China/HK leadership guide to website compliance from a Singapore HQ—PDPA basics, GDPR overlays, ICP considerations, consent, and documentation.
Compliance 101 for China/HK: PDPA vs GDPR vs ICP from a Singapore HQ
If you’re a China/HK director or market-entry lead building your APAC web presence from Singapore, you need a simple, defensible way to run your website with clear consent, transparent privacy notices, and documented data flows. This briefing is operational (not legal advice). It helps your teams ship and maintain a compliant site while knowing when to escalate to counsel.
Read this first: scope and leadership responsibilities
- Scope: corporate marketing website operated from Singapore HQ with content/localisation for APAC markets.
- Leadership’s job: assign owners, approve policies, and ensure quarterly reviews; bring counsel in for edge cases (e.g., deep China presence, special categories of data).
- Outcome: a site that captures leads safely, respects user rights, and survives audits.
PDPA baseline: what every Singapore HQ website must do
PDPA expects purpose-limited collection, consent, accuracy, protection, and retention discipline.
Consent on forms (purpose-specific)
- Every form (contact, demo, newsletter, careers) states purpose and links to Privacy.
- Consent checkboxes where appropriate; consent stored in CRM/MA with timestamp and purpose.
Privacy notice: purpose, retention, contact
- Publish a plain-language privacy page: what you collect, why, how long, who has access, and how to exercise rights.
- Provide a contact (email) for data subject requests (access, correction, withdrawal).
Operational note: Put the current policy version/date in the footer; log changes.
GDPR overlays when you touch EU data
If your Singapore HQ site processes EU personal data (e.g., demo requests), apply GDPR overlays:
Lawful basis, DPAs, SCCs at a glance
- Document the lawful basis (e.g., consent or legitimate interests) for EU contacts.
- Ensure DPAs with vendors processing EU data; list processing locations.
- For cross-border transfers, use the appropriate safeguards (e.g., SCCs) with risk assessments recorded.
Tip: Keep a one-page register of vendors, data categories, regions, and retention.
ICP & PIPL: when China hosting is in play (quick context)
- Many B2B firms serve awareness-level pages to mainland users via SG + CDN.
- If you require deeper in-market presence (e.g., local hosting, local ICP filing), treat it as a separate project with local legal/ops.
- Align with PIPL principles when processing China personal data: consent, minimisation, and transfer assessments.
Leadership guardrail: Don’t mix China hosting decisions with your Singapore HQ launch—keep projects distinct to avoid delays.
Cross-border data mapping: flows, storage, access, backups
- Draw a data-flow diagram: website → CRM → marketing automation → analytics → storage/backup.
- Record regions for storage and backups (SG, AU, EU, US), who can access, and how long data is retained.
- Maintain access logs and least-privilege roles; rotate keys/secrets.
Consent & cookies: practical setups that pass muster
- Use a consent banner that allows accept/reject/manage and defers non-essential tags until consent.
- Maintain a cookie list with purpose and expiry; update whenever vendors change.
- Keep tag manager rules aligned with consent state; document testing steps.
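A minimal consent-gated tag loader that illustrates the three points above, written as an added example for this briefing (not code from the original page or from any particular tag manager). It assumes three categories ("essential" fires immediately; "analytics" and "marketing" wait for consent), records consent with a timestamp and the policy version from the footer, and treats a stored consent whose policy version no longer matches as invalid so the banner is shown again.

```javascript
// Added example, not from the original page. Category names and the
// record shape are assumptions; adapt them to your tag manager's triggers.
function createConsentManager(policyVersion) {
  const queued = { analytics: [], marketing: [] }; // tags held back until consent
  const fired = [];                                 // audit trail of what actually ran
  let record = null;                                // current consent record, if any

  // Register a tag; essential tags run at once, others only once consented.
  function registerTag(name, category, loader) {
    if (category === "essential") { fired.push(name); loader(); return; }
    if (!(category in queued)) throw new Error("unknown tag category: " + category);
    if (record && record.choices[category]) { fired.push(name); loader(); return; }
    queued[category].push({ name, loader });
  }

  // Store the user's choices (timestamp + policy version for the CRM evidence)
  // and release any queued tags whose category is now permitted.
  function setConsent(choices, timestamp) {
    record = {
      version: policyVersion,
      timestamp,
      choices: { analytics: !!choices.analytics, marketing: !!choices.marketing },
    };
    for (const category of Object.keys(queued)) {
      if (!record.choices[category]) continue;
      for (const tag of queued[category].splice(0)) { fired.push(tag.name); tag.loader(); }
    }
    return record;
  }

  // Re-apply a previously stored record; a different policy version means the
  // user must be asked again, so nothing is released and false is returned.
  function restoreConsent(stored) {
    if (!stored || stored.version !== policyVersion) return false;
    setConsent(stored.choices, stored.timestamp);
    return true;
  }

  // Withdrawal: record it with a timestamp; already-fired tags cannot be
  // unloaded, so the caller should also clear the vendor cookies it knows.
  function withdraw(timestamp) {
    return setConsent({ analytics: false, marketing: false }, timestamp);
  }

  return {
    registerTag, setConsent, restoreConsent, withdraw,
    firedTags: () => fired.slice(),
    consentRecord: () => record,
  };
}
```

The `firedTags()` list is what you compare against the tag manager's own firing report when documenting the consent-flow test in the quarterly review.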
Documentation pack your board and auditors expect
- Privacy Policy (versioned) and Cookie Policy.
- Consent language on forms; CRM evidence of consent.
- Data inventory and vendor register with regions/DPAs/SCCs.
- Retention schedule and access logging approach.
- Incident response runbook, breach notification steps, and training records.
Roles, SLAs, and quarterly reviews
- Owners: Privacy (policy), IT (access), Marketing (forms/copy), Legal (review), Security (WAF/MFA/backups).
- SLAs: form changes within 48h; policy updates within 10 business days of legal changes; monthly patching.
- Quarterly review: audit users, test consent flows, re-validate vendor list, and update policy versions.
FAQs
Do we need a .cn site for China?
Not necessarily for awareness; many B2B firms operate via SG + CDN. Deeper local presence requires separate legal/ops tracks.
How detailed must our privacy page be?
Clear and plain: purpose, retention, access/correction, contact. Link it on every form.
What if we use EU-based tools?
List them in your vendor register; maintain DPAs and SCCs as needed; document transfer safeguards.
Who handles data requests?
Assign a named owner (not a group inbox). Track requests and response times.
Next steps & downloadable checklists
APAC launch in 90 days?
Unsure about SG hosting, PDPA, or timelines? Book your 20-min review with us.