If you experience a data breach under Singapore’s jurisdiction, you must comply with Singapore’s PDPA breach requirements to notify relevant parties and reduce the breach’s effect.
Data breaches can feel overwhelming, but panic and inaction won’t help the situation. Instead, you need to keep calm, act fast, and follow legal guidelines to the letter.
This article will walk you through Singapore’s PDPA data breach requirements. We’ll go over how long you have to report a breach, the content of a breach notification, penalties for non-compliance, and much more.
Let’s get into it.
Key Takeaways
In Singapore’s fast-growing economy, the Personal Data Protection Act (PDPA) is the primary law overseeing consumer privacy and data protection.
Under Singapore’s PDPA, organizations that suffer a “notifiable data breach” must inform affected individuals and the regulatory authority at most three (3) calendar days after discovering the breach.
Failing to comply with Singapore’s PDPA can trigger financial penalties of up to SGD 1 million and other significant consequences, including criminal liability.
PDPA Singapore Explained
PDPA Singapore Checklist Steps for Compliance.jpg
The Personal Data Protection Act (PDPA) is a comprehensive privacy law that protects the personal data of Singapore’s residents. It was passed in October 2012 and came into force in stages between January 2013 and July 2014.
The PDPA was created in response to the increasing value and vulnerability of personal data. To address this, the law gives Singaporeans significant control over their data through several privacy rights.
While focused on protecting consumers, the PDPA doesn’t aim to wreck business operations. It acknowledges the need for legitimate data use in commerce and innovation. As such, it provides a framework for balancing individual rights with business needs.
To keep the law recent and effective, Singapore’s government recently updated the PDPA in 2020 through the Personal Data Protection Amendment. This update brings the PDPA up to par with modern standards and top-tier data regulations such as the EU’s GDPR.
Like the GDPR, PDPA compliance means fulfilling key obligations like maintaining a transparent privacy policy, obtaining consent for specific data processing, and, of course, submitting timely notifications for notifiable data breaches.
What is the Scope of the Singapore PDPA
What is the Scope of the Singapore PDPA.jpg
Like many other data protection laws, the PDPA boasts a global reach. This means as long as Singaporean resident data is involved, the PDPA is triggered — regardless of location.
The law also regulates all actions performed on personal data, from collecting to storing to deleting it.
To better clarify, let’s break down the PDPA’s scope:
Extraterritorial Coverage: Simply put, as long as you collect Singapore residents’ data, the PDPA applies to your business – whether you’re based in Singapore or halfway across the globe,
Legal Entity: Like the GDPR, the PDPA doesn’t discriminate. It covers private individuals, groups, and organizations — both local and international — as long as they handle Singaporean data.
Data Intermediaries: Singapore’s law also applies to data intermediaries (the equivalent of data processors under the GDPR. While data intermediaries enjoy lenient coverage under the PDPA, they must still comply with data security and retention obligations.
Exemptions to Singapore’s PDPA
Despite its broad scope, the PDPA includes several important exemptions from its coverage, including:
Personal and Domestic Activities: The PDPA doesn’t apply to data processing carried out for personal or non-commercial purposes. So, actions like collecting the email addresses of family members to organize an event aren’t regulated by the law.
Employment-Related Activities: Singapore’s law also excludes employees acting in an employment or professional capacity from its scope. For instance, collecting employees’ banking details to process their salaries won’t attract the PDPA’s attention.
The Public Sector: Public-sector organizations in Singapore are regulated by different rules outlined in the Government Instruction Manual on Infocomm Technology & Smart Systems Management and the Public Sector (Governance) Act of 2018.
Do you Have to Notify of Data Breaches Under Singapore’s PDPA?
It depends. Singapore’s PDPA requires you to notify both the Personal Data Protection Commission (PDPC) and affected consumers of “notifiable data breaches.”
A notifiable data breach under Singapore’s law is one that:
Causes significant harm to consumers (i.e., includes the special class of data in the PDP (DBN) 2021)
Involves large-scale exposure of data (i.e., affects at least 500 consumers)
This implication here is that you’ll need to conduct a quick assessment to know if any breach you experience can be classified as a “notifiable data breach.”
How to Handle Data Breaches Under Singapore’s PDPA
If your business suffers a notifiable data breach, Singapore’s PDPA gives you three (3) calendar days after discovering the breach to report it to the PDPC. Your notification to the PDPC can be through any of the following mediums:
Official website: https://eservice.pdpc.gov.sg/case/db.
Official phone number: +65 6377 3131 (for urgent notification of major cases)
Remember: You must notify affected individuals simultaneously or immediately after reporting the breach to the PDPC.
Now, what exactly should your data breach notification entail? Let’s find out.
What to include in your data breach notification to the PDPC
The PDPC requires businesses to show that they’re taking proactive steps to manage and fix notifiable data breaches.
To this end, the commission asks that you provide the following details in your breach notification:
Facts of the data breach, including:
The date and circumstances in which you first became aware of the data breach
How the data breach happened
The number of consumers affected by the breach
The personal data or classes of personal data compromised during the breach
The potential harm to the consumers resulting from the breach
Data breach handling, including:
A chronological account of the steps you took after becoming aware of the breach, including your assessment that the breach was “notifiable”
Any action you’ve taken or plan to take to reduce harm to the affected individuals and fix the root cause of the breach
Your plan to inform affected consumers (or the public) about the breach and how they can reduce harm to themselves
Contact information of at least one authorized representative for more information or assistance.
