GDPR and PDPA: What’s the Difference?

Oct 11, 2023
Pine Energy Pte Ltd

There is now a concerted push by policymakers and democratic groups to maintain the security of the personal data (PD) that tech giants obtain from users in the course of their operations. The goal is not merely to protect certain information, but to preserve the constitutional rights and liberties concerning sensitive data security and privacy.

The PDPA of Thailand came into effect in May 2020, two years after the European Union created a framework with the International Data Protection Regulation to introduce the GDPR. Thailand’s PDPA has some parallels with specific GDPR clauses, including users’ rights to be consulted and the ability to view the information obtained about them. The two data protection regulations also have major differences.

We discuss these differences between the GDPR and PDPA below. Keep scrolling to read more.

Fast Facts on Singapore’s PDPA and the EU’s GDPR

Took/will take effect on:
  • PDPA: Do Not Call registry: 2 Jan 2014; data protection obligations: 2 Jul 2014
  • GDPR: 25 May 2018

Who is governed by these policies?
  • PDPA: Covers virtually all businesses in Singapore
  • GDPR: Applies to any organisation established within and outside of the EU, so long as:
      • the organisation offers goods or services to individuals in the EU, or
      • monitors their behaviour within the EU
      • processes and holds personal data of individuals residing in the EU, regardless of the organisation’s location

What is it about?
  • PDPA: “The [Personal Data Protection Act (PDPA) of Singapore governs] the collection, use and disclosure of individuals’ personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use and disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.” (source)
  • GDPR: “The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonise the data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organisations across the regions approach data privacy.” “The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.” (source)

What is GDPR?

The General Data Protection Regulation became active on 25 May 2018. It is an EU law on data security and privacy issues. In the European Union sense, such a law does not have to be transposed into national laws. However, the GDPR is much wider and has international ramifications; for example, it even applies to businesses that are not based in any EU country.

While most of the basic values stay the same, the application of the GDPR is much more expansive and wide-reaching, which means that companies need to change their data security practices accordingly or possibly suffer severe repercussions.

The European Union data privacy law applies to the following businesses:

  • All EU-registered companies.
  • EU-registered companies processing or collecting the private data of EU citizens.
  • Businesses registered outside the European Union that process or collect the private data of EU citizens.

What is PDPA?

The PDPA became active in October 2012. It is Singapore’s law governing the use of collected information and the disclosure of personal or sensitive information. The central objective of the Personal Data Protection Act (PDPA) is to ensure that sensitive information is processed in a way that demonstrates respect for the user’s privacy.

It also ensures that companies that collect personal data use it for business purposes only, while respecting the individual’s rights.

The PDPA protects the following types of personal data:

  • Full name
  • Thumbprint
  • Personal mobile telephone number
  • NRIC or FIN
  • Iris image
  • Passport number
  • Voice recording
  • Photographs or videos
  • DNA profile

Difference between GDPR and PDPA

  1. The GDPR grants member nations the ability to combine privacy rights with the right to freedom of speech and knowledge. At the same time, the DPA allows for an exception from such provisions for the privacy of sensitive data in favor of personal data collected for dissemination in the public’s interest.
  2. For processing criminal information, the GDPR ensures access to the concerned authorities. The DPA does not ensure this access.
  3. The GDPR notes that users have the option not to be exposed to automatic decision-making or surveillance. At the same time, the DPA provides for it because there are valid reasons for doing so, and measures are in place to preserve individual rights and dignity.
  4. The GDPR expands the scope of ‘identifier’ to cover IP addresses, internet cookies, etc., along with DNA, in its description of private information.
  5. Criminal penalties and punishments for violations of GDPR (the implementation of an indefinite penalty for the new crime of deliberately or rashly re-identifying people from confidential data).
