An Overview of The Personal Data Protection Act (PDPA) In Singapore

Globally, data protection laws are coming into force, including the EU’s General Data Protection Regulation (GDPR), Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD), Thailand’s Personal Data Protection Act (PDPA), the proposed bills in India and Indonesia, the California Consumer Privacy Act (CCPA), and laws in various other parts of the United States.

In Singapore, we are governed by the Personal Data Protection Act 2012. The Act is continuously improved upon, and a slew of changes was made as recently as 2021.

What Is Considered Personal Data?

Personal data is defined as data about an individual who can be identified from that data, or from that data together with other information to which the organization has or is likely to have access. Personal data may be held in digital or non-digital form.

What is the PDPA?

The Personal Data Protection Act provides an overarching framework on how entities collect, use, disclose and maintain personal data in Singapore.

There is also a sub-branch of the Act called the Do Not Call (DNC) Registry. The DNC Registry allows individuals to register their Singapore telephone numbers to opt out of receiving unsolicited messages or calls from organizations.

The aim of such regulations is to ensure that personal data is used in the originally intended manner and to strengthen Singapore’s position as a trusted hub for businesses.

All organizations are required to comply with the regulations except for:

  1. Any individual acting on a personal or domestic basis
  2. Any individual acting in his/her capacity as an employee of an organization
  3. Any public agency, in relation to the collection, use or disclosure of personal data
  4. Business contact information that is not solely meant for personal use

PDPA Obligations

If you are an organization dealing with personal data, then you will be expected to follow these 9 obligations:

  1. Consent: Ensure that consent has been obtained from individuals before collecting, using or disclosing their Personal Data.
  2. Purpose Limitation: Use or disclose Personal Data only for the purposes defined.
  3. Notification: Inform individuals of the purposes for the collection, use and disclosure of their Personal Data at the time of collection.
  4. Access and Correction: Upon request, provide individuals with their Personal Data and information on how it has been used or disclosed, and correct an individual’s Personal Data upon request.
  5. Accuracy: Ensure that Personal Data is accurate and complete when collected, or when it is likely to be used to make a decision that affects the individual.
  6. Protection: Secure Personal Data from unauthorized access.
  7. Retention: Retain Personal Data only for as long as the intended purpose requires, and destroy it when it is no longer needed.
  8. Transfer Limitation: Ensure that overseas external organizations provide a standard of protection comparable to that under the PDPA in Singapore.
  9. Accountability: Undertake and demonstrate responsibility for the Personal Data.

Consequences Of Breaching PDPA Regulations

Failure to comply with the PDPA regulations may subject an organization to the following:

  1. A financial penalty of up to S$1 million or 10% of annual turnover (whichever is higher)
  2. A prohibition on collecting, using or disclosing any Personal Data
  3. An order to destroy Personal Data collected in contravention of the PDPA

Since its inception, there have also been multiple cases of organizations penalized for breaching data protection obligations under the PDPA.

How To Ensure Compliance With PDPA

One of the most immediate steps an organization should take is to appoint a Data Protection Officer (DPO). The DPO’s role is to supervise how the organization handles Personal Data and whether it meets the 9 obligations mentioned above.

The DPO will help to review existing data protection policies, identify the gaps and address them by implementing updated policies. If need be, the DPO will work with a legal team to draft a suitable Data Protection Policy for the organization.

The DPO can also come up with a training manual to ensure every employee of the organization is adequately trained with regards to handling Personal Data.

The DPO is also the point of contact for individuals who wish to enquire about PDPA related matters.

Last but not least, the DPO does not necessarily have to be an employee of the organization. SMEs with limited resources can consider engaging an external vendor who is well versed in the Personal Data Protection Act to act as their DPO.

As we transform into a digital economy in which data is essential to performing better as an organization, the authorities are also increasingly scrutinizing the handling of Personal Data.

It will be prudent for organizations to start now and have their data protection policies in place, rather than to fight fires when a breach occurs.

If you have any questions or concerns regarding PDPA compliance, consider getting in touch with us.
