Singapore PDPA Compliance and Cybersecurity
The Personal Data Protection Act (PDPA) of 2012 is a privacy and data protection law in Singapore that
imposes a broad set of duties on companies in Singapore and foreign entities that
process personal data of Singaporean residents.
What is PDPA and what does it mean for your business?
Being one of the wealthiest nations in the Asia–Pacific (APAC) region, Singapore has a well-developed body of legislation and a highly efficient judicial system. The Government of Singapore pays special attention to privacy protection in order to remain competitive in the global landscape.
ImmuniWeb can help you comply with PDPA cybersecurity and data protection requirements.
In 2012, the parliament of Singapore enacted the Personal Data Protection Act (PDPA) (No. 26 of 2012) to ensure a strong privacy protection regime comparable to European standards. In February 2021, the PDPA was amended and modernized, enhancing data protection, increasing penalties for violations and giving additional rights to individuals, including a right to data portability (as available under the EU’s General Data Protection Regulation or GDPR). The PDPA is a comprehensive and complex law, composed of almost 100 sections, that also regulates undesired telephone and text message marketing via Do Not Call (DNC) Registers.
Under the PDPA, Singaporean businesses and foreign companies doing business in Singapore are mandated to implement holistic data protection and privacy safeguard mechanisms including, among other things, mandatory nomination of Data Protection Officers (DPO) reachable during Singaporean business hours. Thus, all companies covered by the law, regardless of their size, must designate a DPO as prescribed by Section 11 (“Compliance with Act”) of PDPA.
It’s worth noting that a consultation is currently taking place on “how the PDPA applies to the collection and use of personal data to develop and deploy AI systems that embed machine learning (ML) models ("AI Systems") used to make decisions, recommendations or predictions.”
Who is covered by PDPA regulation?
Any individual, company, association or body of persons, corporate or unincorporated, in Singapore is covered by the PDPA, with no exceptions for SMEs. Section 2 (“Interpretation”) also makes it clear that foreign businesses with customers in Singapore (i.e. which process the personal data of Singaporean residents) must also abide by the PDPA irrespective of their size or the revenue they derive from the Singaporean market.
There are, however, some exemptions under the PDPA. For example, in contrast to the overarching nature of the GDPR, business contact information (e.g. business cards) is excluded from data protection obligations under the PDPA. Some narrow exceptions also apply to opinion-related data kept for evaluative purposes (e.g. university admission decisions), and to some personal data processed within the context of employment. One should, however, be careful when applying these exemptions as, for instance, usage of business contacts for non-business purposes may be a violation of the PDPA. Exclusions can be found in Section 4 (“Application of Act”), and Schedules 5 and 6 of the PDPA.
Government and public agencies in Singapore are expressly exempt from provisions of the PDPA; this gap is covered by the Instruction Manual for Infocomm Technology and Smart Systems (ICT&SS) Management and the Public Sector Governance Act 2018.
Who enforces PDPA compliance?
PDPA Section 5 (“Personal Data Protection Commission”) creates the Personal Data Protection Commission (PDPC) that administers and enforces the Act. The Commission also has other roles such as promotion of privacy awareness and provision of advisory services relating to data protection in Singapore. Akin to the European Data Protection Board (EDPB) enacted by the GDPR, the PDPC regularly issues advisory guidelines to help businesses comply with the PDPA in a simple, practical and risk-based manner.
Under Section 48I (“Directions for non-compliance”) of the PDPA, the PDPC may order companies to rectify non-conformities and irregularities under the Act, to stop processing or collecting personal data, and to delete all unlawfully collected data.
PDPC is also authorized to impose monetary fines for violations of the PDPA. Failure to comply with a PDPC order can amount to a criminal offense with more serious repercussions.
What are the penalties for PDPA violations?
For negligent or intentional violations of the PDPA, the PDPC may impose monetary fines rising to 1,000,000 SGD for most organisations, as detailed in Section 48J (“Financial penalties”). Organisations whose annual turnover in Singapore exceeds 10 million SGD are liable to pay up to 10% of their annual turnover.
PDPA Section 51 (“Offences and penalties”) imposes criminal penalties including imprisonment for deliberate misconduct, such as intentional obstruction of a PDPC investigation, destruction of evidence or any records requested by the PDPC, or misleading the PDPC during an investigation.
