PDPA: The Singapore Data Protection Law Explained
Any business that handles data must contend with an increasingly long list of compliance requirements. As concerns over the security and privacy of personal information multiply, national governments have acted to reassure their populations that businesses are using their data securely and ethically.
The Singapore Personal Data Protection Act (PDPA) of 2012 governs the collection, use, and disclosure of all personal data in relation to residents of Singapore. It was recently updated, with many amendments coming into force in November 2020.
Here’s what you need to know about the Singapore data protection law.
What is the Personal Data Protection Act (PDPA)?
The Personal Data Protection Act Singapore is the country’s primary law regulating how businesses handle Singapore residents’ personal data they collect.
For the purposes of this law, the definition of personal data relates to any piece of information that could be used to identify an individual resident. This includes real-world data, such as names and physical addresses, as well as digital data, such as IP addresses.
Businesses should see the Singapore data privacy laws as the baseline standard of protection for data. With data protection in Singapore becoming a major public issue, the law installs nine data protection obligations with which businesses must comply.
Complying with the Data Protection Act of Singapore may seem like a chore, but it shares many of the same provisions as the European Union’s (EU) GDPR laws. If your business is already GDPR compliant, there’s very little you’ll need to do to also comply with the provisions on data privacy in Singapore.
The Nine Data Protection Obligations
To achieve full compliance with the Singapore privacy law, there are nine primary data protection obligations. These are outlined below.
Consent is always required when collecting, using, or disclosing personal data.
2. Purpose Limitation
Businesses must be transparent when it comes to informing individuals as to why their personal data is being collected, how it will be used, and in which cases personal data will be disclosed. Furthermore, businesses must not use data for any other reason than its stated purpose.
Individuals must be notified as to why the business is collecting, using, and disclosing their data before they give their consent.
4. Access and Correction
Individuals have the right to access the personal data an organization has collected on them. They also have the right to request that corrections are made in the event of an error.
Businesses are required to make a reasonable effort to collect full and complete personal data, especially if decisions are made that may impact how this data is used.
Businesses must make arrangements to ensure that their data security in Singapore
is of the highest standard. Organizations must prevent leaks, unauthorized access, copying, and modification.
7. Retention Limitation
Personal data may only be kept for a limited period. Once this period elapses, the data must be deleted permanently.
8. Transfer Limitation
Personal data may not be transferred outside of Singapore to any territory that does not have similar data standards to those of the Singapore Personal Data Protection Act.
9. National Do Not Call (DNC) Registry
Names that have been registered in the national DNC register must not receive any unsolicited marketing messages.
Amendments were made to the Singapore data protection law in 2020. The big change was the requirement for compulsory data breach reporting. Businesses must report a breach immediately to both the Personal Data Protection Commission and the individuals impacted.
There are also increased financial penalties for data breaches.
As part of the tightening of the law, rules have been expanded on “deemed consent,” new exceptions added to consent, tighter spam control laws, and brand new data portability obligations.
Does PDPA Apply to My Business?
PDPA applies to virtually any business that handles the personal data of Singapore residents. The Singapore privacy law also applies to businesses that operate virtually, so there are no exemptions for organizations without a physical presence in Singapore.
The big exemption to these laws is that they only apply to private businesses. The public sector has a separate manual governing how data is collected, used, and disclosed.
Penalties for Non-Compliance
Although many of the provisions within the Singapore Personal Data Protection Act are advisory and not legally binding, particularly in relation to industry-specific advice, penalties for non-compliance are severe.
The maximum financial penalty for non-compliance has been increased to one million SGD. For organizations with a turnover of more than 10 million SGD, the maximum fine is 10% of the organization’s turnover.
Although penalties remain much lower than those in the EU, businesses with significant operations in Singapore could be hit hard in the event of non-compliance.
The 2020 amendments have stated that penalties will not be enforced on businesses that fail to comply until November 2021.