In this guide:
What is Singapore’s Personal Data Protection Act (PDPA)?
The Personal Data Protection Act (PDPA) establishes a fundamental standard for safeguarding personal data in Singapore, complementing preexisting legislative frameworks like the Banking Act and Insurance Act already in place prior to the PDPA implementation in 2013. Amendments took effect in phases in 2021, and the PDPA now encompasses additional requirements that dictate the handling of personal data, encompassing its collection, utilization, disclosure, and overall management in the country. Singapore created the Personal Data Protection Commission (PDPC) to oversee and enforce this Act.
Furthermore, the PDPA facilitates the creation of a national Do Not Call (DNC) Registry, allowing individuals to register their Singapore telephone numbers and opt out of unsolicited telemarketing messages from organizations.
By balancing the imperative to protect individuals’ personal data with the legitimate needs of organizations to collect, use, and disclose such data, the PDPA acknowledges competing objectives. However, the establishment of a robust data protection framework is crucial to prevent the misuse of personal data and uphold individuals’ confidence in organizations entrusted with their information. By regulating the exchange of personal data among entities, the PDPA aims to fortify the protection of personal information and enhance Singapore’s reputation as a reliable international business hub.
The scope of the PDPA is quite broad, applying to personal data stored in both digital and physical formats. However, it specifically does not apply to:
- Any individual acting on a personal or domestic basis.
- Any individual acting in his/her capacity as an employee with an organisation.
- Any public agency in relation to the collection, use or disclosure of personal data.
- Business contact information such as an individual’s name, position or title, business telephone number, business address, business email, business fax number and similar information.
Every organization operating in Singapore that is collecting, using or disclosing personal data must comply with the various data protection obligations included in the PDPA. These obligations ensure the personal information of data subjects–the individuals whose data is being processed–are being respected with clear processes for them to exercise their rights. The Act’s extraterritorial scope ensures data collected within Singapore is covered by this regulation regardless of where the processing occurs. This is a vital aspect that many international privacy laws share, because it provides a legal basis to take action against businesses trying to use their location as a shield for unethical data processing practices. The PDPC hears any complaints from consumers about violations to ensure all of the rights created by the PDPA are protected.
The enumerated rights granted to individuals in Singapore include:
- Right to be informed: Individuals have the right to be informed about the purposes for the collection, use, or disclosure of their personal data.
- Right of access: Individuals can request access to their personal data held by organizations and information about how the data has been used or disclosed in the past year.
- Right to correction: Individuals have the right to correct inaccuracies in their personal data held by organizations. Upon request, organizations must correct the data promptly.
- Right to withdraw consent: Individuals have the right to withdraw their consent for the collection, use, or disclosure of their personal data. Organizations must cease such activities upon withdrawal, and individuals should be informed of the result.
- Right to object: Individuals can object to the use of their personal data for certain purposes, such as direct marketing. Organizations must cease such activities upon receiving the objection.
- Right to restrict processing: In certain situations, individuals can request the restriction of the processing of their personal data. This means that organizations can continue to store the data but not use it for processing purposes.
- Right to data portability: Upon request, individuals have the right to receive their personal data in a commonly-used, machine-readable format and transmit it to another organization.
- Right to be forgotten: Individuals have the right to request the deletion or removal of their personal data in certain circumstances, such as when the data is no longer necessary for the purpose for which it was collected.
- Right to non-discrimination: Individuals have the right to not be subjected to discriminatory practices based on their exercise of any of these data protection rights.
It’s essential to note that the PDPA aims to strike a balance between protecting individuals’ privacy and enabling legitimate data usage by organizations. As one of the first comprehensive data protection laws in Asia, the PDPA served as a benchmark for neighboring countries. Although it is just one of many global data privacy laws active today, Singapore’s PDPA positively influenced personal data protection standards and governance far beyond its border.
What’s different about the PDPA, however, is the way it adopts a risk-based and proportionate approach recognizing that not all organizations pose the same level of risk to individuals’ privacy. By looking through this lens, the PDPC has greater flexibility to adjust compliance measures based on the scale and sensitivity of information being handled by an organization.
The reason for this law is something businesses around the world should learn from. Despite the obligations the PDPA places on organizations which can be tricky to navigate, Singapore implemented these requirements to facilitate its growth as an international business hub. This is the key for any business: data privacy should be viewed as an opportunity, not a burden. When prioritized and done effectively, companies can use it as a competitive advantage to increase market share by increasing consumer trust.
