Amendments to Singapore's Personal Data Protection Act Take Effect

by Chris Brook on Monday November 16, 2020

Singapore's recently amended Personal Data Protection Act (PDPA) increases the penalties imposed on companies for data breaches and recognizes the rights of individuals to protect their personal data.

Recent changes to Singapore's personal data protection law have strengthened the accountability of organizations and granted consumers more control over their own personal data.

Amendments to the sovereign island city-state's Personal Data Protection Act passed earlier this month bring its data protection laws up to date with the rest of the world's.

Organizations that either operate in Singapore, handle Singapore data, or maintain a server in Singapore will want to verify that the correct safeguards are in place in the event there's a data breach.

Under the recent changes, in the event of a data breach organizations will have to notify Singapore's Personal Data Protection Commission within three calendar days after the breach if it’s likely to result in "significant harm to the affected individuals or are of a significant scale (more than 500 affected individuals)." Individuals need to be contacted as soon as practicable under the new amendment as well.

A new consent exception in the act, similar to one in the European Union’s General Data Protection Regulation (GDPR), carves out a way for organizations to collect, use, or disclose personal data without consent, if so-called "legitimate interests" and a benefit to the public outweigh the effect on the individuals. This sounds like it would come into play if the data processed would help detect or deter any illegal activities or threats to security. Another instance in which this might be used could be detecting anomalies in payment systems to detect fraud.

Organizations would still have to satisfy a number of requirements, like fulfilling a risk and impact assessment (basically a way to determine if it'd affect the individual) before moving forward.

As far as individuals go, a new data portability right will be made available to data subjects under the new iteration of PDPA; individuals can request their data be transferred to another service provider. To do so, organizations will need to keep tabs on a data subject's personal data for a set time after the access or porting request.

Another change involves the amount an organization can be fined. Companies with an annual turnover in Singapore exceeding $10 million can now be fined up to 10% of this turnover or $1 million, whichever is greater. Currently the most a company can be fined for a data breach is $1 million.

It's the first time the PDPA has been amended since 2012, when it was first enacted. Previous tweaks to the act came in 2014 when regulations around the legislation were issued and when organizations were asked to comply with its data protection requirements.

To prep for recent changes to the PDPA, law firms that specialize in data protection are encouraging organizations in Singapore to double check that their data privacy policies are aligned to comply with the act. They’re also being instructed to conduct PDPA training for employees and highlight the possibility of personal liability for failure to act in accordance with the company’s data protection policies and procedures and social media policies.

Tags:  Data Privacy
