The Personal Data Protection Act (PDPA) Singapore – what are the requirements?
The PDPA sets out an organisation's obligations in respect of the (a) collection, (b) use, (c) disclosure and (d) care of personal data in Singapore. Personal data is data about an individual who can be identified from that data alone, or from that data together with other information to which the organisation has or is likely to have access. The individuals concerned include customers, suppliers and employees, not only clients.
Data protection framework
Firms are expected to have in place an appropriate personal data protection framework. It starts with corporate governance and accountability for the data protection practices applied to personal data in the firm's possession or under its control, and it must also cover breach management, training and communications.
We have set out below some basic elements that should be included in a firm's data protection framework:
- develop a Data Protection (DP) policy
- appoint a DPO and ensure their business contact information is available to the public
- identify risks and gaps using the PDPA Assessment Tool for Organisations (PATO)
- embed data protection as part of corporate governance and establish a data protection reporting structure
- embed regular monitoring and reporting mechanisms within your Enterprise Risk Management (ERM) framework
- establish a data breach management team
- develop a 4-step action plan for data breach response
- develop a complaint handling procedure
- develop a staff training and communications plan
- ensure all staff complete the PDPA e-Learning programme
- carry out an annual review of data protection policies
- conduct a table-top exercise to test the data breach response plan
- provide one refresher training for key employees on handling personal data
- document data assets and flows using a data inventory map.
Data Protection Officer (DPO) requirements
Firms are required to designate at least one individual as the DPO and although it is not mandatory under the Act to register the DPO’s details with ACRA, firms are strongly encouraged to do so.
The PDPC site states that “Organisations are also required to ensure that at least one DPO’s business contact information is made available to the public. The business contact information may be a general telephone or email address of the organisation.”
Although this is not a specific MAS-related rule, it is still a legal requirement and can be carried out in a short space of time. We would urge firms to register the DPO's details with ACRA if they have not already done so. You can check whether this has already been carried out by looking at the Data Protection Officer(s) section of your firm's ACRA record.
How can Waystone Compliance Solutions help?
The Cyber and Data Protection team at Waystone Compliance Solutions assists firms with relevant policies and procedures and with employee training in relation to data protection, and can also carry out a gap analysis to identify any areas that require attention. Please reach out to your usual Waystone Compliance Solutions representative today to learn more.