Your 2024 Guide to the PDPA in Singapore

Data breaches among corporations have been occurring over the years.

When this happens, firms can face substantial fines, especially since the recent changes to Singapore’s data protection laws last year. How are consumers’ personal data safeguarded in Singapore, and why is it essential to do so?

In this article, we guide you through Singapore’s key Personal Data Protection Act (PDPA), which ensures organisations take ownership of personal data.

What is the Personal Data Protection Act (PDPA) in Singapore?

The Personal Data Protection Act (PDPA) was enacted in Singapore on 15th November, 2012. It came into effect on 2 July 2014. The PDPA regulates the collection, use, and disclosure of personal data by organisations to safeguard the privacy of individuals.

This guide provides an overview of the key requirements of the PDPA and will be updated as new developments arise.

Related Read: The Importance of Data Protection »

What is Considered Personal Data?

Personal data includes data on an individual who can be identified through that data. It can also include such personal data and other information that a company is likely to have access to.

Here are some examples of personal data:

Name
Date of birth
Phone number
Residential address
Photograph of the individual
Voice of the individual
National registration identity card number (NRIC)

What is Covered Under the PDPA?

The PDPA encompasses all electronic and non-electronic personal data, whether true or false.

Is the PDPA Mandatory in Singapore?

Yes, it applies to all organisations, including public agencies, private companies, sole proprietorships, partnerships, and associations that collect, use, or disclose personal data.

Who is Excluded From the PDPA?

Both the living and deceased’s personal data are protected under the PDPA. However, those deceased for at least 10 years are excluded from the PDPA’s protection.

It also does not apply to personal data maintained in a record that has existed for a minimum of 100 years. Neither does it apply to business contact information, which includes an individual’s name, business title, business telephone number, and business electronic mail address.

What Are the 11 PDPA Obligations?

What are the PDPA obligations that organisations must comply with?

Accountability
Collection of Personal Data	Care of Personal Data	Individual’s Autonomy Over Personal Data
Notification	Accuracy	Access and Correction
Consent	Protection	Data Breach Notification
Purpose Limitation	Retention Limitation Transfer Limitation	Data Portability

Accountability Obligation

Corporations must take on methods to fulfil their obligations under the PDPA. For example, information must be made available when requested. You must also designate a Data Protection Officer (DPO) and make your company contact information publicly accessible.

Notification Obligation

Consent Obligation

Businesses must only collect, use, or reveal personal data for the purposes that the person has consented to.

The individual must be able to withdraw consent with a reasonable notice period while being informed of any consequence of doing so. After permission is withdrawn, you must stop any activity of collecting, using, or disclosing personal data.

Purpose Limitation Obligation

You must only use, collect, or reveal an individual’s personal data for appropriate purposes in the situation where consent has been provided.

You cannot request that the person allow the use, collection, or disclosure of personal data beyond reasonable limits, as a condition of delivering a product or service.

Accuracy Obligation

Companies must make a reasonable effort to make sure that the personal data they collect is whole and precise. This is especially so if the data is highly likely to be used to make a choice that affects the customer or will be revealed to another business.

Protection Obligation

Organisations must ensure that they undertake reasonable security arrangements to safeguard the personal data in possession. This is to avoid risks like unauthorised access, use, collection, or disclosure of personal data.

Retention Limitation Obligation

Companies must stop withholding personal data or get rid of it properly when it is not needed for any business or lawful reason.

Transfer Limitation Obligation

You can only transfer personal data to another country according to the guidelines stated under regulations. This ensures that the standard of protection can be compared to the PDPA’s protection unless not required by the PDPA.

Access and Correction Obligation

Organisations must provide individuals with access to their personal data and details on how it was used or revealed within 1 year from the date of request.

They must also rectify any error or omission in the personal data as soon as possible. After which, they must send this data to other organisations where it was disclosed within 1 year before making the correction.

Data Breach Notification Obligation

When a data breach occurs, associations must implement ways to determine if it has to be notified. If this breach leads to substantial harm to individuals and is large, they must inform the Personal Data Protection Commission (PDPC) and the affected people as soon as possible.

Data Portability Obligation

When requested, companies must port over an individual’s personal data under its possession or control to another organisation. It must be in a frequently used format that is machine-readable.

Tips to Stay Compliant With the Personal Data Protection Act

You can implement some measures to help ensure that you remain compliant with the PDPA requirements.

