Singapore PDPA: Revision of Its Personal Data Protection Act

The Personal Data Protection Commission (PDPC) has revised Chapter 6 (Organisations) and Chapter 15 (Access and Correction Obligations) of the Advisory Guidelines on Key Concepts in the Personal Data Protection Act, or PDPA (the Guidelines).

Chapter 6 has been revised to clarify the obligations of organisations and data intermediaries where personal data is transferred overseas.

  • Where an organisation engages a data intermediary to process personal data on its behalf and for its purposes, the organisation is responsible for complying with the Transfer Limitation Obligation, regardless of whether the personal data is transferred by the organisation to an overseas data intermediary, or transferred overseas by the data intermediary in Singapore.
  • The onus is on the transferring organisation to undertake appropriate due diligence and obtain assurances, when engaging a data intermediary, that the intermediary is capable of meeting the Transfer Limitation Obligation.

Chapter 15 has been revised to clarify how organisations should handle access requests for the personal data they hold.

  • Where organisations need not accede to an access request. Generally, an organisation must respond to an access request by providing access to the personal data requested, or by informing the individual that the request is rejected where it has valid grounds not to provide access. The Guidelines clarify that organisations are not required to accede to a request:
    • if an exception (as set out in the Fifth Schedule of the PDPA) from the access requirement applies;
    • if the applicant has not paid the fee for the services provided to enable the organisation to respond to the request, provided the organisation has given the applicant a written estimate of the fee; or
    • if any of the grounds in Section 21(3) of the PDPA apply, such as where providing the personal data or other information could reasonably be expected to threaten the safety or physical or mental health of an individual other than the requesting individual, or to cause immediate or grave harm to the safety or physical or mental health of the requesting individual.
  • Access requests relating to legal proceedings. Where personal data has been collected for the purpose of a prosecution or investigation, organisations are not required to accede to the access request, pursuant to an exemption under the PDPA. Access need not be provided in respect of a document related to a prosecution if all proceedings related to the prosecution have not been completed. The Guidelines clarify that where personal data was collected before the commencement of the prosecution or investigation but is nevertheless relevant to the proceedings, the individual should seek access through criminal or civil discovery rather than through an access request under the PDPA. The PDPA does not affect discovery obligations that parties to a legal dispute may have under the law (e.g. pursuant to a court order).

The PDPC has also introduced a new chapter on “Cloud Services” in the Guidelines on the PDPA for Selected Topics, to clarify the responsibilities of organisations that use cloud services to process personal data and the responsibilities of cloud service providers (CSPs) when processing personal data on behalf of, and for the purposes of, those organisations.

Obligations

  • Obligations of the organisation
    • When using cloud services, the organisation is responsible for complying with all obligations under the PDPA in respect of personal data processed by the CSP on its behalf and for its purposes.
    • As mentioned above, an organisation that engages a CSP as a data intermediary to provide cloud services is also responsible for complying with the Transfer Limitation Obligation in respect of any overseas transfer of personal data that occurs in using the CSP’s cloud services, regardless of whether the CSP is located in Singapore or overseas.
  • Obligations of the CSP
    • Where the CSP processes personal data on behalf of and for the purposes of another organisation pursuant to a written contract, the CSP is considered a “data intermediary” and is subject to the Protection and Retention Limitation Obligations under the PDPA in respect of the personal data that it processes or hosts for the organisation in data centres outside Singapore.
    • The CSP, as an organisation in its own right, remains responsible for complying with all data protection provisions in respect of its own activities that do not constitute processing of personal data under the contract.

Relentless Privacy and Compliance Services Ltd provides organisations with local and global data privacy consultancy, ensuring your organisation remains compliant wherever your operational data processing takes place.

Global Data Privacy Strategy: Your Guide

When the EU’s General Data Protection Regulation (GDPR) went into effect May 25, 2018, it triggered a wave of privacy legislation around the globe. And businesses everywhere have been scrambling to prepare.

Every organization doing business in the EU must comply with GDPR requirements. In addition, other regions—Brazil, Australia, Japan and Turkey, to name a few—have passed new privacy laws that businesses worldwide also now must follow. In the U.S., California announced the California Consumer Privacy Act (CCPA), which went into effect Jan. 1, 2020. Other states are following suit with regulations as well.

While the U.S. has yet to initiate a nationwide privacy policy, the Federal Trade Commission (FTC) began a series of probes into the practices of various large, high-tech companies. The scrutiny and resulting congressional hearings related to Facebook and Google highlighted just how much personal data is now out there and how much of it is being bought and sold, unbeknownst to consumers. In recent weeks, the FTC expanded its probe to include internet service providers AT&T, Comcast, Verizon and T-Mobile, which could signal a national privacy regulation is not that far off and should spur organizations in all industries to start making data privacy a priority—if anyone is still dragging their feet.

