The Personal Data Protection Act (PDPA) provides a framework for organizations to ensure the protection of the personal data of citizens of Singapore. The regulations require organizations to protect individuals’ personal data that they process and also to prove a legitimate and reasonable purpose for collecting and using the personal data. The regulation was established and enforced to ensure the safety of personal data and prevent any misuse of the data. The aim of establishing the PDPA law is to regulate the flow of personal data in the country and strengthen Singapore’s position as a trusted business hub globally. The law is designed to protect personal data stored in both electronic and non-electronic formats.
We sit with your team to understand your business processes and the environment to consolidate the requirements against the PDPA.
Based on your business and our understanding of it, our team defines the scope for PDPA compliance.
Identify gaps in your organization’s security control, systems, and environment vis-à-vis PDPA requirements.
We conduct an awareness training program to help your employees understand the PDPA compliance regulation and its requirements.
Identify your sensitive personal data assets, classify them, and create/update the asset inventory.
Our team conducts a comprehensive Risk Assessment to identify weak areas that could be exploited and lead to a breach incident.
Our team helps you build strategies and appropriate Risk Treatment measures to help bridge gaps and strengthen security systems. We also assist you in developing and implementing a data breach management response that can blend with your existing Incident Response Plan.
Our team assesses your application for conformance to PDPA requirements such as Data Portability, User Consent, Effective UI design, etc.
Our team of experts will conduct User Training programs for all personnel covered in scope on their specific PDPA Compliance responsibilities. Training materials for future use shall be provided.
Develop effective documentation for your organization as per PDPA requirements.
We will help you build and roll out effective policies and procedures for your organization pertaining to PDPA Compliance.
After a reasonable gestation period, a separate team of experts conducts a Pre-assessment of your setup and ensures all measures are implemented.
Once all controls are confirmed to be in place, we will issue a legally admissible "PDPA Compliance" Certificate for your organization.
If required, we can extend our continual support by offering you Managed Compliance Services to help your organization stay certified.
PDPA Compliance applies to any organization that processes and deals with any kind of Personal Data in Singapore. Employees of an organization processing Personal Data are expected to adhere to the organization’s policies and procedures in the context of the PDPA. However, employees cannot be held personally responsible for the organization’s breach.
PDPA obligations do not apply to government agencies or public agencies. This also excludes organizations acting on behalf of a public agency in processing Personal Data. Further, the law does not apply to individuals acting in a personal or domestic capacity.
Singapore enacted the Personal Data Protection Act (PDPA) in 2012; thereafter it came into force in different phases and was enforced on 2nd July 2014.
PDPA Compliance cost for an average-sized company starts at $8000. Pricing for PDPA Compliance usually depends on several factors, including the Scope of Audit, Business Applications, Technology Platforms, Number of Locations, and other additional services.
The PDPA Compliance report is only valid for a year from the date of issue. Further, an audit should be performed annually, or at least when significant changes are introduced that may impact the systems and controls in an environment.
The PDPA regulation covers the personal data of citizens of Singapore stored in electronic and non-electronic formats. However, it generally does not apply to any personal data processed for domestic purposes, or to any public agency collecting, using, and disclosing personal data.