Official Site of PDPA Compliance in Singapore
50% Pre-approved Grant for Data Protection Trustmark (DPTM) Certification for SMEs
Why do more businesses want to be DATA PROTECTION TRUSTMARK certified?
The Data Protection Trustmark (“DPTM”), administered by IMDA, helps businesses win sales by building trust with their customers, their business partners, and their own management and staff, and it enhances market access.
DPTM certification demonstrates that the organisation's culture and practices are oriented towards full compliance with its obligations under the PDPA.
Stakeholders can be assured that the organisation has put responsible data protection practices in place and will take proper care of their personal data.
What is the PDPA Compliance Group?
The PDPA Compliance Group is an organization of independent experts in personal data protection. These experts are professionally trained and committed to helping organisations in Singapore comply with the PDPA.
iSmart Communications has engaged the PDPA Compliance Group in Singapore to help us acquire the Data Protection Trustmark.
PDPA Compliance
ACRA Registration No. 53394982C
10 Anson Road, #29-04A, International Plaza, Singapore 079903.
What services does PDPA Compliance provide?
The PDPA Compliance Group provides a comprehensive suite of PDPA services in Singapore and Asia:
- Data Protection Officer
- Prepare Data Protection Policy
- Prepare procedures, processes, & practices for PDPA compliance
- Staff training on PDPA compliance in Singapore
- Third-party PDPA contract review
- Data protection system audit
- PDPA Incident management etc.
To learn more about how we can help your business with PDPA Compliance, please contact us.
What is PDPA compliance in Singapore?
The Singapore Personal Data Protection Act 2012 (PDPA) is the law that governs the collection, use, and disclosure of personal data by organisations in Singapore.
Organisations that fail to comply with the PDPA may face financial penalties of up to S$1 million (or, for larger organisations, up to 10% of their annual Singapore turnover) in addition to reputational damage.
The PDPA covers all electronic and non-electronic personal data, regardless of whether the personal data is true or false.
The PDPA recognises both the need to protect individuals’ personal data and the need of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.
A data protection regime is necessary to safeguard personal data from misuse and to maintain individuals’ trust in organisations that manage their data.
By regulating the flow of personal data among organisations, the PDPA also aims to strengthen Singapore's position as a trusted hub for businesses.
What is Personal Data in Singapore?
Personal data is any data, whether true or not, about an individual who can be identified from that data, or from that data together with other information the organisation has or is likely to have access to. Individually innocuous pieces of information that, taken together, identify a particular person therefore also constitute personal data.
What constitutes a breach of personal data in Singapore?
Under the PDPA, a data breach means any unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data, or the loss of any storage medium or device holding personal data in circumstances where such unauthorised handling is likely to occur. In practice this covers both malicious incidents (hacking, insider misuse) and accidental ones (misdirected emails, lost laptops).
What is the scope of the PDPA in Singapore?
The PDPA covers personal data stored in electronic and non-electronic formats.
It generally does not apply to:
- Any individual acting on a personal or domestic basis.
- Any individual acting in his/her capacity as an employee with an organisation.
- Any public agency in relation to the collection, use, or disclosure of personal data.
- Business contact information such as an individual’s name, position or title, business telephone number, business address, business email, business fax number, and similar information.
Why should your organisation comply with the Personal Data Protection Act (PDPA) in Singapore?
Organisations in Singapore should comply with the Personal Data Protection Act (PDPA) for several reasons:
- Legal requirement: Compliance with the PDPA is a legal obligation for organisations that collect, use, or disclose personal data in Singapore. Non-compliance can result in financial penalties for the organisation and, for certain offences, fines or imprisonment for the individuals involved.
- Corporate reputation: Compliance with the PDPA enhances an organisation's reputation as one that respects the privacy and confidentiality of its customers and employees. This builds trust and confidence among stakeholders and improves the organisation's standing in the community.
- Competitive advantage: Compliance with the PDPA provides a competitive advantage in the marketplace by demonstrating that the organisation is committed to protecting personal data and to following best practices in data protection.
- Business continuity: Compliance with the PDPA helps ensure business continuity by reducing the risk of data breaches and other incidents that can result in financial losses, damage to reputation, and legal liability.
- Global compliance: Compliance with the PDPA also helps organisations meet other international data protection laws and regulations, particularly those based on similar principles, such as the EU's General Data Protection Regulation (GDPR).
Every organisation in Singapore must appoint a Data Protection Officer (DPO)
Is a DPO mandatory under the PDPA?
Under the Personal Data Protection Act 2012 (PDPA), every organisation that collects, uses or discloses personal data in the course of its operations must designate at least one individual to be responsible for ensuring its compliance with the PDPA. This Data Protection Officer (DPO) role can be held by one individual or by a team.
The obligation applies regardless of size or sector; the following are examples of organisations that must appoint a DPO:
- A hospital processing large sets of sensitive data;
- A security company responsible for monitoring shopping centres and public spaces;
- A small headhunting company that profiles individuals.
Who can be a DPO?
A DPO must be competent in data protection, adequately resourced, and should report to, or be part of, the organisation's senior management. The DPO can be an existing employee or an externally appointed service provider.
