Policy Awareness

10 Steps to be Compliant with PDPA

10 step PDPA checklist

As we’ve previously mentioned in “5 Facts You Should Know About PDPA”, the Personal Data Protection Act, 2012 (PDPA), sets the rules on data protection in Singapore by regulating the flow of personal data among organizations. The PDPA in Singapore takes into account an individual’s right to data protection and an organization’s commercial right to collect, use, or disclose personal data for a reasonable purpose.

In order to make the compliance obligations more reader-friendly, PDPC (Personal Data Protection Commission, which represents the Singapore Government) has issued a 10 step PDPA checklist.

The PDPA Checklist was built to make sure that the companies are compliant with the data protection obligations. The steps are as follows:

1. Appoint A Data Protection Officer

All organisations, including multinationals (MNCs), sole proprietors, non-profit organisations and small and medium enterprises (SMEs), must appoint at least one person as the Data Protection Officer (DPO). The DPO is responsible for ensuring PDPA compliance and liaises with the PDPC on data protection matters. The DPO also looks into all queries and complaints related to data protection and handling.

2. Notify Purpose(s) And Seek Consent 

Organisations must notify the purpose of the collection of data and seek the consent of the individuals prior to collecting their data. The organization must stop collecting data in case the individual withdraws his/her consent. Personal data must be collected only for a reasonable purpose. 

3. Respond When Individuals Ask About Their Personal Data 

Upon the customer’s request, organisations must provide information on what personal data has been collected and how it has been used. Organisations may charge a reasonable fee to cover the processing cost of this request, provided that the organisation gives a written estimate of the fee beforehand. Organisations must provide this information within 30 days; if that is not possible, they must inform the individual within 30 days of when the organisation will be able to respond.

4. Allow Correction of Personal Data

Organisations must correct an error or omission in personal data when an individual makes a request unless the company, on reasonable grounds, deems fit not to correct the information as provided under Section 22(4) of the PDPA.  

5. Secure Personal Data Held by the Organization

Organisations must take appropriate steps such as formulation of internal data security policy and employee training. This is to prevent risks related to unauthorised access, collection, use, or disclosure of the data. 

Check out the blog post “The Role of Employee Awareness Training in Adhering to PDPA” to get more details about this step.

6. Dispose of Personal Data That is No Longer Needed

Organisations must stop holding on to personal data when they no longer have any business or legal use for it. The organization should set a retention period and formulate a plan to safely dispose of any personal data after the expiration of the retention period. 

7. Ensure Protection Of Personal Data When Transferring Overseas

If an organisation intends to transfer personal data overseas, it must take steps to ensure that the data is protected in compliance with the PDPA while the personal data is still in the organisation’s possession or control.

8. Closely Manage Service Providers That Handle Personal Data

If an organisation engages a service provider to process personal data, the organisation may be held responsible if the service provider contravenes the PDPA while providing the service.

When entering into a service agreement with the service provider, the organization must ensure there are clauses that require the service provider to take sufficient measures to ensure compliance with PDPA requirements.

9. Check The Do Not Call Registry

If an organization conducts telemarketing to subscribers or users of Singapore telephone numbers, it will need to submit the telephone numbers on its telemarketing list for checks against the Do Not Call (DNC) Registry, unless the subscriber or user has given his/her clear and unambiguous consent to receive such messages.

10. Communicate Data Protection Policies, Practices, and Processes

The data protection and security policy must be communicated to the employees and customers. Organisations must formulate privacy policies and conduct employee training. 

Ensure PDPA compliance with Compliance Readiness

In order to drive awareness and proper training to your workforce to handle both internal and external personal data, you should look for a smart solution to help you drive meaningful and long-lasting policy compliance awareness within your organization. 

Schedule a demo and learn how Compliance Readiness can help your company’s assigned Data Protection Officer save time and resources when dealing with the PDPA regulations.

DISCLAIMER: The information provided by Right-Hand is for general information purposes only to permit you to learn more about our products and services. It is not intended to provide legal advice or opinions of any kind and may not be used for professional or commercial purposes. The information provided is accurate and useful to the best of our knowledge. However, the information may not be current and is subject to change without notice. No one should act, or refrain from acting, based solely upon the information provided herein without first seeking appropriate legal or other professional advice. No attorney-client or confidential relationship exists or will be formed between you and Right-Hand or any of our representatives.
