Privacy Ninja

Protection Obligation: What every organization should know

Organizations should take note of the Protection Obligation to avoid a breach and a hefty penalty.

What every organization should know about the Protection Obligation

Organizations should implement the necessary security measures to safeguard the personal data in their possession or under their control, as well as the storage media or devices on which such data is stored. This is done to prevent any unauthorized access, collection, use, or disclosure of such data.

This is inscribed in Section 24 of the Personal Data Protection Act, which provides that “organizations should make reasonable security arrangements to protect personal data in its possession or under its control in order to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.”

Organizations cannot comply with the Protection Obligation using a “one-size-fits-all” approach. Each organization should consider adopting security measures that are reasonable and appropriate in the circumstances, such as taking into account the nature of the personal data, the form in which the personal data has been collected (e.g., physical or electronic), and the possible impact on the individual if an unauthorised person obtained, modified, or disposed of the personal data.

For instance, in the employment context, it would be appropriate to apply a higher level of security to confidential employee evaluations than to more general information about a worker’s past projects.

The Protection Obligation requires organizations to place reasonable measures and safeguards to protect personal data, and appoint a DPO.

In practice, an organization should:

a) design and organize its security arrangements to fit the nature of the personal data held by the organization and the possible harm that could result from a security breach;
b) identify reliable and well-trained personnel responsible for ensuring information security;
c) implement robust policies and procedures for ensuring appropriate levels of security for personal data of varying sensitivity; and
d) be prepared and able to respond to information security incidents.

In addition, organizations may find it valuable to do a risk assessment to determine whether current information security measures are adequate. In doing so, the following things may be taken into account:
a) the size of the organization and the quantity and type of personal data it has;
b) who within the organization has access to the personal data; and
c) if the personal data is or will be held or used on behalf of the organization by a third party.


Breach of Protection Obligation by Trinity Christian Centre

The recent decision released by the PDPC involving the Trinity Christian Centre underscores the importance of complying with the Protection Obligation under the PDPA. After breaching the Obligation, Trinity was made to pay a whopping S$20,000 fine.

In this case, the PDPC was notified on March 11, 2021, that Trinity’s database servers containing personal data had been infected with ransomware.

The database servers housed the data of 72,285 individuals at the time of the Incident. The data affected varied from individual to individual and in some cases included their name, full identification number, residential address, contact number, email address, photograph, date of birth, age, marital status, education level, and description of a medical condition.

The organization’s own investigation revealed that it had maintained an open, publicly exposed Remote Desktop Protocol (RDP) port. Using compromised administrator account credentials, the threat actor connected through this port, entered the organization’s network and database server, and executed the ransomware attack.

For this Incident, Trinity Christian Centre was made to pay a financial penalty of S$20,000 for breaching the Protection Obligation: it had failed to make reasonable security arrangements to ensure that safeguards were in place to prevent a ransomware infection.

This decision also underscores the importance of appointing a DPO to ensure that vulnerabilities in the organization’s networks and servers are identified and addressed. It is within the DPO’s scope of work to ensure that known vulnerabilities are patched so that threat actors cannot exploit them.

How a DPO can help organizations

The Protection Obligation is the obligation under the PDPA most commonly violated by organizations, especially SMEs. When organizations fail to observe this obligation, the PDPC can impose a financial penalty. To help ensure that this does not happen to your organization, a DPO can help.

A Data Protection Officer (DPO) oversees data protection responsibilities and ensures that the organization complies with the Personal Data Protection Act (PDPA). Furthermore, every organization’s DPO should be able to curb cyber threats and data breaches, as the DPO is the officer responsible for maintaining a positive cybersecurity posture for the organization.

For instance, at Privacy Ninja, we regularly conduct penetration testing to see whether the organization’s systems can be exploited, and we patch any weaknesses found as quickly as possible, before a bad actor can take advantage of them.

DPOs complement the efforts of organizations in making sure that the personal data collected and used is accurate. When the obligation has been breached, DPOs ensure that a protocol for dealing with the breach has been established and can be put into action.

As a consumer who provides my very own sensitive information to each organization I encounter or have a transaction with, I would feel safe if an organization would take the extra mile to ensure that my data is correct and concise as it affects me whenever a decision is made.
