How To Comply With PDPA: A Checklist For Businesses
Read on for more information on how to comply with the PDPA, because organisations in Singapore have an obligation to ensure that the personal data under their management is safeguarded.
✍️ It all starts with a basic overview and understanding of the PDPA provisions. As they say, ignorance of the law excuses no one. Let Privacy Ninja’s PDPA Consultancy & Training provide you with the knowledge as well as steps on how it may be applied to the organisations for compliance. Get started today.
At the recent Singapore Budget 2021 presentation, cybersecurity has been highlighted – yet again – as among the emerging technologies that will benefit from the government’s SG$24 billion (US$18.1 billion) funding. Undoubtedly, organisations stand to gain from the government’s efforts to tighten cybersecurity measures. However, these also serve to remind them of their own obligations to protect personal data under their management.
With the unprecedented growth in data-centric technologies plus digitalisation in general, there is also a rapid growth in the amount of personal data collected and processed in Singapore and beyond.
In Singapore, it is mandatory for companies to obtain an individual’s consent before they can collect, use, or disclose any personal information pertaining to that individual. The Personal Data Protection Act (PDPA) hinges on two key pillars for safeguarding consumers: the Do Not Call (DNC) Registry and general data protection provisions. As a business operating in Singapore, it is your duty to understand the scope of this regulation and its potential impact on your firm’s operations.
PDPA Amendment Act 2020
In November 2020, the timely Personal Data Protection (Amendment) Bill 2020 was passed. This seeks to:
- bolster the accountability of organisations
- recalibrate the balance between individuals’ consent and organisational accountability, so that data can be leveraged for relevant and legal purposes
- allow greater consumer freedom over their own personal data, and
- enhance the effectiveness of enforcement efforts by the Personal Data Protection Commission (PDPC).
These amendments to the PDPA couldn’t have come at a better time. In the swift-changing landscape of the digital economy, Singapore’s personal data protection laws are brought up-to-date and are aligned with international standards like the GDPR.
Personal data – a refresher
Under the PDPA, “personal data” is defined as: (a) data about a person who can be identified from that data itself, or (b) data about a person who can be identified from that data together with other information to which your business has, or is likely to have, access.
Check out examples of personal data that can, on its own, identify an individual:
- Biometric identifiers (e.g. face geometry or fingerprints)
- Name and NRIC number
- Photograph or video image of a person
- Voice of a person
- DNA profile
It should also be noted that the PDPA safeguards, to a limited capacity, the personal data of individuals who have been deceased for less than 10 years. For such personal data, only the provisions pertaining to the disclosure and safeguarding of personal data will apply.
✍️ Under the PDPA, it is mandatory for all businesses in Singapore to appoint a Data Protection Officer (DPO). Do you know that you can outsource your DPO? Let us know how we can help you in this area, so you can focus on growing your business. Get started today.
Why is it crucial to learn how to comply with PDPA?
While it is true that compliance with PDPA helps keep hefty fines at bay in the event of a breach, there’s more to this than merely preventing your cashflow from getting disrupted:
- When your business demonstrates compliance, there’s a higher chance that you will gain customer loyalty.
- You cultivate trust among stakeholders which include your customers, employees, and other relevant profiles in your organisation’s community.
- PDPA compliance can help to lower the risk of a data breach, and reduce the impact should a breach really happen.
Your checklist on how to comply with PDPA
Does your business regularly collect personal data? If the answer is yes, the following checklist is a must-have for your organisation, to keep track of your compliance with the PDPA provisions:
- What personal data is being collected – this is to comply with the Protection Obligation. Knowing the different kinds of personal data your organisation collects gives you a clearer view of the protective measures required, and lets you check whether the data being collected actually serves the purposes for which it is collected.
- Why such personal data is being collected – this is to comply with the Purpose Limitation Obligation and the Retention Limitation Obligation.
- Who is collecting the personal data – this is to comply with the Consent Obligation and Notification Obligation. In the collection process, only authorised staff who have received sufficient training in PDPA compliance should be participating.
- Where the personal data is stored – this is to comply with the Protection Obligation.
- Who receives the personal data being collected – this is to comply with the Access and Correction Obligation and the Protection Obligation. Businesses in Singapore are required by law to provide access to an individual’s personal data if requested by that individual. However, before doing so, it is your duty to verify the identity of the individual, for instance by asking for relevant identification documents before granting such access. This, in turn, prevents unintended leaks of personal data to someone impersonating the data subject.
In an era of rapid digitalisation, consumers are more empowered than ever to know the value of their personal data. They are also in a better position to demand its safekeeping and management.
If you need more information on how your organisation can achieve full PDPA compliance, we at Privacy Ninja are here to help! Simply drop us a note and our best consultants will reach out to you.