Most significant changes to the PDPA since its inception come into effect in phases as of February 1, necessitating mandatory data breach notifications among other requirements
The Personal Data Protection (Amendment) Act 2020 (the PDPA Amendments) will come into effect in phases from February 1, 2021. The amendments seek to strengthen organisational accountability and consumer protection, while encouraging companies to optimise the use of personal data for innovation.
The amendments taking effect on February 1 include:
- Mandatory data breach notification – organisations that suffer a data breach must notify the Personal Data Protection Commission (PDPC) if the breach is likely to result in significant harm to the affected individuals or is of significant scale (usually involving 500 or more individuals). The affected individuals must also be notified if the breach is likely to result in significant harm to them. The types of data deemed to result in significant harm are listed here. Notifications to the PDPC must be made as soon as possible, no later than three calendar days after the breach.
- Introduction of offences – the amendments introduce new criminal offences to hold accountable individuals who egregiously mishandle personal data. Those who recklessly or knowingly disclose personal data, use personal data for wrongful gain or wrongful loss to any person, or recklessly re-identify anonymised data without authorisation, may receive a fine not exceeding S$5,000 or imprisonment for a term not exceeding 2 years or both.
- Expanded consent framework – deemed consent by contractual necessity or deemed consent by notification provisions are introduced, allowing organisations to use, collect and disclose personal data. Further expansions include legitimate business interests and business improvement exceptions, and the scope is broadened to include data innovation efforts. Additional accountability requirements accompany these exceptions.
Following these changes, it is vital that organisations review their data procedures and ensure they have robust protections and responses in place. Regular training sessions should be introduced and updated, including educating relevant persons on the updates.
For more information, contact Alpadis Group