What are the roles of a DPO?
In Singapore, Data Protection Officers (DPOs) play a critical role in ensuring that organisations comply with the Personal Data Protection Act (PDPA). The PDPA was enacted to govern the collection, use, and disclosure of personal data by organisations in Singapore.
The key responsibilities of a DPO in Singapore include:
- Advising the organisation: The DPO provides advice and guidance to the organisation's management and employees on matters related to the protection of personal data, including compliance with the PDPA and related regulations.
- Monitoring compliance: The DPO is responsible for ensuring that the organisation complies with the PDPA and related regulations. This includes reviewing policies and procedures, conducting data protection impact assessments, and monitoring for data breaches.
- Data protection training: The DPO conducts regular training sessions for the organisation's employees on the importance of data protection and the proper handling of personal data.
- Responding to data breaches: The DPO maintains a clear plan for responding to data breaches, including assessing whether a breach is notifiable and notifying the Personal Data Protection Commission (PDPC) and affected individuals in a timely manner. The PDPA requires a notifiable breach to be reported to the PDPC within three calendar days of the organisation assessing that it is notifiable.
- Liaising with the PDPC: The DPO is the main point of contact between the organisation and the PDPC on matters related to personal data protection, including responding to PDPC queries and notifying the PDPC of breaches.
- Conducting Data Protection Impact Assessments (DPIAs): The DPO identifies and analyses the risks associated with the organisation's data processing activities, particularly new systems or processes, and recommends measures to mitigate them.
- Implementing data protection policies and procedures: The DPO develops, implements and reviews the organisation's data protection policies and procedures. These should align with the PDPA and related regulations and provide clear guidance on handling personal data.
- Managing data subject requests: The DPO manages requests from individuals, including requests for access to and correction of their personal data and withdrawals of consent, and ensures that such requests are handled in a timely and compliant manner.
- Conducting data protection audits: The DPO conducts regular audits of the organisation's data protection practices to identify gaps or areas for improvement, helping the organisation remain compliant with the PDPA and related regulations.
- Maintaining records: The DPO maintains records of the organisation's data processing activities, including the types of personal data collected, the purposes for processing, and any third-party disclosures. These records should be available to the PDPC on request.
In summary, the DPO plays a critical role in ensuring that the organisation complies with the PDPA and related regulations, and that personal data is processed in a responsible and secure manner. The DPO should have a thorough understanding of the PDPA and related regulations and be able to provide guidance and support to the organisation on data protection matters.
What is the penalty for any breach of the PDPA?
From 1 October 2022, an organisation that breaches the PDPA may face a financial penalty of up to SGD 1 million or, where the organisation's annual turnover in Singapore exceeds SGD 10 million, up to 10% of its annual Singapore turnover, whichever is higher.
For large organisations, penalties under the PDPA can therefore be more stringent than under the GDPR, which imposes fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.
The amended PDPA also makes it a criminal offence for individuals (including employees) to knowingly or recklessly mishandle personal data, or to re-identify anonymised information without authorisation. The offence is punishable by a fine of up to SGD 5,000, imprisonment of up to two years, or both.
Does the PDPA cover B2B databases?
The PDPA's data protection obligations do not apply to business contact information, which includes an individual's name, business title, business telephone number, business address, and business email address.
Such contact information is made available to facilitate commerce and trade, so organisations are not required to obtain consent before collecting, using, or disclosing it.
In addition, organisations sending business-to-business (B2B) marketing messages by phone call, SMS, or fax are exempt from the Do Not Call (DNC) Registry provisions for those messages.
Step into the captivating world of AI Marketing
Download Your FREE eBook: AI Marketing Decoded: A Comprehensive Guide for Modern Marketers
As we begin this comprehensive guide, our mission is to equip you, the modern marketer, with a wealth of knowledge, strategies, and resources to harness the immense power of AI Marketing. Whether you're an experienced professional looking to enhance your marketing expertise or a curious newcomer intrigued by the potential of AI, this e-book is tailored to meet your needs and aspirations.
No matter if you're a small business owner aiming for growth, a marketing manager striving to boost your team's performance, or an entrepreneur on the brink of launching a new venture, AI Marketing offers a boundless array of opportunities. It's a realm where the fusion of creativity and data, the convergence of innovation and strategy, and the limitless options are limited only by your imagination.
Get ready for an exhilarating ride as we embark on a thrilling exploration of the history, present, and future of AI Marketing. This journey is guaranteed to ignite inspiration, enlighten your perspective, and empower you with the knowledge to conquer the world of modern marketing.
Fill in your name and business email address to gain immediate access to your free eBook.
FREQUENTLY ASKED QUESTIONS
Why do I need to fill out the information requested?
We will always keep your personal information safe. We ask for your information in exchange for a valuable resource in order to (a) improve your browsing experience by personalizing the iSmart Communications Pte Ltd site to your needs; (b) send information to you that we think may be of interest to you by email or other means; (c) send you marketing communications that we think may be of value to you. You can read more about our privacy policy here.
Is this really free?
Absolutely. Just sharing some free knowledge that we hope you’ll find useful. Keep us in mind next time you have marketing questions!