The sheer number of regulations that companies must comply with has rapidly increased in a short period of time, with geographically specific policies adding layers of complexity to most organizations’ data security operations. Businesses everywhere are waking up to the need to bolster their approach to how they handle employee and customer data. GDPR compliance was really just the beginning.

Consumers too are spurring organizations into action, demanding to know that their data is being treated securely. These consumers have raised the bar in terms of what they expect from organizations. Failures now mean class action lawsuits, as British Airways discovered after a hacker stole payment card data associated with 380,000 transactions. The GDPR not only requires organizations to notify authorities within 72 hours when they suspect a breach, but it also gives Europeans compensation rights.

Data Privacy: How to Get Started

Thinking about information policies is one thing, but knowing how to begin to refine them is another entirely. Adding to the complexity in global regulations is the enormous amount of data that your organization generates daily. Business is built on and carried out with information. We draw up plans and presentations and spreadsheets. We write reports and send emails, all of which can contain sensitive business information as well as personally identifiable information (PII). Some of it belongs to the business itself, some belongs to employees or to our customers.

Information-handling has gotten cumbersome for most organizations. Businesses are generating so much data that companies don’t even know where all their data resides or what type of information all those files and folders contain. While structured data—such as credit card information and Social Security numbers—can be fairly easily tracked and protected, unstructured data is much more difficult to safeguard.

Unstructured data is information buried deep within the documents and emails mentioned above. It includes details about people and business sometimes written in prose or as notes, so it’s not easily plucked out and secured. One of the biggest obstacles to a well-defined information-handling strategy is that many organizations struggle to accurately identify sensitive data as employees use and share it in their day-to-day work.

Organizations need to create and deploy reliable processes for improving information-handling to help people understand what data they’ve got, where it is stored and how sensitive it is. They also need tools to help ensure that it is protected.

The risks of poor information handling are enormous, from enabling a large-scale hack to allowing unfortunate employee errors. So what can organizations do to avoid fines, customer liability and expensive breach recoveries?

5 Things Businesses Can Do

Organizations need to nurture an internal culture for data categorization and risk assessment. Executives and business stakeholders as well as IT leaders must fully understand the security and privacy risks associated with the data they create, consume and handle. Everyone needs tools and processes built into their day-to-day workflow to help easily recognize privacy risks and deploy safeguards.

Here are five basic ways organizations can implement stronger information-handling policies and prepare to meet the complex range of privacy regulations out there:

Understand the regulations: In short – Do your homework. Get to know the regulations your organization must follow. How does each regulation define personal information? What are the safeguards they require? Where are the commonalities between regulations? Use these details as a starting point for developing a global privacy policy that considers sensitive data from all angles and all regions.

Know where PII resides: Because so much structured and unstructured data is created daily, it can be difficult to know where personal information is located. As noted earlier, unstructured data is usually buried in emails, Word files, presentations and other documents. According to a recent article in the Harvard Business Review, 80% of data analysts’ time is spent simply discovering and preparing data and less than 1% of an organization’s unstructured data is analyzed or used at all. Without knowing what personal data employees generate and where it resides, organizations will have difficulty complying with regulations.

Understand internal politics around data: Different companies have different organizational structures. That said, most have a data team that may be led by a chief data officer (CDO). These executives are tasked with responsibility for the complete life cycle of organizational data. Additionally, they typically understand its value and they know how it functions within the business. Most companies also have a data security team, led by a chief information security officer (CISO). These executives oversee locking down data and systems to ensure sensitive information is not stolen or inadvertently shared publicly. They are ever-alert to the next big malware attack and work to keep security technologies up to date across the company. They also manage employee access rights and other internal data security initiatives.

But when it comes to regulations, who oversees what? Regulation requirements can be confusing, and compliance will require a collaboration between data and security teams. It is critical to understand what the company needs to do to meet regulation requirements and then work together to design a path toward compliance. It is essential to name executive ownership of the data privacy program and map out how that person will ensure regulation compliance across the organization. That person will ultimately be accountable in the event of regulatory questions, punitive consequences or data breaches.

Implement data security solutions that streamline compliance processes: Privacy regulation compliance begins by getting a better handle on data. Data identification and categorization tools can provide an understanding of what types of data exist within an organization, how sensitive each type is, and how each type should be treated to comply with data privacy policies. Rather than add another layer of complexity onto operations, these tools should streamline processes by integrating with any other security tools your organization already uses—such as data loss prevention (DLP) technologies, cloud access security brokers (CASB) and enterprise digital rights management (EDRM) tools.

