From 1 February 2021, the following three key changes to the Singapore Personal Data Protection Act (PDPA) will take effect in phases:
1. Mandatory data breach notification
A data breach is deemed to be of a significant scale (and therefore notifiable) if the data breach affects 500 or more individuals.
Who and when to notify?
- Organisations must notify PDPC no later than three calendar days after the data breach has been identified.
- Affected individuals must also be notified as soon as practicable, at the same time or after notifying the PDPC.
What to notify?
See regulations on notification of data breaches for a prescribed list of minimum information that the notification must contain.
2. Introduction of offences concerning mishandling of personal data by individuals
Individuals will be held accountable for knowingly or recklessly committing any unauthorised:
- Disclosure of personal data
- Use of personal data for wrongful gain or causing a wrongful loss to any person
- Re-identification of anonymised data.
Penalties: a maximum fine of SGD 5,000, imprisonment of up to two years, or both.
3. Expansion of consent framework
The two new ways consent can be given are:
- Contractual necessity
The new exceptions that remove the need for consent are:
- Legitimate interests
- Business improvement
- Research purposes
Other notable upcoming changes, expected to take effect in the coming months:
4. Increased financial penalties
Up to 10% of an organisation's annual turnover in Singapore, or SGD 1 million, whichever is higher.
5. The right to data portability
Organisations must, at the request of an individual, transmit an individual’s personal data that is in the organisation’s possession or under its control, to another organisation in a common machine-readable format.
Continuous review of existing data protection policies and procedures must be carried out to ensure the organisation is prepared and always compliant.
Data breach management plans must be updated to reflect new requirements on mandatory data breach notifications.
Internal communications and training should also be conducted regularly to keep staff informed of the latest updates, requirements and data breach threats.
For a more in-depth understanding of the recent PDPA amendments and how they will affect your business and data-handling processes, do have a chat with us.
For more information about how you can get DPO advisory and to simplify your data protection program, learn more about DPO2SME.
Source: PDPC’s announcement; the gazetted Commencement Notification