How to comply with the PDPA in Singapore

Hawksford

Hawksford

In our increasingly digitised world, data protection has become a key concern for individuals and businesses alike. Singapore, known for its robust regulatory framework, has established stringent measures to safeguard personal data through its Personal Data Protection Act 2012 (PDPA).  

Understanding the obligations, mandatory requirements and potential fines under the PDPA is crucial for entities operating within Singapore. 

 

Main obligations under the PDPA

Accountability: Ensure that organisations comply with their obligations under the PDPA, such as providing information about your privacy policy, practices and complaints procedure upon request, as well as appointing a Data Protection Officer (DPO) and making the company's contact details available to the public. 

Consent: Obtaining consent is fundamental before collecting, using or disclosing personal data. This consent must be obtained in a clear and transparent manner, detailing the purposes for which the data will be used.

Purpose limitation: Organisations are only permitted to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.

Notification obligation: Individuals must be informed of the purposes for which their data is collected, used or disclosed at the time of collection.

Accuracy: Reasonable efforts must be made to ensure that the personal data collected is accurate and complete. Particularly if it is used to make a decision that affects the individual, such as applying for a loan or an insurance policy. 

Access and correction: Individuals have the right to access their personal data held by an organisation and to correct any inaccuracies.

Protection: Organisations are required to protect personal data in their possession or control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

Retention limitation: Personal data should not be retained longer than necessary for the fulfilment of the purposes for which it is collected.

Transfer limitation: Organisations must ensure that personal data transferred outside Singapore is adequately protected. 

Data breach: In the event of a data breach, organisations must take steps to assess if it is notifiable. If the data breach is likely to result in significant damage to individuals and/or is of a significant scale, organisations must notify the PDPC and the individuals concerned as soon as possible. 

 

Mandatory steps for organisations in Singapore

Beyond awareness of the PDPA, organisations must take proactive steps to ensure full compliance and robust data protection practices. From appointing a DPO to implementing thorough policies and procedures, adherence to the following mandatory steps is crucial in safeguarding personal data and avoiding potential fines. 

One of the primary requirements under the PDPA is the appointment of a DPO for organisations handling personal data. The DPO acts as a focal point for data protection matters within the organisation, ensuring compliance with the PDPA and other relevant regulations.

Organisations must develop and implement comprehensive policies and procedures governing the collection, use, disclosure, and management of personal data. These policies should encompass consent mechanisms, data retention schedules, security measures, breach response protocols and guidelines for handling data access requests.  

Before embarking on new projects or initiatives involving the processing of personal data, organisations should conduct DPIAs to assess and mitigate potential risks to individuals' privacy rights. DPIAs help identify privacy risks, evaluate the necessity and proportionality of data processing activities and implement measures to enhance data protection. 

Ensuring that employees are well-informed about data protection obligations is paramount. Organisations should provide regular training sessions and awareness programs to educate staff members on their responsibilities regarding the handling of personal data, including the importance of confidentiality, data accuracy and security measures. 

Organisations must implement appropriate technical and organisational measures to protect personal data from unauthorised access, disclosure, alteration or destruction. This may include encryption, access controls, regular security assessments and the adoption of privacy-enhancing technologies.

In the event of a data breach, organisations must have robust response mechanisms in place to promptly detect, assess and mitigate the impact of the breach. This includes notifying affected individuals and the Personal Data Protection Commission (PDPC) within the stipulated timeframes and taking remedial actions to prevent future breaches.

Conducting regular compliance audits and reviews is essential to ensure ongoing adherence to data protection requirements. Organisations should periodically assess their data protection practices, identify areas for improvement and take corrective actions as necessary to maintain compliance with the PDPA.

 

Potential fines for non-compliance 

Non-compliance with the PDPA can result in severe penalties, including financial fines. The PDPC has the authority to impose the following fines: 

  • Financial penalties – organisations found in breach of the PDPA can face fines of up to SG$1 million or 10% of annual turnover (whichever is higher).

  • Reputational damage and loss of trust – organisations may suffer damage to their image and a loss of trust from their partners and customers, as the offence and the penalty will be published on the PDPC website. 

  • Directions, warnings and audits – in the event of non-compliance, the authorities can issue directions and warnings or initiate an audit of the entire company. 

 

Examples of fines in 2023 

In 2023, the PDPC imposed fines on organisations for various breaches of the PDPA. For instance: 

  • A leasing and hire purchase business was fined SG$82,000 for failing to put in place reasonable security arrangements to protect individuals' personal data in its possession or under its control. 
  • A mobile phone retailer was fined SG$48,000 for failing to obtain proper consent before using its customers' personal data. 
  • A recruitment agency was fined SG$9,000 for failing to take reasonable security measures to protect the personal data of jobseekers in its possession or under its control.

 

Conclusion

Adhering to the mandatory requirements outlined in the PDPA is essential for maintaining trust and integrity in the digital age. Furthermore, understanding the potential fines for non-compliance highlights the seriousness with which data protection is regarded in Singapore.  

By prioritising compliance and implementing robust data protection measures, organisations can navigate the regulatory landscape effectively, while safeguarding the privacy rights of individuals. 

 

hawksford-corporate-services-contact-us

Speak to our experts today

Explore how our corporate services can elevate your business needs