Singapore’s Personal Data Protection Commission (PDPC) has announced that mandatory data breach notification will soon come into force in Singapore. However, not every breach must be reported. This guide helps businesses understand when, to whom, and how to notify in the event of a data breach.
A data breach is defined as any unauthorised access, collection, use, disclosure, copying, modification, or disposal of personal data in the possession or under the control of an organization.
When and to whom should a company report a data breach?
1. When the data breach that occurred is:
2. When a data breach is likely to cause significant harm or impact to the individuals to whom the information belongs, an organization must notify affected individuals (including parents and legal guardians of minors whose personal data is compromised).
There may be exceptions where:
3. When a data intermediary (i.e., an organization that processes personal data on behalf of another) becomes aware of a data breach, it must notify that organization without undue delay (i.e., within 24 hours).
To PDPC:
Reporting should be done as quickly as possible, and no later than three days after the organization determines that a breach is notifiable.
Organizations must:
Notifications made after three days are in breach of the PDPA.
To affected individuals:
• As soon as possible.
To PDPC:
To affected individuals:
If the organization operates in a regulated sector, it may also be obligated to notify the relevant sector regulator. In Singapore, for example, financial institutions must report to the Monetary Authority of Singapore (MAS) within one hour of discovering a relevant incident (i.e., a system malfunction or IT security incident that has a severe and widespread impact on their operations or materially impacts their service to customers). They must also submit a root-cause and impact analysis report to MAS within 14 days of discovering the incident.
While it is not required, an organization should also inform the authorities if it detects criminal behavior (e.g., hacking, theft, or unauthorized system access). It can also contact the Singapore Computer Emergency Response Team (SingCERT) for technical assistance in the event of a computer security incident.
Depending on the jurisdiction, mandatory notification rules may also apply if the data breach affects personal data stored outside Singapore. The EU, California, the Philippines, China, Australia, and South Korea are among the jurisdictions that currently have mandatory breach reporting laws in place.