Privacy Ninja

Understanding the mandatory data breach notification of Singapore


Singapore’s Personal Data Protection Commission (PDPC) has declared that the mandatory data breach notification will soon become required in Singapore. However, not all infractions must be reported. This guide is to help businesses understand when, to whom, and how to inform in the event of a data breach.

What exactly is a data breach?

A data breach is any unauthorised access, collection, use, disclosure, copying, modification, or disposal of personal data that is in the possession or under the control of an organization.

When and to whom should a company report a data breach?

1. An organization must notify PDPC when the data breach is:

  • likely to result in significant harm or impact to the individuals to whom the data relates; or
  • of a significant scale (as a rule of thumb, the personal data of 500 or more individuals is affected).

2. When a data breach is likely to result in significant harm or impact to the individuals to whom the data relates, the organization must also notify the affected individuals (including the parents or legal guardians of minors whose personal data is compromised).

Notification of affected individuals is not required where:

  • the personal data was encrypted and cannot be decrypted by an unauthorised party; or
  • remedial actions have been taken so that the breach is unlikely to result in significant harm or impact to the individuals.

3. When a data intermediary (i.e., an organization that processes personal data on behalf of another) becomes aware of a data breach, it must notify that organization without undue delay (i.e., within 24 hours).


Timeline for reporting in mandatory data breach notification

To PDPC:

Notification should be made as soon as practicable, and no later than three calendar days after the organization determines that a breach is notifiable.

Organizations must:

  • assess whether a suspected breach is notifiable within 30 days of becoming aware of it;
  • document the steps taken to assess the breach and record the reasons for any delay.

Notifications made after three days are in violation of the PDPA.

To Individuals who have been affected:

• As soon as possible.


What information should the notification contain?

To PDPC:

  • the extent of the data breach;
  • the type(s) and volume of personal data involved;
  • the cause or suspected cause of the data breach;
  • whether the data breach has been contained or resolved;
  • the controls and processes in place at the time of the data breach;
  • whether the organization has notified or will notify affected individuals; and
  • contact details of the organization's representative(s) whom PDPC can reach for further information.

To affected individuals:

  • how and when the data breach occurred;
  • the type(s) of personal data involved;
  • the potential harm or impact on affected individuals, where applicable;
  • actions taken or planned by the organization to address the risks arising from the data breach;
  • specific details of the data breach and the steps affected individuals should take to protect themselves from misuse of their data; and
  • contact details through which affected individuals can reach the organization for further information and assistance.

Other reporting requirements in Singapore to take note of

If the organization operates in a regulated sector, it may also be obliged to notify the sector's regulator. For example, financial institutions in Singapore must report to the Monetary Authority of Singapore (MAS) within one hour of discovering a relevant incident (i.e., a system malfunction or IT security incident that has a severe and widespread impact on their operations or materially impacts their service to customers). They must also submit a root-cause and impact analysis report to MAS within 14 days of discovering the incident.

Although it is not required, an organization should also inform the authorities if it detects criminal activity (e.g., hacking, theft, or unauthorised system access). It can also contact the Singapore Computer Emergency Response Team (SingCERT) for technical assistance with a cyber security incident.

Breach notification obligations in other jurisdictions may also apply if the data breach affects personal data held outside Singapore. The EU, California, the Philippines, China, Australia, and South Korea are among the jurisdictions that already have mandatory breach reporting laws.

What to do before the mandatory data breach notification kicks in

Organizations will most likely be granted some time to establish and implement the policies and practices required to comply with the new notification requirements. However, organizations should start on the following actions well in advance of any implementation deadline:

  • Review agreements to ensure they provide adequate data breach protection. This may include counterparty commitments on data privacy and security, incident reporting, subcontracting limits, audit rights, and insurance requirements. Engaging outside counsel is worthwhile to ensure contracts are robust, particularly where arrangements or negotiations are more complex.
  • Create a data breach response plan by updating internal policies and procedures. The plan should set out how stakeholders detect a breach, whom to notify, how to record and document essential information, and the specific actions to take in response to an incident.
  • Train staff on the relevant policies, processes, and plans, and run simulated data breach exercises to put them to the test.