(Source: Singapore’s Personal Data Protection Commission website)
How to comply with PDPA provisions
It’s critical for organizations to know the requirements of the PDPA in detail to avoid legal consequences and build trust with customers. Given the Act has already been amended multiple times, it’s important to remain updated on any future developments as they happen. There’s typically some time before any changes are strictly enforced, but of course it’s always better to be proactive. Otherwise, a businesses can unknowingly miss key aspects of a new obligation that shifts the organization to noncompliance, resulting in expensive fines and potential legal action against the individuals at fault.
These obligations placed on businesses are specifically named in the PDPA, unlike many other data privacy laws around the world which are more vague and broad in describing company responsibilities. The following are the specific obligations named and explained:
- Accountability: Implement measures to ensure organizations fulfill their obligations under the PDPA. This includes providing information about data protection policies, practices, and complaint procedures upon request. Designate a Data Protection Officer (DPO) and make their contact information public.
- Notification: Inform individuals about the intended purposes of collecting, using, and/or disclosing their personal data.
- Consent: Collect, use, or disclose personal data only with the individual’s consent. Allow individuals to withdraw consent with reasonable notice and communicate the potential consequences. Cease data collection, use, or disclosure upon withdrawal of consent.
- Purpose limitation: Collect, use, or disclose personal data only for purposes deemed appropriate under circumstances given and consented to by the individual. Do not make consent a condition for providing a product or service beyond what is reasonable.
- Accuracy: Make reasonable efforts to ensure accuracy and completeness of collected personal data, especially if it impacts decisions affecting the individual or is disclosed to another organization.
- Protection: Establish reasonable security measures to safeguard personal data against unauthorized access, collection, use, disclosure, or similar risks. This may include encryption, access controls, and regular security assessments.
- Retention limitation: Cease retention or dispose of personal data appropriately when it is no longer necessary for any business or legal purpose.
- Transfer limitation: Transfer personal data internationally only according to prescribed regulations, ensuring a comparable standard of protection to that under the PDPA, unless specifically exempted by the PDPC.
- Access and correction: Provide individuals with access to their personal data and information on its use or disclosure promptly following the request. Correct any errors or omissions as soon as possible, and send corrected data to relevant organizations within a year following the correction.
- Data breach notification: If a data breach may result in significant harm to individuals or is of significant scale, notify the PDPC and affected individuals promptly.
- Data portability requirement: Upon an individual’s request, transmit their data, held or controlled by the organization, to another organization in a commonly used machine-readable format.
- Document everything: Keep detailed records of your processing activities and security steps taken proactively, which can be invaluable following a data breach. A business can receive a lot more grace if every reasonable action was taken to protect personal data upfront.
Here’s more good news: the obligations in the PDPA are aligned with leading global data privacy legislation. This means making the necessary adjustments to comply with the PDPA is a fantastic start to ensure international compliance in general. Put more simply, the best practices you find here are going to provide immense value when assessing global compliance.
It’s highly recommended all organizations processing personal data in Singapore employ the following practices:
- Develop a data protection policy and communicate responsibilities. Have a policy outlining how you meet PDPA obligations and designate a DPO responsible for compliance.
- Obtain proper consent. Consent should be opt-in, granular, clearly recorded and easily withdrawn.
- Retain records minimally with purpose limitations. Establish data retention schedules aligned to purposes. Dispose of records securely when no longer needed.
- Conduct regular audits and assessments: Regular internal audits and assessments ensure ongoing compliance. This includes reviewing and updating policies and procedures as needed.
- Map all data: Conduct a thorough data mapping exercise to understand what personal data is collected, where it is stored, how it is processed, and who has access to it.
- Train employees. Ensure all individuals handling personal data are trained to comply with PDPA requirements. Monitor compliance readiness.
It can also be helpful to regularly check the website for Singapore’s PDPC to see the latest legal updates and suggestions for compliance. Again, the point is to stay ahead of global trends. If you’re going to have to comply anyways, why not get ahead of the curve and use it as a key differentiator? It’s only going to decrease your risk while increasing public trust.
Singapore’s PDPA has had wide-ranging impacts on businesses across areas like operations, compliance costs, competitiveness, and innovation. But these impacts create opportunities. While increasing responsibilities, the PDPA aims to build consumer trust vital to the digital economy’s growth. Most businesses recognize its net benefits despite added pressures to their bottom line and day-to-day functioning. If you don’t recognize the benefits outweigh the negatives, it’s probably time to reconsider.
Why Privacy Bee is key
Personal data protection is imperative for businesses engaged in online service delivery today, especially for sensitive data. New regulations are popping up every day around the world. The current trend is that these continue to require more stringent opt-in policies while granting consumers more rights. The public now has the ability to review and remove their personal data, increasing the accountability and obligations of every organization processing personal identifiable information (PII).
