The first phases of the Singapore Personal Data Protection Act (PDPA) 2020 Amendment came into effect on Feb 1, 2021; starting on October 1, 2022, the maximum financial penalty for breaches of the PDPA will be increased. Here’s what you need to know for the next phase of the PDPA and how to ensure your information security practices are compliant so you avoid penalties.
What You Need to Know About PDPA
To start, the PDPA, like other privacy regulations, governs the collection, use, and disclosure of individuals’ personal data by organizations. It recognizes both the right of individuals to protect their personal data and the fact that organizations need to collect, use, and disclose personal data for reasonable business purposes.
The 2020 Amendment to the original Personal Data Protection Act 2012 (No. 26 of 2012) introduced several new provisions to ensure accountability, including:
- A mandatory data breach notification requirement, with guidance on the timing and substance of the notification. Organizations that suffer a data breach must notify the PDPC and any affected individuals of the breach unless an exception applies.
- Expansion of the scope of deemed consent under the PDPA and new exceptions to the requirement to obtain consent from individuals before collecting, using, or disclosing their personal data.
- Additional exceptions to express consent, including a legitimate interest exception and a business improvement purposes exception.
- Introduction of criminal offenses including fines and imprisonment for knowingly or recklessly mishandling or disclosing personal data.
- A private right of action that allows an individual harmed by an organization’s violation of the PDPA to file a lawsuit for civil damages.
- An enhanced financial penalty regime.
Currently, the Personal Data Protection Commission (PDPC) can impose a financial penalty of up to SGD 1 million on organizations that have breached the Data Protection provisions under the PDPA. Starting Oct 1, 2022, the PDPC will be able to impose increased financial penalties of up to 10% of an organization’s annual turnover in Singapore (if the organization’s annual turnover in Singapore exceeds SGD 10 million), or SGD 1 million, whichever is higher.
How to Prepare for the Changes to PDPA
Chances are you are already complying with the local privacy regulations that apply to your organization, or with the previous version of the PDPA. If you do business in the European Union, you already need to comply with the GDPR. Compliance with any of the global privacy regulations will set a good foundation for meeting PDPA requirements.
To ensure compliance with any privacy regulation, including the PDPA, here are some important steps to follow:
- Know what regulations apply to your company.
- Update any privacy compliance and data governance plans to include the new regulatory changes and requirements for PDPA and other guidelines applicable to you.
- Conduct employee training on any new applicable policies around data handling and protection.
- Understand what types of personal data are in your organization’s custody and where that data is stored and processed.
- Ensure that all personal information in your systems is appropriately classified and protected from unauthorized access and use.
Automating Personal Data Discovery and Protection
Many breaches are avoidable. The majority of security incidents are caused by simple human error: the wrong file was sent to the wrong person(s) or uploaded to the wrong location. Theft of personal data by malicious employees can also be mitigated. The key is to have proactive security solutions in place that restrict what actions can be taken with the personal data in your organization’s care. Solutions that can identify, tag and protect personal data covered by the PDPA are your best line of defense against data breaches, unauthorized access and misuse.
NC Protect ensures data compliance and security by continuously monitoring and auditing content (files, chats, messages) in your enterprise collaboration tools. If sensitive data is discovered, it will not only classify it but also protect it, according to policies you set to ensure compliance with the PDPA and other regulatory requirements. Dynamic data protection policies ensure that only authorized users have access to personal data and restrict what they can do with it, to prevent accidental sharing and theft of data. For example, they can prevent users from downloading or copying personal data. NC Protect can also automatically encrypt personal data being exchanged with authorized third parties via email.
NC Protect is fully integrated with Microsoft 365 apps including SharePoint Online, OneDrive, Teams, and Exchange. It also supports SharePoint on-premises, Windows File Shares and Nutanix Files, identifying and protecting personal data and other sensitive information (IP, HR, financials, etc.) across all of your enterprise collaboration tools.
Learn more about how NC Protect helps ensure PDPA compliance across your collaboration tools.