For example, you should regularly keep track of these aspects:

The type of personal data collected: Knowing the personal data collected allows you to make better decisions around data protection
The purpose(s) of the personal data being collected
The person collecting the personal data: Only someone who is authorised and who has obtained suitable training in PDPA should take part in the collection process
The location in which the personal data is stored
Who the personal data is revealed to: Before you disclose personal data, you should always verify the identity of the person you are disclosing it to. One way to do so is to ask for verification documents

It is also necessary to use data protection policies to ensure that you are compliant with the data protection obligations. They could be physical or technical measures, like providing personal data only to authorised personnel and securing physical records appropriately.

You can also install robust anti-virus software on your computer systems to avoid information from being leaked online. In addition, it is compulsory to engage at least 1 Data Protection Officer (DPO) to oversee personal data collection, use, and disclosure.

These are some of a DPO’s responsibilities:

Responsible for ensuring compliance with the PDPA
Responsible for reviewing and updating your firm’s personal data protection policies and processes
Acts as a point of contact for people to connect with your company for PDPA-related matters

What Are the Consequences of Failing to Comply With the PDPA Regulations?

Businesses in Singapore are accountable for their PDPA compliance.

If a corporation fails to adhere to the compliance requirements, an individual may file a complaint to the PDPC. The PDPC will investigate the matter.

If your business is found to be non-compliant, you can expect these penalties:

A financial penalty of up to S$1 million
A financial penalty of 10% of the firm’s turnover in Singapore if annual turnover exceeds S$10 million
Your company may no longer be able to disclose personal data, use, or collect it
Your business may be required to destroy personal data collected

Stay PDPA Compliant With InCorp’s Advisory Solutions

It is vital to comply with the different PDPA obligations to ensure that your business is not penalised. Engage our PDPA professionals who are ready to help assess and manage your PDPA needs today!

Frequently Asked Questions About PDPA in Singapore

What is the importance of the PDPA?
The PDPA protects individuals’ personal data and ensures it is not misused or collected without consent.

What are examples of personal data?
These are some examples of personal data:
- Name
- Passport number
- NRIC number
- Individual’s photo
- Phone number

What is covered under the PDPA?
The Personal Data Protection Act covers both electronic and non-electronic (physical) personal data.

Speak to Our Expert

Get our expert advice on PDPA matters for your company!

About the Author

Nipun Arora

Nipun has over 14 years of experience in transfer pricing, having worked with the Big 4 accounting firms for most of his career. Nipun provides advisory services on transfer pricing to SMEs and multinational companies from the industries of automotive, retail, telecom, FMCG, and luxury goods. He assists clients in preparing year-end transfer pricing documentation to ensure their Transfer Pricing policies adhere to the arm’s length principle and the BEPS Action Plan.

More on Business Blogs

How Agritech in APAC Helps to Feed Global Needs

How Consumer Innovation in Singapore Drives Corporate Ventures

Header Top Bar

Meet Our Executive TeamOur executive team takes pride in fostering a culture of growth and well-being in all our regional and local teams.Read More

Check our PartnersWe possess a reputation for technical excellence and have listed a number of awards and accolades.Find out more

About Our CSRInCorp Global is dedicated to making a positive contribution to the world in every aspect of our business.Read More

Life at InCorp GlobalInCorp Global is only as successful as its people. We thrive by ensuring our employees combine enthusiasm, integrity and professionalism while making sure they are looked after both in and beyond the workplace.Learn More

Check our BlogsRead our curated blogs to know more about doing business in Singapore and the Asia region!Learn More

Check our Client Success StoriesFind out what our esteemed clients have to say about us at InCorp!Learn More

Check our eBooksGet ahead of the curve doing business in the Southeast Asia region with our ebooks!Read More

Check our EventsCheck out InCorp Global’s events across the region Learn More

Check our InfographicsOur infographic guides across our main corporate services turn key details into bite-sized information for your easy understanding at a glance.Learn More

Pro Business Podcast Season 1Gain powerful insights on Southeast Asia’s business trends, emerging industries, and opportunities with InCorp’s newest podcast, in partnership with the Singapore Economic Development Board (EDB).Read More

Pro Business Podcast Season 2Navigate Singapore as Asia’s key business hub and why you should expand your footprint in Hong Kong, India, Indonesia, Malaysia, the Philippines and Vietnam.Read More

Check our Press ReleasesRead more about InCorp Group’s press releasesLearn More

Locations

Insights

Search Business Blogs

Select Topic