Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Top 8 Main PDPA Obligations To Boost And Secure Your Business

pdpa obligations
The PDPA obligations require organizations to develop and implement policies and procedures that clearly notify customers that their personal data is being collected.

Top 8 Main PDPA Obligations To Boost And Secure Your Business

As a result of recent regulations, Singapore companies are required to obtain the consent of an individual before they can collect, use, or disclose any personal information related to that individual. The Personal Data Protection Act (or PDPA) relies on two main pillars for protecting consumers: the Do Not Call (DNC) Registry and general data protection provisions. If you manage a company based in Singapore, you should understand the scope of this regulation and its possible impact on the operations of your firm. This article provides such an overview of the PDPA.

How the PDPA obligations defines personal data

Personal data is any data that can be used to identify an individual on its own, which is considered uniquely identifying data. In addition, generic data used along with uniquely identifying data is also considered personal data. Although not exhaustive, the Personal Data Protection Act Commission (PDPAC) has prepared a list of examples of personal data.

Uniquely identifying data:

  • Full name
  • NRIC Number or FIN (Foreign Identification Number)
  • Passport number
  • Personal mobile telephone number
  • Facial image of an individual (e.g. in a photograph or video recording)
  • Voice of an individual (e.g. in a voice recording)
  • Fingerprint
  • Iris image
  • DNA profile

Generic data:

  • Gender
  • Age
  • Nationality
  • Past employment
  • Education
  • Income
  • Spending habits
  • Medical information

Types of personal data that are exempt:

  • Business contact information such as an individual’s name, position, title, business phone number, business address, business email address or business fax number.
  • Personal data that has been recorded at least 100 years
  • Personal data of a person who has been deceased for over 10 years

Compliance under PDPA

In the PDPA, the government of Singapore has outlined 8 obligations that companies collecting and using personal data must follow.

  1. Consent, Purpose Limitation and Notification Obligation
  2. Access and Correction Obligation
  3. Accuracy Obligation
  4. Protection Obligation
  5. Retention Limitation Obligation
  6. Transfer Limitation Obligation
  7. Openness Obligation
  8. Do Not Call Provisions
Companies must develop and implement policies to meet its obligations under the PDPA.

The Obligations for Organisations under PDPA

1. Consent, Purpose Limitation and Notification Obligation

The PDPA obligations requires organisations to develop and implement policies and procedures that clearly notify customers that their personal data is being collected. In addition, companies must notify customers on how the data may be used and where it may be disclosed. Lastly, before any personal data is collected, the customer must first offer their consent.

How to comply

  • Create a privacy policy that is available to the public: The PDPAC recommends companies create a privacy policy that can be displayed publically, for example on the company website.
  • Obtain consent from customers in your terms and conditions: The PDPA obligations requires that customers must voluntarily give their consent through an opt-in mechanism rather than an opt-out failure.
  • Allow Customers to withdraw their consent to collect personal data

2. Access and Correction Obligation

If requested companies must provide customers with their personal data that has been collected and inform the customer on how the data has been used or disclosed in the past year. In addition companies must change the personal data of a customer if requested.

How to Comply

  • Provide customers with their personal data within 30 days: Under the PDPA, if a company cannot respond to a customer’s access request within 30 days, then the company will have an additional 30 days from the date they were unable to fulfill the request to respond in writing to the customer.
  • Allow customers to update, correct and delete data

3. Accuracy Obligation

Companies must take reasonable steps to verify that the data they store on customers is accurate if they plan to use personal data to make decisions regarding the customer, or disclose the personal data.

How to Comply

  • Require verbal or written confirmation from the customer: Companies can require customers to make a verbal or written confirmation that the personal data provided is accurate and complete. Furthermore, in cases where the recency of the data is important, companies can also take measures to confirm the personal data provided by the customer is up-to-date.
  • Take extra steps to verify data from a third party provider: Companies can obtain confirmation from a third party data provider that the accuracy of the personal data has been verified.

4. Protection Obligation

Companies must protect any personal data in order to prevent the unauthorised access, collection, use, disclosure, copying, modification or disposal.

How to Comply

  • Take cybersecurity measures to safeguards data: The PDPAC recommendations include but are not limited to:
    • Ensuring computer networks are secure
    • Adopting appropriate access controls
    • Encrypting personal data
    • Installing appropriate computer security software and using suitable computer security settings
    • Eliminating all personal data from devices that are to be recycled, sold or disposed
    • Updating computer security and IT equipment regularly
  • Take physical security measures to safeguard data: The PDPAC recommendations include but are not limited to:
    • Marking confidential documents clearly and prominently
    • Storing confidential documents in locked file cabinet systems
    • Restricting employee access to confidential documents on a need-to-know basis
    • Using privacy filters to minimise unauthorised personnel from viewing personal data on laptops
    • Properly disposing of confidential documents that are no longer needed, through shredding or similar means
  • Take administrative measures to ensure personal data security: The PDPAC recommendations include but are not limited to:
    • Requiring employees to be bound by confidentiality obligations in their employment agreements
    • Implementing robust policies and procedures (with disciplinary consequences for breaches) regarding confidentiality obligations
    • Conducting regular training sessions for staff to impart good practices in handling personal data and strengthen awareness of threats to security of personal data
    • Ensuring that only the appropriate amount of personal data is held, as holding excessive data will also increase the efforts required to protect personal data

5. Retention Limitation Obligation

Companies are required to dispose of personal data as soon as it has fulfilled a legal or business purpose.

Companies must take reasonable steps to verify that the data they store on customers is accurate if they plan to use personal data to make decisions regarding the customer or disclose the personal data.

How to Comply

  • Prepare an appropriate personal data retention policy: Fintech companies can develop procedures that outline when stored personal data will be periodically reviewed. Furthermore, policies can be established on how to best store personal data so that it complies with the retention limitation obligation.
  • Dispose of personal data as soon as it’s no longer useful: The PAPAC examples of how to cease to retain documents include but are not limited to:
    • Returning the documents to the customer
    • Transferring the document to another person based on the instructions from the customer
    • Destroying the documents. by shredding them or disposing of them in an appropriate manner
    • Anonymising the personal data

6. Transfer Limitation Obligation

Companies cannot transfer data to a country outside of Singapore.

7. Openness Obligation

Companies must develop and implement policies to meet its obligations under the PDPA.

How to Comply

  • Designate an individual responsible for compliance with the PDPA: Companies must designate at least one person who will ensure compliance with the PDPA. Note that the PDPA obligations compliance officer does not need to be an employee of the company.

8. Do-Not-Call-Provisions

Fintech companies are required to check the Do-not-call register and receive unambiguous consent from customers before they send marketing material

How to Comply

  • Check the Do-not-call register before sending marketing material: Companies are required to check the DNC registry within 30 days of sending marketing material to a customer through a Singapore phone number.
  • Receive unambiguous consent: Companies are not required to check the Do-Not-Call registry if they have already received clear and unambiguous consent from customers to receive marketing messages through their Singapore

Further resources for PDPA obligations compliance

The PDPAC has created a number of resources to help companies comply with PDPA obligations regulations and stay up-to-date with new changes.

  • To see how well your company follows PDPA obligations guidelines, you can follow the PDPA obligations checklist.
  • For additional examples of how your company can stay in compliance see the PDPA Obligations Guidelines.
  • Finally, for an exhaustive guide to PDPA obligations compliance see the PDPAC Advisory Guidelines

Also read: 4 easy guides to data breach assessment



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us