The Personal Data Protection Act (PDPA) Singapore – what are the requirements?

      The Personal Data Protection Act (PDPA) sets out clear minimum standards of safeguarding personal data in Singapore. It aims to bring together sector-specific legislative and regulatory frameworks relating to the financial services industry in Singapore.

      The PDPA sets out the obligations in respect of (a) collection, (b) use, (c) disclosure and (d) care of personal data in Singapore. Personal data refers to data about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access, which includes customers, suppliers, and employees.

      Data protection framework

      Firms are expected to have in place an appropriate data protection framework that starts with corporate governance/accountability for data protection practices in the management of personal data under the firm’s possession or control, this must also include breach management, training and communications.

      We have set out below some basic elements that should be in included in a firm’s data protection framework:

      • develop a Data Protection (DP) policy
      • appoint a DPO and ensure their business contact information is available to the public
      • identify risks and gaps using the PDPA Assessment Tool for Organisations (PATO)
      • embed data protection as part of corporate governance and establish a data protection reporting structure
      • embed regular monitoring and reporting mechanisms within your Enterprise Risk Management (ERM) framework
      • establish a data breach management team
      • develop a 4-step action plan for data breach response
      • develop a complaint handling procedure
      • develop a staff training and communications plan
      • ensure all staff complete the PDPA e-Learning programme
      • carry out an annual review of data protection policies
      • conduct a table-top exercise to test the data breach response plan
      • provide one refresher training for key employees on handling personal data
      • document data assets and flows using a data inventory map.

      Data Protection Officer (DPO) requirements

      Firms are required to designate at least one individual as the DPO and although it not mandatory under the Act to register the DPO’s details with ACRA, firms are strongly encouraged to do so.

      The PDPC site states that “Organisations are also required to ensure that at least one DPO’s business contact information is made available to the public. The business contact information may be a general telephone or email address of the organisation.”

      Although this is not a specific MAS-related rule, it is still a legal requirement and is something that can be carried out in a short space of time. We would urge firms to register the DPO’s details with ACRA if they have not already done so . You can find out if this has already been carried out by accessing your firm’s ACR record under the Data Protection Officer(s) section.

      Waystone Compliance Solutions assists firms with the provision of relevant policies and procedures and employee training in relation to data protection and in addition can carry out gap analysis to identify any areas that require attention. Please reach out to your usual Waystone representative.

      Previous post Next post
      Share

      More like this

      Compliance obligation reminders for licensed Venture Capital Fund Managers (VCFMs)

      Licensed Venture Capital Fund Managers (VCFMs) have various obligations that they must adhere to, and although not the same as…
      Read more

      Regulatory Compliance Updates December 2022 – APAC Region

      28 December 2022 - Masterminds Behind Singapore's Largest Stock Market Manipulation Jailed To view this Criminal Prosecution, please click here.…
      Read more

      MAS Guidelines on Environmental Risk Management for Asset Managers

      What are the MAS Guidelines on Environmental Risk Management for Asset Managers?
      Read more

      MAS Issues Revised Guidelines on Licensing, Registration and Conduct of Business for Fund Management Companies

      In November, MAS updated its guidelines on the licensing, registration and conduct of business for Fund Management Companies (FMCs).
      Read more

      Regulatory Compliance Updates November 2022 – APAC Region

      29 November 2022 - Compliance Toolkit for Approvals Notifications and Other Regulatory Submissions to MAS for Special Purpose Reinsurance Vehicles…
      Read more

      ASEAN Central Banks sign MOU

      At the recent G20 Leaders’ summit in Bali, Indonesia, Bank Indonesia, Bank Negara Malaysia, Bangko Sentral ng Pilipinas, MAS and…
      Read more