Does your website comply with the PDPA and privacy and personal data law?

by 11 July 2021Corporate & Commercial, Knowledge & Insights

As more and more businesses are accelerating their digital adoption and moving their business presence online, it’s become increasingly imperative that companies ensure the security of their websites against cyber-attacks and data breaches. Ensuring that your company website complies with local personal data and privacy laws as laid out by the Personal Data Protection Act (PDPA) is critical to avoiding hefty fines and expensive criminal cases down the road should a breach occur.

What is the Personal Data Protection Act (PDPA)?

The PDPA governs the collection, use, and disclosure (collectively called “processing”) of personal data by organisations in Singapore. It was enacted in 2012 to protect the data rights of individuals, and places a burden of care on companies to safeguard the security of personal data flowing within their organisation.

According to the PDPA, a piece of data is considered “personal data” if:

  1. a person can be identified using that data alone (often referred to as “unique identifiers”; or
  2. a person can be identified using that data combined with any other information the organisation has or is likely to have access to.

Examples of what constitutes personal data include an individual’s:

  • Full name
  • NRIC number
  • Passport number
  • Personal mobile telephone number
  • Emails and text messages
  • Residential or business address
  • Occupation and educational qualifications
  • Facial image or recording
  • Voice recording
  • Fingerprint

Why you should care about having a comprehensive Privacy Policy

The latest revisions to the PDPA that came into effect on 1 February 2021 have strengthened the enforcement powers of the Personal Data Protection Commission (PDPC) and introduced new criminal offences for individuals who mishandled personal information. If found guilty, the penalty is a fine of up to $5,000, imprisonment of up to 2 years, or both. And remember – ignorance is not a valid defence.

Currently, businesses that fail to discharge their obligations under the PDPA are subject to a maximum financial penalty of 10% of the annual turnover or $1 million, whichever is higher. This figure is expected to increase soon.

This makes it critical for you to ensure that your Privacy Policy is comprehensive enough to cover all requirements of the PDPA. A Privacy Policy is a legally binding statement on your website declaring how your company will handle the personal data collected from visitors, and serves as a notification to them of what types of data you are collecting.

Dos and Don’ts of your Privacy Policy

To safeguard your company and ensure that you are in compliance with the PDPA, it is important that you do the following:

1. Notify your customers and seek consent regarding the collection and use of data

To comply with the Notification Obligation, you are required to inform visitors to your website about which types of personal data are being collected and how they will be used and/or disclosed.

You will then need to obtain consent from them before you proceed. Implementing this on your website can come in the form of a popup explaining “Our website uses cookies”, and then allowing the visitor to choose either “I understand and accept” or “I do not accept”.

2. Provide access to the data

Under the Access and Correction Obligation, you are required to allow visitors to access their personal data to rectify any errors or omissions.

3. Do your due diligence to ensure the data is protected

Businesses have a responsibility to ensure that any personal data held by them is secure, and this includes any cybersecurity measures, privacy processes, or internal regulations necessary to protect customer data.

4. Don’t retain information when it is no longer required

Under the Retention Limitation Obligation, should there no longer be any use for the personal data in regard to business or legal purposes, you should refrain from withholding this information.

5. Be transparent about data breaches

Under the Data Breach Notification Obligation, it is now mandatory for you to disclose any data breaches to the PDPC and any affected individuals.

6. State your business contact information

To comply with the Accountability Obligation, it is mandatory to remain open to share information about your company’s data protection policies, practices, and processes upon request by customers.

It’s also necessary that you appoint at least one Data Protection Officer (DPO) for your business and have their contact information, such as email or phone number, made available to the public. This contact information can be included in the Privacy Policy.

Hire a corporate lawyer today to avoid needing a criminal lawyer tomorrow

Cybersecurity risks are escalating rapidly, and it’s important to get privacy protection right from the get-go. The Cyber Security Agency of Singapore reported 47,500 cases of phishing in Singapore in 2019, and the number of ransomware detections in Singapore jumped 45% in H2 2020 compared to H1.

Need help ensuring your Privacy Policy is as watertight as can be? Our corporate lawyers are well-versed in all areas related to business law and the PDPA. Contact us today for a consultation. And if you are undergoing any personal legal implications as a result of a data breach at your company, our team of highly experienced criminal lawyers is here to help.

About the author

About the author

Jonathan Wong

Jonathan is the Founder and Managing Director of Tembusu Law. He is also the founder of LawGuide Singapore, a prominent legaltech startup which successfully created and launched Singapore’s first legal chatbot in 2017.


We'll always make time for you. Tell us what's on your mind and we'll find a way to help.