September 25, 2017

RHTLaw Taylor Wessing congratulates Chow Tai Fook Charity Foundation (Singapore) Limited on its successful registration as a Grant-making Philanthropic Organisation

RHTLaw Taylor Wessing congratulates Chow Tai Fook Charity Foundation (Singapore) Limited (“Foundation”) on its successful registration as a Grant-making Philanthropic Organisation (“GPO”) under the IRAS Tax Deduction Scheme with effect from 7 September 2017. As a registered GPO, the Foundation may issue tax deduction receipts to its donors with respect to donations made to it. For further information, please contact Partner Kaylee Kwok.
September 25, 2017

Intellectual Property & Technology Partner Jack Ow invited to speak at the DatacenterDynamics>Zettastructure Digital Infrastructure Conference

RHTLaw Taylor Wessing Intellectual Property & Technology Partner Jack Ow was invited as a speaker for a cybersecurity panel discussion at DCD>Zettastructure Digital Infrastructure Summit organised by Datacenter Dynamics. The conference is part of the organiser’s South East Asia Datacenter Week. This marks the 2nd of its global conference series. Jack contributed to the panel discussion titled “Cyber-security in the Hybrid IT environment” by sharing legal and regulatory considerations in cybersecurity for a hybrid IT environment. The other panellists comprised David Nagrosst, CISSP, Head of Sales, APJ of Cyxtera Technologies; Jason Wells, CEO of QCC Global (Asia); John Lee, Partner at Digital Paws and Paul Lothian, Director of KPMG Cybersecurity Practice. The two-day conference from 20-21 September 2017 was held at the Marina Bay Sands Expo and Convention Centre featuring various discussion panels, presentations, interactive workshops, roundtables, data centre tours and an expo showcasing the latest technologies.
September 22, 2017

Intellectual Property & Technology Partner Jack Ow was featured in Asia Business Law Journal on the increasingly stringent legal frameworks concerning data protection and cybersecurity in the APAC region

Intellectual Property & Technology Partner Jack Ow was featured in the article ‘Space Invaders,’ published in Asia Business Law Journal on data protection and cybersecurity of technology in the legal sector. The article was first published on 19 September 2017. With the recent increase in cyber attacks, Asia Business Law Journal explores how the once abstract concepts of data protection and cybersecurity are quickly gaining traction. There is a clear trend that legal frameworks are becoming more stringent in Asia Pacific (APAC) countries. One such example is Singapore’s recent draft Cybersecurity Bill, on which Jack commented, “The Cybersecurity Bill gives the Cyber Security Agency (CSA) powers to require any person to assist and co-operate in investigations, and also to take steps to prevent and respond to cybersecurity threats and cybersecurity incidents.” Regulations concerning the transfer of personal data across jurisdictions are likewise becoming more stringent. “Where international transfers of personal data are concerned, then it is an express requirement under the Personal Data Protection Act (PDPA) that the transferring party must ensure, before transferring personal data overseas, that the receiving foreign party is bound by legally enforceable obligations to provide a standard of protection that is at least comparable to the standard of protection prescribed in Singapore,” Jack advised. While many believe APAC countries could consider adopting standards to facilitate cross-border data transfer through a harmonisation of the various regimes, Jack rationalised that with differing levels of economic development, harmonisation is likely to face a stumbling block. However, he shared a reason for optimism.
“The cross-border exchange of digital goods, services and even ideas between Asian economies could very well be a key driver toward harmonisation in order to facilitate and regulate intra-Asia trade.”
September 21, 2017

“Failure to comply can have serious consequences,” shares Head of Intellectual Property & Technology Jonathan Kok in his opinion piece on the European Union General Data Protection Regulation as featured in The Business Times

RHTLaw Taylor Wessing Head of Intellectual Property & Technology Jonathan Kok authored an opinion piece titled "How Singapore SMEs should prepare for EU general data protection regulation" published in The Business Times. The article was first published in The Business Times on 19 September 2017.

How Singapore SMEs should prepare for EU general data protection regulation

Source: The Business Times © Singapore Press Holdings Ltd.
Date: 19 September 2017
Author: Jonathan Kok

SINGAPORE'S small and medium enterprises (SMEs) that have business dealings with clients based in the European Union (EU) will need to keep an important date in mind - May 25, 2018. That is the day the new legal framework, the European Union (EU) General Data Protection Regulation (GDPR), will come into force across the EU to protect all EU citizens and residents from privacy and data breaches by giving them greater control over the organisations that can use their personal data. This means that, in about 10 months, all organisations - whether in the EU or anywhere else - must adhere to the GDPR regulation as long as they collect and process personal data of EU citizens and residents.

