LEGAL UPDATE: PDPA (PERSONAL DATA PROTECTION ACT) – 10/2/2021
New amendments to the Personal Data Protection Act (“PDPA”) were announced in November 2020. While many revisions are not technology-centric and place increasing responsibility on any business having contact with personal data, most directly increase the compliance burden on technology services businesses holding personal data.
It is felt that one of the driving forces for the key amendments is the increasing monetization of information relating to individuals and, consequently, personal data, coupled with the increasing cyber security risks that would impact individuals.
Some key revisions are examined here:
(a) Enhanced financial penalty regime – increased to 10% of annual turnover or S$1 million, whichever is higher.
(b) Enhanced DNC provisions – Prohibition of the use of dictionary attacks and address-harvesting techniques. This will place additional burdens on data intermediaries and service providers handling personal data, or even service providers having personal data passing through their servers, to conduct additional due diligence on the parties providing personal data. There will be a need to put in place additional operating procedures to ensure compliance and to demonstrate to the PDPC that adequate measures are in place, should an investigation be initiated.
(c) Personal data portability – Significantly, individuals may request a copy of their personal data residing with a business. Again, operating procedures should be checked to ensure that the business is ready to comply when the situation arises and to demonstrate the same to the PDPC.
(d) Significant exemption removed – All private sector organisations will be responsible under the PDPA, even if they were acting on behalf of public agencies. Although government bodies are still exempted, this is a step in the right direction.
(e) Mandatory notification obligation – PDPC must be notified if a data breach is of a substantial nature. There will be more colour provided in time, but at this moment a good yardstick is a breach involving 500 individuals.