If your company collects names, emails, phone numbers, or any other personal information in Singapore, you’ve probably heard of the PDPA. It often comes up in contracts, vendor agreements, and compliance checklists. But what does the acronym actually mean, and why does it matter?
The Personal Data Protection Act 2012 (PDPA) is Singapore's main data protection law, and it applies to almost every organization that handles personal data there. In this guide, we'll break down what the PDPA is, who it applies to, and what organizations need to do to stay compliant.
What is the purpose of PDPA?
The PDPA was passed in 2012 and brought into force in phases, with the data protection obligations taking effect in 2014, to establish a clear set of rules for how organizations in Singapore handle personal data. As organizations collected ever larger volumes of customer details, employee records, and online identifiers, a consistent standard for how that information is managed became necessary.
Its purpose is to protect individuals' personal data while allowing organizations to use it for legitimate business activities. The law does not stop organizations from collecting or processing data; it regulates how that data is collected, used, stored, and shared, making responsible handling a requirement rather than an option.
What qualifies as personal data under PDPA?
Under the PDPA, personal data refers to any data about an individual who can be identified from that data, either on its own or when combined with other information an organization has or is likely to have access to. It applies to both digital and physical records. In practical terms, examples of personal data include:
- Names
- NRIC or passport numbers
- Phone numbers and email addresses
- Home addresses
- Photographs
- IP addresses that can be linked to a specific individual
- Employment records
- Customer transaction histories linked to a specific person
What matters is whether the information can identify someone, directly or indirectly. The PDPA applies to data about living individuals, with a limited set of obligations (protection and disclosure) extending to individuals who died within the last 10 years. Business contact information, meaning an individual's name, position, business telephone number, business address or business email address that is not provided solely for personal purposes, is excluded from most of the Act's data protection obligations.
Who does PDPA apply to?
Besides defining personal data, the PDPA also sets out who is expected to comply:
Private sector organizations in Singapore
The PDPA applies to private sector organizations that handle personal data as part of their operations, including startups, SMEs, and large enterprises across industries. Whether you’re running an e-commerce platform, managing employee records, or operating a SaaS product, the size of your organization does not change your obligations under the law.
Foreign organizations handling personal data in Singapore
An organization does not need to be physically based in Singapore to fall under the PDPA. If it collects, uses, or discloses personal data in Singapore, it may be subject to the law. For example, a company offering services to customers in Singapore and collecting their personal data as part of that process could fall within scope.
Organizations using third-party service providers
Organizations remain responsible for personal data under their control even when a vendor processes it on their behalf. Such vendors, termed data intermediaries in the Act, are directly subject to the protection and retention limitation obligations and must notify the organization when they discover a data breach. Outsourcing does not remove accountability, so organizations must ensure that vendors handling personal data do so in line with PDPA standards.
What does the PDPA require organizations to do?
The PDPA sets out a series of obligations that organizations must comply with when handling personal data. These include:
- Accountability: Organizations must designate at least one individual, such as a Data Protection Officer (DPO), to oversee compliance and implement policies and practices to meet their obligations under the PDPA.
- Notification: Organizations must inform individuals of the purposes for which their personal data will be collected, used, or disclosed.
- Consent: Organizations may only collect, use, or disclose personal data with the individual’s consent, unless an exception applies. Individuals must also be allowed to withdraw consent with reasonable notice.
- Purpose limitation: Personal data may only be collected, used, or disclosed for purposes that a reasonable person would consider appropriate in the circumstances and that have been notified to the individual. Organizations also cannot make consent to data collection beyond what is reasonably required to provide a product or service a condition of providing it.
- Accuracy: Organizations must make reasonable efforts to ensure that personal data is accurate and complete, particularly where it may be used to make decisions about an individual or disclosed to another organization.
- Protection: Organizations must implement reasonable security arrangements to protect personal data from unauthorized access, collection, use, disclosure, or similar risks.
- Retention limitation: Personal data must not be retained longer than necessary for business or legal purposes and must be disposed of securely (deleted, anonymized, or destroyed) when no longer required.
- Transfer limitation: When transferring personal data outside Singapore, organizations must take appropriate steps to provide a comparable standard of protection.
- Access and correction: Individuals have the right to request access to their personal data and information about how it has been used or disclosed within the past year, and to request corrections where necessary.
- Data breach notification: Organizations must assess data breaches and notify the PDPC where a breach is likely to result in significant harm to affected individuals or is of significant scale (500 or more individuals), and must also notify the affected individuals where significant harm is likely. Notification to the PDPC is due within three calendar days of assessing the breach as notifiable.
- Data portability: When in force, organizations must transmit an individual’s personal data in a commonly used machine-readable format to another organization upon request, in accordance with regulatory requirements.
How to become PDPA compliant
Meeting the PDPA’s requirements involves implementing specific internal measures:
Appoint a data protection officer
Every organization must designate at least one individual responsible for developing internal policies, responding to data protection queries, and serving as the point of contact for individuals and the PDPC. The DPO's business contact information must be made publicly available, for example on the organization's website or privacy notice.
Map and assess your data flows
Organizations should understand what personal data they collect, why they collect it, where it is stored, who has access to it, and whether it is shared with third parties or transferred overseas. Without visibility into data flows, it is difficult to meet obligations.
Update privacy notices and consent processes
Review how consent is obtained and whether individuals are clearly informed of the purposes for data collection and use. Privacy notices should accurately reflect current practices, and mechanisms should exist for individuals to withdraw consent where required.
Implement reasonable security measures
Organizations must put in place safeguards appropriate to the sensitivity and volume of the data they handle, such as access controls, encryption of data at rest and in transit, secure storage and disposal, logging, and internal policies. Security measures should be reviewed periodically and updated as the data handled and the threats to it change.
Establish retention and disposal policies
Personal data should not be retained indefinitely. Organizations should define retention periods based on legal or operational needs and implement processes to securely dispose of data that is no longer required.
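As an added illustration of the retention and disposal step (not code from the original page), the following Python script applies a purpose-based retention schedule to a constructed set of records. The purposes, retention periods and record fields are assumptions for the example only; the point it adds is that the retention clock normally starts when the purpose ends (account closure, withdrawal of consent), not when the data was first collected, that a record with no defined schedule is itself a compliance gap, and that a legal hold must override scheduled disposal while a dispute or investigation is live.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Purpose-based retention schedule (assumed values for this example, not figures
# from the PDPA). Each entry gives the retention period and the event that starts
# the clock: the purpose for which the data was collected has to end before the
# period begins to run.
RETENTION_POLICY: Dict[str, Tuple[timedelta, str]] = {
    "account_service": (timedelta(days=365), "relationship_end"),  # after the customer leaves
    "marketing": (timedelta(days=180), "consent_withdrawn"),       # after consent is withdrawn
    "tax_records": (timedelta(days=5 * 365), "created"),           # fixed period from creation
}


@dataclass
class Record:
    record_id: str
    purpose: str
    created: date
    relationship_end: Optional[date] = None   # set when the customer relationship ends
    consent_withdrawn: Optional[date] = None  # set when the individual withdraws consent
    legal_hold: bool = False                  # litigation, regulator request, open dispute


def retention_deadline(rec: Record) -> Optional[date]:
    """Return the date after which the record is due for disposal.

    None means the purpose is still live (the clock has not started), so the
    record is retained regardless of how old it is. A record whose purpose has
    no schedule is a compliance gap, so it is rejected rather than kept forever.
    """
    if rec.purpose not in RETENTION_POLICY:
        raise ValueError(f"{rec.record_id}: no retention schedule for purpose {rec.purpose!r}")
    period, clock_event = RETENTION_POLICY[rec.purpose]
    start = getattr(rec, clock_event)
    if start is None:
        return None
    return start + period


def classify(records: List[Record], today: date) -> Dict[str, List[Tuple[str, str]]]:
    """Sort records into dispose / hold / retain, recording the reason for each.

    The reasons double as the audit trail a disposal run should leave behind.
    """
    decisions: Dict[str, List[Tuple[str, str]]] = {"dispose": [], "hold": [], "retain": []}
    for rec in records:
        deadline = retention_deadline(rec)
        if deadline is None:
            decisions["retain"].append((rec.record_id, "purpose still active; clock not started"))
        elif today <= deadline:
            decisions["retain"].append((rec.record_id, f"retain until {deadline}"))
        elif rec.legal_hold:
            # Past its deadline, but a hold overrides the schedule until it is lifted.
            decisions["hold"].append((rec.record_id, f"past {deadline}; under legal hold"))
        else:
            decisions["dispose"].append((rec.record_id, f"retention ended {deadline}"))
    return decisions


# Constructed sample data for the example (not real records).
TODAY = date(2025, 6, 1)
SAMPLE_RECORDS = [
    Record("r1", "account_service", date(2020, 1, 10)),                                   # still a customer
    Record("r2", "account_service", date(2019, 3, 1), relationship_end=date(2023, 12, 31)),
    Record("r3", "marketing", date(2024, 1, 1), consent_withdrawn=date(2025, 3, 1)),
    Record("r4", "tax_records", date(2018, 4, 1), legal_hold=True),
    Record("r5", "account_service", date(2021, 5, 5), relationship_end=date(2024, 2, 1)),
]

if __name__ == "__main__":
    for bucket, entries in classify(SAMPLE_RECORDS, TODAY).items():
        for record_id, reason in entries:
            print(f"{bucket:8s} {record_id}: {reason}")
```

Run against the sample data, the oldest record (r1) is kept because the customer relationship is still open, r2 and r5 are due for disposal because their post-relationship period has lapsed, r3 is kept until its post-withdrawal period ends, and r4 is past its deadline but held. In a real deployment the `dispose` bucket would feed the actual deletion or anonymization job and the reasons would be written to an audit log.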
Put in place breach response procedures
Organizations should have internal processes to detect, assess, and respond to data breaches. This includes determining whether a breach is notifiable and providing timely notification to the PDPC and affected individuals where required.
Manage third-party risks
If personal data is handled by vendors or service providers, organizations remain responsible for compliance. Contracts and due diligence processes should address how personal data is protected, retained, and transferred.
Document policies and train staff
Compliance is not a one-time exercise. Organizations should document their data protection policies, keep records of the decisions made under them, and give employees clear guidance on their responsibilities when handling personal data.
Penalties for non-compliance with PDPA
The Personal Data Protection Commission (PDPC) may take these enforcement actions against non-compliant organizations:
- Financial penalties: For organizations with annual turnover in Singapore exceeding S$10 million, fines can be up to 10% of annual turnover in Singapore or S$1 million, whichever is higher; for all other organizations, fines can be up to S$1 million.
- Regulatory directions: Organizations may be required to stop non-compliant data practices or modify how personal data is collected, used, or disclosed.
- Corrective measures: The PDPC may direct businesses to strengthen internal controls, improve security arrangements, or update data protection policies.
- Public disclosure: Enforcement decisions are generally published, which may affect an organization’s reputation and stakeholder trust.
Frequently asked questions
What are the obligations under the PDPA?
The PDPA sets out 11 data protection obligations that organizations must comply with when handling personal data. These cover accountability, notification, consent, purpose limitation, accuracy, protection, retention limitation, transfer of data overseas, access and correction, data breach notification, and data portability.
What data does the PDPA protect?
The PDPA protects personal data relating to living individuals. Any information that can identify a person, either on its own or when combined with other data an organization has or is likely to have access to, is covered. Examples include names, identification numbers, contact details, and employment records.
Who must comply with the PDPA?
The PDPA applies to private sector organizations that collect, use, or disclose personal data in Singapore. This includes companies of all sizes, as well as foreign organizations handling personal data in Singapore. Organizations remain responsible for personal data under their control, even when processing is outsourced to third-party service providers.