When the term ‘data protection regulation’ comes to mind, most people immediately think of the GDPR. Well, this is natural, given that Europe’s introduction of the GDPR not only rocked the privacy compliance space, but also led to the birth of several laws of similar nature such as California’s CCPA, and Brazil’s LGPD. But what most people are not aware of, is that the GDPR was the first comprehensive data protection law, but not the first of its kind; it was actually Singapore’s PDPA, which was introduced way before the GPDR in 2012, and came into full force in July, 2014.
The execution of the PDPA was well thought out and was carried out in three phases – one in 2013 and the next two in 2014, which gave companies ample time to prep for compliance. But the thought that went into its execution might not have entirely gone into the provisos of the act, given that it fell short when compared to the GDPR. The act was criticized for a number of reasons, mainly due to its multiple exemption clauses and the non-inclusion of special categories of sensitive data such as race, ethnicity, health, etc.
This shortcoming was not without its costs, as Singapore went on to face a severe data breach in 2018, which ended up compromising the sensitive information of 1.5 million healthcare patients, including that of its prime minister. The reason for the breach was also found to be mainly due to weak cybersecurity practices. Since then, the PDPA’s requirements have been updated, the most notable ones being the inclusion of data breach management, data protection management, and active enforcement. The PDPA is also gearing up to implement data portability now, in phases.
Now that we’ve discussed the history of the PDPA in brief, let’s delve into discussing what the act is about, and its requirements.
What is the PDPA?
The PDPA stands for Personal Data Protection Act, and is the primary data protection law governing Singapore.
Who regulates PDPA?
The PDPA is governed by the Personal Data Protection Commission (PDPC), Singapore’s principal data protection authority. The PDPC is responsible for issuing advisory guidelines for the PDPA, and for enforcing it. The PDPC also administers the Do Not Call Registry (DNC), which we will discuss later.
Who does the PDPA apply to?
All private organizations come under the jurisdiction of the PDPA, which governs their manner of collection, use and disclosure of personal data. It doesn’t matter whether these companies are located in the country or not, but the requisite for compliance is the collection of data from Singaporean data subjects.
Public sector companies are governed by other rules, and hence, are not the responsibility of the PDPA.
What are the penalties for non-compliance?
Companies are fined accordingly, based on the severity of their errors. Mishandling personal data or hiding information regarding its collection, use and disclosure can lead to fines up to, and not more than, SS$50,000. Meddling with the PDPC investigation in any way can lead to fines up to, and not exceeding, SS$100,000.
However, the PDPA allows for a maximum penalty of SS$1,000,000, which was the case for the serious data breach that Singapore faced in 2018.
How does the PDPA impact consumers?
Like any other privacy compliance law, the PDPA confers several rights to its data subjects. Some of the key rights include:
- Right of Access to data
The right of access to data gives an individual the right to request a company to allow him access to his personal data. The company is obligated to, one – provide him access to his data, and two – inform him about how his data has been used/disclosed (access obligation).
- Right to Rectification of Errors
The right to rectification of errors gives an individual the right to request a company to allow him to make changes to his personal data. The company is obligated to allow the individual to update, correct, or delete parts of his data (correction obligation).
- Right to be Forgotten
The PDPA currently does not confer any such right to the individual wherein he may request a company to delete his personal data.
- Right to Data Portability
The PDPA currently does not confer any such right to the individual wherein he may request a company to obtain and reuse his personal data (move, copy, or transfer) across different IT environments. This right lies on the condition that it should be done in a safe and secure manner, without affecting the data’s useability.
- Right to Withdraw Consent
The right to withdraw consent gives an individual the right to withdraw his consent given to the company to collect, use and disclose his data.
- Right to Object Processing
Refer to Right to Withdraw Consent.
- Right to Restrict Processing
Refer to Right to Withdraw Consent.
- Right to Object Marketing
Individuals can register their personal phone number at the DNC registry should they not want to receive telemarketing calls and messages.
In addition, refer to Right to Withdraw Consent.
- Right to Complain to the relevant Data Protection Authority
This right allows individual to address their grievances by filing a complaint with the PDPC. Upon which, the PDPC will work towards solving the issue between the individual and the company, and may also choose to conduct an investigation on the company regarding their compliance initiatives.
Although the PDPA may be doing well on its own accord, we can see that it misses out a few crucial data subject rights such as the right to data portability, and most importantly, the right to be forgotten. And as I’ve mentioned before, the PDPA falls short compared to its successors, mainly in the area of consumer rights, especially due to its multiple exemption clauses. For instance, let us take the matter of consent. When it comes to consent, the requirements specified in the PDPA are a lot more relaxed when compared to, say, the GDPR or the CCPA, owing to the fact that it contains close to twenty exemptions to the rule. Some are familiar, for example, if the data is necessary for investigative purposes, or, if the data is publicly available. But some exemptions seem a bit controversial. For instance, data can be collected for evaluative purposes, or in the interest of the consumer.
