Recent PDPA Amendments - w.e.f. 1 Feb 2021

May 4 2021
Stone Forest IT

 

From 1 February 2021, the following three key changes to the Singapore Personal Data Protection Act (PDPA) will take effect in phases:

1.  Mandatory data breach notification


A data breach is deemed to be of a significant scale (and therefore notifiable) if the data breach affects 500 or more individuals.

Who and when to notify?

  • Organisations must notify PDPC no later than three calendar days after the data breach has been identified.
  • Affected individuals must also be notified as soon as practicable, at the same time or after notifying the PDPC. 

What to notify?
See regulations on notification of data breaches for a prescribed list of minimum information that the notification must contain.

 

2.  Introduction of offences concerning mishandling of personal data by individuals

Individuals will be held accountable for knowingly or recklessly committing any unauthorised:

  •  Disclosure of personal data
  •  Use of personal data for wrongful gain or causing a wrongful loss to any person
  •  Re-identification of anonymised data.

The penalty is a maximum fine of SGD 5,000, a maximum of two years' imprisonment, or both.

 

3.  Expansion of consent framework

The two new ways consent can be given are:

  • Contractual necessity
  • Notification 

The new exceptions that remove the need for consent are:

  • Legitimate interests
  • Business improvement
  • Research purposes

Other notable upcoming changes, expected to take effect in the coming months:

 

4.  Increased financial penalties

Up to 10% of an organisation's annual turnover in Singapore, or SGD 1 million, whichever is higher.


5.  The right to data portability

Organisations must, at the request of an individual, transmit an individual’s personal data that is in the organisation’s possession or under its control, to another organisation in a common machine-readable format.



KEY TAKEAWAYS
 

Continuous review of existing data protection policies and procedures must be carried out to ensure the organisation is prepared and always compliant.

Data breach management plans must be updated to reflect new requirements on mandatory data breach notifications.

Internal communications and training should also be conducted regularly to keep staff informed of the latest updates, requirements and data breach threats.

 

For a more in-depth understanding of the recent PDPA amendments and how they will affect your business and data handling processes, do have a chat with us.

For more information about how you can get DPO advisory and simplify your data protection program, learn more about DPO2SME.

Source: PDPC’s announcement; the gazetted Commencement Notification


