11 PDPA obligations: Why ‘POPCORN' matters

2022-02-11

By Benjamin Shepherdson, Leong Wai Chong


The Personal Data Protection Act (PDPA) is a pivotal piece of legislation in Singapore, designed to safeguard the privacy of individuals by regulating the management of personal data. Enacted on July 2, 2014, the PDPA applies to all organisations, regardless of their size, that handle personal data within the country.

The act outlines 11 key data protection obligations that organisations must adhere to, ensuring they collect, use, and disclose personal data responsibly and transparently. These obligations serve not only to protect individuals' privacy rights but also as a protection standard to foster trust between organisations and their customers. Understanding and complying with these obligations is essential for businesses in Singapore, as it helps mitigate potential legal risks and enhances their reputation in an increasingly data-driven world.

The 11 PDPA obligations

Meeting these 11 obligations is what's expected of a Data Protection Officer (DPO), so it is imperative to learn these 11 Data Protection Act obligations by heart!

Get an operational perspective of the Singapore PDPA by attending our one-day course here.

1. Purpose limitation obligation:

You must collect, use, or disclose personal data only for purposes which are reasonable to provide your product or service, or for which you have been granted consent.

2. Consent obligation: 

You must obtain consent for your specific purpose before you can collect, use, or disclose personal data. You must allow individuals to withdraw their consent when they wish to do so.

3. Accountability Obligation: 

You are responsible for the personal data entrusted to you by your customers and employees. You demonstrate this responsibility by making sure you comply with the 11 PDPA obligations. You ensure compliance by appointing a DPO and implementing data protection policies, among many other best practices for data protection (which you can learn about in our DPEX courses!).

4. Notification obligation: 

Your customers or employees must always be informed or notified of your privacy policy, or the purpose for collecting, using, or disclosing their personal data.

5. Transfer Limitation Obligation: 

You must ensure that the cross-border transfer of personal data is done securely and responsibly, according to the guidelines of regulating bodies.

6. Retention Limitation Obligation: 

You must not retain or keep any personal data that is no longer needed to fulfil any business purpose. You must dispose of the data accordingly.

7. Accuracy Obligation: 

Make sure that the personal data in your possession is accurate and complete, especially when that data will be used to make decisions about the individual.

8. Protection Obligation: 

The most commonly violated obligation. You must take measures to actively secure the personal data in your possession from unauthorised access, collection, use, or disclosure.

9. Access and Correction Obligation: 

You must allow an individual to access their personal data upon request, including records of how that data has been used or disclosed. You must correct errors in your personal data records and relay these corrections to any other organisations with which you have previously shared or disclosed the data.

10. Data Protection Notification Obligation: 

You should notify both the affected individuals and the PDPC when a data breach occurs, especially when the breach may cause harm or if a large number of individuals are affected.

11. Data Portability Obligation: 

When an individual requests the transfer of their data, you must transfer the data to another organisation in a commonly used machine-readable format. (We are still waiting for the PDPC to issue regulations for this obligation. The Data Portability Obligation will be enforced once the regulations are released.)

The DPO's role

DPOs play a crucial role in helping organisations comply with the 11 personal data protection obligations. Here's how DPOs assist with each of these key obligations:

1. DPOs can develop clear policies and procedures for obtaining and documenting consent from individuals before collecting, using, or disclosing their personal data. They can also conduct training sessions to educate staff on the importance of consent and how to obtain it appropriately.

2. DPOs are responsible for ensuring that the organisation implements reasonable security arrangements to protect personal data. This includes conducting risk assessments, recommending security measures (such as encryption and access controls), and overseeing the training of employees on data protection best practices.

3. DPOs can establish and enforce data retention policies to ensure that personal data is only retained for as long as necessary. They can help identify when data is no longer needed and oversee its proper disposal or anonymisation.

4. DPOs must ensure that any transfer of personal data outside of Singapore complies with the PDPA’s requirements, assessing the adequacy of data protection in the recipient country and implementing appropriate safeguards such as contractual clauses.

5. DPOs can help organisations develop and communicate clear policies regarding personal data protection, ensuring that these policies are easily accessible to stakeholders. They can also facilitate transparency by responding to inquiries about the organisation’s data practices.

6. DPOs serve as the point of contact for compliance with the PDPA and are responsible for monitoring adherence to data protection policies. They can implement training programs and audits to ensure ongoing compliance and accountability across the organisation.

7. DPOs can establish procedures for individuals to access their personal data and request corrections. They will ensure that these processes are user-friendly and comply with the PDPA’s timelines and requirements.

8. DPOs can lead the organisation in conducting DPIAs when introducing new projects or data processing activities that may impact personal data protection, ensuring risks are identified and mitigated beforehand.

9. DPOs can regularly review and update the organisation’s data protection practices to reflect changes in laws, regulations, or organisational processes, ensuring ongoing compliance with the PDPA.

10. DPOs act as the primary liaison with the Personal Data Protection Commission (PDPC). They can facilitate communication, respond to inquiries, and ensure that the organisation cooperates with any investigations or audits conducted by the PDPC.

What does 'POPCORN' have to do with the PDPA?

Can't seem to remember all these data protection obligations? Don't know where to start applying them? We created an easy way for you to learn these obligations by heart. Check it out here!

Just remember 'POPCORN EXTRAS, ADD (butter)', a pun on popcorn that doubles as a memory aid! Every time you collect personal data, ask yourself these POPCON questions to ensure that you are fulfilling your 11 obligations under the PDPA.

To view the full infographic, use this link: https://www.dpexnetwork.org/research/infographics-11-data-protection-obligations-under-pdpa-popcon-add

For other Foundation courses on data protection, go to https://www.dpexnetwork.org/courses
