PDPA & GDPR: Does my company need to comply?

8 min read

With the rapid growth of online transactions, personal data has become an important commodity. Companies that collect data are facing an increasingly high risk of cyber-attacks and identity thefts. Some may even misuse these personal data for illegitimate purposes.

Here is some information about PDPA and GDPR for your company’s officers, especially your company’s Data Protection Officer, to read through. At this point, if you need to quickly talk to someone on registering a Data Protection Officer for your company, we can assist you, just drop us a chat.

What this article will cover:

What is PDPA?
The Importance of PDPA for companies in this digital age
Does PDPA apply to my company?
What Kind of Data Does PDPA Protect?
PDPA Checklist
Who Should Be Responsible for Compliance?
Seeking Consent
PDPA vs GDPR
Does GDPR apply to Singapore Registered Companies?
PDPA Breach Cases
How Should Companies Improve their Compliance for the Future?

What is PDPA?

PDPA stands for Personal Data Protection Act. The act was passed in October 2012.

The purpose of this data protection law is to govern the processing and managing of data. It protects the individuals’ personal data and respects their rights to their personal data. It is also to ensure that companies who collect data are using it for legitimate purposes.

The Importance of PDPA for Companies in this Digital Age

With the current sophisticated technology available today, it is inevitable that individuals are concerned about how their personal data is being used. Now that we have a PDPA Act in place, there are clearer guidelines for Singapore companies to review their current data processes.

The consequences of not following the PDPA act and protecting your stakeholder’s data are serious!

Aaron Lee, a regulatory lawyer in Singapore advises, “It is mandatory that firms handle and safeguard personal data in an appropriate manner, and address the risks of unauthorised disclosure, cybersecurity and identity theft. Already there have been high-profile incidents of this nature reported in the news. The penalties for offending firms can be severe, not to mention the damage to industry reputation. So, this is a topic that deserves the close attention of business leaders, entrepreneurs and company directors.”

Does PDPA Apply to My Company?

As long as your company handles personal data, PDPA regulations apply to your company. It doesn’t matter if you are a new start-up or an SME.

Kelvin has just started an F&B start-up. He collects orders online and delivers food to the customers. He receives personal data from his customers, such as name, address and mobile number. In this case, Kelvin needs to adhere to the PDPA regulations.

However, if you are acting on behalf of public agencies while collecting or processing the data, you are exempted parts III to VI of the PDPA.  

For example, the government plans to launch a healthy lifestyle campaign. To understand the needs of the people, the government engages an external agency to do a nationwide survey. For this, the external company will be exempted from PDPA as the government will take responsibility in safeguarding that data.

What Kind of Data Does PDPA Protect?

You may be wondering what kind of data does PDPA protect under this new regulation.

As we have mentioned previously ‘personal data’ is data about an individual and secondly, the data would need to be able to identify a particular individual from the data, even if the data is true or false.

Here are some examples of personal data:

  • Full Name
  • National Registration Identity Card (NRIC) or Foreign Identity Number (FIN)
  • Passport Number
  • Mobile Number
  • Personal Email Address
  • Residential Address
  • Thumbprint
  • Voice recording of an individual
  • Photograph or video image of an individual

These data points are like an identity to a person.

However, if someone gives in personal information, such as your name, designation, business telephone number, address, email address or fax number, for business purposes, it will not be covered under the data protection obligations.

Let’s take a closer look at what that means:

You have a meeting with a potential client. Before the meeting commences, both of you exchange your respective business cards. Now, you have your client’s business card in your hand. The card includes his name, designation, business telephone number and email address. However, you are not obliged to protect his business contact information, as this does not apply to PDPA.

PDPA Checklist

To comply with PDPA, there are some things that need to be in place in your company.

Here is a simple checklist for you to refer to:

  • Appointment of Data Protection Officer (DPO)
  • Notifying Purposes
  • Seeking Consent
  • Responsive to Individuals when Asked about Personal Data
  • Ensure Accuracy of Personal Data
  • Secure Collected Personal Data
  • Retention & Disposal of Outdated Personal Data
  • Protection of Personal Data During Transferring of Systems
  • Ensure Proper Handling of Personal Data with Service Providers
  • Check Do Not Call Registry
  • Transparent about Data Protection Policies, Practices and Processes

Who Should Be Responsible for Compliance?

A Data Protection Officer (DPO) is one who is responsible for the compliance of PDPA. It is a requirement for all Singapore registered companies to appoint at least one individual to be the DPO. The role of a DPO is to ensure that the company is in compliance with PDPA and the data collected are properly managed.

Read: How to Appoint a Data Protection Officer in Singapore

The DPO may be a staff or a group who work closely with data security. It can also be an employee who is able to take on this role as part of his multiple responsibilities.

Ideally, the DPO should be your staff from the management team. Alternatively, you could appoint an external provider to process and manage your data. Even if you do so, you will still need to work with them closely. This is to ensure that the security checks are being put in place.

Without a DPO, there is a risk of having the data being compromised and misused. Similarly, individuals may request to access or correct their data from time to time. Some individuals may even complain about their data being used for illegitimate purposes. For both matters, the DPO has to step in and address these concerns.

