'Most Innovative Startup 2020' by RSA - Watch the videoLearn More
Singapore enacted the Personal Data Protection Act (the "PDPA") in 2012, which came into force in different phases; the provisions concerning data protection were enforced on 2nd July 2014. There are two main sets of provisions in the PDPA; provisions related to ‘Data Protection’ govern the collection, use, and disclosure of individuals' personal data, and the provisions pertaining to Singapore’s national ‘Do Not Call Registry’ set out the organisation’s obligations in relation to sending marketing messages to Singapore's national phone numbers.
The Personal Data Protection Regulations 2014, issued under the PDPA, specifically lay down the data transfer out of Singapore requirements, and the procedure of data access and/or correction requests from individuals. Singapore has recently introduced new extensive amendments to PDPA through the Personal Data Protection (Amendment) Act 2020
‘Anonymised data' does not come under the scope of the PDPA.
Organisations that handle and control personal data must comply with the following obligations stated under Part III to VI of the PDPA.
PDPA covers any organisation that deals with the collection, use, and/or disclosure of personal data from individuals in Singapore, whether the organisation is located in Singapore or not. However, this Act does not cover the following:
Any individual acting in a personal or domestic capacity;
Any employee acting in the course of his or her employment with an organisation;
Any public agency; and
Any organisation in the course of acting on behalf of a public agency in relation to the collection, use, or disclosure of personal data.
As per Part II of the PDPA, Personal Data Protection Commission (PDPC) is the regulatory body to enforce the provisions of PDPA. The PDPC is empowered with broad discretion to issue remedial directions, initiate investigation inquiries, and impose fines and penalties on the organisations in case of any non-compliance of PDPA.
If organisations misuse the personal data or hide information concerning its collection, use, or disclosure, PDPA states penalties not exceeding S$50,000 (approx. $36,000).
Penalty for hindering a PDPC investigation can lead to a fine of not more than S$100,000 (approx. $72,000). The PDPA states that companies are also liable for their employees’ actions, whether they are aware of them or not.
New amendments to PDPA have enforced increased financial penalties for breaches of the PDPA up to 10% of annual gross turnover in Singapore, or S$ 1 million, whichever is higher.
Non-compliance with specific provisions under the PDPA may also constitute an offense, for which a fine or a term of imprisonment may be imposed.
An individual can bring a private civil action against an organisation for having suffered loss or damage directly due to a contravention of the provisions of the PDPA.
Given the complex obligations for the organisations to manage the disclosure, access, and modification requests of the individuals, ensuring the effective security measures, fulfilling data breach notification requirements, and other compliance requirements, complying with the PDPA can be very labor-intensive and costly.
Securiti is the leader in AI-powered PrivacyOps and data governance. Similar to DevOps for software, PrivacyOps reimagines how to implement privacy management throughout an organisation efficiently.
Securiti is a recognized innovator in this market, having been awarded "Most Innovative Startup" at RSA Conference 2020, and Leader in the Forrester Wave: Privacy Management Software. Securiti's PrivacyOps solution uniquely combines real-time sensitive data intelligence harnessing bot and AI technology with full workflow automation of all the major privacy compliance functions.