GDPR and PDPA Compliance: a Checklist for Singapore Companies
This article will provide you with the information necessary to ensure that your Singapore-operating company is compliant with the two applicable regulations — the Singapore Personal Data Protection Act (PDPA) and the European Union’s General Data Protection Regulation (GDPR).
Over the past decade, there has been a concerted effort by governments and political activists to ensure the protection of personal data (PD) of individuals that technology companies collect in the course of their business. The objective isn’t merely to secure such data, but to protect the fundamental rights and freedoms related to personal information and privacy. Failure of such protection can result in serious harm: for example, criminals may extract money from a person’s bank account, blackmail a person by threatening to expose embarrassing sexual secrets, or harm someone by manipulating their health information.
Several governments have imposed new laws that circumscribe how our personal information can be collected and used by any organization that has the ability to collect such information. New privacy or data protection laws prohibit the disclosure or misuse of information about private individuals. Today, more than 80 countries around the world, including most countries in Europe as well as the European Union and many in Asia, Africa, Latin America and the Caribbean have adopted comprehensive PD protection laws. Singapore is no exception; it has some of the most comprehensive laws in this field that strike a balance between technology innovation and privacy rights. All companies that operate in Singapore must comply with these laws.
This article includes the following topics:
- Personal Data Protection Act Compliance
- GDPR Compliance
Personal Data Protection Act Compliance
What is PDPA?
The Personal Data Protection Act (PDPA) is Singapore’s law governing the collection, use, and disclosure (collectively called “processing”) of personal data by organisations in Singapore. The main purpose of the act is to ensure that a) all personal data is processed in a manner that respects individuals’ privacy and ownership rights and b) organisations use such data for legitimate business purposes only. The act was passed in October 2012 and came into force in 4 stages between January 2013 and July 2014.
Who Must Comply With the PDPA?
Compliance with PDPA rules is obligatory for organisations operating in Singapore (companies and unincorporated bodies) with respect to the collection, use, and disclosure of personal data.
The following persons, however, are not bound by the act:
- Individuals acting in a personal or domestic capacity;
- Public agencies;
- Organisations acting on behalf of a public agency in relation to the processing of the PD.
Employees of an organisation must adhere to the organization’s policies for ensuring compliance with the PDPA in the course of their professional activity. The employees, however, cannot be held personally liable for an organisation’s breach of the PDPA.
What Types of Data Does the PDPA Protect?
The PDPA protects personal data and defines it as any data — whether true or not — about an individual who can be identified from that data, or from that data and other information to which the organisation has or may have access.
The following PD types are covered:
- Full name;
- National Registration Identity Card (NRIC) number or Foreign Identification Number (FIN);
- Photographs or video images of an individual;
- Personal mobile telephone number;
- DNA profile;
- Passport number;
- Iris image;
- Voice recording of an individual.
Note that business contact information such as name and business title, business telephone number, business address and email are not considered to be PD.
Steps for PDPA Compliance
If your company collects, uses or discloses personal data in Singapore, it must adhere to the following obligations:
1. Appoint a Data Protection Officer
Your Singapore organisation is required to designate at least one person as a Data Protection Officer (DPO), who is responsible for ensuring that the organisation complies with the PDPA. The DPO functions may be delegated to:
- One or a group of employees whose scope of work solely relates to data protection; or
- Employees who take on this role as one of their multiple responsibilities; or
- An external service provider.
The DPO's business contact information must be available to the public.
2. Notify Purposes and Seek Consent
Do not make clients consent to the processing of their PD beyond what is reasonable to provide the product or service. Process the data only for the purposes for which consent was obtained. When requesting any PD, notify the customer of your purpose for processing this data and seek the customer’s consent. The consent clause may be included in any application form, for example: “I agree that <organisation name> may collect, use and disclose my personal data, which I have provided in this form”. You must also allow the customer to withdraw such consent at any time.
3. Respond When Clients Ask About PD
When your client wants to know what PD your company has collected about him or her and how it has been used and disclosed in the past year, you must provide that information as soon as reasonably possible. You may charge a reasonable fee to cover the processing cost for the request. If you are unable to provide a response within 30 days, you must inform the person within 30 days and let him or her know when you can respond.
4. Ensure Accuracy; Allow Correction of PD
Make reasonable efforts to ensure the PD collected is accurate and complete. When your client requests correction of an error or omission in their personal data, your company must do so. You are advised to place an appropriate application form on your website through which the requester can submit a description of the PD that needs to be corrected.
5. Secure the PD Held By Your Organisation
Take necessary steps to a) protect the PD your company holds, and b) prevent unauthorised access, collection, use or disclosure of the data and other similar risks. These steps may include encrypting or password-protecting any PD held electronically that would cause harm if lost or stolen; regularly backing up information; installing firewalls and virus-checking software on employees’ computers etc.
6. Dispose of PD That is No Longer Needed
Stop holding the PD when you no longer have any business or legal use for it. Set a retention period for each type of PD, and keep data only as long as there is a business or legal purpose. Dispose of the PD safely: shred paper documents, or use specialised software to erase electronic data. The PDPA does not prescribe a specific retention period for personal data; however, organisations must comply with any legal or industry-specific retention requirements that apply to them. For example, under the Limitation Act (Cap. 163), actions founded on a contract (amongst others) must be brought within 6 years from the date on which the cause of action accrued. Hence an organisation may wish to retain records relating to its contracts for 7 years from the date of termination of the contract, and possibly for a longer period if an investigation or legal proceedings commence within that period.
7. Ensure Protection of Personal Data When Transferring Overseas
If your company transfers PD overseas, take steps to ensure that the data remains in compliance with the PDPA while it is in your possession or control even though the data may be outside Singapore. Ensure that the receiving organisation is bound by legally enforceable obligations to provide protection comparable to the standard under the PDPA. Such legally enforceable obligations may be imposed by the laws of that country or, failing that, by entering into a contract with the recipient.
8. Closely Manage Service Providers That Handle Personal Data
If you engage a service provider to process PD (for hosting, storing, or processing the data), you are still responsible for the protection of this PD. So when entering into a service agreement with the service provider, ensure terms are included that require the provider to take sufficient measures to ensure compliance with PDPA requirements.
9. Check the Do Not Call Registry
Singapore companies are prohibited from sending certain marketing messages to telephone numbers registered with the DNC Registry — a database where individuals can register their telephone numbers to opt out of receiving unsolicited marketing messages and calls.
So if you conduct telemarketing to subscribers or users of Singapore telephone numbers, check the DNC Registry before sending marketing materials, unless the subscriber has given his or her clear consent to receiving such messages.
10. Communicate Your Data Protection Policies, Practices and Processes
Provide the business contact information of your DPO so that the customers can contact the person for PDPA-related inquiries. Place information about your data protection policies, practices and complaint process on your website and make them available upon request by customers. Make sure the employees know and adhere to the processes for protecting PD. Point out their roles in safeguarding PD and ensuring that the company complies with the PDPA.
To learn more about PDPA, refer to these practice guidelines.
GDPR Compliance
What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union regulation on data protection and privacy. It became effective on 25 May 2018. In the EU context, a regulation is a legal act of the EU that becomes immediately enforceable as law in all member states simultaneously; it doesn’t need to be transposed into national law. The GDPR, however, has a broader reach and extraterritorial effect: it also applies to companies that are not resident in any EU state.
Does the GDPR Affect My Singapore-Incorporated Company?
Generally the EU data protection regulation applies to:
- A company that is registered in the EU and collects or processes PD of persons (residents) of the EU;
- A company registered in the EU;
- A company that is registered outside the EU but collects or processes PD of persons (residents) of the EU.
So if your Singapore company collects and processes PD of clients, employees, or other persons who are residents of the EU, you must comply with the GDPR requirements.
What Types of PD Should My Company Protect Under the GDPR?
The GDPR and the PDPA overlap in some areas and differ in others. In general, the GDPR mandate is broader than that of the PDPA. The following personal data is protected by the GDPR:
- Basic identity information such as name, address and ID numbers;
- Web data such as location or movements, IP address, cookie data and RFID tags;
- Health and genetic data;
- Biometric data;
- Racial or ethnic data;
- Political opinions;
- Sexual orientation;
- Data on a person’s performance at work;
- Economic information;
- Personal preferences and interests;
- Other personal metrics such as reliability, behaviour patterns, etc.
What Data Management Principles Should My Company Follow to Become GDPR Compliant?
Generally, the GDPR standards are similar to the Singapore PDPA protection approach; however, they are more detailed and complicated when it comes to certain issues. To be GDPR compliant, make sure your company acts in line with the following European data protection principles.
Lawfulness, Fairness and Transparency
Your company must process personal data lawfully, fairly, and in a transparent manner in relation to the person who is the subject of that data.
Purpose Limitation
The organisation must only collect personal data for a specific, explicit and legitimate purpose. You must clearly state what this purpose is and only collect data for as long as necessary to complete that purpose.
Data Minimisation
You are required to ensure that the PD you process is adequate, relevant and limited to what is necessary in relation to the processing purposes.
Accuracy
You must take every reasonable step to update or remove data that is inaccurate or incomplete. Individuals have the right to request that you erase or rectify erroneous data that relates to them, and you are required to do so within a month.
Storage Limitation
Your company must delete personal data when it no longer needs it. The time scale in most cases isn’t defined. It depends on your business’s circumstances and the reasons you collect this data.
Integrity and Confidentiality
You must keep PD safe and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
In addition to satisfying the above data processing principles, GDPR requires that the organization be able to demonstrate to authorities its compliance with the regulations, in particular by showing that the following steps are taken:
1. Implementing your data protection policy
This policy document serves as the core of an organisation’s GDPR compliance practices. It must explain the GDPR’s requirements to employees and state the organisation’s commitment to compliance.
2. Implementing security mechanisms
All the PD processed should be protected with appropriate technical and organizational measures. Technical measures include encryption, and organizational measures are things like limiting the amount of personal data you collect or deleting data you no longer need.
Pay special attention to the processing of sensitive PD. You must encrypt it, make sure it never ends up in logs in plaintext, and limit access to the production database. The following PD is considered sensitive:
- PD on ethnic origin, political opinions, religious or philosophical beliefs;
- Trade-union membership;
- Genetic data, biometric data processed solely to identify a human being;
- Health-related data;
- Data concerning a person’s sex life or sexual orientation.
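As an added illustration of the "keep sensitive PD out of logs in plaintext" point (example code written for this article, not code from the original page or from any product it describes): a Python logging filter attached at the logger level, so every handler sees a sanitised record. The field names in SENSITIVE_KEYS, the simplified NRIC/FIN pattern and the sample event are all assumptions constructed for the example.

```python
import io
import logging
import re

# Constructed assumption: the keys a hypothetical application uses for the
# special-category fields listed above when it writes structured log events.
SENSITIVE_KEYS = {
    "ethnic_origin", "political_opinion", "religion", "union_membership",
    "genetic", "biometric", "health", "sex_life", "sexual_orientation",
}

# Simplified pattern for a Singapore NRIC/FIN (prefix letter, seven digits,
# checksum letter). It only masks identifiers that leak into free text and
# does not validate the checksum.
NRIC_RE = re.compile(r"\b[STFGM]\d{7}[A-Z]\b")


def redact_event(event: dict) -> dict:
    """Return a copy of a structured log event with sensitive content masked.

    Special-category fields are replaced wholesale; other string values only
    have NRIC/FIN-shaped tokens masked, so the event stays useful for debugging.
    """
    clean = {}
    for key, value in event.items():
        if key in SENSITIVE_KEYS:
            clean[key] = "[REDACTED]"
        elif isinstance(value, str):
            clean[key] = NRIC_RE.sub("[NRIC]", value)
        else:
            clean[key] = value
    return clean


class SensitiveDataFilter(logging.Filter):
    """Logger-level filter: sanitise the record before any handler formats it.

    Attached to the logger rather than a handler, so console, file and remote
    log shippers all receive the same redacted message.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.msg, dict):
            record.msg = redact_event(record.msg)
        elif isinstance(record.msg, str):
            record.msg = NRIC_RE.sub("[NRIC]", record.msg)
        return True  # never drop the record, only sanitise it


def log_and_capture(event) -> str:
    """Route one event through a logger carrying the filter; return the line written."""
    buf = io.StringIO()
    logger = logging.getLogger("pd-redaction-demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(SensitiveDataFilter())
    logger.info(event)
    handler.flush()
    return buf.getvalue().strip()


if __name__ == "__main__":
    # Constructed sample event, as an application might log after a support call.
    sample = {"user_id": 42, "health": "diabetes",
              "note": "caller S1234567A asked for a copy of his records"}
    print(log_and_capture(sample))
```

Redacting at the logger is deliberate: a filter on a single handler leaves any other handler (or one added later by a library) writing the raw record, whereas a logger-level filter runs once, before dispatch to any handler.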
Implement a security policy that ensures team members are knowledgeable about data security. The policy should include guidance about email security, passwords, two-factor authentication, device encryption, and VPNs.
3. Protecting PD when working with other companies
Your organisation should establish data protection contracts with third-party processors. This includes any third-party services that handle the personal data you are responsible for, including analytics software, email services, cloud servers, etc. Most processors have a standard data processing agreement available on their websites for you to review. You should only work with third parties that can provide GDPR-compliant data protection guarantees. In other words, you cannot circumvent your GDPR obligations by outsourcing data processing to third parties.
4. Documenting processing activities
This requirement is obligatory for companies with 250 employees or more. Such organisations must maintain a special list of information processed which includes: the purposes of the processing, what kind of data you process, who has access to it in your organisation, any third parties (and where they are located) that have access, what you're doing to protect the data (e.g. encryption), and when you plan to erase it (if possible).
Organisations with fewer than 250 employees must still document processing that is routine rather than occasional (activities performed only rarely need not be documented), processing that is likely to result in a risk to the rights and freedoms of individuals (e.g. something that might be intrusive or adversely affect individuals), and processing that involves special category data (such as criminal conviction and offence data).
5. Conducting data protection impact assessments
Your organization should carry out data protection impact assessments. The requirement is obligatory when the PD processing in your company is subject to high risks.
6. Reporting PD breaches
You must record PD breaches and report them to the relevant supervisory authority (in Singapore, the Personal Data Protection Commission) and to the affected individuals within 72 hours.
7. Appointing a Data Protection Officer
This step is obligatory for companies whose core activity includes systematic monitoring of PD on a large scale, processing sensitive data as listed in Step 2 above, or data related to criminal convictions and offences. However, other companies are also encouraged to appoint a DPO. This person should be an expert on data protection. His or her job must include monitoring GDPR compliance, assessing data protection risks, advising on data protection impact assessments, and cooperating with regulators.
8. Ensuring privacy rights
You must ensure that your customers are able to:
- Request and receive all their PD you process;
- Request to update, correct, stop processing, or delete their PD;
- Object to processing such data.
In addition, if you make decisions about people based on automated processes, you must have a procedure to protect their rights.
9. Having a legal justification for data processing
Your company should be able to give, upon request by authorities, one of the six reasons (justifications) for processing PD. Processing is considered to be lawful only if at least one of the following applies:
- Consent: the person has given clear consent to process his/her personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because he/she has asked to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary to perform a task in the public interest that has a clear basis in law.
- Legitimate interests: the processing is necessary for the legitimate interests of the organization or those of a third party, unless there is a good reason to protect the PD, which overrides legitimate interests.
The most important ground is consent to process PD. You should include the clause on a person’s consent to process his or her PD in contracts with your clients, employment agreements, etc.
Your company is also advised to use cookie banners on your website to receive users’ consent if you use any cookies, except strictly necessary cookies — those essential to browse the website and use its features, such as accessing secure areas of the site.
How can we help with your plans in Singapore?
PDPA and GDPR are complicated regulations designed to ensure the protection of individuals’ fundamental rights related to collection of their personal data, its use, and disclosure. To prevent thefts or leaks of the PD your company processes — and monetary penalties that can result — it is important to have a clear understanding of the business’s data protection obligations under these regulations.