deepagopi2011 - Fotolia

Over half of Singapore organisations not prepared for GDPR

A Veritas study has found that 56% of organisations in the city-state fear they will be unable to comply with the EU’s upcoming data protection regulation

Singapore organisations are among the least prepared in the world for the European Union (EU) General Data Protection Regulation (GDPR) that will impose will restrictions on any organisation that deals with the personal data of EU residents.

According to a global study by Veritas, 56% of respondents in Singapore – compared with 37% in the US and over 60% in Japan and South Korea – fear they will be unable to meet the regulatory deadline. The GDPR will come into effect in May 2018.

Over 90% of Singapore organisations are also concerned over the potential GDPR fallout, with 20% fearing that their business could shut down due to non-compliance. Organisations – including those outside the EU – that fail to comply with the GDPR could face potential fines as high as $21m or 4% of annual turnover, whichever is greater.

Businesses are also worried about the impact that non-compliance could have on their brand image, especially if and when a compliance failure is made public, potentially as a result of the new obligations to notify those affected by data breaches.

In Singapore, 20% of respondents fear that negative media or social coverage could cause their organisations to lose customers, slightly above the global average of 19%. An additional 10% are very concerned that their brand value could decline as a result of negative coverage.

Understanding the data that organisations have, where that data is located and its relevance to the business is a critical first step in GDPR compliance.

Following the global average of 32%, about a third of Singapore respondents say their current technology stack is unable to manage their data effectively, hindering their ability to search, discover and review data.

In addition, 42% of Singapore respondents say their organisations cannot accurately identify and locate relevant data. Some 43% admit there is no mechanism in place to determine which data should be saved or deleted based on its value.

Under the GDPR and Singapore’s Personal Data Protection Act (PDPA), companies can retain personal data if it is still being used for the purpose for which the data was collected. However, they must delete that data when it is no longer needed for that same purpose.   

Read more about GDPR

Outside the EU, data controllers that determine the purpose and means of data processing, and data processors that process data on behalf of data controllers, are likely to be most affected by the GDPR.

While Singapore is the EU’s largest trading partner in the ASEAN region, it is uncertain how many companies that fulfil the GDPR’s definition of data controllers and processors are in the city-state. These could be Singapore companies that sell goods or services to EU residents through the web, as well as their data intermediaries.

Although the road to GDPR compliance for Singapore companies that have already put in place processes to comply with the PDPA may be less steep, the new EU law imposes additional requirements such as allowing the right to be forgotten and mandatory breach notification that are currently not included in the PDPA.

While Singapore companies are already required to appoint a data protection officer under the PDPA, those that regularly deal with personal data of EU residents would also need to appoint a representative in the EU to serve as point of contact for all regulatory matters.

Read more on Privacy and data protection