November 22, 2019
It is a known fact that Singaporeans love acronyms, but how many of us know what this one stands for - GDPR?
Remember when everyone was all up in arms over Facebook and its data privacy practices? Or when SingHealth was hit by a cyber attack and 1.5 million patients’ non-medical personal data got stolen? Well, that’s because we understood on a fundamental level how important protecting our personal data is. Valuable information such as our names, physical addresses, dates of birth and even banking details could be at risk of ending up in the hands of cyber criminals. With such sensitive information, hackers could steal our identities and our money - a terrifying thought indeed.
So, back to GDPR - the General Data Protection Regulation. It was created to regulate how companies protect EU citizens’ personal data and came into effect almost a year ago, on the 25th of May 2018. But what does this have to do with you as a Singaporean SME owner/company?
If you market goods and services to EU residents (which is quite likely, in this globalised era), then you are subject to the GDPR too, regardless of where your company is based. Even your website must comply - especially if you are collecting regulated data from European users - if not, access to your site might be blocked in European states.
Here are a few ways you can ensure that you’re on the right track:
Designate a data protection officer
Without a structured data protection programme in place, it might be difficult to keep track of whether or not you’ve followed the best practices and who has given their consent (or not). Sift through your current mailing lists and remove those who have not clearly specified their consent - and make a note to reach out to them to secure consent next time.
If you are an SME that mostly deals with locals, however, this might not be necessary.
Check that all channels have a consent process in place
Whichever channel you use to collect data, do ensure that there is an option for your customers to indicate consent. The language used must be easy to understand and clear.
Train your employees well and stress the importance of the GDPR
While you might think that only certain departments need to concern themselves with the GDPR, it is definitely important that all your employees are aware of the significance of the GDPR - especially the repercussions of not adhering to it.
The heavy fines for non-compliance should be enough to scare anyone into action:
For minor infringements, up to 10 million Euros (SGD 15,870,200.56), or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Minor infringements include failing to notify data breaches, failing to implement technical controls, or failing to provide data protection by default.
For major infractions, up to 20 million Euros (SGD 31,740,401.11), or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Major infractions include violating the conditions for consent or failing to adhere to the regulations regarding the transfer of personal data to a third country or an international organisation.
In the event of a data breach, the organisation must report it within 72 hours to affected individuals and a supervisory authority. This is why it is imperative to have an action plan in place. Ensure that your marketers are ready to handle the flood of queries on social media that might break out and keep all affected parties informed. Go into as much detail as possible - your customers’ trust in you has been temporarily broken, and the only way to fix that is to be as transparent as you can. Lastly, remember to state how you intend to move forward from here and assure all those involved that compliance will be a top priority in the future.
As Butleric’s POS and Super App help merchants collect and analyse a large amount of data, being GDPR- and PDPR-compliant (we will cover PDPR in a separate post, so stay tuned!) is a top priority. If you are still unclear about what the GDPR entails and how exactly it affects your business, feel free to reach out to us! We’ll be glad to share our knowledge with you to ensure that everyone has the right to personal data protection.