BY Stephen Cavey | 23 June 2020
Personal Data Protection Act (PDPA) of 2012 is a data protection law of Singapore that was created to better protect the personal data of individuals in Singapore. Composed of various rules governing the collection, use, disclosure, and care of personal data, PDPA recognizes the rights of individuals to protect their personal data. This includes the right to access and correct their data upon request, and for organizations to show a legitimate and reasonable purpose for its collection.
Additionally, in the revised PDPA of 2019, it became illegal for organizations to collect, use, or disclose Singapore National Registration Identity Card (NRIC) numbers, which is the main identity document used in Singapore.
Under the Singapore PDPA, you must abide by the following obligations:
Since PDPA is a relatively new data protection law, education is key in remaining compliant. Here are some of the most frequently asked questions.
Under the Personal Data Protection Act of 2012, personal data or personally identifiable information (PII) refers to any piece of data about an individual who can be identified by that data. This includes NRIC numbers and photographs of individuals or a combination of personal data such as name, age, and personal address.
What it doesn’t include is business contact information like job title, business telephone number/email address/fax number/address, or any other business-related information.
While PDPA is highly localized and centered in Singapore, it applies to any international business that operates or does business in the Republic. Additionally, international businesses that do transactions with employees or customers in Singapore are mandated to follow the Personal Data Protection Act’s guidelines.
There are some key differences between the PDPA and the EU’s GDPR. GDPR is considered much more strict and always requires explicit and clear consent that is freely given. On the other hand, PDPA permits “deemed consent.” For example, consent is up for debate and an individual can be deemed to have given consent to the collection of their personal data if, for example, they have voluntarily provided personal data to an organization.
GDPR also has a principle that is specific to data minimization which obliges organizations to minimize the collection of personal data whenever possible, and to only collect data when it is truly necessary and serves a specific purpose.
GDPR also allows individuals to express more rights to their data than PDPA, including the right to access, correct, block, and even erase their data. PDPA, on the other hand, is fairly limited in regards to the right to correct data. GDPR also requires that personal data be accurate and up to date. The same obligation is not present in PDPA.
Failure to comply with PDPA can lead to fines up to $1 million. Irrespective of where your business is based, you must have a plan in place to maintain compliance if you do business within the Republic. As with all good data management, we would recommend assigning a single source to ensure compliance such as a Data Protection Officer (DPO) who can continuously monitor and measure personal data risks across servers, laptops, CRM systems, cloud storage, and more.
The first step to becoming PDPA compliant is knowing where your Singapore personal data resides. With a data discovery tool like Ground Labs’ Enterprise Recon software, you can identify NRIC data across your organization’s entire digital ecosystem with accurate data results in just a short amount of time. With peace of mind that you know where all your data resides, you can ensure PDPA compliance, avoid hefty fines, and maintain customer trust.
Ready to learn more about how to maintain PDPA compliance with Enterprise Recon? Schedule a demo today.
Share this article!
Want to keep up with all our blog posts? Subscribe to our newsletter!
As companies all around the world continue have large portions of their workforce remote, the need to keep their data safe and protected is even more critical. To help companies navigate this new reality and mitigate security risks, we are providing a 90-day complimentary version of our flagship solution—Enterprise Recon. Learn more about it here.
Please submit the form below and we’ll contact you to schedule a discovery call. Want to skip the email? Go here to schedule a meeting directly on our calendar.