Seminar on GDPR (General Data Protection Regulation): Q&A with Practitioners
With companies having to be GDPR compliant (if necessary) since 25 May 2018, the Cybersecurity and Data Protection Committee of the Law Society of Singapore held a “Seminar on GDPR: Q&A with Practitioners” on 9 October 2018.
The seminar followed the over-subscribed inaugural Cybersecurity Conference in July 2018, and was well attended by almost 120 lawyers, majority of whom were senior practising lawyers. The seminar opened with Jeffrey Lim (Vice Chair of the Committee) giving a brief overview of the aims of the seminar.
Quah Pern Yi (Associate, CMS Cameron Mckenna Nabarro Olswang (Singapore) LLP) led a discussion on whether, and the extent to which, GDPR will apply to organisations in Singapore. The discussion not only focused on whether corporations are affected, but also whether law firms will have to be GDPR complaint. Pern Yi discussed the effects of Article 3(2) of the GDPR and the meaning of “offering of goods and services” and “monitoring the behavior” under Recitals 23 and 24 of the GDPR. Pern Yi then provided some mock scenarios to illustrate the applicability of GDPR to non-EU established organisations. He ended the discussion with steps that non-EU established organisations have to take to ensure compliance.
After a short break, Lyn Boxall (Director, Lyn Boxall LLC) and I led the second discussion on the differences between the Singapore Personal Data Protection Act 2012 (PDPA) and the GDPR. The question we sought to address was: “Does being compliant with PDPA equates to being compliant with GDPR?” We provided an overview of the commonly believed similarities between the PDPA and GDPR to draw out the differences in compliance standards. The discussion took attendees from the difference in definition of “personal data”, to the distinction between purpose and lawful basis, a discussion on notification, retention, access and correction obligations under the PDPA and their counterparts under the GDPR, to the differing standards of Data Protection Officers required under both regimes. The discussion ended with comparing the breach notification regimes in Singapore and under the GDPR.
Finally, moderator Jeremy Lua (Associate, Norton Rose Fullbright) and panelists Jonathan Kao (Senior Associate, Bird & Bird ATMD LLP), Amira Nabila Budiyano (Senior Associate, Gateway Law) and Bryan Ghows (Director, Taylor Vinters Via LLC) led a closing panel discussion titled “Myths and Realities”. The panel discussed practical issues faced by Singapore lawyers in advising on international data privacy issues, and how Singapore lawyers can assist clients with navigating foreign legal obligations such as the GDPR and managing compliance costs.
This seminar marks the end of the series of events held by the committee in 2018. With the thirst for knowledge and discussion in this area of data protection as well as the constantly developing area of cybersecurity, the Committee looks forward to organising more of such sessions in 2019, so stay tuned! The Committee also welcomes in-house and non-practising members to join us in 2019.