Consider tools that employ machine learning: It may sound complicated, but machine learning can actually make it easier to implement privacy policies consistently across an organization. With these types of tools, a data steward trains a machine learning algorithm to help users identify and label data as they create documents and send emails. Based on the type of data a user is dealing with, the tool then gives an instruction for how to handle the information according to regulations and policies. As policies evolve, the data steward retrains the algorithms to make the data categorization tools more effective. As the tools become smarter, certain aspects of policy management can be automated.

Ultimately, businesses must be able to identify sensitive information across their enterprise—at creation and at rest. They need to encrypt and protect that information when it is in motion, whether it’s being emailed or uploaded to a cloud repository. And they need to apply identity and access technologies to ensure that all data is being shared with the appropriate people.

By getting ahead of the game and implementing a foundation of data privacy policies that include identification and categorization for better information-handling, organizations can ensure they will be ready to meet any regulations regardless of which region initiated them.

Place your global data protection with Relentless Privacy and Compliance Services, the data privacy partner of choice.

State of Virginia Introduces New Privacy Legislation

On January 8, 2020, the “Virginia Privacy Act” (HB 473) was introduced for consideration to the General Assembly of Virginia. The proposed legislation includes notice requirements similar to those of the California Consumer Privacy Act (CCPA), provides consumers with rights similar to those under the EU’s General Data Protection Regulation (GDPR), and, unlike either the CCPA or the GDPR, requires data controllers to perform and document a privacy risk assessment for every processing activity.

Scope of the Act

The proposed legislation would apply to any entity that:

(i) conducts business in Virginia or produces products or services intentionally targeted to Virginia residents, and

(ii) either:

a. controls or processes personal data of 100,000 or more consumers (which is defined as Virginia residents but excludes residents acting in a commercial or employment context); or

b. derives over 50 percent of gross revenue from the sale of personal data and processes or controls personal data of not fewer than 25,000 customers.

The legislation defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” but excludes publicly available or deidentified data, and exempts personal data governed by the Health Insurance Portability and Accountability Act of 1996, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and the Driver’s Privacy Protection Act, as well as personal data contained in employment records.

Notice & Consumer Rights. Under the proposed legislation, a “controller” (“person that, alone or jointly with others, determines the purposes and means of the processing of personal data”) must be transparent about their processing activities and make available in a form that is reasonably accessible to consumers a clear, meaningful privacy notice that includes:

  • the categories of personal data collected by the controller;
  • the purposes for which the categories of personal data are used and disclosed to third parties, if any;
  • a list of the rights that consumers may exercise pursuant to § 59.1-574, which include the rights to access, correction, deletion, restriction of processing and objection to processing;
  • the categories of personal data that the controller shares with third parties, if any; and
  • the categories of third parties, if any, with whom the controller shares personal data.

Controllers are required to process consumer rights requests “without undue delay” and no later than 30 days from a verified request with an option to extend that period an additional 60 days depending on the number and complexity of requests, similar to the standard under the EU’s GDPR.

Selling. If a controller sells personal data to data brokers or processes personal data for targeted advertising, it shall disclose such processing, as well as the manner in which a consumer may exercise the right to object to such processing, in a clear and conspicuous manner. The definition of “sale” in the proposed legislation is more limited than under the CCPA, and is aligned with the “sale” definition in Nevada’s new law effective October 1, 2019, to mean “the exchange of personal data for monetary consideration by a controller to a third party for purposes of licensing or selling personal data at the third party’s discretion to additional third parties.”

Risk Assessments. The proposed legislation also requires that controllers perform a risk assessment of each of their data processing activities that involves personal data, and requires that the controller make the risk assessment available to the Attorney General upon request. Such risk assessments must identify and weigh the benefits of the processing to the controller, the consumer, other stakeholders and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce those risks.

Enforcement. Pursuant to the proposed legislation, controllers would have 30 days to cure any alleged violation of the Act. However, violations and enforcement of the Act would be subject to the Virginia Consumer Protection Act, which permits a private cause of action for violations of the Act to recover actual damages, or $500, whichever is greater, and if the trier of fact finds that the violation was willful, it may increase damages to an amount not exceeding three times the actual damages sustained, or $1,000, whichever is greater. The Act would permit the allocation of liability to processors according to comparative fault principles.

Relentless Privacy and Compliance provides expert services for clients across the globe.

HIPAA: A Guide for US and International Businesses

With more and more data breaches hitting the headlines, the Health Insurance Portability and Accountability Act (HIPAA) has garnered more than its fair share of attention in recent years, but what exactly is it? More importantly, how does this US privacy law impact your business? Read on to find out…

In today’s digitally driven society, there’s nary a single day-to-day task remaining that can’t be made simpler in exchange for the handing over of our personal information.

