Personal Data Protection Act (PDPA)
Singapore Personal Data Protection Act 2012 (PDPA) is a law that governs the collection, use and disclosure of personal data by all private organisations. The Act has come into full effect on 2nd July 2014 and has been updated recently with new amendments that takes effect on 2 November 2020. Organisations which fail to comply with PDPA may be fined up to $1 million and suffer reputation damage.
Are you prepared?
- What is PDPA?
- How do you comply?
- Description of PwC services offerings
- What are your benefits by engaging PwC?
What is PDPA?
1. Purpose limitation
Only use or disclose personal data for the purposes defined.
2. Notification
Inform the individuals on the purposes for collection, use and disclosure of their personal data during collection.
3. Consent
Ensure that the consent has been obtained from the individuals before collecting, using or disclosure of the personal data.
4. Access and correction
Upon request, provide the personal data of the individual and information on how the individual’s personal data has been used or disclosed in the past year. Correct an individual’s personal data upon request.
5. Accuracy
Ensure that personal data is accurate and complete during collection or when making a decision which will affect the individual.
6. Protection
Keep personal data in your possession secure from unauthorised access, modification, disclosure, use, copying, whether in hardcopy or electronic form.
7. Retention limitation
Retain personal data only for business/legal purposes and securely destroy personal data when no longer needed.
8. Transfer limitation
Ensure overseas external organisations provide a standard of protection comparable to the protection under the Singapore PDPA.
9. Openness
Designate a Data Protection Officer and publish his/her business contact information. Make available personal data protection policies and practices to public and employees, including complaint process.
10. Do-Not-Call (DNC)
Do not send marketing messages to individuals who have registered in the National DNC registry through voice, text messages or fax unless you have obtained their clear and unambiguous consent or have an on-going relationship (for text / fax).
How do you comply?
PDPA Requirements
- Designate a Data Protection officer (DPO)
- Map organisation’s personal data Inventory, implement personal data protection policy
- Communicate to employees on the personal data protection policies
- Incorporate data protection as part of BAU
- Establish regular compliance program to verify adherence to PDPA requirements
PwC PDPA service offerings
- Personal data protection support office
- Gap assessment and framework development
- Training/ awareness
- Compliance review
Description of PwC services offerings
Gap assessment
Conduct gap assessment against the PDPA requirements
Framework development
Define data protection policy and processes to kick start your compliance programme
Training/ awareness
Provide training and awareness programs to employees on organisation’s personal data protection policies and processes
Personal data protection support office
Offer all-round administrative and advisory support for your data protection office
Compliance review
Perform compliance review and testing against PDPA’s requirements
What are your benefits by engaging PwC?
Depending on the services, your organisation will
- Stay on track with PDPA requirements
- Be able to concentrate on core businesses while maintaining PDPA compliance
- Be able to leverage on PwC readily available knowledge base and capabilities.
