What You Should Know About The Data Protection Obligation Singapore

If you’re still confused about the main personal data obligations under the PDPA in Singapore and how your business relates to these, you came to the right place.

Let our friendly experts at Privacy Ninja help kick start your journey to compliance by conducting PDPA Compliance Audit Services at your workplace. Contact us for a no obligations chat. Get started today >>>

Under Singapore law, organisations are mandated to adhere to the Personal Data Protection Act (PDPA) when using, collecting or disclosing personal data. This is especially crucial in light of the accelerated digital push in the nation and beyond, which has made personal data even more vulnerable to illegal exposure and unauthorised acquisition.

Ten personal data obligations

There were 9 main personal data obligations under the first version of the PDPA. However, under the Personal Data Protection (Amendment) Act 2020, another main obligation has been added, bringing the total number to ten. They are:

1. The Consent Obligation
2. The Purpose Limitation Obligation
3. The Notification Obligation
4. The Access and Correction Obligations
5. The Accuracy Obligation
6. The Protection Obligation
7. The Retention Limitation Obligation
8. The Transfer Limitation Obligation
9. The Data Breach Notification Obligation (added after the amendment)
10. The Accountability Obligation

Also Read: PDPA Compliance Singapore: 10 Areas To Work On

The Data Protection Obligation Singapore

While all 10 obligations are equally important, it is probably the protection obligation that has seen the most breaches. Head over to the PDPC website and see for yourself how many organisations are getting flagged for non-compliance.

Under section 24 of the PDPA, an organisation must make reasonable security provisions to protect personal data in its possession or under its management in order to prevent unauthorised access, collection, use, disclosure, copying, amendment, disposal or similar risks.

Examples of when data protection obligation Singapore applies are when your organisation is processing and sending personal data, or disposing of documents containing personal data.

One frequent occurrence in which the organisation is unable to uphold its protection obligation duties is when an unauthorised entity breaks into the system and steals personal data. This usually means that the company has not put into place enough measures to ensure that its system is protected from illegal access.

Don’t let this happen to your organisation. Let our experts at Privacy Ninja help your company find security vulnerabilities before the bad guys do by undertaking out vulnerability assessment and penetration testing. Consult us today >>>

What happens when organisations fail to keep data protection obligation Singapore?

The thing about this obligation is that even when the breach was accidentally committed by an employee – who may have unintentionally caused the incident – the entire organisation will be implicated. In other words, the ownership and accountability of the breach will be on the organisation.

The PDPC, responsible for enforcing the PDPA, is authorised to issue remedial directions as it thinks fit. These may include directions mandating a company to:

1. stop collecting, using, or disclosing personal data in violation of the PDPA;
2. destroy personal data collected in breach of the PDPA;
3. allow access to or amend personal data; or
4. pay a financial penalty of up to S$1 million.

This is where having a Data Protection Officer (DPO) comes in handy. Ask us how you can benefit from full compliance without disrupting your day-to-day grind. Talk to us about outsourcing your DPO.

It has to be noted that the Amendment Bill proposes a higher financial penalty of up to 10% of an organisation’s annual turnover in Singapore, or S$1 million, whichever is higher.

Also Read: What Does A Data Protection Officer Do? 5 Main Things

It is crucial, therefore, to ensure that your workplace cultivates a culture of adhering to all obligations including data protection obligation Singapore. In doing so, you don’t only avoid the legal repercussions of breaking these obligations, but you also gain the trust and confidence of your stakeholders (which include your customers).