PDPA Compliance

Many International Regulatory Bodies are today focusing on the protection of Personal Data. Significant efforts by the governing bodies have led to the establishment of various Data Protection Laws. In response to the increasing concern over unsolicited marketing communications, the Singapore Government introduced the Personal Data Protection Act.

The primary purpose of PDPA Compliance is not just to protect Personal Data but also to protect the fundamental rights of individuals concerning their Personal Information. The law was introduced to ensure the protection of the Personal Data (PD) of individuals that organizations collect in the course of their business.

The law was enacted to balance the commercial needs of organizations against an individual's right to the protection of their personal data. Today's article focuses on the application of the law and the PDPA obligations that organizations should meet. But let us first understand more about PDPA Compliance.

What is PDPA?

The Personal Data Protection Act 2012 (PDPA) is a Data Protection law enforced and administered by the Personal Data Protection Commission (PDPC). It is a law that protects the rights of citizens of Singapore and has significant ramifications for businesses dealing with such data.

PDPA Compliance governs the collection, use, and disclosure of Personal Data as described in the PDPA Guidelines and Compliance checklist. Under the PDPA, the government of Singapore has outlined 9 obligations that organizations must follow.

The 9 data protection obligations are consent, purpose limitation, notification, access and correction, accuracy, protection, retention, transfer, and openness. Before getting into the details of the listed obligations, let us learn about the type of data the PDPA protects.

Information Protected Under PDPA

Any Personal Data of an individual is protected under the PDPA. Personal Data can be defined as any information that results in the identification of an individual. This even includes a collection of data or information which, taken together, can lead to the identification of an individual. Personal Data would typically include Full Name, NRIC Number, Passport Number, Photographs, Videos, CCTV images, Personal Mobile Telephone Number, Personal E-mail Address, Name and Residential Address, DNA Profile, Biometrics of an individual, and Voice Recordings of an individual, to name a few.

Data Exempted: It is important to note that business contact information such as Name and Business Title, Business Telephone Number, Business Address, and Business E-mail Address is not considered Personal Data.

Who Does the PDPA Law Apply To?

PDPA Compliance applies to any organization that processes and deals with any kind of Personal Data in Singapore. Employees of an organization processing Personal Data are expected to adhere to the organization's policies and procedures in the context of the PDPA. However, employees cannot be held personally responsible for the organization's breach.

Organizations Exempted from PDPA

PDPA obligations do not apply to government agencies or public agencies. This also excludes organizations acting on behalf of a public agency in relation to the processing of Personal Data. Further, the law does not apply to individuals acting in a personal or domestic capacity.

PDPA Breach & Penalties

Businesses handling the Personal Data of citizens of Singapore are accountable for its protection under PDPA Compliance. Organizations failing to comply will face harsh penalties. PDPA penalties also cover scenarios wherein an individual submits a complaint to the PDPC, which will then investigate the business's conduct and compliance with the PDPA. If found non-compliant, the PDPC may:

  • Impose a financial penalty amounting to $1 million or 10% of the annual turnover, whichever is higher.
  • Direct the business to stop collecting, using, or disclosing Personal Data under the PDPA Rules.
  • Direct the organization to destroy Personal Data collected in non-compliance with the PDPA Rules.

PDPA Obligations that Businesses Need to Meet

The Personal Data Protection Commission has drawn up 9 obligations under the Personal Data Protection Act for organizations to comply with. Given below is the list, along with how organizations can achieve compliance in each regard.

  1. Consent: Businesses can only collect, use, and/or disclose the Personal Data of individuals who have given consent for the same. The PDPA requires organizations to develop and implement policies and procedures that ensure customers are notified about their Personal Data being collected and processed. Further, organizations must inform customers how the data may be used and to whom it may be disclosed. Customers must first give their consent through a voluntary opt-in mechanism before organizations may collect Personal Data.
  2. Purpose Limitation: Businesses can only collect, use, disclose, and process the Personal Data of individuals for the purpose for which they obtained consent from those individuals. Data processing is limited to the purpose for which the data was originally collected.
  3. Notification: Businesses must inform individuals of the purpose for which their Personal Data is collected, used, disclosed, and processed. They are also required to notify individuals in case of a data breach that may affect their individual rights.
  4. Access and Correction: Businesses are obliged, on request and as soon as reasonably possible, to provide individuals with the Personal Data they have requested, and to correct any errors unless it is reasonable not to make the correction.
  5. Accuracy: Businesses should make a reasonable effort to ensure that the Personal Data they collect is accurate and complete where the Personal Data is likely to be processed in a way that affects the individual, or is likely to be disclosed to another organization.
  6. Protection of Data: Businesses must have in place reasonable security measures to protect the Personal Data in their possession or control. The aim is to prevent unauthorized access, theft, or damage to the Personal Data in their possession.
  7. Retention Limitation: Businesses are allowed to retain Personal Data only for as long as it is necessary to meet the business purpose stated during the collection of the data.
  8. Transfer Limitation: Businesses transferring Personal Data overseas or storing the data in the cloud must ensure that the transfer meets the PDPA's Data Protection Requirements. This is to ensure that the data being transferred is secured to the level the PDPA requires.
  9. Openness Obligation: Businesses must implement the policies and procedures necessary to fulfill their PDPA obligations. They must also ensure that the policies and procedures developed are publicly available on their website.

Steps for achieving Compliance

  • Develop a relevant Privacy Policy and ensure its availability to the public.
  • Develop terms and conditions with an explicit section for obtaining consent from customers.
  • Allow customers to withdraw their consent to the processing of their Personal Data.
  • Have in place provisions to handle requests for Personal Data within 30 days.
  • Allow customers to update, correct, and delete their Personal Data.
  • Verify data collected from a third-party provider.
  • Implement administrative, physical, and technological security measures for Personal Data security.
  • Prepare an appropriate Data Retention Policy.
  • Ensure disposal of Personal Data when it is no longer in use.
  • Appoint a Data Protection Officer (DPO) to ensure compliance with the PDPA.

Conclusion

PDPA is a complex regulation designed to ensure the protection of individuals’ fundamental rights related to the collection, processing, and disclosure of their Personal Data. Organizations should develop strategies and have in place security measures to prevent thefts or data breaches.

Non-compliance with the Regulation or an incident of Data Breach can lead to penalties. Hence, organizations need to have a clear understanding of the data protection obligations under the PDPA Regulations. Consult and collaborate with a professional Cyber Security Consulting firm to achieve Compliance. VISTA InfoSec is a global Cyber Security Consulting firm with years of industry experience and knowledge of Compliance Regulations and industry best practices. Get industry insights and tips from our experts and ease your Compliance process.

Narendra Sahoo

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm based in the US, Singapore, and India. Mr. Sahoo holds more than 25 years of experience in the IT industry, with expertise in Information Risk Consulting, Assessment, and Compliance services. VISTA InfoSec specializes in Information Security audit, consulting, and certification services, which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, and PDPB, to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.