Whether it’s ordering groceries online or getting a ride from an Uber, watching a movie or managing personal finances, the wealth of technological innovations we’ve seen over the past few decades has certainly made life easier for most people, but only on the proviso that those people hand over all manner of data.

As any number of recent, high-profile security breaches can attest to, that data can prove incredibly valuable to criminals should it fall into the wrong hands, not to mention causing some serious problems for organisations who are the victims of such breaches.

All of this, of course, makes data protection a serious concern for any organisation, though none more so than those in the healthcare industry where, beyond the usual categories of personal data that many businesses collect, all manner of sensitive information may be gathered, stored, and processed. So, it’s no surprise that, in the US at least, rules to safeguard that data have been in place for some time. Together, those rules form a single piece of legislation.

Its name?

The Health Insurance Portability and Accountability Act (HIPAA)

Signed into law on August 21st, 1996 by then-president Bill Clinton, HIPAA introduced several new measures designed to streamline, simplify and standardise healthcare processes in the United States.

Among other things, these measures included some important privacy rules which not only affect healthcare organisations in the United States, but indeed any organisation which handles or processes the protected health information (PHI) of US citizens, regardless of where in the world that organisation might be based.

But what exactly are these rules? What does your business need to know about them? More importantly, what, if anything, do you need to do about them?

At Relentless Privacy & Compliance, we work with businesses across the globe to help them enjoy frictionless compliance with international privacy laws, and to optimise data protection processes and procedures in a way which generates long-term added value for both the businesses themselves and their customers.

Today, we draw on our wealth of experience in supporting businesses with achieving HIPAA compliance to answer these key questions, and to outline what you really need to know about the health information privacy rules affecting your business.

The HIPAA Privacy Rule Explained

When President Clinton signed HIPAA into law, he effectively ushered in a number of new rules governing healthcare transactions in the United States.

One of these rules was the Standards for Privacy of Individually Identifiable Health Information, better known simply as the HIPAA Privacy Rule. In essence, this rule aims to protect patient privacy by limiting how PHI is used or disclosed. It makes healthcare professionals responsible for providing individuals with an account of each instance that they disclose PHI for administrative and billing purposes, who that PHI is disclosed to, and why. Much as with data subject requests under the General Data Protection Regulation (GDPR), the rule also gives individuals the right to request and receive a copy of their own PHI, though unlike GDPR, HIPAA does give healthcare organisations the option to charge administrative fees to cover the cost of copying and mailing those records.

Other requirements of the HIPAA Privacy Rule

As with other privacy regulations, the HIPAA Privacy Rule doesn’t concern itself merely with data access. It also imposes several administrative obligations on organisations, including:

  • Appointing a privacy official (often called a Chief Privacy Officer, or CPO for short) who is responsible for developing, implementing and overseeing privacy policies and procedures.
  • Ensuring that all staff, as well as volunteers and trainees, are fully trained on all privacy policies and procedures.
  • Implementing a process that allows people to make a complaint about privacy policies and procedures should they need to.
  • Ensuring that any harmful effects of a data breach are mitigated as much as possible.
  • Ensuring that appropriate administrative, technical, and physical safeguards are in place to minimise the risk of a potential breach.

On the subject of safeguards, much of this is covered by the Security Standards for the Protection of Electronic Protected Health Information, more frequently known as the HIPAA Security Rule. This rule requires health care providers to identify the threats to information systems which contain PHI and put in place the appropriate physical and electronic measures needed to minimise and counter those threats.

Who Has to Comply With HIPAA?

Both the HIPAA Privacy Rule and HIPAA Security Rule apply to a wide range of what the law calls “covered entities.”

These covered entities include:

  • Health plans, such as HMOs, Medicare, Medicaid, and health maintenance companies.
  • Health care providers, such as doctors, dentists, surgeons, pharmacies, nursing homes and podiatrists.
  • Healthcare clearinghouses, such as billing services or other organisations that collect data from one organisation, process it, and deliver it to another organisation.

It doesn’t end there, either.

HIPAA Business Associates

In 2017, the HIPAA Omnibus Rule was introduced. Along with modifying existing HIPAA rules to better reflect the advancements in modern technology made since 1996, the Omnibus Rule also decreed that business associates (and their subcontractors) would now be held to the same standards for protecting PHI as the companies they work for. In this case, HIPAA defines a business associate as any individual or organisation that works with or provides services to a covered entity and uses PHI in doing so.

In 2016, the HHS Office for Civil Rights (OCR) further clarified that this extends to include cloud service providers such as data storage services and even smartphone apps.

