Data protection penalties in Singapore hit over a million dollars so far in 2019

Singapore has seen a 47% increase in the number of data protection investigations since 2017, handing out over one and a half million dollars in fines and affecting companies from almost every industry.

(This article, from Alpadis Group CEO Alain Esseiva, first appeared in Singapore Business Review)

A recent notification from the Personal Data Protection Commission (PDPC) of Singapore outlined a number of penalties incurred by six Singaporean companies for breaching the Personal Data Protection Act.

Financial penalties ranged from S$5,000 to S$1,000,000 and were imposed for a range of infractions, from not having a Data Protection Officer (DPO) to the unauthorised disclosure of clients’ personal data.

Since 2017, the PDPC has stepped up its investigations of companies thought to be in breach of the PDPA, from 19 in 2017 to 28 in 2019 (and the number may still grow within the next months). While some investigations resulted in no breach being found, the majority (52%) resulted in fines totalling S$1,526,500, with the remainder resulting in warnings or further directions.

Source: Personal Data Protection Commission (PDPC)

Interestingly, these investigations affected 76 companies and organisations, ranging from small firms to major public and private institutions, in industries from services and F&B to transport and insurance. Additionally, the severity of the fines has increased, with the first six months of 2019 seeing an average of S$73,882 per fine handed out, compared to S$9,300 in 2017.

One company had no appointed DPO and no practices in place to comply with the PDPA. Another did not have adequate firewall security for its online systems and so suffered a ransomware attack, and another firm’s employee disclosed customer details without authorisation.

Some of the companies could have claimed they were simply unlucky. For example, the firm that suffered the ransomware attack was undergoing a full IT migration, and its IT team was waiting for the IT infrastructure to be refreshed before configuring the appropriate firewall settings. Yet all it took was one incident for the PDPC to be alerted, exposing the firm’s lack of PDPA compliance and resulting in significant fines.

Data breaches can happen to any company, whatever its type, and infractions can come from a variety of sources, from employees disclosing data to cyber-attacks.

It is imperative that firms in Singapore take data protection seriously. Among other requirements, Singapore-based companies should appoint at least one person as a DPO; ensure consent has been granted by individuals before collecting, using or disclosing their data, and allow individuals to withdraw that consent; and retain data only for as long as it is needed, destroying it once it is no longer required.