Complying with the PDPA

The Personal Data Protection Act (PDPA) was passed by Parliament in 2012 and officially came into force in 2014. After the GDPR was launched in May 2018, Singapore started to place more emphasis on the PDPA. This involves letting organisations know that it is a mandatory regulation. However, to this day, many bosses still do not know how to comply with the PDPA. Many say that simply registering a DPO in ACRA Bizfile will do, while others say that copying and pasting a website Privacy Policy amounts to complying with the PDPA.

So what exactly, according to the PDPA, do organisations need to know?

There are altogether 11 Obligations under the PDPA, as shown in the diagram below:

[Diagram: PDPA 11 Obligations]

To put it simply, the PDPA is a regulatory guide for organisations to enhance their existing processes so as to better protect the personal data in their possession.

Every organisation collects, stores, uses and discloses data, and disposes of it once it is no longer in use. This can be the personal data of their staff, customers or any other stakeholders.

To comply, which in essence means to comply with the Accountability obligation, an organisation needs to:

  • Appoint a Data Protection Officer (DPO), preferably with a DPO team comprising departmental heads and data handlers/processors.
  • Draft a Data Protection Management Programme (DPMP) showing how the organisation complies with the PDPA, with all the necessary documentation: notices, SOPs, policies, etc.

In short, an organisation needs to look into three key processes:

COLLECTION:

Is there a Notification informing data subjects of the Purpose, is Consent then obtained, and is the data collected Accurate?

STORAGE:

Where does all this data reside: in paper format stored in drawers or cabinets, or in digital format stored on hard disks or in cloud storage, and how effective is the protection of this storage? Is there a Retention SOP to monitor the stored data and to dispose of it once the purpose is no longer valid? Is there a proper process for data subjects to access and correct their data?

USE & DISCLOSURE:

How is the data used or disclosed, to which entities, and do these entities comply with the PDPA?

If there is a Data Breach Incident, what must the organisation do?

For more information on the PDPA, you can visit the website of the PDPC, Singapore's Personal Data Protection regulator, at www.pdpc.gov.sg