In addition, the PDPA also allows deemed consent as valid consent. Deemed consent means the data is voluntarily provided to the company by an individual when it is reasonable for the individual to do so. This personal data can then be used and disclosed by the company for any reasonable purpose.
How does the PDPA impact businesses?
The PDPA establishes protection of personal data through its data protection provisions, and its Do Not Call (DNC) provisions.
Its data protection provisions include nine ‘obligations’ which govern how businesses should handle consumer data. They are as follows:
- Consent Obligation
The consent obligation disallows companies to collect, use and disclose personal data without the consumer’s consent. The consent may be expressed consent or deemed consent.
- Purpose Limitation Obligation
The purpose limitation obligation disallows companies to collect personal data from consumers unless they have a reasonable purpose for doing so.
- Notification Obligation
The notification obligation requires companies to inform the individual about the purpose behind data collection, use and disclose.
- Access and Correction Obligation
The access and correction obligation requires companies to, one – provide individuals with their data and notify them as to how its been used/disclosed, and two – allow consumers to make changes to their data (update, correct, or delete).
- Accuracy Obligation
The accuracy obligation requires companies to make sure that the data they collect on the consumer is accurate and complete. This is to ensure that the consumer is not ill affected by an organization making an erroneous decision as a result of inaccurate and incomplete data. For example, rejection of loan to consumer due to inaccurate credit history information.
- Protection Obligation
The protection obligation requires companies to take adequate measures to ensure they protect the consumers’ data from unauthorized collection, use and disclosure.
- Retention Limitation Obligation
The retention limitation obligation requires companies to remove personal data that no longer fulfils any business or legal purpose. This, along with the purpose limitation obligation, try to limit the amount of personal data collected/stored by an organization.
- Transfer Limitation Obligation
The transfer limitation obligation disallows companies to send personal data outside of Singapore, unless the receiver has a law that is comparable in capability when compared to the PDPA, to protect the consumer’s data. Or, the receiver must have obtained consent from the PDPC, or the individual whose data is being transferred.
- Openness Obligation
The openness obligation requires companies to create policies and implement them so as to meet all obligations under the PDPA. Companies must appoint at least one person to be in charge of overseeing this task.
The final provision is the DNC provision. It requires companies to check the DNC registry and receive unambiguous consent from the individual before they send marketing material.
How can companies achieve PDPA compliance?
We have seen how achieving compliance is not an easy task, mainly due to the fact that regulations are multidimensional, and there are many facets that are involved while trying to show compliance. The PDPA might be more relaxed in some areas when compared to other laws of its kind, but this doesn’t make compliance any easier. The following are three core ways in which companies can achieve PDPA compliance:
- Data Transfer
As I’ve previously mentioned (refer to Transfer Limitation Obligation), companies can send personal data outside of Singapore, as long as the receiver has a law that is comparable in capability when compared to the PDPA, to protect the consumer’s data. Or, the receiver must have obtained consent from the PDPC or the individual whose data is being transferred.
To ensure the safe and secure cross-border transfer of data, effective measures of discovery and anonymization are a necessity. To find out more about this, visit our blog on Cross-border data security.
- Data Deletion
Even though the PDPA does not include a right to be forgotten, data deletion remains a necessity given the retention limitation obligation. To ensure proper retention mechanisms in place, an effective data minimization solution is needed. The key here is to delete the data from the system without impairing referential integrity. To find out if you’re on the right path, visit our blog – Data Minimization: Are you doing it right?.
- Information Protection
While getting into the finer details to achieving compliance with a particular privacy compliance law, businesses tend to forget the core ideology of all these regulations – data security. Protecting the online identities of users and ensuring a safe haven for digital transactions has gained paramount importance in today’s world. This is why, while consent management may be important in establishing a secure privacy framework, it alone does not help you get across the line. A robust data security policy, which enables a business to thoroughly scan and isolate the presence of all sensitive data they possess and then go on to secure them using anonymization and pseudonymization mechanisms is equally, if not more important.
MENTIS helps businesses in their PDPA compliance initiatives through its market-leading and patented sensitive data discovery mechanism, along with downstream data protection mechanisms like anonymization, monitoring, and retirement, all in a single integrated platform.
MENTIS data and application security platform is a single integrated platform that protects sensitive data across its lifecycle, with modules for sensitive data discovery, static and dynamic data anonymization, data monitoring, and data minimization. The built-in separation of duties and flexible architecture accommodate the complexities of enterprise application security with ease.
We help businesses in their PDPA compliance initiatives through our market-leading and patented sensitive data discovery mechanism, along with downstream data protection mechanisms like anonymization, monitoring, and retirement, all in a single integrated platform.
We have successfully implemented our solution in large enterprises like a global conglomerate, one of the top Swiss banks, and Ivy League universities.