Recent PDPA Amendments - w.e.f. 1 Feb 2021

May 4 2021
Stone Forest IT
From 1 February 2021, the following three key changes to the Singapore Personal Data Protection Act (PDPA) take effect in phases:

1.  Mandatory data breach notification

A data breach is deemed to cause significant harm (and therefore notifiable) if the data breach results in the compromise of an individual’s full name or national identification number or account information. 

A data breach is also deemed notifiable if it is of a significant scale, i.e. if the data breach affects 500 or more individuals.

Who and when to notify?

  • Organisations must notify the Personal Data Protection Commission (PDPC) no later than three calendar days after the data breach has been identified.
  • Affected individuals must also be notified as soon as practicable, at the same time as or after notifying the PDPC.

What to notify?
See regulations on notification of data breaches for a prescribed list of minimum information that the notification must contain.

2.  Introduction of offences concerning mishandling of personal data by individuals

Individuals will be held accountable for knowingly or recklessly committing any unauthorised:

  • Disclosure of personal data
  • Use of personal data for wrongful gain or to cause a wrongful loss to any person
  • Re-identification of anonymised data

The penalty is a maximum fine of SGD 5,000, a maximum of two years' imprisonment, or both.

3.  Expansion of consent framework

The two new ways consent can be given are:

  • Contractual necessity
  • Notification 

The new exceptions that remove the need for consent are:

  • Legitimate interests
  • Business improvement
  • Research purposes

Other notable upcoming changes, expected to be implemented once regulations are issued:

4.  Increased financial penalties

Up to 10% of an organisation's annual turnover in Singapore, or SGD 1 million, whichever is higher. This higher financial penalty cap will take effect no earlier than 1 February 2022.


5.  The right to data portability

Organisations must, at the request of an individual, transmit an individual's personal data that is in the organisation's possession or under its control, to another organisation in a common machine-readable format.

KEY TAKEAWAYS

Continuous review of existing data protection policies and procedures must be carried out to ensure the organisation is prepared and always compliant.

Data breach management plans must be updated to reflect the new requirements on mandatory data breach notification.

Internal communications and training should also be conducted regularly to keep staff informed of the latest updates, requirements and data breach threats.

 

For a more in-depth understanding of the recent PDPA amendments and how they will affect your business and data handling processes, do have a chat with us.

For more information about how you can get DPO advisory and simplify your data protection programme, learn more about DPO2SME™.

Source: PDPC’s announcement; the gazetted Commencement Notification