What to include in your data breach notification to consumers
When notifying affected consumers, Singapore’s PDPA requires you to include the following details about the breach:
Facts of the data breach, including:
How you become aware that a notifiable data breach had occurred
What personal data relating to affected individuals was compromised in the breach
Data breach management and remediation plan, including:
Potential harm to affected individuals as a result of the breach
What steps have you taken or will you take to reduce damage to affected individuals and fix the root cause of the breach?
Contact information of at least one authorized representative for more information or assistance.
For more information on handling data breaches under Singapore’s PDPA, check out the official guide: Managing and Notifying Data Breaches Under the PDPA.
How to Prepare for a Data Breach Under Singapore’s PDPA?
How to Prepare for a Data Breach Under Singapore’s PDPA.jpg
Data breaches are (unfortunately) all too common today, but taking proactive preparation measures empowers you to address vulnerabilities quickly and slam the door on intruders.
The PDPC provides the following guidance:
Monitor your security systems to prevent data breaches
One of the most effective ways to prevent data breaches is to constantly monitor your cybersecurity protections. To do this, the PDPC recommends using monitoring tools to help detect and fix weak spots before attackers exploit them.
Specifically, you should consider using the following:
A dedicated monitoring software to track your inbound and outbound traffic for strange network activities
Real-time intrusion detection software to catch unauthorized operations and attacks
Security cameras to monitor the internal and external secure areas such as data centers and server rooms
Develop a comprehensive data breach management plan
Your data breach management plan should do the following:
Clearly define what constitutes a data breach to help employees identify them and take swift action.
Establish steps for internal reporting and specify key roles — such as a Data Protection Officer (DPO) — to oversee data breach notifications.
Include a robust response strategy using simulation exercises to test your readiness.
Adopt the PDPC’s Recommended C.A.R.E Framework
To handle data breaches effectively, the PDPC recommends using the C.A.R.E. framework:
Contain: Isolate the affected data to prevent further exposure. Think firewalls, passwords, and deactivating compromised accounts.
Assess: What data was exposed? How many individuals are affected? Understanding the breach helps you prioritize and target your response.
Report: Notify the PDPC and affected consumers appropriately within three calendar days of discovering the breach
Evaluate: Find out what went wrong and fix weak spots in your cybersecurity systems to minimize the risk of future breaches.
Aside from these preparation tips, the PDPC also recommends developing crisis management, communications, and continuity plans to support your data breach program.
Penalties for Non-Compliance with Singapore’s PDPA
If the PDPA applies to you, compliance with its requirements isn’t optional. Failing to comply not only attracts significant consequences from the PDPC but also creates a negative public image, leading to a loss of consumer trust.
Let’s look more closely at what awaits violators:
Administrative Penalties, including: Bans of data processing activities, deletion of illegally obtained data, and restriction of access to data
Financial Penalties: Up to 10% of annual turnover in Singapore (for businesses with over SGD 10 million annual turnover), a maximum fine of SGD 1 million, and up to SGD 50,000 for misusing personal data or hiding key information
Criminal Penalties: Significant financial sanctions or criminal liability, including imprisonment
Civil Liability: Including but not limited to damages, injunctive orders, and other penalties as imposed by the Singapore court
How Can Captain Compliance Help?
However unsettling a data breach is, approaching it calmly and swiftly can help you regain your footing and make things more manageable.
Having understood Singapore’s PDPA data breach requirements, you’re one step closer to achieving compliance. Now, it’s time for execution.
Not sure where to start? We’ve got you covered!
At Captain Compliance, we’re dedicated to ensuring you don’t just understand the law but can seamlessly translate that knowledge into action.
From conducting risk assessments to crafting breach response plans, we can help you with your data breach compliance.
Ready to hit the ground running with Singapore’s law? Get in touch today!
FAQs
What’s considered a “data breach” under Singapore’s PDPA?
Any unauthorized access, alteration, copying, modification, disclosure, or loss of personal data falls under the PDPA’s definition of a data breach. Data breaches typically occur due to human error, malicious activities, and computer system defects.
See also: Marina Bay Sands Data Breach Incident
Do I need to notify anyone about a breach under the PDPA?
It depends. If the breach will likely cause “significant harm” or involves a large-scale data exposure, you must notify the PDPC and affected individuals within three calendar days. Prompt action minimizes damage and shows good faith to both consumers and authorities.
See also: Connecticut Data Breach Notification Law
What steps should I take if I suspect a breach under the PDPA?
Act fast using the PDPC’s recommended C.A.R.E framework. Contain the breach, assess the damage, report the incident to relevant parties, and evaluate results to prevent future occurrences.
Learn about GDPR Data Breach Notification Best Practices in our guide
Can I avoid a data breach altogether?
Prevention is always better than cure. Investing in robust cybersecurity measures like firewalls, data encryption, and corporate compliance training are all effective measures to make your data fortress harder to breach.