4 Considerations In The PDPA Singapore Checklist
The PDPA Singapore checklist is a must-have for organisations operating in Singapore because as the famous line goes, “ignorance of the law excuses no one”.
The Personal Data Protection Act 2012 (PDPA) governs the collection, use and disclosure of personal data. The main purpose of the Act is to ensure that a) all personal data is managed in a way that respects the privacy and ownership rights of individuals, and b) organisations use such data only for legitimate business purposes.
The PDPA acknowledges both:
The right of individuals (natural persons, whether living or dead) to safeguard their personal data; and
The need of organisations (all corporate bodies such as companies, and unincorporated bodies, including those formed or resident outside Singapore) to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate.
Compliance with the PDPA is compulsory for organisations operating in Singapore (both companies and unincorporated bodies) with regard to the collection, use and disclosure of personal data. Hence, this PDPA Singapore checklist applies to these organisations.
Do take note that the following are not bound by the PDPA provisions:
Persons acting in a personal or domestic capacity;
Public agencies;
Organisations acting on behalf of a public agency in relation to the processing of personal data.
Why must organisations understand the PDPA Singapore checklist?
In the age of digitalisation, an individual’s personal data is akin to digital currency. As consumers become empowered with the knowledge of their rights to data privacy and personal data protection, a business that can demonstrate compliance will surely be able to gain better customer loyalty.
The PDPA Singapore checklist under 4 classifications
The considerations that organisations should deal with can be broadly classified into four categories.
1. Collection, management, retention and disposal of personal data
Does your organisation ensure that personal data is collected only for the stated purpose and not for some other undisclosed purpose?
Are the individuals whose data is collected made fully aware of the purpose of collection on or before their personal data is collected?
Organisations must also limit the collection of sensitive data to what is relevant and necessary, and must not collect it unnecessarily.
Has your organisation sought and obtained consent for the collection, use and disclosure of personal data?
Does your organisation also ensure that any third party involved in data collection is clear on its PDPA duties and adheres to the PDPA provisions governing the handling and collection of personal data by third parties?
Does your organisation ensure the proper use and disclosure of the personal data it collects?
Is your organisation knowledgeable about the transfer of personal data, and can it ensure that transfers of data overseas comply with the PDPA?
Does your organisation know and understand its PDPA obligations when working with a third party (such as an agent or a data intermediary) that manages the transfer of personal data on its behalf?
2. Security, update, and maintenance of personal data
Does your organisation have proper security arrangements in place to prevent unauthorised access to, collection of or use of the personal data in its possession or under its control?
These security arrangements must be based on a relevant risk assessment that considers the kind and sensitivity of the personal data and the likelihood and impact of unauthorised access, deletion or other use.
Organisations must see to it that these security provisions are constantly updated and shared with relevant stakeholders.
Organisations must also ensure that processes are in place for third parties to make reasonable arrangements to protect personal data.
Does your organisation have appropriate data retention policies for the various types of personal data it holds? This also applies to third parties holding personal data on its behalf.
Does your organisation have provisions in place to deal with unsolicited personal data?
Does your organisation have provisions in place to dispose of personal data? This also applies to third parties holding personal data on its behalf.
Does your organisation make sure that its personal data is correct, and that personal data shared with other organisations is correct and complete?
How does your organisation handle erroneous data?
3. A person’s rights to personal data access and erasure