Additionally, Section 48O (“Right of private action”) empowers aggrieved individuals, whose privacy rights were violated under the Act, to claim damages, injunctions and any other reliefs as the court deems fit.
What are the cybersecurity requirements under the PDPA?
The PDPA labels a data controller as an “organization” and a data processor as a “data intermediary” in Section 2 (“Interpretation”). Both controllers and data processors are bound by the PDPA’s broad requirements to protect personal data. Section 24 (“Protection of personal data”) prescribes a duty to “protect personal data in its possession or under its control by making reasonable security arrangements to prevent - (a) unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks; and (b) the loss of any storage medium or device on which personal data is stored”.
The PDPC has published a guide to “Data Protection Practices by Design for ICT Systems” that instructs, among other things: using HTTPS instead of HTTP; running regular security testing for OWASP Top 10 vulnerabilities; and protecting web applications with a web application firewall (WAF). The guide also advises stipulating penetration testing and audits by a qualified third-party provider when selecting a cloud service provider (CSP), along with network penetration testing prior to the commissioning of any new ICT system.
Notable PDPA cases
In the recent “SGPDPC 17” enforcement decision, involving a data breach during an initial coin offering performed via a web application, the PDPC expressly mentioned web penetration testing and vulnerability scanning as requisite security controls, the lack of which evidenced negligence and aggravated the violation. In the same decision, the PDPC pointed out that web applications are to be tested prior to a public launch.
In another decision, “SGPDPC 46”, involving a security incident suffered by a healthcare provider, the PDPC clearly stated that security vulnerabilities and other findings from penetration testing reports are to be remediated without undue delay.
Finally, in the “SGPDPC 36” decision, involving unauthorized disclosure of personal data via an insecure mobile application, the PDPC emphasized the importance of mobile penetration testing, including security testing of the mobile backend (API).
What are the data breach notification requirements under the PDPA?
Similar to the GDPR’s data breach provisions, Section 26D (“Duty to notify occurrence of notifiable data breach”) of the PDPA states that organizations (data controllers) must inform the PDPC within 3 calendar days about a notifiable data breach.
A notifiable data breach is a breach that “results in, or is likely to result in, significant harm to an affected individual; or is, or is likely to be, of a significant scale” according to Section 26B (“Notifiable data breaches”) of the PDPA. Once the PDPC is informed about a data breach, the breached organization must also notify each affected individual without undue delay.
As stipulated in Section 26C (“Duty to conduct assessment of data breach”) of the PDPA, data intermediaries (processors) must notify the organization (data controller) without delay about a suffered data breach if it involves personal data entrusted to the processor. The organization must immediately conduct an assessment of the breach to determine whether it is a notifiable data breach or not and proceed accordingly.
In 2021, the PDPC released detailed guidelines on “Managing and Notifying Data Breaches” that provide instructions and a checklist for the entire breach notification process, incident response, post-breach evaluation and remediation.
What are the supply chain security requirements under the PDPA?
Section 24 (“Protection of personal data”) of PDPA makes it clear that organizations are legally liable for misconduct or insufficient data protection of their intermediaries who process personal data on their behalf. The language of Section 24 is broad and unambiguous, stating that an “organization must protect personal data in its possession or under its control.”
The PDPC has also issued guidelines on “Managing Data Intermediaries” that recommend a risk-based approach for the selection and management of data intermediaries (DIs) by data controllers (DCs), stating: “The DC should ensure that the DI is able to meet its data processing requirements and provide the protection and care that is commensurate with the volume and sensitivity of the personal data that the DI is to process.”
The guidelines likewise suggest that organizations impose enforceable contractual duties on their processors to ensure rigorous compliance with adequate data protection requirements, including by referencing ISO 27001 security controls. Moreover, contractual clauses may impose a requirement of external audit of processors, periodic revision of their security policies, planned on-site inspections, mandatory incident reporting, security training for a processor’s personnel, and regular monitoring of incident logs by data controllers.
In a nutshell, a data controller has a strong interest in ensuring that all of its processors follow best data protection practices, in order to avoid vicarious liability and severe penalties under the PDPA.