Breach of PDPA Singapore: 5 Things Your Organisation Should Know
With bad actors constantly probing for their next victim, organisations in Singapore are taking extra precautions, putting additional safeguards and protocols in place to ensure that no data breach occurs.
Curious why? It is because of the Personal Data Protection Act, or PDPA. The PDPA is a law that imposes mandatory obligations on organisations in Singapore governing the collection, use and disclosure of individuals' personal data, and it provides guidelines for organisations to follow in anything involving personal data.
With the PDPA in place, organisations are compelled to handle personal data to the highest standards and must not take it lightly. As past decided cases show, breaching the PDPA prompts the Personal Data Protection Commission (PDPC) to impose a hefty financial penalty of up to S$1,000,000.
The 5 things organisations should know about breaching the PDPA
1. Potential entry points of a data breach
A data breach can happen in the least expected ways and through multiple entry points, and in the majority of decided cases the breach was caused by an employee's error.
When an organisation lacks policies for employees to follow, and lacks the training that keeps them informed and aware of the threats they face, employees typically fall victim to social engineering tactics. Under the same conditions, they may also make the honest mistake of sending a document containing personal data to the wrong recipient. Either way, this becomes the entry point for a data breach.
In one decided case, an employee repurposed a document containing personal data, breaching the retention obligation under the PDPA. In another, a ransomware infection followed a successful phishing email sent to an employee, affecting the personal data of thousands of individuals and breaching the protection obligation.
But the spotlight is not on employees alone. When the organisation itself does not conduct vulnerability testing before a new website or application goes live, that too can be an entry point for a breach. In the ChampionTutor case, the organisation failed to perform its due diligence by conducting vulnerability testing that would have discovered the loopholes in its website; these led to an SQL injection attack affecting the personal data of 4,625 individuals.
Such entry points are especially likely when the organisation has no Data Protection Officer (DPO) to help set up the policies that employees and the organisation itself must follow. The DPO is the officer in charge of overseeing the organisation's cybersecurity hygiene and ensuring that the opportunities for a data breach are kept to a minimum, if not eliminated.
2. Impact of a breach
A data breach is a big deal for organisations, big or small. A successful data breach can disturb the organisation's operations and, with them, its normal cash flow. Furthermore, a breach brings the possibility of a hefty financial penalty of up to S$1,000,000, further denting the finances of an organisation whose services have already been halted.
Moreover, a breach can cost the organisation the trust of its customers and prospective clients. A single breach can tarnish a reputation that took years to build, with further loss of income as a result.
3. Organisations must ensure they have the right posture at all times
To prevent a data breach and its severe consequences, the organisation must ensure that it has the right posture at all times. This can be done by having a DPO oversee the organisation's cybersecurity hygiene, set up training for employees, and ensure that the organisation has up-to-date data protection policies in place.
4. Breaches happen. What’s next?
Given the sophistication of today's bad actors, a breach can still happen regardless of proactive efforts to prevent it. So what's next? What should you do to mitigate the financial penalty that could be imposed on your organisation?
In the cases decided by the PDPC, there are instances where it only issued a warning or directions to the organisation, simply because the organisation had not been negligent in setting up the necessary safeguards and had acted promptly in reporting the breach to the PDPC and liaising with it.
So when an organisation suffers a breach despite having done its best to prevent it, it must ensure that safeguards are in place and that immediate mitigating actions are taken to contain the breach. As soon as possible, the organisation must report the breach to the PDPC, liaise with it, and inform the individuals affected that their data was leaked.
This also highlights the importance of a DPO, whether in-house or outsourced, since the DPO is responsible for meeting the PDPA's other requirements, including notifying both the PDPC and the individuals affected by the breach.
5. Picking up the pieces after the incident
After an organisation suffers a data breach, the goal is not to make the same mistake twice. The organisation must ensure that a posture of good cyber hygiene is maintained, and that employees are well aware that a breach can happen again if they are not careful about what they click in unexpected email attachments. To that end, both the organisation and its employees must follow the best practices available.
Organisations can suffer a breach at any time if they are not careful about how they handle the personal data entrusted to them by their customers. The cases already decided by the PDPC serve as a guide, so that we do not repeat the mistakes other organisations made.
With this said, it is the obligation of each organisation in Singapore to keep its data protection policies up to date, which can save it money by preventing a successful data breach.