Yet the responsibility still falls primarily on the individual to oversee, assess, update and delete (via DSAR request) their personal data wherever it may be collected and dispersed across the internet.
This becomes a massive lift for any business looking to protect their organization from data breaches. When working to cover an entire company, it is practically impossible for a single person or small team to manage External Data Privacy without help from a specialized team of experts. The identification and subsequent elimination of this data plays a pivotal role in deterring cybercriminals from launching dangerous social engineering attacks against an organization by closing the data protection gap.
That’s why Privacy Bee emerges as the optimal solution. The time-consuming process of monitoring and eradicating employee data as a complement to cybersecurity is a must, and Privacy Bee covers every site across the internet exposing your organization’s data. This data monitoring and deletion service is especially effective for executives who are highly visible to the general public. Using sophisticated automation processes backed by an active human service team, Privacy Bee substantially reduces a company’s attack surface and mitigates the looming threat of an expensive data breach. Industry estimates put the cost of a single data breach somewhere between $7-10 million USD. That can be crippling for a small or mid-size business–not to mention the fines from noncompliance–which is why a proactive approach for maximum security is a must.
Social engineering attacks are the fastest-growing data breach threat, no matter how mature an organization’s cybersecurity program is today. If your response to these attacks isn’t already completely covered, then threat actors still have a lucrative way to target and obtain your organization’s most sensitive information.
Ideally, you are already conducting risk assessments and vendor surveys as well. If so, well done! However, it is absolutely essential to recognize vendors are most susceptible to a breach via social engineering attacks relying on exposed data. Privacy Bee not only minimizes the proliferation of your organization’s data across the vast digital landscape but also extends its protection to vendors, helping you ensure third party partners do not serve as the weak link in your security defenses or put you at risk of noncompliance. Don’t miss this step, as there are far too many massive organizations falling victim to cyberattacks due to a vendor’s lack of proactive security.
Why would anybody do such a thing?
In the ever-growing billion-dollar surveillance industry, Data Brokers and People Search Sites are the key players. They reap record-breaking profits by trading and transferring your organization’s information with obscure and uncontrollable entities. These entities then either publish this information directly for clicks or compile it all to sell on again top yet another organization. Suddenly, you and your employees’ personal data can be easily found via quick Google Search.
If it’s that simple to find you and your coworker’s information, then threat actors can launch cyberattacks at scale by targeting the most vulnerable team members with emotionally engaging messaging that turns even the most highly-trained professionals into victims on a regular basis. The only way to prevent this is by stopping the data flow at the source. The consequences are simply too costly to risk:
- A solitary data breach leads to massive productivity losses, expensive remediation efforts, and recurring breach incidents.
- This isn’t new, and is a predicament that plagues the vast majority of businesses following an initial breach. Industry estimates state as many as 83% of organizations who experienced a data breach go on to experience multiple. That is staggering, and is exactly what Privacy Bee is fighting back against.
- The initial data breach sets off a chain reaction that inflicts short-term damage on your bottom line while eroding brand value and customer trust over time.
- Furthermore, there are ripple effects to consider, such as heightened employee turnover due to poaching.
Privacy Bee combats threat actors lurking beyond your organization’s perimeters. By meticulously analyzing every location across the internet where your personal and sensitive data resides, then swiftly purging it, Privacy Bee closes the data security gap. The service even encompasses dark web monitoring and provides timely data breach notifications if another company falls victim to an exploitation incident and exposes your information in the process.
Our unwavering commitment is deeply rooted in the belief that privacy is an inalienable human right that transcends political discourse and negotiations. This is why Privacy Bee vigilantly monitors user data for security vulnerabilities while holding the surveillance industry accountable. We compel Data Brokers, People Search Sites, and more than 150,000 additional websites to expunge your stored data and opt out of further data collection to protect you, your family, and your entire organization. This unchanging goal is the reason we offer no-charge monitoring services and deletion guides. You need only reach out when help is needed.
Privacy Bee protection covers a wide range of potential threats, including:
- Data breaches
- Social engineering attacks
- Doxxing
- Spam emails
- Telemarketing calls
- Cyberstalking
- Identity theft
- Swatting
- Blackmail
- And more!
Privacy Bee is quickly emerging as the next necessary tool in your security tool belt. There’s no better addition for business leaders with a mature cybersecurity program wanting to protect employee and customer data in the midst of innovative threat actors using AI and other new apps to scale their efforts.
Privacy is more important and harder to come by than ever. Today, you need a trusted partner fighting to preserve your personal and organizational integrity.
