Personal data in Singapore is protected under the Personal Data Protection Act 2012 (PDPA). The PDPA establishes a number of requirements to collect, use and disclose personal data. The City State is about to impose new guidelines coming into effect in September 2019 that aim to enhance consumer protection against unjustified collection, use, disclosure and retention of physical NRICs.
In 2018 the European Union's (EU) General Data Protection Regulation (GDPR) came into effect, imposing more stringent rules on the collection and use of personal data of EU citizens. While this is an EU regulation, Singaporean companies must also comply with GDPR if they process, collect and use the personal data of individuals in the EU in the course of offering them goods and services or monitoring their behaviour.
Arguably, very few entities can claim today that they do not collect personal data. This may come as a surprise to many entities that believe that, because of their small size or lack of commercial activities, they fall outside the scope of data protection rules. In reality, companies collect and use personal data not only from customers but also from their employees, shareholders and directors. Personal data also flows easily across jurisdictions through subsidiaries.
As a result, Singapore-based companies must be ready to appoint at least one person as a Data Protection Officer (DPO) to oversee their data protection responsibilities and to implement an adequate data protection framework for the personal data they handle. Among other measures, companies should:
- ensure consent has been granted by individuals before collecting, using or disclosing their data, and allow individuals to withdraw that consent
- notify individuals of the purposes for which they are collecting, using or disclosing the data
- retain data only while it is needed and destroy it once it is no longer required
- ensure that the standard of protection given to personal data transferred to other jurisdictions is comparable to the protection under the PDPA
In addition, Singapore companies that are also subject to GDPR may have to implement further measures to accommodate the stricter EU legislation.
It is very important that companies in Singapore take both the PDPA and GDPR seriously. This year we have seen a number of penalties imposed on local firms for failing to put in place reasonable data security arrangements.
Many penalties in Singapore result from internet breaches caused by insufficient security practices, or from errors in mass mailing or e-mail processes. The cost of complying does not necessarily need to be high, yet the cost of breaching these regulations can be significant.
The best way to ensure compliance with the PDPA and other relevant data protection regulations is to map out the personal data collected by the company and put in place suitable data protection frameworks and processes accordingly. Companies should also communicate these processes and frameworks to their employees (if any) and review them from time to time to ensure continued adherence to the relevant regulations.
Alpadis Group can provide or facilitate a range of data protection services to ensure your company is in full compliance with data protection regulations. Our services include DPO outsourcing and customised data protection policies. For more information, please contact us here.