Personal Data Protection Act Amendments

Amendments have been introduced to the Personal Data Protection Act 2012 (PDPA) on the 5 October 2020 to keep Singapore’s data protection laws up to date with evolving technology developments, global regulatory trends and to enhance Singapore's relevancy and stability as a global business hub.

Key summary of changes to the bill include:

  1. Compulsory reporting for data breaches and larger financial penalty for data breaches
  2. Expansion rules on deemed consent 
  3. Introduction of offences relating to mishandling of personal data
  4. Rights to data portability 
  5. Expansion of protection from unsolicited messages 

We summarise what the new amendments mean for you below.

1. Compulsory data Breach Reporting

Organisations will be required to notify the Personal Data Protection Commission (“PDPC”) regarding any data breaches that are likely to result in harm to individuals and companies. The timeframe for reporting these breaches to the Commission is now within three calendar days from the date of the breach.

Financial penalties will also be increased to 10% of annual turnover in Singapore (if the organisation’s annual turnover in Singapore exceeds SGD $10 million), or $1 million SGD, whichever is higher.

2. Expanded consent

The concept of “deemed consent” will be expanded to include:

1. Use or disclosure of personal data reasonably necessary to conclude or perform a contract or transaction. 

2. Where individuals have been notified of the purpose of the intended collection, use or disclosure of personal data are given a reasonable opportunity to opt-out

3. Introduction of offences relating to mishandling personal data 

Individuals will be held accountable for mishandling personal data through the introduction of new  criminal offences including: 

1. Knowing or reckless unauthorised disclosure of personal data; 

2. Knowing or reckless unauthorised use of personal data for a  gain or wrongful loss to any person

4. Right to data portability

Organisations must, at the request of an individual, transfer an individual’s personal data that is in the organisation’s possession or under its control, to another organisation in a common machine-readable format

5. Expanded protection from unsolicited messages

The sending of unsolicited messages to telephone numbers will be prohibited under the ‘Do Not Call’ provisions of the PDPA.

The Spam Control Act will also be amended to cover commercial text messages sent to instant messaging accounts and in bulk.

How do these changes affect businesses? 

Organisations will need to adapt or change their approach to PDPA compliance and data protection in general to meet the new requirements and expectations of individuals, regulators and the community.

They will need to review existing company polices on consumer data, and strengthen the gaps where needed. Adjustments and coordination will also need to be carried out to manage data breach reporting policies and procedures.

How can Hawksford help?

Navigating the complexities of meeting your data obligations can be difficult, that’s why outsourcing your data protection requirements to a specialist provider, like Hawksford can help keep costs low, save time, and provide a peace of mind.

Our Data Protection Services

Regardless of the scale and size of your operations, Hawksford can take away the administrative burden so that you can focus on the most important factors which are relevant for your company’s growth and improvement.

Our services include:

  • Outsourcing of Data Protection Officer (“DPO”)
  • Template Policy and Procedures
  • Staff Data Protection Training
  • Compliance Assessments DPO registration

This material is intended for general information purposes only and does not constitute legal advice.

Contact our expert team today

Hawksford offers a range of outsourced data protection services to suit your operational requirements, and ensure your business meets Singapore data protection obligations.

contact us

Back to top