5 Facts You Should Know About PDPA

PDPA Post Series

Put simply, the Personal Data Protection Act, 2012 (PDPA) provides a framework that companies must follow to protect personal data. It comprises various rules governing the collection, use, disclosure and care of personal data. PDPA makes it mandatory for every organization to have privacy and internal data security policies.

PDPA is administered and enforced by the Personal Data Protection Commission (PDPC). The PDPC represents the Singapore Government and serves as the main authority dealing with matters related to personal data protection. This governing body is entrusted with the task of formulating and implementing policies related to the protection of personal data. 

By regulating the flow of personal data among organizations, PDPA also has an important mission to maintain Singapore’s position as a trusted, world-class hub for businesses.

Here are the 5 facts you should know about PDPA in order to be compliant with this Singaporean regulation:

#1: The nine PDPA obligations explained

When it comes to data protection, PDPA imposes nine obligations on organizations:

  • Consent:

Organizations must only collect, use or disclose personal data for purposes for which an individual has given express or deemed consent. Organizations must also notify individuals of that purpose, and individuals must be allowed to withdraw consent.

  • Purpose: 

PDPA states that an organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances, and of which the individual has been informed.

  • Notification:

Organizations must notify individuals of the purposes for which their data is collected, used or disclosed on or before such collection, use or disclosure. A data breach notification obligation under the PDPA is still under review.

  • Access and correction:

Upon request by an individual, organizations should correct the individual's data or provide the individual with details of the data collected.

  • Openness:

Organizations must make information about their data protection policies, practices and complaints processes available on request. They must also designate one or more individuals as a Data Protection Officer to ensure that the organisation complies with the PDPA.

  • Protection:

Organizations should make reasonable security arrangements to protect the personal data in their possession or under their control, in order to prevent unauthorised access, collection, use, disclosure or similar risks.

  • Accuracy:

Organizations should make a reasonable effort to ensure that the personal data they collect is accurate and complete.

  • Retention:

Organizations should cease retention of personal data or anonymise the personal data when it is no longer necessary for any business or legal purpose.

  • Transfer:

Organizations must transfer personal data to another country only according to the requirements prescribed under PDPA.

#2: Both external and internal data matter to PDPA

Organizations, as employers, must take reasonable steps when dealing with their employees' personal data by having an internal data management system.

To illustrate the importance of protecting internal data, consider the case of Re Executive Coach International Pte Ltd [2017] SGPDPC 3: a director of an organization disclosed sensitive personal data about an employee in a WhatsApp group chat with other employees. The PDPC held the organization liable for a breach of PDPA.

The PDPC also places a lot of emphasis on an organization's responsibility when handling customer data. In the case of Re SLF Green Maid Agency [2018] SGPDPC 27, an organization's staff, while interacting with prospective customers, reused scrap and discarded paper containing the personal data of individuals, including photocopies of their national registration identity cards, foreign identity numbers, passport information and signatures. The PDPC ruled that the organization had breached PDPA, and the case caused considerable reputational damage to the organization.

The above examples show that an organization must provide PDPA training to its staff in order to avoid financial and reputational damage.

#3: The PDPA Privacy Policy explained

Under PDPA, every organization must provide a privacy policy and must obtain consent, either express or deemed, before collecting its customers' data. To comply with these requirements, a privacy policy must cover the following:

  • The nature and type of data collected;
  • Purpose of data collection;
  • How the data is used, collected and disclosed;
  • Procedure for withdrawal of consent;
  • Access to and correction of personal data;
  • Measures taken to protect personal data;
  • Accuracy of personal data;
  • Retention of personal data;
  • Deletion of personal data;
  • Transfer of personal data;
  • Details of the Data Protection Officer, in case the customer wants to make a complaint;
  • Effect of the notice and changes to the notice.

#4: PDPA requires companies to have a Data Protection Management Program (DPMP)

In order to have a good management system, the PDPC recommends that organizations:

(i) Appoint a Data Protection Officer ("DPO"), preferably from senior management, who can effectively direct and oversee data protection initiatives;

(ii) Endorse a Data Protection Management Program (DPMP);

(iii) Establish a risk management framework and reporting mechanisms;

(iv) Create and communicate a data security policy that specifies the organisation's approach to handling personal data.

In order to comply with recommendation (ii) above, PDPA requires a Data Protection Management Program (DPMP). Not only multinational companies (MNCs) but also many SMEs are directed to implement a DPMP.

A DPMP is a systematic framework to help organisations establish a robust data protection infrastructure. It covers management policies and processes for the handling of personal data as well as defines roles and responsibilities of the people in the organisation in relation to personal data protection.

#5: The Data Protection Officer (DPO) role in PDPA

A competent Data Protection Officer is the key to preventing non-compliance with the PDPA. Although the DPO is responsible for ensuring compliance, many organisations have a team consisting of senior management and personnel from other departments to assist with personal data matters. An organization must make the business contact information of its DPO available to the public. However, designating a DPO does not relieve the organization of its own obligations.

The DPO designated by an organisation should be sufficiently skilled and knowledgeable. Organizations should also ensure that the individuals appointed as DPO are trained and certified.

Ensure PDPA compliance with Compliance Readiness

To drive awareness and proper training across your workforce for handling both internal and external personal data, you need a smart solution that builds meaningful, long-lasting policy compliance awareness within your organization. Schedule a demo with us to learn how Compliance Readiness can help your company's designated Data Protection Officer save time and resources when dealing with PDPA regulations.
