The Personal Data Protection Act (PDPA) and Your Obligations

      What is the Personal Data Protection Act?

      The Act in Singapore that covers personal data is the Personal Data Protection Act (PDPA). This Act sets out clear minimum standards for safeguarding personal data in Singapore. Furthermore, it dovetails with the sector-specific legislative and regulatory frameworks relating to the financial services industry in Singapore.

      The Act sets out the obligations in respect of (a) collection, (b) use, (c) disclosure and (d) care of personal data in Singapore.

      Personal data refers to data about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access, which includes customers, suppliers and employees.

      Data Protection Framework Requirements

      Firms are expected to have in place an appropriate data protection framework that starts with corporate governance and accountability for data protection practices in the management of personal data under the firm’s possession or control. This framework must also cover data protection and breach management, training and communications.

      The following are some basic elements of a checklist that your firm should include as part of its Data Protection Framework:

      • develop a Data Protection (DP) policy
      • appoint a DPO and ensure business contact information is made available to the public
      • identify risks and gaps using PDPA Assessment Tool for Organisations (PATO)
      • embed data protection as part of your corporate governance framework and establish a reporting structure for data protection matters
      • embed regular monitoring and reporting mechanisms within Enterprise Risk Management (ERM) Framework
      • establish a data breach management team
      • develop a complaint handling procedure
      • develop a 4-step action plan for data breach response
      • develop a staff training and communications plan
      • mandate all staff to complete the PDPA E-Learning Programme
      • carry out an annual review of data protection policies
      • conduct a table-top exercise to test the data breach response plan
      • provide one refresher training for key employees on handling personal data
      • document data assets and flows using a Data Inventory Map.

      Data Protection Officer Requirements

      As highlighted in the framework section above, a firm is required to designate at least one individual as its data protection officer (DPO). Although it is not mandatory under the Act to register the DPO’s details with ACRA, firms are strongly encouraged to do so.

      The PDPC website does state: “Organisations are also required to ensure that at least one DPO’s business contact information is made available to the public. The business contact information may be a general telephone or email address of the organisation”. Adding details to ACRA would therefore assist with complying with this requirement.

      Although this is not a MAS-related rule, we would urge firms, if they have not done so already, to register the DPO with ACRA. You can check whether a current registration already exists by viewing your firm’s ACRA record under Data Protection Officer(s).

      You can find out more by visiting these websites:

      How Waystone Compliance Solutions Can Help

      Our APAC Compliance team can assist with the provision of policies and procedures and can provide a gap analysis, with recommendations for remediation where necessary. Waystone Compliance Solutions also provides employee compliance training and can assist with any specific data protection related projects you may have.
