Singapore PDPA Compliance and Cybersecurity

The Personal Data Protection Act (PDPA) of 2012 is a privacy and data protection law in Singapore that imposes a broad set of duties on companies in Singapore and on foreign entities that process personal data of Singaporean residents.

What is PDPA and what does it mean for your business?

Singapore, one of the wealthiest nations in the APAC region, has well-developed legislation and a highly efficient judicial system. The Government of Singapore pays special attention to privacy protection in order to remain competitive in the global landscape.

In 2012, the Parliament of Singapore enacted the Personal Data Protection Act (No. 26 of 2012) to establish a strong privacy protection regime comparable to European legislation. In February 2021, the Act was amended and modernized, enhancing data protection, increasing penalties for violations and granting additional rights to individuals, including a right to data portability similar to the one available under the EU’s GDPR. The PDPA is a comprehensive and complex law, composed of almost 100 sections, that also regulates unsolicited telephone, fax and SMS marketing via the Do Not Call (DNC) Registers.

Under the PDPA, Singaporean businesses and foreign companies doing business in Singapore are required to implement holistic data protection and privacy safeguards, including, among other things, the mandatory appointment of a Data Protection Officer (DPO) reachable during Singaporean business hours. Thus, all companies covered by the law, regardless of their size, must designate a DPO, as prescribed by Section 11 (“Compliance with Act”) of the PDPA.

Who is covered by PDPA regulation?

Any individual, company, association or body of persons, corporate or unincorporated, in Singapore is covered by the PDPA, with no exception for SMEs. Section 2 (“Interpretation”) also makes it clear that foreign businesses with customers in Singapore, and thus processing personal data of Singaporean residents, must likewise abide by the PDPA, irrespective of their size or the revenue they derive from the Singaporean market.

There are, however, some exemptions under the PDPA. For example, unlike the broader GDPR, business contact information (e.g. business cards) is excluded from the data protection obligations of the PDPA. Some narrow exceptions also apply to opinion data kept for evaluative purposes (e.g. a university admission or non-admission decision) and to some personal data processed in an employment context. One should nonetheless be careful when relying on these exemptions since, for instance, use of business contact information for non-business purposes may be a violation of the PDPA. The exclusions are set out in Section 4 (“Application of Act”) and Schedules 5 and 6 of the PDPA.

Government and public agencies in Singapore are expressly exempt from the PDPA; this gap is, however, covered by Government Instruction Manual 8 and the Public Sector Governance Act.

Who enforces PDPA compliance?

Section 5 (“Personal Data Protection Commission”) of the PDPA creates the Personal Data Protection Commission (PDPC), which administers and enforces the Act. The Commission also has other roles, such as promoting privacy awareness and providing advisory services relating to data protection in Singapore. Akin to the European Data Protection Board (EDPB) established by the GDPR, the PDPC regularly issues advisory guidelines to help businesses comply with the PDPA in a simple, practical and risk-based manner.

Under Section 48I (“Directions for non-compliance”) of the PDPA, the PDPC may direct companies to rectify non-conformities and irregularities under the Act, to stop collecting or processing personal data, and to delete all unlawfully collected data.

The PDPC is also authorized to impose financial penalties for violations of the PDPA. Failure to comply with a PDPC direction may be a criminal offense and trigger harsh consequences.

What are the penalties for PDPA violations?

For negligent or intentional violations of the PDPA, the PDPC may impose financial penalties of up to 1,000,000 SGD, as detailed in Section 48J (“Financial penalties”). Importantly, starting from 2022, the maximum fine rises sharply and may reach 10% of the infringer’s annual turnover in Singapore.

Section 51 (“Offenses and penalties”) of the PDPA imposes criminal penalties, including imprisonment, for deliberate misconduct such as intentionally obstructing a PDPC investigation, destroying evidence or records requested by the PDPC, or misleading the PDPC during an investigation.

Additionally, Section 48O (“Right of private action”) of the PDPA empowers aggrieved individuals whose rights under the Act have been violated to claim damages, an injunction and any other relief the court thinks fit.

What are the cybersecurity requirements under PDPA?

The PDPA refers to the data controller as an “organization” and to the data processor as a “data intermediary” in Section 2 (“Interpretation”). Both controllers and processors are bound by the PDPA’s broad requirements to protect personal data. Section 24 (“Protection of personal data”) prescribes a duty to “protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal, or similar risks.”

The PDPC and Hong Kong’s Privacy Commissioner issued joint guidelines on “Data Protection by Design for ICT Systems” that, among other things, call for using HTTPS instead of HTTP, running regular security testing for OWASP Top 10 vulnerabilities, and protecting web applications with a WAF. The guidelines also advise regular penetration testing and vulnerability assessment by a qualified third-party provider before web applications are deployed to production and after every major update.

In the recent “[2019] SGPDPC 17” enforcement decision, involving a data breach during an initial coin offering conducted via a web application, the PDPC expressly named web penetration testing and vulnerability scanning as requisite security controls, the absence of which evidenced negligence and aggravated the violation. In the same decision, the PDPC pointed out that web applications are to be tested prior to a public launch.

In another decision, “[2019] SGPDPC 46”, involving a security incident suffered by a healthcare provider, the PDPC clearly stated that security vulnerabilities and other findings from penetration testing reports are to be remediated without undue delay.

Finally, in the “[2019] SGPDPC 36” decision, involving unauthorized disclosure of personal data via an insecure mobile application, the PDPC emphasized the importance of mobile penetration testing, including security testing of the mobile backend (API).

What are the data breach notification requirements under PDPA?

Similar to the GDPR’s data breach provisions, Section 26D (“Duty to notify occurrence of notifiable data breach”) of the PDPA requires organizations (data controllers) to inform the PDPC of a notifiable data breach within 3 calendar days.

A notifiable data breach is one that “results in, or is likely to result in, significant harm to an affected individual; or is, or is likely to be, of a significant scale”, according to Section 26B (“Notifiable data breaches”) of the PDPA. Once the PDPC has been informed of a data breach, the breached organization must also notify each affected individual without undue delay.

As stipulated in Section 26C (“Duty to conduct assessment of data breach”) of the PDPA, data intermediaries (processors) must notify the organization (data controller) without delay of any data breach involving personal data entrusted to the processor. The organization must then immediately assess the breach to determine whether it is a notifiable data breach and proceed accordingly.

In 2021, the PDPC released guidelines on “Managing and Notifying Data Breaches” that provide detailed instructions and a checklist covering the entire breach notification process, incident response, post-breach evaluation and remediation.

What are the supply chain security requirements under PDPA?

Section 24 (“Protection of personal data”) of the PDPA makes it clear that organizations covered by the Act are legally liable for the misconduct or insufficient data protection of the intermediaries that process personal data on their behalf. The language of Section 24 is broad and unambiguous: an “organization must protect personal data in its possession or under its control.”

The PDPC has also issued guidelines on “Managing Data Intermediaries” that recommend a risk-based approach to the selection and management of data intermediaries: “The controller should ensure that the processor is able to provide the protection and care that is commensurate with the volume and sensitivity of the personal data that the processor is to process.”

The guidelines likewise suggest that organizations impose enforceable contractual duties on their processors to ensure rigorous compliance with adequate data protection requirements, including implementing ISO 27001 security controls and an information security management system. Moreover, contractual clauses may provide for external audits of processors, periodic review of their security policies, scheduled on-site inspections, mandatory incident reporting, security training for the processor’s personnel, and regular monitoring of incident logs by the data controller.

In a nutshell, the data controller has a strong interest in ensuring that all its processors follow best data protection practices, so as to avoid vicarious liability and severe penalties under the PDPA.
