate from the terms and conditions page. The GDPR does not allow organisations to disguise their intentions with legal jargon and technical language.
In other words, if you’ve collected personal data for the express purpose of billing, you’re not allowed to use the personal data for marketing purposes. To do that, you have to seek consent separately.
#2 Facilitate rights to personal data
The GDPR gives individuals the rights to:
- Get a copy of their personal data, the purpose it was collected for, and whom the data had been disclosed to.
- Correct inaccurate personal data.
- Erase personal data in some situations.
- Restrict or object to the processing of personal data in some situations (e.g. when it is illegal, when it is used for direct marketing, etc.).
- Receive and transmit their personal data in a structured, machine-readable format to another organisation.
- Not be subjected to automated decision-making in some situations (i.e. when it has a legal effect on the individual or adversely affects them).
#3 Designate a data protection officer
Businesses/organisations, whose operations involve regular monitoring of individuals and/or processing sensitive personal data, have to appoint a data protection officer.
Please approach a GDPR consultant for further advice.
#4 Make sure default privacy is strict by design
People shouldn’t have to jump through hoops to get stricter privacy practices (or settings). The GDPR requires the strictest privacy by default.
In the same vein, a business/organisation should take measures to collect and process data that is only necessary for the permitted purpose.
#5 Notification of data breaches
If a personal data breach does occur, the business/organisation must notify the relevant supervisory authority within 72 hours.
Also, if the breach poses a high risk to the rights and freedoms of the individual, the business/organisation has to notify those individuals promptly.
What should my business do?
Implementing the changes needed for GDPR compliance is an extensive task (88 pages of technicalities). You will have to audit your organisation’s data collection and processing processes.
Because each business/organisation differs in operations and extent of data processing, there isn’t a one-size-fits-all solution to GDPR compliance.
Hence, consider engaging a GDPR consultant or legal expert if your organisation caters to the global or EU market.
If you’re just getting started, your business is unlikely to be fully compliant with GDPR by 25 May. However, basic compliance is better than none. Work towards being fully compliant eventually.
What are the first steps you can take?
Staff awareness of GDPR basics
Make sure your staff and colleagues are aware of the basics of GDPR. Doing so would give each department an idea of what they have to do.
Explain the following:
- What data is collected? (this includes cookies and IP address)
- Why is it collected?
- What are the legal grounds for collecting the data?
- How long will the data be stored?
- Who is collecting the data?
- Will any third-parties get access to the data?
- What rights does the individual have with regard to their personal data?
- How can the individual make a complaint (in case of issues)?
Tip for WordPress users:
Data collection and consent in product, service, or email list sign up forms [Examples shown]
When collecting and processing personal data, all sign-up and subscription forms (e.g. email newsletter, service subscription) must adhere to these standards:
Active opt-in: “No” (or unticked) must be the default. Silent or soft opt-in are invalid forms of consent under GDPR (see the below example). Users must expressly opt-in to consent.
Unbundled: Ask for consent for non-essential communications (e.g. promotional emails) separately. Bundling mailing list consent with the terms and conditions is invalid under GDPR. Moreover, it should not be a prerequisite of signing up unless necessary for the service.
Granular: Different uses of personal data require separate consent.
Easy withdrawal of consent: Inform the user that they have the right to withdraw their consent at any time and explain the procedure to do this. The process to withdraw consent must be simple.
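The four form standards above, encoded as a small consent model. This is an added example written for this guide, not code from the original article or from any plugin it names; the purpose names, field shape and function names are assumptions. It checks a form definition for pre-ticked boxes, bundled prerequisites and missing per-purpose fields, records each purpose’s decision separately, and makes withdrawal a single call.

```javascript
// Added example (not from the original article): a minimal consent model that
// encodes the active opt-in, unbundled, granular and easy-withdrawal rules.
// All purpose names and function names are assumptions for illustration.

// Purposes the form asks consent for. Only "essential" purposes may be made a
// prerequisite of sign-up; everything else must stay optional (unbundled).
const PURPOSES = {
  account: { label: 'Create and maintain your account', essential: true },
  newsletter: { label: 'Send you our monthly newsletter', essential: false },
  promotions: { label: 'Send you promotional offers', essential: false },
  share_partners: { label: 'Share your email with named partners', essential: false },
};

// Validate a form definition ({ purposeId: { required, checkedByDefault } }):
// nothing pre-ticked (active opt-in), non-essential consent never required
// (unbundled), and one field per purpose rather than a blanket box (granular).
function validateFormDefinition(fields) {
  const errors = [];
  for (const [id, field] of Object.entries(fields)) {
    if (!(id in PURPOSES)) { errors.push(`${id}: unknown purpose`); continue; }
    if (field.checkedByDefault) errors.push(`${id}: pre-ticked (soft opt-in is invalid)`);
    if (field.required && !PURPOSES[id].essential) errors.push(`${id}: non-essential consent made a prerequisite`);
  }
  for (const id of Object.keys(PURPOSES)) {
    if (!(id in fields)) errors.push(`${id}: no separate consent field (granular consent needed)`);
  }
  return errors;
}

// Build a consent record from a submission the caller has normalised to booleans.
// Anything other than an explicit true (missing key, 'on' string) counts as
// not given, and every purpose gets its own decision and timestamp so the
// record can later be produced on request (right of access).
function recordConsent(submission, now = new Date()) {
  const record = {};
  for (const id of Object.keys(PURPOSES)) {
    record[id] = { given: submission[id] === true, at: now.toISOString(), withdrawnAt: null };
  }
  return record;
}

// Withdrawal is one call per purpose and is recorded, not deleted, so the
// consent history stays auditable. Returns a new record; the input is unchanged.
function withdrawConsent(record, purposeId, now = new Date()) {
  if (!(purposeId in record)) throw new Error(`unknown purpose ${purposeId}`);
  return { ...record, [purposeId]: { ...record[purposeId], given: false, withdrawnAt: now.toISOString() } };
}
```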
Further reading about GDPR
- GDPR and You (by the Data Protection Commissioner)
- EU GDPR Portal
- The UK Information Commissioner’s Office (ICO)
- General Data Protection Regulation (GDPR): demanding new privacy rights and obligations (by EY)
- Microsoft’s GDPR Trust Center
GDPR Consultants & Solutions
- EY: How we can help
- Deloitte – GDPR
- PWC: GDPR essentials and how PwC can help
- KPMG: GDPR – Are you ready?
Google Analytics and Social Media (GDPR)
WordPress Plugins for Basic GDPR Compliance
- GDPR plugin — Includes website footer overlay, cookie declaration, consent management, and rights management tool
- OneTrust Privacy Management Software (free edition) — Free tool to operationalise your privacy program for GDPR compliance
Takeaway: The EU GDPR & Singapore
- The GDPR is the strictest known framework for data protection (as of 2018).
- Although your organisation is not inside the EU, it may have to comply with the GDPR if it holds personal data of EU residents.
- If your business caters to the EU market (even if it is in the minority), consider engaging a GDPR consultant for advice.
- Get your staff to understand the basics of GDPR. That’s the most important thing!
Disclaimer: This is not an official EU Commission or government resource. Nothing in this article constitutes legal advice. Anyone who intends to rely on the information is solely responsible for verifying the information and obtaining independent expert advice if needed.