GDPR And PDPA Compliance For Singapore Companies

Governments and political activists have worked cooperatively over the past ten years to protect the personal data (PD) of persons that tech businesses acquire as part of their operations. 

The goal is to safeguard such data while also defending the fundamental liberties relating to privacy and personal information. Failing to provide such protection can lead to substantial harm.

New regulations that limit how our personal information may be gathered and used by any organization with the authority to do so have been enacted by a number of governments. 

The sharing or abuse of information about private individuals is prohibited by new privacy or data protection legislation. 

Almost 80 nations have now passed comprehensive PD protection legislation, including the majority of those in Europe, the European Union, and numerous more in Asia, Africa, Latin America, and the Caribbean. 

Singapore is not an exception; it has some of the most thorough legal frameworks in this area that achieve a balance between privacy rights and technological advancement. 

All businesses doing business in Singapore are required to abide by these laws.

WHAT IS PDPA?

Singapore’s law, known as the Personal Data Protection Act ( PDPA ), governs the gathering, use, and disclosure of personal data by organizations there. 

The primary goals of the act are to a) make sure that all personal data is processed in a way that respects people’s privacy and ownership rights, and b) make sure that organizations only utilize personal data for legitimate commercial objectives. The law was passed in October 2012 and went into effect over the course of four months, from January 2013 to July 2014.

WHO IS REQUIRED TO FOLLOW THE PDPA?

Companies and unincorporated bodies conducting business in Singapore are required to abide by the PDPA’s regulations with regard to the gathering, use, and disclosure of personal data.

Nonetheless, the following people are exempt from the act:

• Individuals acting in their personal or household capacity; 
• Public agencies; and 
• Organizations acting on behalf of a public agency in relation to the processing of the PD.

Throughout the course of their professional activity, employees of an organization are required to abide by the policies of the organization to ensure PDPA compliance. Employees, however, are not subject to personal liability for a company’s violation of the PDPA.

WHAT SORTS OF DATA ARE PROTECTED BY THE PDPA?

Any information—true or false—about a person who can be identified from that information, or from that information and additional information to which the organization has or may have access, is considered personal data under the PDPA, which protects that information.

The following PD types are covered:

• Full name;
• National Registration Identity Card (NRIC) number or Foreign Identification Number;
• Photographs or video images of an individual;
• Personal mobile telephone number;
• DNA profile;
• Passport number;
• Thumbprint;
• Iris image;
• Voice recording of an individual.

It should be noted that business contact details like name and title, business phone number, business address, and email are not regarded as PD.

STEPS TO COMPLY WITH THE PDPA

The organization must abide by the following requirements whenever it gathers, uses, or discloses personal data in Singapore:

Step 1: Appointing a Data Protection Officer

Your Singapore company must appoint at least one person to serve as the Data Protection Officer (DPO), who is in charge of making sure the company complies with the PDPA. The following people may be given DPO duties:

• Workers whose primary duties are limited to data protection, 
• personnel who include data protection as one of their many duties, or
• a third-party service provider.

Public access to DPO’s corporate contact details is required.

Step 2: Informing Public and Requesting Permission

Do not require customers to provide their consent to the processing of their PD in excess of what is necessary to deliver the good or service. Only use the data for the reasons for which the entity has consent. Inform the customer of the reason for  processing their data when the company requests any PD and have their permission. 

Any application form may contain a consent clause, such as this one: “I accept that [organization name] may collect, use, and disclose my personal data, which I have submitted in this form. The consumer must be given the option to revoke this consent at any time.

Step 3: Responding When Clients inquire About PD

If a client requests information about the PD the business has acquired about them, as well as how that information was used and released in the previous year, the company must respond as soon as is possible. 

The company may impose a fair fee to compensate for the expense of processing the request. If the company is unable to react within 30 days, they must let the individual know and let them know when they will be able to.

Step 4: Assuring Accuracy; allowing PD Correction

Do all necessary measures to ensure that the PD acquired is precise and comprehensive. The business is required to comply with a client’s request to remedy an error or omission in their personal data. It is suggested that you have a suitable application form on the website so that anyone wishing to make a request can give a description of the problematic Condition.

Step 5: Protecting the PD That The Organization Has

Take the appropriate precautions to a) safeguard the PD held by the organization and b) avoid risks such as unauthorised access, collection, use, or disclosure of the data. These measures can include frequently backing up data, implementing firewalls and virus-checking software on employees’ PCs, and password-protecting any PD housed electronically that could hurt a person if lost or stolen.

