Personal Data Protection Act (PDPA) of 2012 is a data protection law of Singapore that was created to better protect the personal data of individuals in Singapore. Composed of various rules governing the collection, use, disclosure, and care of personal data, PDPA recognizes the rights of individuals to protect their personal data. This includes the right to access and correct their data upon request, and for organizations to show a legitimate and reasonable purpose for its collection.
Additionally, in the revised PDPA of 2019, it became illegal for organizations to collect, use, or disclose Singapore National Registration Identity Card (NRIC) numbers, which is the main identity document used in Singapore.
What Are The PDPA Obligations?
Under the Singapore PDPA, you must abide by the following obligations:
- Consent: Collecting, using, or disclosure of personal data is generally prohibited.
- Purpose Limitation Obligation: Using personal data of an individual is only permitted for purposes that a reasonable person would consider appropriate.
- Notification Obligation: Individuals must be informed of the purposes for which their data is being collected.
- Access and Correction Obligation: Individuals have the right to request access to their personal data.
- Accuracy Obligation: Efforts need to be made to ensure the collection of personal data is accurate and complete.
- Protection Obligation: Data subjects must be protected and reasonable security arrangements need to be made for all personal data.
- Retention Limitation Obligation: Personal data must cease immediately as soon as you can assume that the purpose for collecting the personal data is no longer being served by keeping it.
Frequently Asked Questions about Personal Data Protection Act (PDPA):
Since PDPA is a relatively new data protection law, education is key in remaining compliant. Here are some of the most frequently asked questions.
What is Considered Personal Information Under PDPA 2012?
Under the Personal Data Protection Act of 2012, personal data or personally identifiable information (PII) refers to any piece of data about an individual who can be identified by that data. This includes NRIC numbers and photographs of individuals or a combination of personal data such as name, age, and personal address.
What it doesn’t include is business contact information like job title, business telephone number/email address/fax number/address, or any other business-related information.
Who Does PDPA Apply to?
While PDPA is highly localized and centered in Singapore, it applies to any international business that operates or does business in the Republic. Additionally, international businesses that do transactions with employees or customers in Singapore are mandated to follow the Personal Data Protection Act’s guidelines.
What is the Difference between PDPA and GDPR?
There are some key differences between the PDPA and the EU’s GDPR. GDPR is considered much more strict and always requires explicit and clear consent that is freely given. On the other hand, PDPA permits “deemed consent.” For example, consent is up for debate and an individual can be deemed to have given consent to the collection of their personal data if, for example, they have voluntarily provided personal data to an organization.
GDPR also has a principle that is specific to data minimization which obliges organizations to minimize the collection of personal data whenever possible, and to only collect data when it is truly necessary and serves a specific purpose.
GDPR also allows individuals to express more rights to their data than PDPA, including the right to access, correct, block, and even erase their data. PDPA, on the other hand, is fairly limited in regards to the right to correct data. GDPR also requires that personal data be accurate and up to date. The same obligation is not present in PDPA.
Maintaining PDPA Compliance with Data Discovery Software
Failure to comply with PDPA can lead to fines up to $1 million. Irrespective of where your business is based, you must have a plan in place to maintain compliance if you do business within the Republic. As with all good data management, we would recommend assigning a single source to ensure compliance such as a Data Protection Officer (DPO) who can continuously monitor and measure personal data risks across servers, laptops, CRM systems, cloud storage, and more.
The first step to becoming PDPA compliant is knowing where your Singapore personal data resides. With a data discovery tool like Ground Labs’ Enterprise Recon software, you can identify NRIC data across your organization’s entire digital ecosystem with accurate data results in just a short amount of time. With peace of mind that you know where all your data resides, you can ensure PDPA compliance, avoid hefty fines, and maintain customer trust.
Ready to learn more about how to maintain PDPA compliance with Enterprise Recon? Schedule a demo today.