As more businesses accelerate their digital adoption and move their business presence online, it has become increasingly imperative that companies secure their websites against cyber-attacks and data breaches. Ensuring that your company website complies with local personal data and privacy laws as laid out in the Personal Data Protection Act (PDPA) is critical to avoiding hefty fines and expensive criminal proceedings down the road should a breach occur.
What is the Personal Data Protection Act (PDPA)?
The PDPA governs the collection, use, and disclosure (collectively called “processing”) of personal data by organisations in Singapore. It was enacted in 2012 to protect the data rights of individuals, and places a burden of care on companies to safeguard the security of personal data flowing within their organisation.
According to the PDPA, a piece of data is considered “personal data” if:
- a person can be identified from that data alone (such data is often referred to as a “unique identifier”); or
- a person can be identified from that data combined with any other information the organisation has or is likely to have access to.
Examples of what constitutes personal data include an individual’s:
- Full name
- NRIC number
- Passport number
- Personal mobile telephone number
- Emails and text messages
- Residential or business address
- Occupation and educational qualifications
- Facial image or recording
- Voice recording
The latest revisions to the PDPA, which came into effect on 1 February 2021, have strengthened the enforcement powers of the Personal Data Protection Commission (PDPC) and introduced new criminal offences for individuals who knowingly or recklessly mishandle personal data, such as disclosing it without authorisation, using it for an improper purpose, or re-identifying anonymised data. If found guilty, the penalty is a fine of up to $5,000, imprisonment of up to 2 years, or both. And remember – ignorance is not a valid defence.
Under the amended Act, businesses that fail to discharge their obligations under the PDPA face a maximum financial penalty of 10% of their annual turnover in Singapore (for organisations with annual turnover exceeding $10 million) or $1 million, whichever is higher. Before the amendments, the cap was $1 million.
To safeguard your company and ensure that you are in compliance with the PDPA, it is important that you do the following:
1. Notify your customers and seek consent regarding the collection and use of data
To comply with the Notification and Consent Obligations, you are required to inform visitors to your website which types of personal data are being collected and the purposes for which they will be used and/or disclosed, and to obtain their consent before collecting, using or disclosing the data for those purposes.
2. Provide access to the data
Under the Access and Correction Obligation, you are required, on request, to provide individuals with the personal data you hold about them (together with information on how it has been used or disclosed within the past year) and to correct any errors or omissions in that data.
3. Do your due diligence to ensure the data is protected
Under the Protection Obligation, businesses must make reasonable security arrangements to protect the personal data in their possession or control against unauthorised access, collection, use, disclosure, copying, modification or disposal. This includes the technical cybersecurity measures, privacy processes, and internal policies necessary to protect customer data.
4. Don’t retain information when it is no longer required
Under the Retention Limitation Obligation, you must cease to retain personal data, or anonymise it, once it is reasonable to assume that the purpose for which it was collected is no longer served by keeping it and that retention is no longer necessary for legal or business purposes.
5. Be transparent about data breaches
Under the Data Breach Notification Obligation, it is now mandatory to assess any data breach and to notify the PDPC of breaches that result in, or are likely to result in, significant harm to affected individuals, or that affect 500 or more individuals. Notification to the PDPC must be made within three calendar days of determining that the breach is notifiable, and affected individuals must also be notified where the breach is likely to cause them significant harm.
6. State your business contact information
To comply with the Accountability Obligation, you must designate at least one individual (commonly called a Data Protection Officer) to be responsible for your PDPA compliance and make that person’s business contact information available, and you must develop and implement data protection policies and practices and be prepared to share information about them upon request by customers.
Hire a corporate lawyer today to avoid needing a criminal lawyer tomorrow
Cybersecurity risks are escalating rapidly, and it’s important to get privacy protection right from the get-go. The Cyber Security Agency of Singapore reported 47,500 Singapore-linked phishing URLs in 2019, and the number of ransomware detections in Singapore jumped 45% in the second half of 2020 compared to the first half.