Demonstrate that data protection guidelines and procedures are carried out and practised on the ground.
Learn how Privacy Ninja’s DPO-As-A-Service can further help you achieve full compliance with all the PDPA requirements without breaking the bank.
PDPA Singapore Checklist
PDPA Singapore Checklist Questions
PDPA Checklist 1: Governance and Transparency
Does your organisation have policies and practices in place to manage personal data?
Does your organisation communicate its data protection policies and practices to relevant internal and external stakeholders?
Does your organisation regularly review and update data protection policies and practices, and monitor compliance of practices with these policies?
Does your organisation receive and respond to queries on the collection, use and disclosure of personal data by your organisation?
Does your organisation conduct risk and impact assessments to identify, assess and address data protection risks?
Does your organisation take into account Data Protection by Design in the development of a product, service, system or process?
Does your organisation have a data breach management plan? The plan should include the following:
Personnel on management of data breach incident
Timeline for reporting data breach incident
Processes for notifying affected individuals/organisations and relevant regulators/enforcement authorities
Does your organisation have a Data Protection Officer (DPO) who is well versed in your data protection policies and PDPA? Is the business contact information of the DPO made available to the public?
(DPO should also have received formal training on data protection compliance with the PDPA.)
Does your organisation conduct regular training for employees on the company’s data protection policies and practices?
PDPA Checklist 2: Management of Personal Data
Does your organisation ensure that the personal data collected is necessary for the purpose, and individuals are notified of the purposes on or before the collection of their personal data?
(Organisations should also ensure that the collection of sensitive data is limited to what is necessary for its purposes.)
Does your organisation obtain consent for the collection, use or disclosure of personal data?
(This also includes processes in place with 3rd parties on collection of personal data.)
Does your organisation ensure proper use and disclosure of personal data collected?
Does your organisation ensure that the transfer of data overseas is in compliance with PDPA?
(This includes any 3rd party (e.g. data intermediary, agent) of the company that handles the data transfer.)
PDPA Checklist 3: Care of Personal Data
Does your organisation have appropriate security measures in place to prevent unauthorised access, collection and use of its personal data in its possession or under its control?
These security measures must be developed based on relevant risk assessments, the type and sensitivity of the personal data, and the likelihood and harm of unauthorised access, erasure or other use. Organisations should ensure these security measures are regularly updated and communicated to relevant stakeholders.
Organisations should also ensure processes are in place for 3rd parties to make reasonable arrangements to protect personal data.
Does your organisation have appropriate data retention policies for different types of personal data?
(This also applies to 3rd parties in possession of its personal data.)
Does your organisation have processes in place to handle unsolicited personal data?
Does your organisation have processes in place to dispose of personal data? (This also applies to 3rd parties in possession of its personal data.)
Does your organisation ensure that its personal data is accurate, and that personal data disclosed to other organisations is accurate and complete? How does your organisation deal with inaccurate data?
PDPA Checklist 4: Individual’s Rights
Does your organisation provide information on how individuals may withdraw consent on the use of their personal data and the consequences of withdrawing the consent?
Does your organisation provide information on how individuals can request access to their personal data, and have a process in place to respond to their requests?
Does your organisation provide information on how individuals can correct their personal data under its possession?