How Does this Affect Non-US Businesses?

While most actual covered entities are likely to be based in the United States, the increasing cost benefits of outsourcing certain data processing and storage tasks to offshore firms mean there are many more non-US businesses that find themselves falling under the category of HIPAA business associate. If you store, collect or process the PHI of US citizens on behalf of a HIPAA covered entity, you are equally accountable for ensuring that you are HIPAA compliant as the businesses you work with or for.

But what exactly does HIPAA compliance actually look like, and how do you go about achieving it?

HIPAA Compliance for Covered Entities and Business Associates

Before you do much of anything, it’s worth checking whether your existing compliance measures for other privacy regulations can be used to help you with HIPAA compliance. It may be, for example, that many of the systems and processes you have in place to ensure frictionless compliance with GDPR can be used to help you adhere to HIPAA rules. Conversely, if your business is already compliant with HIPAA but you’re currently in the process of risk assessing for GDPR compliance, you may find that there is little, if any, need to duplicate your efforts.

Take data subject access requests. It may be that the system you have in place for responding to those requests under GDPR will work just as effectively for HIPAA, and vice versa.

Likewise, both regulations require that you have strict physical, technological and administrative data protection measures in place, and both require at least some level of express consent or authorisation from a user in order to process their data.

Depending on the nature of your business, you may also find that some of the requirements of the HIPAA-mandated Chief Privacy Officer and those of a Data Protection Officer as required by GDPR are similar, if not the same. Potentially, this could mean combining both roles into one position.

Setting Agreements With Business Associates

Of course, getting your own house in order is only half the battle.

If you use third parties to process data, then no matter where in the world those third parties are based, you’re going to have to ensure that you have a sufficient HIPAA Business Associate Agreement (BAA) in place with them.

This is a binding contract between your business and your business associate that contains vital information including:

  • A description of how the business associate is required and permitted to use PHI.
  • An agreement that the business associate will not use or disclose PHI in any way other than as specified in the contract or required by law.
  • An agreement that the business associate will use specific and appropriate PHI protection safeguards.
  • A requirement for the covered entity to take reasonable action to cure a data breach by the business associate if and when it becomes known. If it cannot do this, the covered entity will be required to terminate the BAA contract.
  • A requirement that any data breach is reported to the OCR if the contract can’t be terminated.

What You Need to Know as a Business Associate

Having signed the BAA with the covered entity you provide services to, it’s important to be aware that, under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, you could be subject to audits by the OCR and liable to pay penalties for non-compliance. Though the penalties may be severe, this doesn’t have to be as scary as it sounds.

Whether you’re a covered entity or a business associate, no matter where you are in the world, Relentless Privacy & Compliance are on hand to help you optimise your processes, policies and workplace culture in order to enjoy frictionless compliance with HIPAA, GDPR, and other international privacy legislation.

We do this by providing training and consultation, by offering an affordable alternative to hiring a Chief Privacy Officer in-house, and by offering hands-on support to help you design and develop your data protection systems.

Book your free, initial consultation online today, or call us now on +44 07732841440.

Singapore Data Protection: How PDPA Impacts Your Business

Thanks to its close relationships with the EU, the US, and with other Asian countries, Singapore remains a major player on the world stage. For many domestic and international businesses alike, these close relationships create an obligation to ensure frictionless compliance with Singapore’s data protection laws.

What exactly are those laws? More importantly, what does your organisation need to do about them? Read on to find out…

When the General Data Protection Regulation came into force in May 2018, it did much more than force organisations to address privacy compliance as it related to their operations within the European Union itself.

It also prompted many of those organisations to examine data protection laws in other areas where they operate and reevaluate whether the processes, policies and procedures they had in place were still effective and sufficient in adhering to those laws.

Namely, it forced those organisations to ask three key questions about international privacy compliance:

●   Are we doing all we can to ensure complete compliance with laws in every area where we do business?

●   What similarities are there between the separate data protection laws we need to comply with?

●   How can we best utilise those similarities to better ensure global compliance?

One of the first countries many organisations looked at as part of this ongoing assessment was, of course, Singapore.

The Southeast Asian Island ships an estimated $373.2 billion US dollars worth of products internationally each year, with nearly $25 billion of that alone going to the United States and almost as much going, collectively, to EU member states.

All said, this makes it the EU’s 14th largest global trading partner and its largest overall trading partner from the Association of South-East Nations (ASEAN).

Ultimately, what this close relationship between the two regions means is that there are almost as many EU-based enterprises with interests in Singapore as there are Singapore-based companies with interests in the European Union.

