SINGAPORE (June 4): The European Union’s much-discussed General Data Protection Regulation (GDPR) kicked in on May 25. Companies now need to get consent to process personal data from all EU citizens they serve and make it easy for them to withdraw that consent. Companies also have to design systems that protect customer data, and inform customers promptly when a breach occurs.
These new rules could have implications for locally listed companies and, by extension, their shareholders. The GDPR applies not just to EU-based companies but to anyone serving EU citizens, which means local companies have to take data security much more seriously.
Organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million ($31 million), whichever is greater. This is much more than the $100,000 maximum fine imposed in Singapore for breaches of the Personal Data Protection Act. The Cybersecurity Act — which was passed in February and requires critical information infrastructure owners in the energy, water, banking and finance, healthcare, transport, government, infocomm, media, and security and emergency services industries to report breaches — also has a maximum penalty of $100,000.