Given that the EU accounts for 10 per cent of Singapore's total trade and with bilateral trade standing at about S$91 billion in 2015, the importance of being GDPR-ready cannot be discounted. A global study by Veritas Technologies reported that 92 per cent of organisations in Singapore were concerned about not complying with the GDPR when it comes into effect next year; 56 per cent of businesses were afraid of being unable to meet the regulatory deadlines.

Failure to comply can have serious consequences, especially for SMEs. The GDPR introduces a tiered approach to fines. For example, a company which does not have its records in order can be fined 10 million euros (S$16.07 million) or 2 per cent of its total global turnover of the preceding financial year, whichever is higher. Fines are also imposed if the firm fails to notify the supervising authority and the data subject about a breach, or if it fails to conduct a Privacy Impact Assessment (PIA). Organisations in breach of the GDPR can be fined up to a maximum of 4 per cent of their annual global turnover or 20 million euros of the preceding financial year, whichever is higher.

GDPR requirements

With the GDPR introducing some fairly stringent requirements in relation to the protection of personal data, SMEs need to be familiar with what the new regulations are.

Firstly, organisations covered by the GDPR must employ a Data Protection Officer (DPO), who is responsible for ensuring that the organisation collects and secures personal data responsibly.

Secondly, individuals have more rights over how organisations use their personal data. They have the "right to be forgotten" if they either withdraw their consent for the use of their personal data or if keeping their personal data is no longer required.

Organisations must immediately report breaches in data security to the relevant data protection authority in the EU. Ideally, the report should be made within 24 hours of the discovery of the breach; if that is not possible, within 72 hours.

Keep in mind that consent for a particular use of the personal data must now be explicitly given before this data can be used for that purpose. The previous practice of taking silence or a failure to opt out to be "deemed consent" is no longer considered as valid consent. This new requirement will be applied retroactively; personal data previously collected without meeting this new requirement cannot be used unless express consent is obtained.

An organisation with fewer than 250 employees is not required to comply with the GDPR. However, the GDPR still applies to SMEs with fewer than 250 employees that either routinely process personal data that is likely to result in a risk to the rights and freedoms of EU data subjects or process special categories of data relating to criminal convictions and offences. The special categories of data include health data, information on individuals' racial or ethnic origin, political affiliations, religious beliefs, genetic and biometric data and sexual orientation.

The GDPR will apply to both controllers and processors of data. A data controller determines the purposes, conditions and means of processing the personal data; a data processor processes personal data on behalf of the controller. The GDPR places more legal obligations and liabilities on controllers than on processors. Controllers will need to ensure that their contracts with processors require the processors to comply with the obligations under the GDPR.

Under the GDPR, personal data is any information that relates to a natural person or data subject that can be used to directly or indirectly identify that person. Such information can include a name, a photo, an e-mail address, bank details, posts on social media websites, medical information, or a computer IP address.

Preparing to be GDPR-ready

With personal data being used widely from marketing to customer relationship management, SMEs will need to rethink the way they manage and protect personal data in order to comply with the GDPR.

For a start, they need to appoint a DPO, who need not be a full-time employee, and whose function can be outsourced depending on the organisation's needs.

Ensure that all personal data is stored responsibly and securely, and all data-security arrangements are regularly reviewed and updated. Measures such as PIAs, which assess where privacy risks exist and how to minimise them, are essential, especially for controllers.

Review the consent that was given when the personal data was collected. If the data was collected under "opt out" or other mechanisms which are no longer valid under the GDPR, the organisation must cease using the personal data unless further express consent is obtained.

The organisation must update its privacy policies as the GDPR requires them to inform individuals of their new rights under the GDPR.

Last but not least, the organisation should put in place plans to deal with a data breach. This will mean knowing what personal data the organisation is holding, where it is stored, who has access to it, and how to spot breaches when they occur, as well as to whom the breach must be reported.

The organisation should also consider installing new technology that can provide a comprehensive approach to data identification and security. Understanding what personal data is held and where this is stored will help in monitoring compliance and the processes involved in dealing with the personal data.

Given the heavy fines for non-compliance, Singapore SMEs must ensure that they have implemented privacy by design internally and externally, and put in place policies that ensure internal and external compliance with the obligations of the GDPR.