PDPA Singapore Checklist: The Complete PDPA Compliance Guide for Businesses and Companies in Singapore

What is PDPA?

The Personal Data Protection Act 2012 (PDPA) governs the collection, use and disclosure of personal data. The PDPA was passed by Parliament in October 2012 and came into force in 4 stages between January 2013 and July 2014.

The PDPA recognises both:

1. The right of individuals (natural persons, whether living or dead) to protect their personal data; and

2. The need of organisations (all corporate bodies – e.g. companies – and unincorporated bodies, including those formed or resident outside of Singapore) to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate.

What is Personal Data?

Personal data means:

  • Data about an individual who can be identified from that data itself; or
  • Data about an individual who can be identified from that data and other information to which your business has or is likely to have access.

Examples of personal data that can, on its own, identify an individual include:

  • Biometric identifiers (face geometry or fingerprints)
  • Name and NRIC number
  • Photograph or video image of an individual
  • Voice of an individual
  • DNA profile

Note that the PDPA also protects, to a limited extent, the personal data of individuals who have been dead for less than 10 years. For such personal data, only the provisions relating to the disclosure and protection of personal data will apply.

Do You Know Your Business Obligations under PDPA?

The Importance of PDPA Compliance

The following are reasons why compliance with the PDPA is important.

  1. A business that is able to demonstrate compliance will be better placed to gain customer loyalty.
  2. It builds trust among stakeholders, including customers, employees and shareholders and, in the case of non-profit organisations, volunteers, donors and beneficiaries too.
  3. It eliminates time wasted in re-aligning processes and procedures to react to legislative data protection requirements, by starting out with the objective of complying with the PDPA.
  4. Compliance with the PDPA can help to reduce the probability of a data breach and lower the impact in the event a breach does occur.
  5. It prevents or minimises regulatory penalties in the unlikely event of a breach.

The PDPA Singapore Checklist Revealed!!

Is there such a thing as a PDPA Singapore checklist?

There are several considerations that companies and businesses should take into account when assessing whether they are PDPA compliant or not, and these can be broadly classified under the following:

  1. Collection, Management, Retention & Disposal of Personal Data
  2. Security, Update & Maintenance of Personal Data
  3. An Individual's Rights to Personal Data Access & Deletion
  4. PDPA Compliance Governance & Process Transparency

Collection, Management, Retention & Disposal of Personal Data

  1. Does your organisation ensure that the personal data collected is necessary for the stated purpose alone and not for some other hidden agenda or purpose?
  2. Are the individuals involved in the data collection process made fully aware of the purpose of collection on or before the collection of their personal data?
  3. Does your organisation ensure that collection of sensitive data is limited to what is necessary, and that such data is not collected unnecessarily?
  4. Is consent sought and obtained by your organisation for the collection, use and disclosure of personal data?
  5. Does your organisation also ensure that third parties involved in data collection are clear on their PDPA obligations and adhere to the guidelines set by the PDPC with regard to the handling and collection of personal data by third parties?
  6. Does your organisation ensure proper use and disclosure of the personal data collected?
  7. Does your organisation know how to handle transfers of personal data and ensure that transfers of data overseas comply with the PDPA?
  8. Does your organisation know and understand how to fulfil its PDPA obligations when working with third parties (e.g. data intermediaries or agents) that handle personal data transfers on its behalf?

Security, Update & Maintenance of Personal Data

  1. Does your organisation have appropriate security measures in place to prevent unauthorised access, collection and use of the personal data in its possession or under its control?
  2. These security measures must be developed based on relevant risk assessments, the type and sensitivity of the personal data, and the likelihood and harm of unauthorised access, erasure or other use.
  3. Organisations should ensure these security measures are regularly updated and communicated to relevant stakeholders.
  4. Organisations should also ensure processes are in place for third parties to make reasonable arrangements to protect personal data.
  5. Does your organisation have appropriate data retention policies for different types of personal data? This also applies to third parties in possession of its personal data.
  6. Does your organisation have processes in place to handle unsolicited personal data?
  7. Does your organisation have processes in place to dispose of personal data? This also applies to third parties in possession of its personal data.
  8. Does your organisation ensure that its personal data is accurate, and that personal data disclosed to other organisations is accurate and complete?
  9. How does your organisation deal with inaccurate data?

An Individual's Rights to Personal Data Access & Deletion

  1. Does your organisation have a system or process in place, and provide information on how individuals may withdraw consent to the use of their personal data and on the consequences of withdrawing that consent?
  2. Does your organisation have a system or process in place, and provide information on how individuals can request access to their personal data? Is there a process in place to respond to the individual's request?
  3. Does your organisation have a system or process in place, and provide information on how individuals can correct the personal data in its possession?

PDPA Compliance Implementation, Governance & Process Transparency

  1. Does your organisation have policies and practices in place to manage personal data?
  2. Does your organisation communicate its data protection policies and practices to relevant internal and external stakeholders?
  3. Does your organisation regularly review and update its data protection policies and practices, and monitor compliance of actual practice with these policies?
  4. Does your organisation receive and respond to queries on its collection, use and disclosure of personal data?
  5. Does your organisation conduct risk and impact assessments to identify, assess and address data protection risks?
  6. Does your organisation take Data Protection by Design into account in the development of a product, service, system or process?
  7. Does your organisation have a data breach management plan? The plan should include the following:
     • Personnel responsible for managing a data breach incident
     • Timeline for reporting a data breach incident
     • Processes for notifying affected individuals/organisations and relevant regulators/enforcement authorities
  8. Does your organisation have a Data Protection Officer (DPO) who is well versed in your data protection policies and the PDPA?
  9. Is the business contact information of the DPO made available to the public?
  10. Is the DPO properly trained? The DPO should also have received formal training on data protection compliance with the PDPA.
  11. Does your organisation conduct regular training for employees on the company's data protection policies and practices?

Come Speak with Us! Schedule Your Visit

Do you need to speak to our experienced Advisory Team for PDPA implementation advice?