Step 6: Getting Rid of PD That Isn’t Required

When the business no longer needs the PD for business or legal purposes, stop holding it. Decide on a retention timeframe for distinct PD types. Just keep data as long as it is necessary for commercial or legal reasons. Use specialist software for electronic data, destroy the paper papers, or safely delete the PD. 

The PDPA does not specify the length of time that enterprises must keep personal data in order to adhere to any applicable legislative or industry-specific standards. 

For instance, proceedings based on a contract (among others) must be initiated within 6 years on the date the cause of action accrued under the Limitation Act (Cap. 163). So, an organization may want to keep documents on its contracts for 7 years after the contract was terminated, and maybe for longer if an inquiry or legal action should start during that time.

Step 7: Before transferring information overseas, make sure it is protected.

If the business sends personal data (PD) outside of Singapore, take the necessary precautions to ensure that the data is still in compliance with the PDPA while it is in custody or under control. 

Make sure that the recipient organization is subject to legally binding responsibilities to offer protection on par with the PDPA standard. These legally binding obligations may be imposed by local law or, in the absence of local legislation, by a contract with the recipient.

Step 8: Monitoring Service Providers Who Handle Personal Data Carefully

Even if the business uses a service provider to host, store, or process their personal data, they are still in charge of keeping it safe. So, when negotiating a service contract with the service provider, be careful to include clauses requiring the provider to take appropriate steps to ensure PDPA compliance.

Step 9: Checking the Do Not Call Registry

The DNC Registry is a database where people can register their phone numbers to opt out of getting unsolicited marketing calls and messages. This database contains telephone numbers that Singapore corporations are not permitted to deliver specific marketing messages to.

Hence, unless the subscriber has expressly consented to receiving such messages, check the DNC Registry before sending marketing materials to subscribers or users of Singapore telephone numbers if the business engages in telemarketing.

Step 10: Sharing Your Data Protection Procedures, Policies, and Practices

Providing the DPO’s company contact details so that clients can reach out to them with questions about the PDPA. 

Provide details regarding the data protection policies, procedures, and complaint procedures online and make them accessible to customers upon request. Ensure staff members are aware of and follow the PD protection procedures. 

Mention how they protect PD and make sure the business conforms with the PDPA.

---

WHAT IS GDPR?

General Data Protection Regulation (GDPR) is a privacy and data protection policy from the European Union. It went into effect on May 25, 2018. 

A  regulation is an EU legal act that is instantly and concurrently enforceable as national law in each of the member states; it does not need to be translated into national law. But, the GDPR has an even wider scope and territorial ramifications, meaning that it also applies to businesses that are not based in an EU member state.

Is A Singapore-Incorporated Business Affected by the GDPR?

The EU data protection regulation typically covers:

• Every business that is registered in the EU and gathers or processes personal data (PD) from people who dwell there; 
• any business that is registered in the EU; and 
• any business that is registered outside the EU but gathers or processes PD from people who reside there.

So, you must adhere to the GDPR rules if your Singaporean firm collects and processes PD of customers, workers, or other individuals who reside in the EU.

What Types of PD Should the Company Protect Under the GDPR?

Both the GDPR and PDPA have similarities and differences. The GDPR’s mandate is generally more expensive than the PDPA’s. Under the GDPR, the following personal information is protected:

• identifying particulars such name, address, and ID numbers;
• Web data, including IP address, cookie data, location or movement information, and RFID tags;
• genetic and medical information;
• Biometric data;
• Racial or ethnic data;
• Political opinions;
• Sexual orientation;
• Data on person’s performance at work;
• Economic information;
• Personal preferences and interests;
• Other personal metrics such as reliability, behaviour patterns, etc.

What Data Management Principles Should The Business Adopt to Comply with GDPR?

While the Singapore PDPA protection strategy and the GDPR standards are comparable overall, there are several areas where they differ and are more complicated. Make sure the business follows the following European data protection principles in order to be GDPR compliant.

