Privacy Ninja


PDPC: New guidance on personal data protection practices

The PDPC releases new guidance on personal data protection practices, and we are here to learn about them.

Personal data protection 

As defined by the Personal Data Protection Commission, personal data refers to data about an individual who can be identified from that data, or from that data together with other information to which the organisation has or is likely to have access.

Under the Personal Data Protection Act (PDPA), organisations that have access to such data are held accountable for protecting it: when a data breach occurs, the organisation can be fined. The resulting fine is usually hefty and can range up to 1,000,000 SGD.

The PDPA and PDPC

The PDPA is the law enforced by the PDPC, and it provides a baseline standard of protection for personal data in Singapore. The PDPA complements sector-specific legislative and regulatory frameworks, such as the Insurance Act and the Banking Act.

Over the years, the PDPA has been amended to make it more comprehensive and to reflect PDPC decisions and undertakings. Most recently, the PDPC released new guidance on data protection practices that draws on further PDPC decisions and undertakings, which we discuss below.


Personal Data Protection Commission’s new guidance on data protection practices: The Guide, Handbook, and Checklists

The new edition of the Guide to Data Protection Practices for ICT Systems consolidates data protection practices from PDPC’s past advisory guidelines and guides. It also incorporates lessons learned from PDPC decisions and undertakings, and it recommends both basic and enhanced practices that organisations should build into their ICT systems, processes, and policies.

The Handbook on How to Guard Against Common Types of Data Breaches is likewise based on PDPC decisions and undertakings regarding breaches, and it identifies the five (5) common gaps in ICT system management and processes that may result in a data breach.

Lastly, the PDPC also released two (2) Checklists to Guard Against Common Types of Data Breaches to help organisations put policies in place and review them alongside their technology controls and processes, so as to avoid the mistakes caused by negligence that often result in a data breach.

The PDPC released new guidance on personal data protection practices, and organisations are expected to follow it.

The Guide to Data Protection Practices for ICT Systems 

For easy reference by an organisation’s ICT team and its vendors, the new Guide to data protection practices for ICT systems is grouped into three main sections. Each section recommends the basic and enhanced ICT practices that organisations can implement to support the corresponding stage of the data lifecycle:

  • Collection of personal data; policies and risk management practices, covering governance; collection of personal data; correction and accuracy of personal data; notification of purpose; managing consent; access; housekeeping of personal data; and retention of personal data.
  • Web applications and website security; ICT control measures, covering authentication, authorisation, and passwords; database security; ICT security and testing; and computer networks.
  • Compliance, monitoring, alerts, testing, and audits; standard operating procedures and ICT operations, covering security awareness; portable computing devices and removable storage media; cloud computing; and personal computers and other computing devices.

The Handbook on How to Guard Against Common Types of Data Breaches

The Handbook, compiled by the PDPC, identifies the five common gaps in an organisation’s ICT system management and processes, drawn from PDPC decisions and undertakings:

  1. Accounts and passwords: Accounts and passwords must be securely managed so that they cannot be used to gain easy access to databases and cause breaches. Access must be limited to authorised personnel, and organisations must periodically review user accounts and remove those no longer needed. To limit the risk of brute-force attacks, organisations must enforce a strong password policy.
  2. Coding issues: Mistakes made in the early phases of programming can lead to errors that disclose the personal data of individuals. To limit this, the IT team should design before coding and perform a thorough impact analysis; invest the effort to document all software, functional, and technical specifications; and make sure the application has been tested thoroughly and has undergone code review.
  3. Configuration issues (including issues in code management and deployment): Many ICT systems are configurable. When their settings are left insecure, including being left at their defaults, the result can be unintended disclosure of personal data. This can be prevented by hardening system configuration instead of keeping default settings, managing configuration settings systematically, and automating build and deployment processes.
  4. Malware and phishing: Many organisations fall victim to phishing emails carrying malware in their attachments. Because such emails convincingly imitate a legitimate website or a known company, employees are easily deceived into opening the attached file or clicking the link. To prevent this, the organisation can run simulated phishing exercises and educate employees to stay alert when they come across such emails in their accounts.
  5. Security and responsibility issues: During the design and development phases, the organisation must consider the probability of a breach during testing. In such testing, the organisation must ensure that the team uses only synthetic data and never actual personal data. Furthermore, for administrative account log-ins, the organisation must use multi-factor authentication and require complex passwords.

Checklists to Guard Against Common Types of Data Breaches 

The checklists for personal data protection practices complement the Handbook, and they aim to help organisations:

  • Strengthen responsibilities around coding and security awareness; and
  • Avoid coding issues by establishing good data protection practices during the development phase of the application and in its support practices.

The PDPC expects organisations that handle personal data to implement the relevant enhanced practices suggested in each section, especially those that handle large quantities of different types of personal data, or data that may be more sensitive to the individuals or organisations concerned.
