1. Mandatory data breach notification
A data breach is deemed to cause significant harm (and is therefore notifiable) if it results in the compromise of an individual’s full name, national identification number or account information.
A data breach is also deemed notifiable if it is of a significant scale, i.e. if the data breach affects 500 or more individuals.
Who and when to notify?
- Organisations must notify PDPC no later than three calendar days after the data breach has been identified.
- Affected individuals must also be notified as soon as practicable, at the same time or after notifying the PDPC.
What to notify?
See regulations on notification of data breaches for a prescribed list of minimum information that the notification must contain.
2. Introduction of offences concerning mishandling of personal data by individuals
Individuals will be held accountable for knowingly or recklessly committing any unauthorised:
- Disclosure of personal data
- Use of personal data for wrongful gain or causing a wrongful loss to any person
- Re-identification of anonymised data.
The penalty is a maximum fine of SGD 5,000, a maximum of two years’ imprisonment, or both.
3. Expansion of consent framework
The two new ways consent can be given are:
- Contractual necessity
The new exceptions that remove the need for consent are:
- Legitimate interests
- Business improvement
- Research purposes
Other notable upcoming changes, expected to be implemented once regulations are issued:
4. Increased financial penalties
Up to 10% of an organisation’s annual turnover in Singapore, or SGD 1 million, whichever is higher. This higher financial penalty cap will take effect no earlier than 1 February 2022.
5. The right to data portability
Organisations must, at the request of an individual, transmit the individual’s personal data that is in the organisation’s possession or under its control to another organisation in a common machine-readable format.