11 PDPA obligations – why ‘POPCORN’ matters

Are you an organisation handling personal data? If your answer is yes, then it is your duty under the Singapore Personal Data Protection Act (PDPA) to fulfil these obligations. You have been entrusted by your beloved customers and employees with their valuable personal data.

Meeting these 11 obligations is what's expected of a data protection officer, or DPO. If you don’t want to let your customers and employees down, then it is imperative to learn these 11 data protection obligations by heart!

Get an operational perspective of the Singapore PDPA by attending our one-day course here. 

1. Purpose limitation obligation: You must collect, use, or disclose personal data only for purposes which are reasonable to provide your product or service, or for which you have been granted consent.

2. Consent obligation: You must obtain consent for your specific purpose before you can collect, use, or disclose personal data.  You must allow individuals to withdraw their consent when they wish to do so.

3. Accountability Obligation: You are responsible for the personal data entrusted to you by your customers and employees. You show responsibility by making sure you are compliant with the 11 obligations. You ensure compliance by appointing a data protection officer (DPO) and implementing data protection policies, among many other best practices for data protection (which you can learn about in our DPEX courses!)

4. Notification obligation: Your customers or employees must always be informed or notified of your purpose for collecting, using, or disclosing their personal data.

5. Transfer Limitation Obligation: You must ensure that the cross-border transfer of personal data is done securely and responsibly, according to the guidelines of regulating bodies.

6. Retention Limitation Obligation: You must not retain or keep any personal data that is no longer needed to fulfil any business purpose. You must dispose of the data accordingly.

7. Accuracy Obligation: Make sure that the personal data in your possession is accurate and complete, especially when these data will be used for making decisions about the individual.

8. Protection Obligation: The most commonly violated obligation. You must take measures to actively secure the personal data in your possession from unauthorised access, collection, use, or disclosure.

9. Access and Correction Obligation: You must allow an individual to access his/her personal data upon request, including records of how his data was used or disclosed.   You must correct errors in your personal data records, and relay these corrections to other organisations to whom you have previously shared or disclosed the data.

10. Data Protection Notification Obligation: You should notify both the affected individuals and the PDPC when a data breach occurs, especially when the breach may cause harm or if a large number of individuals were affected.

11. Data Portability Obligation: When an individual requests for transfer of his/her data, you must transfer the data to another organisation in a common machine-readable format. (We are still waiting for the PDPC to issue regulations for this obligation.  Data Portability will be enforced once regulations are released.)

What does 'POPCORN' have anything to do with PDPA?

Can’t seem to remember all these obligations? Don’t know how to start applying it? We created an easy way for you to know these obligations by heart.

Just remember, ‘POPCON EXTRAS, ADD (butter)’ – as a pun on popcorn and a memory aid! Every time you collect personal data, ask yourself these POPCON questions to ensure that you are fulfilling your 11 obligations under the PDPA.

To view the full infographic, use this link: https://www.dpexnetwork.org/research/infographics-11-data-protection-obligations-under-pdpa-popcon-add

For other Foundation courses on data protection, go to https://www.dpexnetwork.org/courses