The Singapore Personal Data Protection Act of 2012 (PDPA) was created to protect the nation’s citizens from privacy breaches. It also made it illegal for organizations to store copies of Singaporean consumers’ National Registration Identity Cards (NRIC), which is one of Singapore’s core required identification documents.

The Singapore PDPA is applicable to physical and electronic environments. 

The law came into effect July 2, 2014, with amendments enacted most recently in February 2021. These changes include a mandate that businesses notify individuals when a breach has occurred. The changes also allow individuals to be criminally prosecuted for egregious mishandling of data, such as recklessly disclosing personal data.

In this blog, we will lay out what the core PDPA requirements are for businesses to follow as well as what rights citizens are afforded under the law.

What are the PDPA Requirements?

The PDPA requirements include a number of rules surrounding the collection, disclosure and use of Singaporean personal data. They are as follows.

1. Purpose Limitation: Organizations may only use and share personal data within the scope of reasons they have previously defined to customers.

2. Notification: Individuals must be informed about the purpose for personal data collection and how it will be used at time of collection.

3. Consent: Consent must be obtained from individuals before collecting, using, or disclosing their personal information. 

4. Access and Correction: Upon request, individuals are entitled to know how their personal data has been used in the past year and they also have the right to request corrections if there are mistakes within the data on file. 

5. Accuracy: Collectors are accountable for ensuring the completeness and accuracy of personal data during collection. Organizations should confirm data is error-free before use as well.

6. Protection: Organizations are required to protect personal data (in both hard and electronic forms) from unauthorized access, modification, disclosure, use, or copying.

7. Retention Limitation: Entities may only retain personal data for business or legal purposes and securely destroy the data when it no longer is needed for its intended purpose.

8. Transfer Limitation: Organizations abroad who handle personal data of Singaporeans must be in compliance with a standard of protection comparable to the PDPA to ensure adequate privacy.

9. Openness: A data protection officer (DPO) must be appointed and their business contact information made publicly available so that they can answer questions or concerns about an organization’s data protection policies.

10. Do-Not-Call (DNC): Individuals who have registered on the national DNC registry should not be contacted with marketing messages regardless of the medium (voice calls, text messages, fax, emails, or any other means) unless they change consent status.

How to Comply with the PDPA Requirements 

The PDPA seeks to prevent the misuse and abuse of personal data of Singaporeans. Although the requirements may seem daunting, with only a few key steps, an organization can be much closer to meeting compliance. Any organizational body collecting and processing data should establish data protection policies internally and for third parties that work with their company. Setting clear boundaries and expectations makes data protection prescriptive and eliminates guesswork.

Appointing a Data Protection Officer (DPO) might help with this. A DPO is responsible for ensuring that their organization is achieving compliance and taking an active stance against breaches, data loss and misuse of existing data. Although this employee’s main function is to promote compliance and safe data handling, they cannot stand alone. Organizations should also provide training to all employees on policies and PDPA requirements. Insider threats may exist without malicious intent, such as employees mis-entering data sets, copying unnecessary data or misplacing existing data.

With all of that being said, humans are prone to errors. We recommend implementing a data discovery tool, like Ground Labs’ Enterprise Recon, which is a solution built to find, classify and remediate over 300 data types. Deploying this solution can help you rest assured that your organization is doing everything in its power to safeguard customer data and actively mitigate risk.

If you’re ready to find, organize and protect your organization’s data, schedule a discovery call with one of our experts now.
