An Overview of The Personal Data Protection Act (PDPA) In Singapore

Globally, data protection laws are coming into force. These include the EU’s General Data Protection Regulation (GDPR), Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD), Thailand’s Personal Data Protection Act (PDPA), India’s and Indonesia’s proposed bills, California’s Consumer Privacy Act (CCPA), and laws in various parts of the United States.

In Singapore, the Personal Data Protection Act 2012 governs the way organisations collect personal data for commercial purposes. The authorities continuously improve the Act, and there was a recent slew of changes in 2021.

What Is Personal Data?

Personal data is defined as data about an individual who can be identified from that data, or from that data and other information to which the organization has or is likely to have access. Personal data can be in digital or non-digital form.

What is the PDPA?

The Personal Data Protection Act provides an overarching framework on how entities collect, use, disclose and maintain personal data in Singapore.

There is also a sub-branch from the Act called the Do Not Call (DNC) Registry. This DNC allows individuals to register their Singapore telephone numbers to opt out of getting unsolicited messages or calls from organizations.

The aim of such regulations is to ensure the usage of personal data in the originally intended manner and strengthen Singapore’s position as a trusted hub for businesses.

All organizations must comply with the regulations except when:

  1. the individual is acting on a personal or domestic basis
  2. the individual is acting in his/her capacity as an employee with an organization
  3. a public agency collects, uses or discloses personal data
  4. business contact information is solely for personal use.

PDPA Obligations

If you are an organization dealing with personal data, then you should follow these 9 obligations:

  1. Consent: Ensure that consent has been obtained from the individuals before collecting, using or disclosing the Personal Data
  2. Purpose Limitation: Use or disclose Personal Data only for the purposes defined
  3. Notification: Inform the individuals of the purposes for collection, use and disclosure of their Personal Data during collection
  4. Access and Correction: Upon request, provide the Personal Data of the individual and information on how the individual’s personal data has been used or disclosed. Correct an individual’s Personal Data upon request
  5. Accuracy: Ensure that Personal Data is accurate and complete during collection or when making a decision that will affect the individual
  6. Protection: Secure the Personal Data from unauthorized access
  7. Retention: Retain Personal Data only for the intended purpose and destroy it when no longer needed
  8. Transfer Limitation: Ensure overseas external organizations provide a standard of protection comparable to the PDPA Singapore
  9. Accountability: Undertake and demonstrate responsibility for the Personal Data

Consequences Of Breaching PDPA Regulations

Failure to comply with the PDPA regulations may subject an organization to the following:

  1. A financial penalty of up to S$1 million or 10% of annual turnover (whichever is
  2. Not allowed to collect, use or disclose any Personal Data.
  3. Asked to destroy Personal Data collected in contravention of the PDPA.

Since its inception, the authorities have penalised multiple organisations for breaching data protection obligations under the PDPA.

How To Ensure Compliance With PDPA

One of the most immediate steps the organization should take is to appoint a Data Protection Officer (DPO). The DPO’s role is to supervise how the organization handles Personal Data and whether it meets the 9 obligations mentioned above.

The DPO will help to review existing data protection policies, identify the gaps and address them by implementing updated policies. If need be, he will work with a legal team to draft a suitable Data Protection Policy for the organization.

The DPO can create a training manual for every employee to receive adequate training in handling Personal Data.

The DPO is also the point of contact for individuals who wish to enquire about PDPA related matters.

Last but not least, the DPO does not need to be an employee of the organization. SMEs with limited resources can consider engaging an external vendor who is well versed in the Personal Data Protection Act to be their DPO.

As we transform into a digital economy, collecting and maintaining databases is essential to an organization. The authorities are increasingly taking steps to scrutinise the handling of Personal Data.

Therefore, it is prudent for organisations to undertake data protection policies right now rather than later.

If you have any questions or concerns regarding PDPA compliance, consider getting in touch with us.
