If you’ve read our previous blog post, “5 Facts You Should Know About PDPA”, you might know that the Personal Data Protection Act, 2012 (PDPA) establishes rules for data protection within Singapore companies. In a nutshell, PDPA makes it mandatory for every organization to have privacy and internal data security policies in place as steps to prevent data breaches.
The Personal Data Protection Commission (PDPC) is Singapore’s enforcement body for the PDPA. Since the PDPA came into force, the PDPC has issued several warnings and fines to stress its data security rules.
This blog post will dive deep into the financial and non-financial costs related to non-compliance with PDPA. By correctly following the PDPA frameworks and the information provided here, your organization will do a better job of avoiding financial losses, as well as preserving its brand reputation and market value.
The financial cost of non-compliance with PDPA
The penalty for a personal data breach by an organization is provided under Section 29(1) of PDPA. It states that the PDPC may, where an organization is not complying with the PDPA provisions, apply financial penalties depending on the case’s circumstances.
The Business Times’ calculations, based on decisions published since April 2016 on the PDPC website, showed that the penalties imposed totaled S$2.12 million over this period.
Many organizations have suffered huge penalties due to non-compliance, as seen in Orchard Turn Developments. In this case, the PDPC imposed a fine of S$15,000 on the organization for not making reasonable security arrangements to protect its customers’ data stored on its server.
Similarly, in Singapore Health Services Pte. Ltd. & Ors. [2019] SGPDPC 3, PDPC imposed a fine of S$1,000,000. The organization did not have a good data management policy, and it did not provide proper training to its employees to handle sensitive personal data. As a result, 1.5 million patients’ data was breached due to lapses in the cybersecurity system.
The non-financial costs of non-compliance with PDPA
Financial penalties are not the only consequences for companies that fail to comply with PDPA.
A company that suffers a data leak incident due to incorrect data management ends up in the spotlight. Think of reputation damage as a big umbrella: loss of business opportunities, negative publicity, and possibly a fair number of customer complaints are a few of the consequences.
PDPC often issues warnings to non-compliant organizations, which may not result in financial penalties but can still damage brand reputation. For example, in the Hazel Florist Case, the PDPC issued a warning to an SME that did not train employees to protect personal data. On that occasion, an employee used a sheet of paper containing customers’ personal data to wrap gifts.
Aggravating Factors for PDPA Penalties
The PDPC lists out certain aggravating factors that may lead to an increase in penalty. These factors are as follows:
- the organization failed to settle the matter with the aggrieved in an effective manner;
- intentional, repeated, and/or ongoing breaches of PDPA by an organization. For example, the organization was aware, or ought reasonably to have known, of a breach risk, or breach of the PDPA but continued with its operations without taking measures to minimize the risk or remedy the breach;
- obstructing the PDPC during investigations;
- failing to comply with a previous warning or direction from the PDPC; and
- the organization is in the business of handling personal data (such as medical or financial data) but failed to put in place adequate safeguards proportional to the harm that the disclosure of that personal data might cause.
Ensure your employees align with PDPA requirements
It takes time and team dedication to build a PDPA compliance program. Your assigned Data Protection Officer will be the one responsible for dealing with the full checklist of requirements from PDPA. Still, it only takes one employee misstep for the organization to fall out of compliance with its regulations.
Right-Hand’s Compliance Readiness solution contains a Machine Learning engine that automates and customizes compliance teams’ ability to develop, store, disseminate, increase awareness and drive behavior change for corporate policies.
DISCLAIMER: The information provided by Right-Hand is for general information purposes only to permit you to learn more about our products and services. It is not intended to provide legal advice or opinions of any kind and may not be used for professional or commercial purposes. The information provided is accurate and useful to the best of our knowledge. However, the information may not be current and is subject to change without notice. No one should act, or refrain from acting, based solely upon the information provided herein without first seeking appropriate legal or other professional advice. No attorney-client or confidential relationship exists or will be formed between you and Right-Hand or any of our representatives.