4 Considerations In The PDPA Singapore Checklist: The Specifics
The PDPA Singapore checklist is a must-have for organisations operating in Singapore because, as the famous line goes, “ignorance of the law excuses no one”.
The Personal Data Protection Act 2012 (PDPA) governs the collection, use and disclosure of personal data. The Act's main purposes are to ensure that a) all personal data is managed in a way that respects the privacy and ownership rights of individuals, and b) organisations use such data for legitimate business purposes only.
The PDPA acknowledges both:
- The right of individuals (natural persons, whether living or dead) to safeguard their personal data; and
- The need of organisations (all corporate bodies such as companies, and unincorporated bodies, including those formed or resident outside of Singapore) to collect, use, or disclose personal data for purposes that a reasonable person would consider appropriate.
Implementation of the PDPA rules is compulsory for organisations operating in Singapore (both companies and unincorporated bodies) with regard to the collection, use, and disclosure of personal data. Hence, this PDPA Singapore checklist applies to these organisations.
Do take note that the following individuals are not bound by the PDPA provisions:
- Persons acting in a personal or domestic capacity;
- Public agencies;
- Organisations acting on behalf of a public agency in relation to the processing of the personal data.
Why must organisations comprehend the PDPA Singapore checklist?
In the age of digitalisation, an individual’s personal data is akin to digital currency. As consumers become empowered with the knowledge of their rights to data privacy and personal data protection, a business that can demonstrate compliance will surely be able to gain better customer loyalty.
PDPA compliance also builds trust among stakeholders, including customers, employees and shareholders, and, in the case of non-profit organisations, volunteers, donors and beneficiaries as well.
Additionally, PDPA compliance reduces the probability of a data breach and can lower the impact if a breach does happen.
Lastly, being compliant with the PDPA prevents or minimises regulatory penalties in the unlikely event of a breach.
Before moving on with the checklist, here are 5 things your organisation must keep track of to ensure compliance with PDPA provisions:
- What type of personal data is collected?
- What is the purpose of the collection of personal data?
- Who is collecting personal data?
- Where is the personal data stored?
- To whom is the personal data disclosed?
The PDPA Singapore checklist under 4 classifications
The considerations that organisations should deal with can be broadly classified into four categories.
1. Collection, management, retention and disposal of personal data
- Does your organisation ensure that personal data is collected only for the stated purpose and not for some other undisclosed purpose?
- Are the individuals whose personal data is collected informed of the purpose of collection on or before the collection of their personal data?
- Organisations must also limit the collection of sensitive data to what is relevant and necessary; it should not be collected unnecessarily.
- Is consent sought and obtained by your organisation for the collection, use and disclosure of personal data?
- Does your organisation ensure that third parties involved in data collection understand their PDPA duties and adhere to the PDPA's provisions on the handling and collection of personal data by third parties?
- Does your organisation ensure the proper use and disclosure of the personal data it collects?
- Does your organisation know how to handle transfers of personal data, and can it ensure that transfers of data overseas comply with the PDPA?
- Does your organisation understand its PDPA obligations when working with a third party (such as an agent or a data intermediary) that manages the transfer of personal data on its behalf?
2. Security, update, and maintenance of personal data
- Does your organisation have proper security arrangements in place to prevent unauthorised access, collection and use of the personal data in its possession or under its control?
- These security arrangements must be based on relevant risk assessments, the type and sensitivity of the personal data, and the likelihood and impact of unauthorised access, deletion or other use.
- Organisations must ensure that these security arrangements are kept up to date and shared with relevant stakeholders.
- Organisations must also ensure that processes are in place for third parties to make reasonable arrangements to protect personal data.
- Does your organisation have pertinent data retention policies for various types of personal data? This is also applicable to third parties in possession of its personal data.
- Does your organisation have provisions in place to deal with unsolicited personal data?
- Does your organisation have provisions in place to dispose of personal data? This is also applicable to third parties in possession of its personal data.
- Does your organisation ensure that the personal data it holds is accurate, and that personal data shared with other organisations is accurate and complete?
- How does your organisation handle erroneous data?
3. A person’s rights to personal data access and erasure
- Does your organisation have provisions in place, and provide information on, how individuals may withdraw consent to the use of their personal data and the implications of withdrawing consent?
- Does your organisation have provisions in place, and provide information on, how individuals can request access to their personal data? Is there a process in place to act on such requests?
- Does your organisation have provisions in place, and provide information on, how individuals can correct their personal data in its possession?
4. The implementation, governance and process transparency of PDPA compliance
- Does your organisation have provisions and practices in place to manage personal data?
- Does your organisation share its data protection provisions and practices with relevant internal and external stakeholders?
- Does your organisation regularly review and update its data protection provisions, and monitor whether its practices comply with them?
- Does your organisation accept and respond to queries on its collection, use and disclosure of personal data?
- Does your organisation carry out risk and impact assessments to identify, evaluate and address data protection risks?
- Does your organisation take Data Protection by Design into account in the development of a product, service, system or process?
- Does your organisation have a data breach management plan? The plan should comprise: a) the personnel responsible for managing a data breach incident, b) the timeline for reporting a data breach incident, and c) provisions for notifying affected individuals/organisations and the relevant regulators/enforcement authorities.
- Does your organisation have a Data Protection Officer (DPO) who is well versed in your data protection provisions and the PDPA?
- Is the business contact information of the DPO made available to the public?
- Is the DPO properly trained? The DPO should have received formal training on data protection compliance with the PDPA.
- Does your organisation carry out regular training to employees on the company’s data protection provisions and practices?
There you have it, the comprehensive PDPA Singapore checklist. If you need further clarifications on any section here, feel free to reach out to us.