10 Steps to be Compliant with PDPA

PDPA Post Series

As we’ve previously mentioned on “5 Facts You Should Know About PDPA”, the Personal Data Protection Act, 2012 (PDPA), sets the rules on data protection in Singapore by regulating the flow of personal data among organisations. The PDPA in Singapore takes into account an individual’s right to data protection and an organization’s commercial right to collect, use, or disclose personal data for a reasonable purpose.

In order to make the compliance obligations more reader-friendly, the PDPC (Personal Data Protection Commission, which represents the Singapore Government) has issued a 10-step PDPA checklist.

The PDPA Checklist was built to make sure that companies are compliant with the data protection obligations. The steps are as follows:

1. Appoint A Data Protection Officer

All organisations, including multinationals (MNCs), sole proprietors, non-profit organizations and small and medium enterprises (SMEs), must appoint at least one person as the Data Protection Officer (DPO). The DPO is responsible for ensuring PDPA compliance and shall liaise with the PDPC on data protection matters. The DPO will also look into all queries and complaints related to data protection and handling.

2. Notify Purpose(s) And Seek Consent 

Organisations must notify the purpose of the collection of data and seek the consent of the individuals prior to collecting their data. The organization must stop collecting data in case the individual withdraws his/her consent. Personal data must be collected only for a reasonable purpose. 

3. Respond When Individuals Ask About Their Personal Data 

Upon the customer’s request, organisations must provide information on what personal information has been collected and how it has been used. Organisations may charge a reasonable fee to cover the processing cost for this request, provided that the organization gives a written estimate of the fee beforehand. Organisations must provide this information within 30 days; if that is not possible, they must inform the individual within 30 days and let him/her know when the organization will be able to respond.

4. Allow Correction of Personal Data

Organisations must correct an error or omission in personal data when an individual makes a request unless the company, on reasonable grounds, deems fit not to correct the information as provided under Section 22(4) of the PDPA.  

5. Secure Personal Data Held by the Organization

Organisations must take appropriate steps such as formulation of internal data security policy and employee training. This is to prevent risks related to unauthorised access, collection, use, or disclosure of the data. 

6. Dispose of Personal Data That is No Longer Needed

Organisations must stop holding on to personal data when they no longer have any business or legal use for it. The organization should set a retention period and formulate a plan to safely dispose of any personal data after the expiration of the retention period.

7. Ensure Protection Of Personal Data When Transferring Overseas

If an organisation intends to transfer personal data overseas, it must take steps to ensure that the data is protected in compliance with the PDPA while the personal data is still in its possession or control.

8. Closely Manage Service Providers That Handle Personal Data

If an organization engages a service provider to process personal data, it may be held responsible if the service provider contravenes the PDPA while providing the service to it.

When entering into a service agreement with the service provider, the organization must ensure there are clauses that require the service provider to take sufficient measures to ensure compliance with PDPA requirements.

9. Check The Do Not Call Registry

If an organization conducts telemarketing to subscribers or users of Singapore telephone numbers, it will need to submit the telephone numbers on its telemarketing list for checks against the Do Not Call (DNC) Registry, unless the subscriber or user has given his/her clear and unambiguous consent to receive such messages.

10. Communicate Data Protection Policies, Practices, and Processes

The data protection and security policy must be communicated to the employees and customers. Organisations must formulate privacy policies and conduct employee training. 

Ensure PDPA compliance with Compliance Readiness

In order to drive awareness and proper training to your workforce to handle both internal and external personal data, you should look for a smart solution to help you drive meaningful and long-lasting policy compliance awareness within your organization. 

Schedule a demo and learn how Compliance Readiness can help your company’s assigned Data Protection Officer save time and resources when dealing with the PDPA regulations. 
