Following on from part one of our guide to the Singapore PDPA, we discuss further how important it is for your organisation to achieve PDPA compliance.
Data Protection Obligations
Outside of the DNC, PDPA lists nine core obligations that organisations must meet when collecting, processing and disclosing data.
1: Consent
Consent must be gained from an individual in order to collect, process or disclose their data.
Similar to the “Right to Be Forgotten” under GDPR, individuals can withdraw their consent at any time and organisations must comply with this withdrawal.
2: Purpose limitation
Businesses must only collect, use, or disclose an individual’s personal data for the specific purpose that the individual has consented to, unless an exemption applies (for example, a contract or a legal obligation).
3: Notification
The business must inform individuals of the purposes for which their data will be collected, used, or disclosed.
4: Access and correction
Similar to data subject access requests, individuals have the right to request what data of theirs your organisation possesses or has control of. They can also request details on how that data has been used or disclosed within the past year.
Organisations are legally obligated to comply with those requests, and to amend any errors or omissions unless it is reasonable not to.
5: Accuracy
Businesses must make every reasonable effort to ensure that the personal data they collect is accurate and complete if that data is going to be used to make decisions which affect the individual to whom the data relates, or if that data is going to be disclosed to another organisation.
6: Protection
Reasonable security measures must be put in place to protect any personal data which is collected. This must include technical, organisational, and any other measures as appropriate.
7: Retention limitation
Organisations must only retain personal data for as long as is necessary to carry out business or legal functions.
8: Transfer limitation
If personal data is being transferred internationally, including being stored with cloud services based overseas, then the transfer must meet specific requirements laid out by PDPA.
9: Openness
Organisations must make information publicly available about the policies and procedures they use to ensure PDPA compliance.
If you’re familiar with GDPR, you’ll no doubt see some similarities between the two laws when it comes to data protection obligations.
Naturally, this creates some opportunity to streamline compliance measures which can result in long-term cost savings and greater efficiency.
Data protection consultancy can help you identify key areas for such streamlining.
What role does a Data Protection Officer play in PDPA?
One key area of difference between PDPA and GDPR is the role of the Data Protection Officer (DPO).
Under GDPR, only organisations that meet certain criteria are required to appoint a DPO.
Our recent guide to hiring a DPO for your organisation lists what these criteria are.
Under PDPA, however, all businesses are required to appoint a DPO, even if they are an SMB or sole trader.
This DPO can be someone whose sole responsibility within an organisation is to manage data protection or it can be someone who combines DPO responsibilities with other key organisation tasks.
Businesses also have the option of outsourcing that role to a third-party DPO service.
The Singapore government has published guidelines for the role of the DPO, and Relentless Privacy & Compliance can help you determine the best option for appointing a DPO for your business.
Who does PDPA apply to?
With all this being said, the one remaining question concerns whether or not your business needs to comply with Singapore’s data protection law in the first place.
Like China’s Data Protection Standard, GDPR, and the California Consumer Privacy Act, PDPA applies to any organisation that deals with the personal data of individuals based in the territory where that law applies.
This is regardless of where that business is primarily located.
In other words, if you collect, use, or disclose the personal data of people in Singapore, PDPA applies to you, even if you’re not based in that country.
There are, of course, a small number of exceptions.
If you are a public agency (such as a government authority), then you are exempt from PDPA. Likewise, if your business collects, uses or discloses data on behalf of a public agency, then you too are exempt.
What to do if PDPA applies to your business
The most effective approach for any business faced with complying with multiple international privacy laws is to look at how you can avoid duplicating your efforts and create systems, policies and procedures which ensure frictionless compliance across the board.
For example, appointing a DPO to comply with PDPA could be as simple as extending the responsibilities of your existing GDPR DPO, while the technical security measures you have in place for one law could be equally effective in helping you comply with another.
If you’re not sure where to start with this, the good news is that Relentless Privacy & Compliance are here to help.
We provide a full range of data protection consultancy services tailored to ensure that, no matter where you are in the world, you can enjoy frictionless compliance with:
We can help with:
● Mapping between GDPR, PDPA and other laws to reduce the costs and complications of compliance.
● Acting as your organisation’s data protection representative in the EU if you’re based overseas.