PDPA Compliance (SG)

Patrick Oh
4 min read · May 7, 2022


Personal Data Protection is gaining importance, especially in the Digital Era we are living in. The momentum started after the European Union launched the General Data Protection Regulation (GDPR) in May 2018. This set off a series of waves, with more and more countries, including those in Asia, hopping onto the Privacy regime: countries that already have a Privacy regulation known as the Personal Data Protection Act (PDPA) began to emphasise PDPA compliance, including enforcement against organisations that violated the PDPA, while countries without a Privacy regulation are planning to launch theirs. China’s President Xi announced the Personal Information Protection Law (PIPL) in 2020, and it was officially launched on 1st November 2021.

So in short, for the world’s three top economies, we have the following:

Europe: GDPR | Asia: PDPA | China: PIPL

So what exactly is this mandatory Privacy Protection Regulation all about?

The Privacy Protection Regulation requires an organisation, or an individual functioning as an organisation (e.g. freelancers, MLM marketers, agents, etc.), to comply with the obligations for the Collection, Storage, Use and Disclosure of personal data. The regulation helps organisations enhance their existing data process flows so that the personal data they process is properly managed and protected. It helps an organisation build trust with its customers, facilitates cross-border transfer of personal data, and gives the data subject (the individual) greater control over their personal data.

In this article, I will be explaining based on the PDPA (Singapore) requirements. It will help organisations in Singapore to understand the requirements, and also foreign organisations working with Singapore organisations.

Under the PDPA (Singapore), there are Eleven obligations to observe, and I have placed them along the data flow processes as shown:

Designed by Patrick Oh

So how do you get started on bringing your organisation into compliance with the PDPA?

  1. Appoint a DPO and register him/her in ACRA-BizFile.
  2. Appoint departmental heads as Executive DPOs (eDPOs); they are the experts in their departmental processes.
  3. Collection: Think through whose personal data you are going to collect (staff, leads/prospects, customers, vendors, etc.) and the Purpose for collecting it (e.g. recruitment, employment, prospecting, customer support, etc.). Then write out the Notice that informs individuals of the purpose for collecting their personal data, together with the other required information, and place this Privacy Notice on the website. Next, design the Consent Form so that you have evidence of Consent. Consider also how to ensure Accuracy.
  4. Storage: Check where the data is Stored, whether on your computer, a mobile hard disk, cloud storage, etc. Check also the location of the website server and whether you use the website to collect personal data. Keep track of the Retention period in the Data Inventory Map. Digitalising all your data is beneficial for managing your organisation, so find ways of converting your data into a machine-readable format. Create an Access and Correction SOP or procedure for handling data subjects’ requests to access and update their personal data.
  5. Use and Disclosure: Consider the potential risks when using the personal data and introduce relevant controls to mitigate them. If you need to disclose personal data to an organisation outside Singapore, which is known as Transfer, ensure consent is obtained and that the organisation in the other country has the same standard of data protection as is required in Singapore. You can do that by helping them set up their PDPA compliance and conducting training for them to enhance their existing data flow processes. Create a Dispute Resolution Plan too, to handle any dispute related to personal data.
  6. Disposal: Set up a proper way to dispose of personal data too. If it is a paper document, shred it; if it is a digital device or file, learn how to do it correctly, or get a licensed service provider to do it if the volume of data to be disposed of is large.

Finally, create a Breach Management SOP, which will also include the Breach Notification plan. The requirement is to inform the PDPC and the affected individuals within 72 hours. A breach is notifiable under the PDPA when it will cause significant harm to the individual or when more than 500 data subjects are involved.

All of the above will be recorded in the Data Protection Management Programme (DPMP). In summary, the following is the documentation you need to put in place:

  • DPO / eDPO appointment letters and DPO Team Org Chart
  • Brief description of your organisation’s Scope (related to data)
  • Your organisation’s Data Flow diagram and Data Inventory Map
  • Notices: Privacy Notice (website), plus other notices based on the purposes
  • Various Consent Forms
  • Documentation of the various Storage and Protection controls
  • Access and Correction Procedure / SOP / System
  • Dispute Resolution Plan
  • Training and Communication Plan / Schedule
  • Transfer SOP, if personal data needs to be transferred out of Singapore
  • Breach Management SOP

It will take an organisation a few months to put all of this together alongside its existing workload. Another way is to engage a Privacy Consultant to help you with all of this, and have your DPO team work closely with the consultant throughout the process as part of their training and familiarisation with PDPA Compliance for the organisation.

This is a video I have created:

Hope this article gives you a good overview of how to get your organisation to comply with the PDPA. Follow me or ask me questions pertaining to Privacy Protection. I am also familiar with the GDPR and PIPL.


Patrick Oh

Patrick is a Singapore Certified Management Consultant providing PDPA consultancy, Performance Management, Solutions Design and Community Development.