• Legitimacy, fairness, and transparency – In relation to the individual whose personal data is being processed, your business must do so legally, fairly, and openly.
• Purpose Restriction – The organization may only gather personal information if it has a clear, stated, and justifiable reason for doing so. The business must specify this purpose in full and only gather data as long as it takes to achieve that purpose.
• Data reduction – The business must make sure that the PD you process is sufficient, pertinent, and restricted to what is required for processing reasons.
• Accuracy – The business must make every effort to correct or get rid of outdated or insufficient data. People have the right to ask them to delete or correct inaccurate information about them, and they have a month to comply with their request.
• Storage Capacity – When a corporation no longer requires personal information, it must remove it. Most of the time, the time frame is not specified. It relies on the specifics of the company’s operations and the goals behind the data collection.
• Integrity and discretion – Using the proper organizational or technical safeguards, the business must keep PD secure and secured from unauthorized or unlawful processing as well as accidental loss, destruction, or damage.

In addition to adhering to the aforementioned data processing principles, the GDPR mandates that the business be able to prove to authorities that it is in compliance with the rules, specifically by showing that the actions listed below are taken:

• Implementing the data protection policy – The foundation of an organization’s GDPR compliance procedures is this policy document. Employees must be informed of the obligations of the GDPR, and the organization’s commitment to compliance must be stated.
• Implementing security measures – Every processed PD should be safeguarded using the proper organizational and technical controls.

Organizational precautions include things like restricting the quantity of personal data the business gathers or deleting data it no longer needs, while technical measures include encryption.

Pay close attention to how sensitive PD is processed. It needs to be encrypted, protected against pure form falling into the logs, and only authorized users are allowed access to the production database.

The following PD is regarded as sensitive:

• PD on ethnic origin, political opinions, religious or philosophical beliefs;
• Trade-union membership;
• Genetic data, biometric data processed solely to identify a human being;
• Health-related data;
• Data concerning a person’s sex life or sexual orientation.

Ensure team members are educated about data security by implementing a security policy. The policy should provide instructions on how to secure emails, create strong passwords, use two-factor authentication, encrypt devices, and use VPNs.

PD protection when collaborating with other businesses

Contracts for data protection should be made between the company and any outside processors. This includes any third-party services, such as analytics software, email services, cloud servers, etc., that handle the personal data it is in charge of. 

It can review the usual data processing agreement from the majority of processors on their websites. Working with third parties who cannot guarantee GDPR-compliant data protection should be avoided. In other words, outsourcing data processing to third parties will not allow the business to avoid its GDPR duties.

Documenting processing operations

Companies with 250 or more employees must comply with this regulation. Such organizations are required to keep a special list of the data they process, which must include the following information: the reasons for the processing, the types of data you process, who has access to it within the organization, any third parties (and where they are located), what steps they are taking to protect the data (such as encryption), and when they intend to delete it (if possible).

Organizations with fewer than 250 employees, however, are required to document the processing of routine PD but not occasional PD (i.e., activities that they perform infrequently do not need to be documented); or which is likely to put people’s rights and freedoms at risk. 

Carrying out data protection impact analyses

The business should do data protection impact analyses for your company. The criteria must be met if your company’s PD processing involves significant risks.

Documenting PD violations

Within 72 hours, the company must document and report PD violations to the offender and the appropriate governmental body (Personal Data Protection Commission in Singapore).

Appointing a Data Protection Officer

Companies who process sensitive data as indicated above, monitor PD on a wide scale, or process information about criminal convictions and offences are required to do this step. Yet other businesses are also urged to name a DPO. 

This individual must be knowledgeable about data security. Monitoring GDPR compliance, identifying data protection issues, offering guidance on data protection impact analyses, and collaborating with authorities must all be part of his or her duties.

Protection of privacy rights

The business must make certain that the clients can:

Request and obtain all of their PD that you handle;

To request an update, correction, halt processing, or deletion of their personal data.

Additionally, if the business uses automated systems to make choices about people, it needs to have a framework in place to safeguard their rights.

Having a legal basis for the processing of data

When authorities ask, the business should be able to provide one of the six justifications for processing PD. Processing is only regarded as legal if at least one of the following conditions holds true:

• Consent: The individual has formally authorized the processing of his or her personal data for the desired outcome.
• Contract: The business and the person have a contract, or the person has asked them to take certain actions before the business engages into a contract, which makes the processing required.
• Legal requirement: the processing is required to uphold the law (not including contractual obligations).
• Vital interests: the processing is required to save a life.
• Public task: The processing is required to carry out a task that is in the public interest and has a solid legal foundation.
• Legitimate interests: Unless there is a compelling need to protect the PD, which takes precedence over legitimate interests, the processing is required for the organization’s or a third party’s legitimate interests.

Reach out to us at Relin Consultants for more information.