 

So far, we’ve helped scores of businesses both in Singapore and elsewhere to create frictionless compliance with GDPR, but what about when it comes to Singapore’s data protection laws?

●    How do those laws affect your business?

●    What compliance measures do you need to put in place?

●    How can you put those measures in place in a way that aligns with GDPR and other international privacy laws affecting your organisation?

Today, we draw on our years of experience in providing data protection consultancy in Singapore, the EU and around the world to answer all of those questions and more.

First, however, let’s start with the one question that’s perhaps most important of all.

 

What is Singapore’s data protection law?

 

Data protection in Singapore is governed by the Personal Data Protection Act (PDPA).

Drawing on other laws and frameworks such as the former UK Data Protection Act and the Asia-Pacific Economic Cooperation (APEC) Privacy Framework, the PDPA was passed into law in October 2012 and brought into force in phases over the following two years, giving businesses time to prepare.

The last of these phases, the main data protection provisions, took effect on 2 July 2014 and has been in force ever since.

 

How does PDPA impact businesses?

 

At the heart of PDPA is an effort to balance the privacy rights of individuals with the rights and requirements of businesses to use the personal data of those individuals for legitimate reasons.

What’s important to note here, especially if your only familiarity with the concept of personal data comes from GDPR, is that Singapore treats personal data differently from Europe.

Both GDPR and PDPA class personal data as any data about an individual who can be identified from that data, alone or in combination with other information. However, there’s a notable difference in the way the rules apply to that data.

Under GDPR, there is one set of rules governing the collection, use and disclosure of all personal data, including general data types such as a person’s name, address or contact details. A second, stricter set of rules then applies to sensitive personal information, or what GDPR calls special category data.

The Information Commissioner’s Office (ICO) has a list of all the data types that are classed as special category data, though to give you a quick example, this applies to things like biometric data (fingerprints etc), genetics, and health records.

PDPA, meanwhile, doesn’t differentiate between categories of data, so biometric data is treated in exactly the same way as someone’s address or telephone number.

PDPA also considers the following to be types of personal data.

●    A person’s voice (such as that captured in a recording)

●    Photographs or video footage of a person

●    DNA profile

●    National Registration Identity Card (NRIC) number.

 

What about B2B data?

 

If there’s one question we get asked the most here at Relentless Privacy & Compliance, it’s how data protection laws apply to information collected in a business-to-business (B2B) setting, such as a person’s office telephone number or their company email address.

Again, GDPR and PDPA differ here.

Concerning GDPR and B2B data, the ICO has this to say:

“If you can identify an individual either directly or indirectly, the GDPR will apply – even if they are acting in a professional capacity.

 “For example, if you have the name of a business contact on file or their email address identifies them (such as firstname.lastname@company.com), the GDPR will apply.

 “It only applies to loose business cards if you intend to file them or input the data into a computer system.”

PDPA takes a different approach.

Its data protection provisions do not apply to business contact information (a person’s name, job title, business telephone number, business address, business email address and similar details), provided the individual did not supply that information solely for personal purposes.

For example, if a person registers for a gym membership for personal use but signs up using their company email address, that address would be deemed to be personal data and would have to be dealt with in accordance with PDPA.

 

How does PDPA protect personal data?

 

Now that we have a better idea as to what PDPA classes as personal data, let’s look at what it actually does to protect that data.

In essence, there are two primary mechanisms that businesses need to be aware of:

●    The Do Not Call (DNC) Registry

●    Data Protection Obligations

 

The Do Not Call (DNC) Registry

 

The DNC is essentially three individual registries covering telephone calls, text messages and fax messages.

Individuals can register a landline, mobile, or fax number with the appropriate registry. Once they do, organisations are not allowed to contact them on that number for marketing purposes.

If your business uses telemarketing or similar strategies within Singapore, this means that you will have to apply for a DNC Registry checking account, which costs $30 SGD (roughly £17 GBP) for companies based within Singapore and $60 SGD (£33 GBP) for international business.

From there, you’ll be required to submit the list of numbers that you plan on contacting so that they can be checked against the registry.

If a number comes back as being on the Registry, you may not contact that number.

If it isn’t on the Registry, you can contact that number for marketing purposes for up to 30 days, after which you will have to resubmit a checking request.

The one exception to this rule is where you can show that the individual has given you clear and unambiguous consent to receive marketing messages on a number which is included on the DNC Registry.

 

Data Protection Obligations

 

Outside of the DNC, PDPA sets out nine core obligations that organisations must meet when collecting, using and disclosing personal data.

These are:

1: Consent

Consent must be obtained from an individual in order to collect, use or disclose their personal data. As under GDPR, individuals can withdraw their consent at any time, and organisations must give effect to the withdrawal and inform the individual of its likely consequences.

