The Singaporean Personal Data Protection Act (PDPA) has been a topic of much discussion in the APAC region since 2012, when it was first introduced.
However, the amendments passed in late 2020 brought the regulation up to date with the way organisations handle data today, following digital transformation and the rise of the data economy. The updated regulation puts the privacy of individuals front and centre while mandating that businesses be accountable for the data they collect, both of which will have implications for Australian entities that intend to do business with Singapore.
Similar to the GDPR in Europe, and the NDB scheme in Australia, the PDPA is a baseline standard of protection for personal data in Singapore. It complements sector-specific legislative and regulatory frameworks such as the Banking Act and Insurance Act. By recognising both the need to protect individuals’ personal data and the need of organisations to collect, use or disclose personal data for legitimate and reasonable purposes, it aims to safeguard personal data from misuse and maintain individuals’ trust in organisations while positioning the country as a trusted hub for business.
The legislation comes in response to the evolution of the digital economy, driven by the increased use of networking and the flow of data between stakeholders. The PDPA takes into account both the need to protect consumers’ personal data and the need of organisations to collect, use or disclose personal data for legitimate and reasonable purposes. Given how pervasive and important data is in the modern economy, Singapore has taken a commendable step towards securing one of the most important new commodities: personal data.
However, the advent of the PDPA comes with its own set of challenges, the most immediate of which are the implications it will have on how business is conducted in the APAC region. Singapore is Australia’s largest trade partner in ASEAN, with business worth $27 billion taking place in 2020 (Department of Foreign Affairs and Trade). Therefore, the introduction of a new set of regulations dictating how data can be handled by organisations and individuals within the country and its trading partners is bound to cause anxiety among Australian entities, which are now required to meet these new standards.
Advice for Australian businesses
Back in 2014, the regulators laid out nine obligations that would comprise the PDPA: consent, purpose, notification, access and correction, protection, accuracy, retention limitation, transfer limitation and accountability. In 2020, however, data breach notification and data portability requirements were added, while accountability and consent were updated. Of these eleven obligations, Australian businesses will have to pay special consideration to accountability, data breach notification and data portability.
Looking first at accountability: the new changes mean that accountability is more than just an openness obligation; businesses will now have to take a ‘data protection by design’ approach to all data handling.
The new accountability guidelines will require organisations to have a clear, transparent policy on data collection, usage and protection. Organisations will likely need to implement appropriate governance controls to manage data within their organisation and throughout their supply chains, covering every step of the data lifecycle. This means ensuring you can identify, monitor and respond to personal data risks whether you are collecting, storing, retaining or even disposing of personal data.
Second, the new data portability requirements. The goal is to allow any individual to request that their data be shared across service providers, meaning the data economy can continue to thrive and a person can experience seamless service should they switch, say, from service provider A to service provider B.
The third and most impactful change, however, is the requirement to notify a PDPA incident. Organisations will now have to report incidents within 72 hours if they are of significant scale (exceeding 500 entries) or may result in significant harm to an individual. Organisations need to quickly identify what data has been lost and take action to resolve it. This will require quite a few changes to legacy systems, and it is genuinely difficult for organisations to classify the magnitude of an incident in that short timeframe, as the true scale of the event can often only be uncovered by forensics after the deadline has passed. This adds to a common challenge for organisations that continue to work in silos, treating “privacy technologies” and “data protection technologies” separately when they are all part of a bigger whole. We can’t just use DLP, for example, to undertake forensic analysis after the event: it should be in place to protect organisations and stop the breach from happening in the first place.
Ultimately, it's great to see further legislation that seeks to protect data in an increasingly digital world. The PDPA is a good step towards securing data and will complement some of the behaviours Australian businesses are already adopting as a result of legislation like the Notifiable Data Breaches Scheme.
For organisations that aren’t actively developing plans around data handling, security strategies and notification processes, it will pose quite a challenge, especially in the short term as they look to re-engineer their legacy systems in accordance with the new standards. However, this is also an opportunity for organisations to look within and use the PDPA as a springboard to identify and resolve security risks which, although not a problem at the moment, could become a vulnerability in the future.
Proactive data management discussions can be a positive conversation about how organisations can operationalise the technology they need, not merely to be compliant as a box-ticking exercise, but to deliver on the spirit of the regulation too, while supporting a more collaborative, digital future.