By Shaun Jarmen, Industry Development Manager, Straits Interactive
2024 marks 10 years since Singapore’s Personal Data Protection Act (PDPA) came into full effect. Since then, numerous enforcement cases have dotted the Personal Data Protection Commission’s (PDPC) legacy and Act amendments have surfaced to fit the demands of changing times. So how has the regulation impacted businesses and how should Data Protection Officers (DPOs) chart their course to compliance?
Last week, my team and I held a talk to answer these very questions. I was joined by my colleagues, Industry Development Director Wendy Lim and Industry Development Manager Raani (Arunesaraani Arunasalam), as well as Baljit Singh, Assistant Vice President of Certification at Guardian Independent Certification Group (GICG), an Assessment Body (AB) for the Data Protection Trustmark (DPTM). In the session, we laid out the blueprint of the PDPA, examined compliance insights and discussed how DPOs may approach data privacy for the enterprise.
Enacted in 2012, the PDPA acts as a baseline law that sets out the rules and standards of protection on the collection, use, disclosure and storage of personal data so that organisational accountability and good data governance may be demonstrated. The Act not only recognises the right of consumers to protect their data, but the need of organisations to collect personal data as well.
The Act has come a long way since the landmark launch of the Do Not Call (DNC) Registry in 2014. Still, a central founding principle persists and shapes the provisions of the Singapore PDPA: Accountability. It refers to a risk-based approach to identifying, monitoring and responding to risks throughout the data life cycle. The obligations of the Act are divided according to the three broad phases of the data life cycle, with Accountability as the overarching theme entrenched within each of them.
The PDPA started out with 9 key obligations and that list has now expanded to include the Data Breach Notification and Data Portability obligations, bringing the total to 11.
While a Data Breach Management Plan has been required since the introduction of the DPTM in 2019, the addition of the Data Breach Notification obligation to the PDPA in 2021 has since made it mandatory to report a data breach to the PDPC within 72 hours of determining that it is notifiable (i.e. Significant Harm to Affected Individuals or Significant Scale). The Assessment Body will require you to have a well-implemented and tested Data Breach Management Plan, supplemented with regular tabletop simulations that are documented. PDPC has a CARE framework for breach responses, which we have adopted ourselves.
The Data Portability obligation will take effect only after the regulations are issued. At the request of the individual, organisations are required to transmit the individual’s data that is in the organisation’s possession or under its control, to another organisation in a commonly used machine-readable format.
The PDPC is also enhancing its penalty and enforcement regime to deter irresponsible behaviour, with new offences for individuals and increased penalties for organisations.
For data breaches, the financial penalty cap has increased to 10% of an organisation’s Annual Gross Turnover (AGTO) since 1 October 2022. Aligning with the MAS Act and the Public Sector Governance Act (PSGA), new offences are also introduced to hold individuals accountable in egregious mishandling of personal data in the possession of or under the control of an organisation.
The introduction of these offences does not detract from PDPC’s position to primarily hold organisations accountable for data protection. Organisations remain liable for the actions of their employees in the course of their employment with the organisations. The new offences are intended for knowing or reckless misconduct by individuals whose actions had not been authorised by the organisation.
To counteract the risk of data breaches and incurring these penalties, organisations must have a Data Protection Management Programme (DPMP) for developing, implementing and improving policies and practices to ensure employees of an organisation comply with the PDPA. This is essential to manifesting Accountability company-wide.
To this end, the PDPC has provided a 4-step framework for organisations to set up a DPMP. Note that responsibility does not rest with the DPO alone: organisational leaders also have a part to play in the success of the DPMP. They need to be involved in the identification of risks as part of their organisational risk management exercise.
While establishing a DPMP is critical to setting a baseline for your organisation’s data protection compliance, achieving a Data Protection Trustmark (DPTM) certification in Singapore attests to an organisation’s commitment to data protection.
There are a couple of best practices organisations can adopt in order to qualify for DPTM certification.
Having a library of Standard Operating Procedures (SOPs) for running your DPMP is foundational to maintaining consistency in execution and therefore to faring well during the DPTM assessment. It is common for SOPs to involve multiple departments, but it is also a common mistake for these to be siloed. As such, it is important that these SOPs are visible to those who are actually running the processes. This enables anyone enrolled in the data protection office to operate the DPMP successfully, and allows others to take over seamlessly if needed.
It is also recommended to adopt a systemised and automated tool to help you oversee the lifecycle of your DPMP. Documenting one’s Data Inventory Map or Process Map involves multiple stakeholders and large volumes of data. Traditional spreadsheets become unwieldy when you need to update them and produce them in an assessment. And it becomes particularly labour-intensive when you need to demonstrate that you have performed a Data Protection Impact Assessment (DPIA) for every new process or technology that interacts with personal data. All of this can be made more manageable with a data protection management platform that allows you to track the decisions made and the communication points established.
A formalised method for documenting risks and assessments, with actionable Risk Registers, also enables DPOs to aggregate similar risks across departments and recommend common controls, avoiding duplicated effort. Since management sign-off on a policy must be supported by documented events that necessitate that policy, having these events logged helps you secure that buy-in. Furthermore, such a system makes it easy to keep one’s Data Breach Management Plan updated to meet the requirements of the Data Breach Notification obligation.
New data privacy challenges have swept in for regulators and businesses amid the surge of interest in AI over the past year, and the DPO must step up to face the evolving world of AI Governance too.
Since March, there have been new governance developments in the EU and Singapore. Most notably, the PDPC published the finalised Advisory Guidelines on use of Personal Data in AI Recommendation and Decision Systems. While the Advisory Guidelines are not legally binding, the PDPC is likely to interpret and enforce the PDPA in a way that is consistent with them. As such, organisations are compelled to adhere to the Advisory Guidelines to ensure PDPA compliance for AI systems being developed or deployed. To keep up with the latest data governance requirements, privacy professionals must continually upskill themselves in AI Governance as well as understand responsible and ethical use of generative AI.
In times of rapid digital transformation, investing in data protection is paramount for organisations seeking to build consumer trust and stand out from their competitors. The PDPA has undeniably transformed Singapore's data privacy landscape, placing accountability at the forefront for businesses. With evolving regulations and growing consumer demands for control over their data, organisations must prioritise their data protection efforts. By establishing a robust Data Protection Management Programme (DPMP) and leveraging best practices, businesses can not only ensure compliance but also foster trust and achieve a competitive edge in the digital age.
Capabara, our Next-Gen AI Capability-as-a-Service platform, is currently available in beta. Sign up as a beta user, and stay tuned to our latest announcements on its development by following our CAPABARA LinkedIn page or heading over to capabara.com to find out more about how your organisation can be empowered through safe and secure Gen AI.
This article was first published on The Governance Age on 24 April 2024.