Any business that handles data must contend with an increasingly long list of compliance requirements. As concerns over the security and privacy of personal information multiply, national governments have acted to reassure their populations that businesses are using their data securely and ethically.
The Singapore Personal Data Protection Act (PDPA) of 2012 governs the collection, use, and disclosure of all personal data in relation to residents of Singapore. It was recently updated, with many amendments coming into force in November 2020.
Here’s what you need to know about the Singapore data protection law.
What is the Personal Data Protection Act (PDPA)?
The Personal Data Protection Act is Singapore’s primary law regulating how businesses handle the personal data of Singapore residents that they collect.
For the purposes of this law, personal data is any piece of information that could be used to identify an individual resident. This includes real-world data, such as names and physical addresses, as well as digital data, such as IP addresses.
Businesses should see the Singapore data privacy laws as the baseline standard of protection for data. With data protection in Singapore becoming a major public issue, the law installs nine data protection obligations with which businesses must comply.
PDPA Compliance
Complying with the Data Protection Act of Singapore may seem like a chore, but it shares many of the same provisions as the European Union’s (EU) GDPR. If your business is already GDPR compliant, there’s very little you’ll need to do to also comply with the provisions on data privacy in Singapore.
The Nine Data Protection Obligations
To achieve full compliance with the Singapore privacy law, there are nine primary data protection obligations. These are outlined below.
1. Consent
Consent is always required when collecting, using, or disclosing personal data.
2. Purpose Limitation
Businesses must be transparent when it comes to informing individuals as to why their personal data is being collected, how it will be used, and in which cases personal data will be disclosed. Furthermore, businesses must not use data for any other reason than its stated purpose.
3. Notification
Individuals must be notified as to why the business is collecting, using, and disclosing their data before they give their consent.
4. Access and Correction
Individuals have the right to access the personal data an organization has collected on them. They also have the right to request that corrections are made in the event of an error.
5. Accuracy
Businesses are required to make a reasonable effort to collect full and complete personal data, especially if decisions are made that may impact how this data is used.
6. Protection
Businesses must make arrangements to ensure that their data security in Singapore is of the highest standard. Organizations must prevent leaks, unauthorized access, copying, and modification.
7. Retention Limitation
Personal data may only be kept for a limited period. Once this period elapses, the data must be deleted permanently.
8. Transfer Limitation
Personal data may not be transferred outside of Singapore to any territory that does not have similar data standards to those of the Singapore Personal Data Protection Act.
9. National Do Not Call (DNC) Registry
Individuals registered in the national DNC registry must not be sent any unsolicited marketing messages.
2020 Amendments
Amendments were made to the Singapore data protection law in 2020. The big change was the requirement for compulsory data breach reporting. Businesses must report a breach immediately to both the Personal Data Protection Commission and the individuals impacted.
There are also increased financial penalties for data breaches.
As part of the tightening of the law, the rules on “deemed consent” have been expanded, new exceptions to consent added, spam control laws tightened, and brand new data portability obligations introduced.
Does PDPA Apply to My Business?
PDPA applies to virtually any business that handles the personal data of Singapore residents. The Singapore privacy law also applies to businesses that operate virtually, so there are no exemptions for organizations without a physical presence in Singapore.
The big exemption to these laws is that they only apply to private businesses. The public sector has a separate manual governing how data is collected, used, and disclosed.
Penalties for Non-Compliance
Although many of the provisions within the Singapore Personal Data Protection Act are advisory and not legally binding, particularly in relation to industry-specific advice, penalties for non-compliance are severe.
The maximum financial penalty for non-compliance has been increased to one million SGD. For organizations with a turnover of more than 10 million SGD, the maximum fine is 10% of the organization’s turnover.
Although penalties remain much lower than those in the EU, businesses with significant operations in Singapore could be hit hard in the event of non-compliance.
The 2020 amendments have stated that penalties will not be enforced on businesses that fail to comply until November 2021.
Ensure PDPA Compliance with Confidence
Navigating the complexities of the Singapore Personal Data Protection Act (PDPA) requires precision and expertise. With increasingly stringent regulations and severe penalties for non-compliance, safeguarding personal data for Singapore residents is non-negotiable.
Delphix delivers data masking capabilities that enable businesses to mitigate risk and eliminate barriers to fast innovation. Delphix automatically discovers sensitive data values including names, email addresses, and payment information. Then, it transforms sensitive values into realistic, yet fictitious ones — while retaining referential integrity.
Comply with Privacy Laws and Protect Against Breach
With Delphix, teams centrally define masking policies and deploy them across the enterprise for compliance with key privacy regulations such as PDPA. And because masking transforms sensitive information, Delphix neutralizes risk of breach in non-production environments that contain vast amounts of data that must be protected from cyberthreats.
Integrate Data Masking and Data Delivery
The Delphix DevOps Data Platform combines data masking with virtualization to deliver compliant data to downstream environments for development, testing, analytics, and AI. Masked, virtual data copies function like physical copies, but they take up a fraction of the storage space and can be automatically delivered in just minutes.
Take the hassle out of PDPA compliance. Request your custom demo from the Perforce Delphix team today.