To comply with PDPA, companies have to seek consent from the individuals if they are agreeable to have their personal data stored in the system, or used for other purposes. This is to give awareness to the individuals on how their data are being used.

To get permission from the individuals, a PDPA disclaimer has to be included in any written form.

It can be written in this manner:

  • I acknowledge that I have read and understood the above Data Protection Notice, and consent to the collection, use and disclosure of my personal data by XX organisation for the purposes set out in the notice.

Similarly, individuals should also be given a choice to withdraw their consent if they are not comfortable with companies holding on to their personal data for any reason at all. If you get such a request, your company should stop using their data immediately. You should also inform them of the consequence of withdrawing the consent.

Useful tool for SMEs
Too many things to remember and need some help? Here is a tool to generate your first few data protection template and notices to inform your customers and employees on how you manage their data.

PDPA vs GDPR

You might have asked yourself these questions before: What is the difference between PDPA and GDPR? Do Singapore companies have to follow both?

GPDR stands for General Data Protection Regulation, a European Union regulation on data protection and privacy. It took effect on 25 May 2018. The two are quite similar in many ways, however, the GDPR has a broader reach and other implications such as, other companies that are not part of the European Union.  One big difference however, PDPA does not apply to business contact information, but with GPPR, it applies.

Here is a non-exhaustive list of types of personal data collected by PDPA and GDPR:

PDPA (Singapore) GDPR (European Union)
  • Full Name
  • National Registration Identity Card (NRIC), Foreign Identity Number (FIN)
  • Passport Number
  • Mobile Number
  • Personal Email Address
  • Residential Address
  • Thumbprint
  • Voice Recording of an Individual
  • Photograph or video image of an individual
  • Full Name, Address and ID Numbers
  • Web Data such as IP address, cookie data and RFID tags
  • Health and genetic data
  • Biometric data such as thumbprint
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation
  • Economic information
  • Personal preferences and interests
  • Data about a person’s performance at work
  • Other personal metrics such as reliability, behaviour patterns and etc.

Does GDPR apply to Singapore Registered Companies?

It depends.

If your company collects, uses and discloses personal data of a European Union citizen for either work or other purposes, you are bound by GDPR regulations. This means you will need to process their personal data according to GDPR regulations.

Let’s look at some examples where the GDPR would apply and not apply in the situation:

YG Institute, a Korean Language School in Singapore offers an online course targeting EU nationals (e.g. French-Korean lessons). Its website is accessible in, French, Italian, Dutch and English. The website also allows individuals in the EU to submit their enrolment application and make payment in Euros. GDPR would apply in the processing of the application.

Ltfybook, a car booking service in Singapore allows anyone around the world to make advance reservations through its website, including travellers from the EU. The website is in English and accepts credit card payments of deposits for reservations in Singapore dollars only. The GDPR is most likely not applicable in this situation.

PDPA Breach Cases

Personal data has to be secured and protected due to its sensitive nature. However, as of January 2020, there have been more than five cases of PDPA breach in Singapore.

Here are some cases of PDPA breach:

Lack of Accuracy

AIG Asia Pacific Insurance had printed an incorrect facsimile number on the policy renewal notices issued to their policyholders. As a result, policyholders faxed their renewal submissions to an unrelated party instead of the insurance company. This horrendous error led to the exposure of policyholders’ personal data such as the policy holder’s name, address and policy details.

Lack of Openness

A former tutor, who registered with Champion Tutor, found the tuition agency’s tutor list displayed fully online by searching it on Google. The list contained the name, contact number and email address of more than 4,000 individuals. After an investigation, it was discovered that Champion Tutor did not appoint a DPO, and had failed to develop and implement any internal protection policies. This resulted in the data being compromised.

Lack of Stringent Checks

A customer entered her passport number in the booking form on Horizon Ferry’s website during her purchase of a ferry ticket, and discovered her personal data were automatically populated in the corresponding field in the form. This led to an investigation. It was later found out that the company did not appoint a DPO to oversee the data management. There were even insufficient stringent checks on their new data management system.

Due to these oversights, these companies face a heavy penalty. Some companies may think appointing a DPO is not necessary. Some companies may have appointed a DPO, but have not performed necessary checks on their processes. Either way, it causes inconvenience to the individuals, and to the related companies as well.

How Should Companies Improve their Compliance for the Future?

The trend of e-commerce will continue to grow in the coming years. Technology will play a huge part in people’s lifestyle. As a result, companies have to improve their PDPA compliance. Overall,it will be beneficial for the companies, industries, and  individuals.

Now that you understand more about PDPA and GDPR, it’s time to appoint a Data Protection Officer for your company, which is also a requirement for all companies. Yes, it is mandatory. You can do it yourself but you don’t have to. Contact our experienced Corporate Secretaries for help.

  • E27
  • Entrepreneur
  • foundr
  • sgsme.sg
  • Tech in Asia
  • Vulcan post
We’re using cookies! What does it mean?
Scrolled to bottom