2: Purpose

Businesses must only collect, use or disclose an individual’s personal data for purposes that a reasonable person would consider appropriate in the circumstances and that the individual has been notified of and consented to.

3: Notification

The business must inform individuals of the purposes for which their personal data will be collected, used or disclosed, on or before collection.

4: Access and correction

Similar to data subject access requests under GDPR, individuals have the right to ask what personal data of theirs your organisation possesses or controls. They can also ask how that data has been used or disclosed within the past year. Organisations must comply with such requests, subject to the exceptions set out in the PDPA, and must correct errors or omissions unless they are satisfied on reasonable grounds that a correction should not be made.

5: Accuracy

Businesses must make every reasonable effort to ensure that personal data they collect is accurate and complete if that data is going to be used to make decisions which affect the individual who the data relates to, or if that data is going to be disclosed to another organisation.

6: Protection

Organisations must make reasonable security arrangements to protect the personal data in their possession or control against unauthorised access, collection, use, disclosure, copying, modification or disposal, and similar risks. These arrangements should combine technical, administrative and physical measures appropriate to the sensitivity of the data and the harm that would result from a breach.

7: Retention

Organisations must only retain personal data for as long as is necessary to carry out business or legal functions.

8: Transfer

If personal data is transferred outside Singapore, including when it is stored with cloud services hosted overseas, the transferring organisation must ensure that the recipient is bound (for example, by contract) to provide a standard of protection comparable to that under the PDPA.

9: Openness

Organisations must make information about their data protection policies and practices available on request, and must implement the policies and procedures needed to meet their PDPA obligations.

If you’re familiar with GDPR, you’ll no doubt see some similarities between the two laws when it comes to data protection obligations.

Naturally, this creates some opportunity to streamline compliance measures which can result in long-term cost savings and greater efficiency.

Data protection consultancy can help you identify key areas for such streamlining.

What role does a Data Protection Officer play in PDPA?

 

One key area of difference between PDPA and GDPR is the role of the Data Protection Officer (DPO).

Under GDPR, only organisations meeting certain criteria are required to appoint a DPO.

Our recent guide to hiring a DPO for your organisation lists what these criteria are.

Under PDPA, however, all businesses are required to appoint a DPO, even if they are an SMB or sole trader.

This DPO can be someone whose sole responsibility within an organisation is to manage data protection or it can be someone who combines DPO responsibilities with other key organisation tasks.

Businesses also have the option of outsourcing that role to a third-party DPO service.

The PDPC has published guidance on the role of the DPO, and Relentless Privacy & Compliance can help you determine the best option for appointing a DPO for your business.

 

Who does PDPA apply to?

 

With all this being said, the one remaining question concerns whether or not your business needs to comply with Singapore’s data protection law in the first place.

Like China’s data protection standard, GDPR and the California Consumer Privacy Act, PDPA applies to every organisation that handles the personal data of individuals in the jurisdiction where the law applies.

This is regardless of where the organisation is primarily located.

In other words, if you collect, use or disclose the personal data of people in Singapore, PDPA applies to you, even if you have no presence in the country.

There are, of course, a small number of exceptions.

If you are a public agency (such as a government authority), then you are exempt from PDPA. Likewise, if your business collects, uses or discloses data on behalf of a public agency, then you too are exempt.

 

What to do if PDPA applies to your business

 

The most effective approach for any business faced with complying with multiple international privacy laws is to look at how you can avoid duplicating your efforts and create systems, policies and procedures which ensure frictionless compliance across the board.

For example, hiring a DPO to comply with PDPA could be as simple as extending the responsibilities of your existing GDPR DPO, while the technical security measures you have in place for one law could be equally as effective to help you comply with another.

If you’re not sure where to start with this, the good news is that Relentless Privacy & Compliance are here to help.

We provide a full range of global data protection consultancy services tailored to ensure that, no matter where you are in the world, you can enjoy frictionless compliance with GDPR, PDPA and other international privacy laws. We can help with:

●    Serving as your DPO

●    Mapping between GDPR, PDPA and other laws to reduce the costs and complications of compliance

●    Acting as your organisation’s GDPR EU Representative in the EU if you’re based overseas.

And much more.

To find out how we can help you, get in touch or call us on +44 121 5820192.

Manufacturers of IOT devices face new privacy security laws in California and Oregon

Manufacturers of smart microwaves, light bulbs, and other connected devices will face new security requirements in California and Oregon in 2020.

The two states are the first to specifically regulate the security of internet of things devices, with laws taking effect on Jan. 1, 2020. Other states are likely to follow, privacy and tech attorneys say.

