Linkedin Twitter Facebook-f Instagram Youtube
IMC Logo
Contact Us
IMC Logo

All you need to know about PDPA compliance in Singapore

Personal Data Protection Act, commonly known as PDPA is a general data protection law in Singapore that specifies mandatory requirements for personal data protection and handling. The Personal Data Protection Commission (PDPC) is the regulatory body that ensures PDPA compliance in Singapore.

The objective of PDPA is framing policies and procedures for collecting, using and disclosing personal data and empowering individuals for more effective and better control of their data. Organisations are mandated for establishing reasonable purposes when collecting, using and disclosing personal data.

Start your journey toward successful business

We have a great professional team. We’re able to provide best support through your business journey

Personal data is defined as information about an individual which helps in identifying that individual and accessing other information about the individual.

An act to govern and administer personal data collection, usage and disclosure by organisations is known as PDPA in Singapore. It functions as a baseline standard for personal data protection and supports sector-specific regulatory frameworks including Banking and Insurance Acts.

Singapore PDPA compliance needs organisations to comply with specific requirements for collection, use, disclosure and care of personal data in Singapore.

In today’s world, huge amounts of personal data are collected, used and even transferred to third-party organisations daily for a variety of reasons and are growing exponentially as the processing and analysis of large amounts of personal data becomes possible with sophisticated technology and computing power.

However, the usage of large personal data poses concerns to individuals and authorities about their data usage and disclosure. The concerns about personal data are driving data protection regimes for framing appropriate policies for the governance of personal data.

The PDPA also focuses on promoting Singapore’s competitiveness as a trusted business hub to foreign investors, authorities and consumers by enacting mandatory PDPA compliance in Singapore.

The PDPA recognises both the need to protect individuals’ data and the need of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.

Singapore PDPA compliance is also necessary to safeguard sensitive personal data from any misuse and fraudulent act.

Personal data stored both in electronic and non-electronic formats comes under the purview of PDPA with the following exemptions applied.

  • Individuals acting on a personal or domestic capacity
  • Individuals acting as employees with an organisation
  • Public agencies about the collection, use or disclosure of personal data
  • Business contact information including individual’s name, position, title, business telephone number, business address, business email, business fax number and any similar information

 

Different types of data protection obligations apply to business organisations specifying regulatory requirements for PDPA compliance in Singapore when they perform activities relating to the collection, use or disclosure of personal data.

How has PDPA evolved in Singapore?

The chronological order of events that took place about personal data protection and Singapore PDPA compliance are as under

  • On 2nd January 2013, the PDPC was established
  • On 2nd July 2014, the DNA Registry provisions were introduced
  • On 2nd November 2020, the amendments to PDPA were tabled
  • From 1st February 2021, the amended and enhanced PDPA was put into force

How does the Personal Data Protection Act (PDPA) work?

Once sector-specific legislation and regulatory frameworks are critically reviewed, a reference standard for personal data protection is usually drawn across the entire economy by the PDPC for documenting PDPA.

Singapore PDPA compliance becomes mandatory for organizations including compliance with common and industry/sector-specific regulations while handling personal data within their reach.

The below-mentioned aspects are the prime considerations of the PDPA while putting into force

Consent

Personal data can only be collected, used or disclosed by organisations with the individual’s knowledge and consent with a few exceptions

Purpose

Personal data can only be collected, used or disclosed with specific purposes and in an appropriate manner for the circumstances and only when organisations keep the individuals appraised of such purposes

Reasonableness

Personal data can only be collected, used or disclosed by organisations for purposes considered appropriate to a reasonable person in the given circumstances

What are the business obligations under PDPA?

There are nine obligations for organisations dealing with personal data specified under PDPA and include the following

Consent obligation

Purpose limitation obligation

Notification obligation

Access and correction obligation

Accuracy obligation

Protection obligation

Retention limitation obligation

Transfer limitation obligation

Openness obligation

How do companies comply with PDPA Obligations?

Singapore Personal Data Protection Commission (PDPC) in its endeavour to make the compliance obligations more comprehensive, issued a 10 step PDPA checklist for Singapore PDPA compliance. The steps are

  • Employing a Data Protection Officer to liaise with PDPC on data protection measures
  • Notifying Purposes of data collection and seeking the consent of individuals before collection of personal data
  • Allowing corrections of personal data provided under section 22 (4) of the PDPA as appropriate
  • Securing personal data by establishing data security policies and employee training
  • Responding to individuals' queries on personal data
  • Deleting personal data no longer required
  • Protecting personal data when transferring to foreign countries
  • Effectively Managing service providers handling personal data
  • Checking the Do Not Call (DNC) if organizations are involved in telemarketing
  • Ensuring company-wide PDPA awareness and communicating personal data protection policies, procedures and processes

Why should an organisation opt for PDPA Compliance?

Businesses demonstrating PDPA compliance in Singapore are treated with more respect and enjoy enhanced customer loyalty.

It also creates a more trusting environment amongst employees, customers and other stakeholders.

Singapore PDPA compliance can help businesses improve overseas market share and avoid regulatory penalties imposed by authorities.

We’ve been
helping customers globally.

Book a consultation appointment with our professionals now.

We’ve been
helping customers globally.

Book a consultation appointment with our professionals now.

What our customers are saying

Best Consultant to set up company in Singapore. Excellent team of People. Perfectly oriented and guided by team. Best in the country as well as business.

— Karan Patel

We have been taking IMC service more more than a year now. They have been completely professional in their approach and they give us an overall perspective for each query we have.

— Monisha Wadhwa

We approached IMC for our trademark applications and have been working closely with Mayuri from the IMC team in Singapore. We had an absolutely stress-free experience.

— Anjana Singhvi

IMC Singapore is one of the best Consultant to set up company in Singapore, they have an excellent team of People who guide you right from the begining to start up new company in Singapore .

— Saket Brijendra

Have any project
in mind?

Let's Talk
about your project

Book a consultation appointment with our professionals now.

Reach us at

+65-91269927

A Member Firm of Andersen Global

Get updated by Signup
to our Newsletter!

Get updated by Signup
to our Newsletter!

IMC Logo
Get Updated by Signup to Our Newsletter

Get Started

About

Locations

IMC Logo

Get Started

About

Locations