The Personal Data Protection Act (PDPA) and Your Obligations
What is the Personal Data Protection Act?
The Act in Singapore that covers personal data is the Personal Data Protection Act (PDPA). This Act sets out clear minimum standards for safeguarding personal data in Singapore. Furthermore, it dovetails with the sector-specific legislative and regulatory frameworks relating to the financial services industry in Singapore.
The Act sets out the obligations in respect of (a) collection, (b) use, (c) disclosure and (d) care of personal data in Singapore.
Personal data refers to data about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access, which includes customers, suppliers and employees.
Data Protection Framework Requirements
Firms are expected to have in place an appropriate data protection framework that starts with corporate governance/accountability for data protection practices in the management of personal data under the firm’s possession or control. This must also include data protection and breach management, training and communications.
The following are some basic elements of a checklist that your firm should include as part of its Data Protection Framework:
- develop a Data Protection (DP) policy
- appoint a DPO and ensure business contact information is made available to the public
- identify risks and gaps using PDPA Assessment Tool for Organisations (PATO)
- embed data protection as part of your corporate governance framework and establish a reporting structure for data protection matters
- embed regular monitoring and reporting mechanisms within the Enterprise Risk Management (ERM) Framework
- establish a data breach management team
- develop a complaint handling procedure
- develop a 4-step action plan for data breach response
- develop a staff training and communications plan
- mandate all staff to complete the PDPA E-Learning Programme
- carry out an annual review of data protection policies
- conduct a table-top exercise to test the data breach response plan
- provide one refresher training for key employees on handling personal data
- document data assets and flows using a Data Inventory Map.
Data Protection Officer Requirements
As highlighted in the framework section above, a firm is required to designate at least one individual as the data protection officer (DPO). Although it is not mandatory under the Act to register the DPO’s details with ACRA, firms are strongly encouraged to do so.
The PDPC website states: “Organisations are also required to ensure that at least one DPO’s business contact information is made available to the public. The business contact information may be a general telephone or email address of the organisation”. Adding the details to ACRA would therefore assist with complying with this requirement.
Although not a MAS-related rule, we would urge firms, if they have not done so already, to register the DPO with ACRA. You can find out whether a current registration already exists by clicking on your firm’s ACRA record under Data Protection Officer(s) for more information.
You can find out more by visiting these websites:
How Waystone Compliance Solutions Can Help
Our APAC Compliance team can assist with the provision of policies and procedures and can provide a gap analysis, with recommendations for remediation where necessary. Waystone Compliance Solutions also provides employee compliance training and can assist with any specific data protection related projects you may have.