From Inception to Impact: Singapore’s PDPA After Ten Years

2024-04-26

By Shaun Jarmen, Industry Development Manager, Straits Interactive


2024 marks 10 years since Singapore's Personal Data Protection Act (PDPA) came into full effect. Since then, numerous enforcement cases have dotted the Personal Data Protection Commission's (PDPC) record, and amendments to the Act have been made to fit the demands of changing times. So how has the regulation affected businesses, and how should Data Protection Officers (DPOs) chart their course to compliance?

Last week, my team and I held a talk to answer these very questions. I was joined by Industry Development Director Wendy Lim, Industry Development Manager Raani (Arunesaraani Arunasalam), and Baljit Singh, Assistant Vice President of Certification at Guardian Independent Certification Group (GICG), an Assessment Body (AB) for the Data Protection Trustmark (DPTM). In the session, we laid out the blueprint of the PDPA, examined compliance insights, and discussed how DPOs may approach data privacy for the enterprise.

An Overview of Singapore's PDPA And Its Key Provisions

Enacted in 2012, the PDPA is a baseline law that sets out the rules and standards governing the collection, use, disclosure and storage of personal data, so that organisations can demonstrate accountability and good data governance. The Act recognises not only the right of individuals to protect their personal data, but also the need of organisations to collect, use and disclose personal data for purposes a reasonable person would consider appropriate.

The Act has come a long way since the landmark launch of the Do Not Call (DNC) Registry in January 2014. Still, one founding principle persists and shapes the provisions of the PDPA: Accountability. It refers to a risk-based approach to identifying, monitoring and responding to risks throughout the data life cycle. The obligations of the Act are grouped according to the three broad phases of the data life cycle, with Accountability as the overarching theme running through all of them.

The PDPA started out with 9 key obligations (Consent, Purpose Limitation, Notification, Access and Correction, Accuracy, Protection, Retention Limitation, Transfer Limitation, and Accountability). That list has since expanded to include the Data Breach Notification and Data Portability obligations, bringing the total to 11.

While a Data Breach Management Plan has been required for DPTM certification since the scheme's launch in 2019, the addition of the Data Breach Notification obligation to the PDPA in 2021 made it mandatory to notify the PDPC of a notifiable data breach as soon as practicable and no later than three calendar days (72 hours) after determining that it is notifiable, i.e. a breach that results in, or is likely to result in, significant harm to affected individuals, or one of significant scale (500 or more individuals). Affected individuals must also be notified where significant harm is likely, unless an exception applies. The Assessment Body will require you to have a well-implemented and tested Data Breach Management Plan, supplemented with regular, documented tabletop simulations. The PDPC's CARE framework (Contain, Assess, Report, Evaluate) structures breach response, and we have adopted it ourselves.

The Data Portability obligation will take effect only once the supporting regulations are issued. At the request of the individual, organisations will be required to transmit the individual's data that is in the organisation's possession or

