Personal Data Protection Act (PDPA) in Singapore

What is the PDPA of Singapore?

Singapore’s Personal Data Protection Act (PDPA) provides a baseline standard of protection for the personal data and information of Singapore residents. It includes various requirements pertaining to the collection, use, disclosure, and ongoing care of personal data in Singapore.

The PDPA presents the opportunity for individuals to opt-out of receiving unwanted telemarketing messages from organizations by registering their telephone numbers with the Do Not Call (DNC) Registry.

While the original PDPA was passed in November of 2012, a new Amendment Act passed in November of 2020. The Amendment Act sought to include mandatory data breach notifications, an expanded consent framework and new offenses for the mishandling of personal data. Not all provisions under the Amendment Act have come into effect. For example, it’s unclear when the enhanced financial penalty regime which enables Singapore’s Personal Data Protection Commission (PDPC) to impose financial penalties of up to 10% or SGD 10 million of an organization’s annual turnover in Singapore (whichever is higher), will take effect.

In general, the PDPC is striving for a culture of accountability through programs like the Data Protection Trustmark Certification in 2019, a voluntary, enterprise-wide certification program for organizations to demonstrate accountable data protection practices.

Principles of the PDPA in Singapore

The Personal Data Protection Commission requires the following obligations of organizations who are subject to the PDPA:

1. Purpose Limitation: Only use or disclose personal data for the purposes defined.
2. Notification Obligation: Inform the individuals on the purposes for collection, use and disclosure of their personal data during collection.
3. Consent: Ensure that the consent has been obtained from the individuals before collecting, using or disclosure of the personal data.
4. Access and Correction: Provide and correct an individual’s personal data upon request.
5. Accuracy: Ensure that personal data is accurate and complete during collection or when making a decision which will affect the individual.
6. Protection: Keep personal data in your possession secure from unauthorized access, modification, disclosure, use, copying, whether in hardcopy or electronic form.
7. Retention Limitation: Retain personal data only for business/legal purposes and securely destroy personal data when no longer needed.
8. Transfer Limitation: Ensure overseas external organizations provide a standard of protection comparable to the protection under the Singapore PDPA.
9. Openness: Designate a Data Protection Officer and publish their business contact information.
10. Do Not Call (DNC): Do not send marketing messages to individuals who have registered in the National DNC registry.

Key Changes Made to PDPA Singapore in 2021

There were a number of key amendments made to Singapore’s PDPA that went into effect on Feb. 1, 2021. The Personal Data Protection Commission’s power increased and it now has the ability to compel mediation without party consent. It’s also now mandatory to alert the PDPC when a breach causes harm or compromises the data of consumers. Businesses must require consent for collecting and disclosing data for contractual necessity. If an individual is harmed due to a PDPA violation, they can now file a lawsuit for civil damages.

In February 2022, penalties for non-compliance are expected to rise 10% of the annual turnover. The mishandling of data has new criminal implications that could lead to new fines or the potential to face prison time of up to two years. To avoid non-compliance, make sure to update company policies and procedures, monitor regulatory updates, provide employee training on data safety, conduct regular audits and data mapping and invest in a data discovery platform.

Ensure PDPA Singapore Compliance today!

As the PDPA finds its footing in Singapore, the best way to stay on top of PDPA compliance is finding out exactly where all of your business’ data is stored and processed. Ground Labs’ Enterprise Recon has the ability to scan and detect hundreds of data types across various locations such as the cloud, servers and emails regardless of what country your business operates in.

Interested in learning more about how to safeguard your company’s data? Book a demo with one of our experts to get started on your PDPA compliance journey today!