THE PERSONAL DATA PROTECTION ACT IN SINGAPORE (PDPA)
Personal data in Singapore is protected under the Personal Data Protection Act 2012 (PDPA).
Balancing the protection of individuals against the needs of organisations, it draws largely on existing best practice in the EU, UK, Canada, Hong Kong, Australia and New Zealand, as well as the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and the APEC Privacy Framework. As such, it is broadly parallel to legislation such as the EU’s General Data Protection Regulation (GDPR).
KEY CONSIDERATIONS FOR PDPA
There are some key differences that foreign firms need to consider to ensure compliance:
- While there is no ‘right to erasure’, there is provision for Access and Correction, which imposes obligations similar to the right to erasure/be forgotten.
- A critical additional obligation concerns the transfer of data outside Singapore. This also applies to third-party vendors, including cloud providers whose infrastructure resides outside Singapore.
- Singaporean requirements also include the need to establish a Do Not Call (DNC) register and, as of 1 September 2019, limitations on the collection of National Registration Identification Card (NRIC) numbers and similar identification data, including but not limited to date of birth, FIN and passport numbers.
Solidatus helps to build a digital dashboard that shows managers how personal data is being used and where it is stored. By making the flow and location of data understood, this provides demonstrable compliance with cloud storage requirements, the right to Access and Correction, and both the DNC and NRIC rules.
To become compliant, firms need to:
- understand where contact information is held to avoid breaching DNC regulations, and
- review and delete personal data collected prior to the new NRIC guidelines.
Solidatus for PDPA
Organisations need a tool to help them identify required consent and ensure that the use of personal data within their firm is purposeful, appropriate and reasonable. Solidatus provides these essential elements to comply with PDPA.
Solidatus plays a vital role in PDPA by:
- mapping the flow of data within an organisation,
- allowing for full transparency on how it is used, and
- laying the groundwork should regulators ever ask a business to prove their compliance.
By using Solidatus, an organisation gains invaluable insight into its data landscape. The tool enables users to visualise and analyse lineage, showing what types of data they hold and how that data moves through their systems. Without this, senior management cannot be completely confident that the organisation is not inadvertently contravening some aspect of the PDPA, leaving them exposed to enforcement action and reputational risk.
Through its collaborative and crowdsourcing model, Solidatus allows for quick and effective enterprise-wide identification of where personal information is held. Working with all teams across the organisation, a firm can build a clear understanding of exactly where data is and how it is being used in business and IT processes.
Visualise and map metadata
Data flows can be clearly mapped to visualise each point of contact, and ownership can then be assigned. Once an organisation possesses this knowledge, it can quickly and confidently ensure compliance with Access and Correction, ensure that DNC data is managed properly and ensure that legacy NRIC data is deleted.
Proactive approach to compliance
Solidatus enables companies to prove to the regulator that they are taking a proactive approach to the PDPA by clearly documenting and auditing their data landscape and by creating their Data Privacy Impact Assessment (DPIA), covering both the location of data and the modelling of the processes deployed to achieve compliance. Solidatus can quickly discover, document and share models, simplifying the process of becoming compliant.
Demonstrate PIA risk
While implementing a DPIA alone does not ensure compliance, Solidatus can demonstrate to the regulator how and when a DPIA was conducted, and can prove how information is collected, stored, used and deleted, and who has access to it. It also clearly shows that data privacy is a key consideration for future change.
- Build an operational data blueprint that can be further leveraged, turning an obligation into an asset.
- Achieve a competitive advantage in areas such as data analytics, and generate efficiencies in broader system transformation by identifying lineage, modelling data quality and managing user access rights and data retention.
- Identify data redundancy and duplication, allowing efficiencies and cost savings over the entire data lifecycle, from data capture through storage and retention to timely, managed destruction.
- Create a transparent environment in which data vendor and licence costs can be rationalised and optimised for economy and efficiency.
Accelerate your PDPA Compliance