Internet of things security is a growing concern as the number of connected devices increases. The International Data Corporation estimates that 41.6 billion internet of things devices could be operating by 2025.

Companies rushing to get devices out into the wild have often not thought about security, and that is creating massive risks that have grown rapidly in recent years.

The laws include different definitions for connected devices.

 

California

 

California’s law applies to any device or object that connects directly or indirectly to the internet and is assigned an internet protocol or Bluetooth address.

 

Oregon

 

The Oregon law similarly covers devices or objects with those requirements, but only those that are used “primarily for personal, family, or household purposes.”

Manufacturers must equip connected devices with “reasonable” security features, but neither law precisely defines the term. That may pose compliance challenges for companies, attorneys said.

California’s law exempts connected devices subject to security requirements under federal law, regulations, or federal agency guidance. Under Oregon’s law, compliance with security requirements in federal laws or regulations is considered to be reasonable security.

Connected devices sold in California and Oregon will have to be equipped with reasonable security features that are appropriate to the device’s nature and function and to the information it collects or transmits, and that are designed to protect the device and that information from unauthorized access, destruction, use, modification or disclosure. Both laws also give one concrete safe harbour: for a device that can be authenticated from outside a local area network, the security features are deemed reasonable if each unit ships with a unique preprogrammed password, or if the device requires the user to set a new means of authentication before access is granted for the first time. Shared default credentials across a product line will not meet that bar.

 


ePrivacy Law What is it and When will it Arrive?

Most businesses are now, or should be, familiar with GDPR. Alongside that legislation, the ePrivacy Regulation (ePR) was originally intended to take effect at the same time. It has been postponed and now seems unlikely to enter into force before 2021. If you own a business and have heard about the ePrivacy Regulation but are unsure what it means for you, you’ve come to the right place. In this post we look at what it is, who it affects and what penalties there are for breaching it.

 

What is the ePrivacy Regulation?

 

The ePrivacy Regulation is a stronger, directly applicable law that all EU member states will have to follow. It replaces the current ePrivacy Directive. Although the Directive was intended to give effect to Article 7 of the EU Charter of Fundamental Rights (respect for private and family life), a directive must be transposed into national law, and member states implemented and enforced it inconsistently. A regulation applies uniformly without transposition.

With technology now so integral to people’s lives, and with ever more devices connected to the internet, the risk to individuals’ privacy has grown. That is why the ePR was considered necessary.

 

ePR v GDPR

 

While the GDPR governs the protection of personal data in general, the ePR sets specific rules for electronic communications. In legal terms the ePR is lex specialis: it uses the same definitions as the GDPR, but where both apply to an electronic communications privacy issue, the ePR’s specific rules take precedence over the GDPR’s general ones.

 

What Does the ePrivacy Regulation Cover?

 

All communications are protected, whether they are transmitted electromagnetically, optically, by radio or by wire. This means communications sent over electricity cable systems, fixed networks, cables and satellites are all covered.

The regulation also focuses on:

●    OTT services and metadata – Over-the-top (OTT) service providers such as Skype, WhatsApp and Google are more prominent than ever. The ePR sets stricter confidentiality rules for large internet communications companies and makes them more accountable when the law is breached, and it protects communications metadata as well as content.
●    Cookies – The ePR aims to simplify cookie consent, shifting much of the responsibility from individual websites to browser settings.
●    Unsolicited marketing – Stricter rules will apply to unsolicited marketing via SMS and email, as well as cold-calling by telephone.
●    Public Wi-Fi and IoT – The regulation also covers other forms of communication technology, specifically machine-to-machine communication through IoT devices and networks.

 

What Penalties Will There Be for Breaches?

 

Penalties for breaches are laid out in Article 23 and mirror the sanctions under GDPR. They range from a maximum of €10,000,000 or 2% of worldwide annual turnover to as much as €20,000,000 or 4% of worldwide annual turnover, whichever is higher. As with GDPR, each fine depends on mitigating and aggravating factors, including the scale of the breach and whether it was deliberate.

Whether your business is affected or not, depends on your strategies. For instance, if electronic communications are integral to your business, you’ll need to assess your current setup and make changes to ensure it falls in line with the regulation.

It may also be worth anticipating the commercial impact. For instance, if your business relies on publishing and third-party advertising cookies, there may be a drop in revenue where users’ browsers are set to block specific identifiers, so you may need to persuade users to enable cookies when using your site.

All in all, the ePR is not something you should ignore. As you can see from the above, non-compliance fines are high, and your business’s reputation could be damaged too. There is still time, and if you need any help with compliance you can speak to our team here at Relentless at info@relentlessdataprivacy.com.


