Summary of: Walkthrough of the Singapore Personal Data Protection Act 2021 Update

Singapore’s Personal Data Protection (PDPA) is the country’s primary data privacy regulation, with more business-friendly aspects to offer than Europe’s GDPR.

Disclaimer: This is a summary of the content that I originally created for the Sourced Blog. I am keeping summaries of my external content in my own blog to have a single place where all of my written content can be found.

Many FinTech start-ups prioritise the often stricter regulation of their industry such as the Monetary Authority of Singapore’s (MAS) over the PDPA privacy regulation when it comes to business relationships. However, while MAS regulations focus on data security and loss, the PDPA emphasizes data collection and usage, an equally important aspect for all businesses these days.

Interestingly, the latest PDPA update in February 2021 puts forth a stronger focus on compliance and consequences, adding a sizeable fine of up to 10% of revenue to ensure that organizations comply with the privacy regulations. The cost impact outside of the fine will still be significant for smaller businesses with less revenue, while small-to-medium enterprises (SMEs) and multinational corporations (MNCs) could also face huge legal and other costs.

If there’s one thing that the PDPA makes clear, it is the renewed emphasis on the requirement that processes and policies must not be for show alone. “Having a document with procedures is inefficient on its own; they want to see that these documents have been socialised with the organisation and that employees know how to respond to events. This will be scrutinised in the event of a breach and when determining the fine to be levied against the organisation. The data breach plan is a critical component of these procedures.”

The article also highlight the right course of action in case of a breach, and key statistics about the frequency and probability of data breaches. Relevant team members should be on-call and available during the weekend to deal with potential data breaches as quickly as possible. The article recommends practice drills for executing various scenarios so that businesses are better prepared. Evidence of having conducted regular drills can provide proof that the organisation followed PDPA guidelines to the best of their ability in the event of an actual data breach.

Several businesses might also want to question whether spending time and money to achieve PDPA compliance is worthwhile when they can use the same resources achieving the European Union's GDPR. The GDPR is the strictest regulation globally, but being compliant with it most likely means that the organisation is compliant in most, if not all, other regions. It really depends on whether or not the company plans for growth outside of Singapore.

If not, the PDPA proves to be more business-friendly and attractive compared to GDPR for businesses focussed on the local Singaporean market. There are several flexibilities in the PDPA that make things easier for businesses, such as business email addresses not considered personal data, specific exemptions to go ahead without obtaining explicit content for new uses of data, straightforward requirements around international data transfer, and, in general, a less prescriptive outcome-driven approach to privacy regulation.

In summary, if an organisation plans on remaining local, it would be easier to comply with PDPA, and, to go back to my first point, compliance with either, on top of any industry-specific regulators, is now a must.

Read the original article here: https://www.sourcedgroup.com/blog/walkthrough-of-the-singapore-personal-data-protection-act-2021-update


Video

February 2021 witnessed significant updates to the Personal Data Protection Act (PDPA) of Singapore, the aim being to bring it more in line with its European counterpart, the GDPR. While the updates are all set to impact all industries, their effect would be even more pronounced for businesses sticking to industry-specific regulations or startups with limited resources that have not prioritised privacy compliance so far. This is why organisations must make it a point to, firstly, understand what the PDPA update is all about and, secondly, adapt their policies and operations to the regulatory requirements. This video will help throw light on all these aspects, besides helping plan PDPA compliance for your organisation.

Watch the video here: https://www.youtube.com/watch?v=y-TG_NmsZDU