PDPA Amendments enter into force


published on 8 February 2021 | reading time approx. 3 minutes

 

On 1 February 2021, most of the amendments to the Personal Data Protection Act (“PDPA”) came into force. This is the first comprehensive review and update of the PDPA since it was first enacted in 2014 in Singapore.

 


The aims of the amendments are to strengthen public trust, enhance business competitiveness, and provide greater organizational accountability and assurance to consumers, in support of Singapore’s digital economy. 

The amendments will bring the PDPA more in line with global and regional standards – e.g. the European Union’s General Data Protection Regulation – allowing international organisations to adopt a more consistent compliance approach.

Mandatory breach notification: 

Organizations need to notify the PDPC and/or the affected individuals if a data breach is (a) likely to result in significant harm to the affected individuals; or (b) of a significant scale (500 or more individuals).

Mishandling personal data: 

Organizations acting on behalf of public agencies, and employees acting in the course of their employment with an organization, will no longer be exempted from the main data protection obligations. Individuals and service providers may be liable for the knowing or reckless unauthorized handling of personal data, subject to certain defenses.

New exceptions to consent requirement: 

  • Legitimate interests – organizations may process personal data without consent where it is in the legitimate interests of the organization or another person and the benefit to such organization or person is greater than any adverse effect on the individual. 
  • Business improvement – organizations may use personal data for business improvement purposes, including operational efficiency and service improvements; developing, enhancing or personalizing products / services; and learning and understanding their customers’ behavior and preferences.

Expanded categories of deemed consent: 

  • Contractual necessity – allows personal data to be passed from an organization to successive downstream entities to fulfil a contract with a customer. 
  • Notification – allows organizations to notify customers of a new purpose and provide a reasonable period for them to opt-out. 

Some key amendments are not yet in force but are expected to be implemented in 2021: 

  • Data portability provisions – the obligation which will allow individuals with an existing direct relationship with an organization to request a copy of their personal data to be transmitted in a commonly used machine-readable format to another organization which has a business presence in Singapore; and
  • Enhanced penalties provisions – the maximum financial penalty will amount to either 10% of an organization’s annual turnover in Singapore or SGD 1 million, whichever is higher.

Organizations should review their personal data policies and processes for compliance with the new requirements; implement SOPs for data breach incident management, remediation and notification; review current consent collection procedures in the light of the revised consent requirements and exceptions; review contracts with data intermediaries, particularly in terms of mandatory breach notification; and undertake PDPA training for staff.