PDPA Compliance In Singapore
Help your company comply with the PDPA in Singapore.
i-2 Communications is a partner of the PDPA Compliance Group.
The PDPA Compliance Group is an organization of independent experts in personal data protection. These experts are professionally trained and committed to helping organisations in Singapore comply with the PDPA.
PDPA Compliance
ACRA Registration No. 53394982C
10 Anson Road, #29-04A, International Plaza, Singapore 079903
The PDPA Compliance Group provides a comprehensive suite of PDPA services in Singapore and Asia:
The Singapore Personal Data Protection Act 2012 (PDPA) is a law that governs the collection, use, and disclosure of personal data by all organisations.
Organisations in Singapore that fail to comply with PDPA may be fined up to $1 million and suffer reputation damage.
The PDPA covers all electronic and non-electronic personal data, regardless of whether the personal data is true or false.
The PDPA recognises both the need to protect individuals’ personal data and the need of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.
A data protection regime is necessary to safeguard personal data from misuse and to maintain individuals’ trust in organisations that manage their data.
By regulating the flow of personal data among organisations, the PDPA also aims to strengthen Singapore’s position as a trusted hub for businesses.
Personal data is any information that identifies an individual. Different pieces of information which, collected together, can lead to the identification of a particular person also constitute personal data.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
The PDPA covers personal data stored in electronic and non-electronic formats.
It generally does not apply to:
Organisations in Singapore should comply with the Personal Data Protection Act (PDPA) for several reasons:
Under the Personal Data Protection Act 2012 (PDPA), a Data Protection Officer (DPO) is mandatory when your company/organisation collects personal data during its operations. The DPO of your company can be one individual or a team responsible for ensuring its compliance with the PDPA of Singapore.
The following are examples of organisations required to appoint a DPO:
A DPO must be competent in data protection, adequately resourced, and report to the highest management level. A DPO can be an existing employee or externally appointed.
In Singapore, Data Protection Officers (DPOs) play a critical role in ensuring that organisations comply with the Personal Data Protection Act (PDPA). The PDPA was enacted to govern the collection, use, and disclosure of personal data by organisations in Singapore.
The key responsibilities of a DPO in Singapore include:
In summary, the DPO plays a critical role in ensuring that the organisation complies with the PDPA and related regulations, and that personal data is processed in a responsible and secure manner. The DPO should have a thorough understanding of the PDPA and related regulations and be able to provide guidance and support to the organisation on data protection matters.
From 1 October 2022, an organisation that breaches the PDPA may face fines of up to SGD 1 million or, where the organisation’s annual turnover in Singapore exceeds SGD 10 million, 10% of the organisation’s Singapore turnover.
Penalties imposed under the PDPA could potentially be more stringent than those under the GDPR, which currently imposes fines of up to €20 million or 4% of worldwide turnover, whichever is higher.
The new PDPA also makes it a criminal offence for individuals (including employees) to mishandle personal data or re-identify anonymised information without authorisation. The offence is punishable with a fine of up to SGD 5,000 and/or imprisonment of up to two years.
The PDPA does not apply to business contact information, which may include name, business title, corporate telephone numbers, business addresses, and business email addresses.
Such contact information is made publicly available to facilitate commerce and trade, so organisations are not required to obtain consent prior to collecting, using, or disclosing it.
In addition, organisations sending business-to-business (B2B) marketing messages through phone calls, SMS, or fax are not required to comply with the Do Not Call provisions.