15 May 2018

How everyday tasks will be affected by GDPR

On 25 May 2018, the General Data Protection Regulation (GDPR) comes into effect in the EU, affecting how businesses around the world should handle personal data. Companies anywhere in the world that breach the GDPR face fines of up to €20 million, or 4% of worldwide annual revenue, whichever is higher.

The regulation will affect businesses of all sizes including those in Singapore, due to its extra-territorial reach, says Sage, which helps businesses with the technology to manage everything from money to people.

According to EY, only 10% of Singapore companies have a GDPR compliance plan in place, far below the global average of 33%. While the reality is that most companies will not be fully compliant by 25 May, we should still start taking steps in the right direction today, Sage said.

Everyday tasks that will be affected include:

Sending office greeting cards

Businesses that send greeting cards, such as Christmas cards, to customers in Europe will be affected. "If you do not have express consent to contact each customer, mailing to home addresses – considered personal data – may not be legitimate under the GDPR. E-cards will have to suffice," Sage said.

Forwarding a candidate’s resume for a second opinion

Candidates’ resumes are considered personal data, and thus protected under the GDPR. Instead of forwarding them as is, Sage advises anonymising them by removing names, addresses, phone numbers and any other personally identifiable information.

Ticking a box to join a mailing list

Under the GDPR, silence and inactivity will no longer suffice as consent, so pre-ticked boxes on websites that sign customers up to receive marketing information will no longer be valid. "Privacy policies should also be revised, because businesses’ requests for consent to use personal information must be intelligible and in clear, plain language," says Sage.

Sage states that the GDPR makes it a business imperative for all organisations to demonstrate compliance with its data processing principles. "In some cases, companies may need to formally appoint a Data Protection Officer (DPO) before carrying out any large-scale processing of personal data," the company said.

Data breach management under the GDPR now makes disclosure the top priority. "Personal data that is accidentally or unlawfully lost, destroyed, altered or damaged, must be reported to supervisory authorities within three days. All individuals impacted must also be informed if the breach is high risk and likely to lead to financial loss, identity theft or fraud," Sage notes.