With the accelerating growth of data-centric technologies such as the Internet of Things and Artificial Intelligence, the volume of personal data generated, collected and processed around the world, and in Singapore, is increasing exponentially. The Personal Data Protection (Amendment) Bill 2020, passed on 2 November 2020, seeks to strengthen the accountability of organisations, to recalibrate the balance between individuals' consent and organisational accountability so that data can be harnessed for appropriate and legitimate purposes, to give consumers greater autonomy over their own personal data, and to strengthen the effectiveness of enforcement by the Personal Data Protection Commission (PDPC).

The amendments to the PDPA are timely in the fast-changing landscape of the digital economy, and bring Singapore's personal data protection laws up to date and into line with international standards such as the EU's GDPR.

Complying with the new obligations may raise operating costs, especially for SMEs. Even so, the cost of a data breach far outweighs the investment in being digitally secure: reputational damage cannot be quantified, and a company that is publicly fined for failing in its data protection obligations will need far more time and effort to restore consumer or business confidence.

PERSONAL DATA DEFINITION UNDER THE PDPA

Personal data is data about an individual who can be identified from that data on its own (uniquely identifying data), or from that data together with other information the organisation has or is likely to have access to. Generic data is therefore also personal data whenever it is held alongside uniquely identifying data.

Uniquely identifying data

  • Full name
  • NRIC number or FIN (Foreign Identification Number)
  • Passport number
  • Personal mobile telephone number
  • Facial image of an individual (e.g. in a photograph or video recording)
  • Voice of an individual (e.g. in a voice recording)
  • Fingerprint
  • Iris image
  • DNA profile

Generic data

  • Gender
  • Age
  • Nationality
  • Past employment
  • Education
  • Income
  • Spending habits
  • Medical information

Data that is exempted

  • Business contact information, such as an individual's name, position or title, business phone number, business address, business email address or business fax number.
  • Personal data contained in a record that has been in existence for at least 100 years.
  • Personal data about an individual who has been dead for more than 10 years.

PDPA 11 DATA PROTECTION OBLIGATIONS

The PDPA's 11 data protection obligations exist to safeguard the personal data that employees and customers entrust to organisations.

Undertake measures to ensure that the organisation meets its obligations under the PDPA, such as making information about its data protection policies, practices and complaints process available upon request, designating a data protection officer (DPO), and making the DPO's business contact information available to the public.

Notify individuals of the purposes for which the organisation intends to collect, use or disclose their personal data.

Only collect, use or disclose personal data for purposes to which the individual has given consent.

Allow the individual to withdraw consent on reasonable notice, and inform him or her of the likely consequences of withdrawal. Once consent is withdrawn, ensure that collection, use and disclosure of the individual's personal data for those purposes has ceased.

Only collect, use or disclose personal data for the purposes that a reasonable person would consider appropriate under the given circumstances and for which the individual has given consent.

An organisation may not, as a condition of providing a product or service, require the individual to consent to the collection, use or disclosure of his or her personal data beyond what is reasonable to provide that product or service; consent obtained in this way is not valid.

Make reasonable effort to ensure that the personal data collected is accurate and complete, especially if it is likely to be used to make a decision that affects the individual or to be disclosed to another organisation.

Make reasonable security arrangements to protect the personal data in the organisation's possession or under its control, so as to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks.

Cease to retain personal data, or dispose of it in a proper manner (e.g. anonymising it), as soon as it is no longer needed for any business or legal purpose.

Transfer personal data to another country only in accordance with the requirements prescribed under the regulations, which require the organisation to ensure that the recipient provides a standard of protection comparable to that under the PDPA, unless exempted by the PDPC.

Upon request, organisations have to provide individuals with access to their personal data, as well as information about the ways in which that data has been or may have been used or disclosed within the year before the request.

Organisations are also required to correct any error or omission in an individual's personal data as soon as practicable, and to send the corrected data to every other organisation to which the personal data was disclosed within the year before the correction was made, unless that other organisation does not need the corrected data for any legal or business purpose. With the individual's consent, the corrected data may instead be sent only to the specific organisations the individual names.

In the event of a data breach, the organisation must assess whether the breach is notifiable. A breach is notifiable if it is likely to result in significant harm to the affected individuals, or if it is of a significant scale. A notifiable breach must be reported to the PDPC as soon as practicable, and in any case no later than three calendar days after the organisation assesses it to be notifiable; where the breach is likely to result in significant harm, the affected individuals must also be notified as soon as practicable.

At the request of the individual, organisations are required to transmit the individual's personal data that is in their possession or under their control to another organisation, in a commonly used machine-readable format.

Copyright © 2023 Syberhub. All Rights Reserved.