Global Compliance Demands: The Singaporean Personal Data Protection Act (PDPA) Reviewed

The push for data privacy regulation has exploded in recent years, with the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) taking center stage. Gartner predicts  “ By 2023, 65% of the world’s population will have its personal information covered under modern privacy regulations, up from 10% today.”

For much of the world, this regulatory shift will have a substantial impact on the way businesses collect and process information. However, organizations carrying out activities involving personal data in Singapore have already been operating under such a framework since the passage of the Personal Data Protection Act (PDPA) in 2012.

The PDPA established a general data protection program, focused on the following key obligations:

• Consent Obligation: An organization must obtain the consent of the individual before collecting, using, or disclosing their personal data for a purpose
• Purpose Limitation Obligation: An organization may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, have been notified to the individual concerned
• Notification Obligation: An organization must notify the individual of the purpose(s) for which it intends to collect, use or disclose the individual’s personal data on or before such collection, use, or disclosure of the personal data
• Access and Correction Obligation: An organization must, upon request, (i) provide an individual with his or her personal data in the possession or under the control of the organization and information about the ways in which the personal data may have been used or disclosed during the past year; and (ii) correct an error or omission in an individual’s personal data that is in the possession or under the control of the organization.
• Accuracy Obligation: An organization must make a reasonable effort to ensure that personal data collected by or on behalf of the organization is accurate and complete if the personal data is likely to be used by the organization to make a decision that affects the individual concerned or disclosed by the organization to another organization.
• Protection Obligation: An organization must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks.
• Retention Limitation Obligation: An organization must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals as soon as it is reasonable to assume that (i) the purpose for which the personal data was collected is no longer being served by retention of the personal data, and (ii) retention is no longer necessary for legal or business purposes.
• Transfer Limitation Obligation: An organization must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA.
• Openness Obligation: An organization must implement the necessary policies and procedures in order to meet its obligations under the PDPA and shall make information about its policies and procedures publicly available

Similar to other data protection compliance mandates, the PDPA sets out to address concerns about the unauthorized access and permissions to personal data, as well as placing controls over who has access to it, and what they (and their organization) can do with it. It also aims to empower the end-user to manage and control the use of their personal data.

It’s important to note the PDPA’s applicability and scope. These provisions apply to ALL organizations carrying out activities involving personal data in Singapore, and includes (but is not limited to) the following examples of sensitive personal data:

• Pink National Registration Identity Cards (NRICs) for Singapore citizens
• Blue NRICs for Singapore permanent residents
• Birth certificate numbers
• Passport numbers
• Foreign Identification Numbers (FIN)
• Work permits

Where do we go from here?

Data privacy must take into consideration the critical interests of the business. Complying with privacy regulations, like PDPA, should be top-of-mind. All organizations need to consider risks. If you fail to comply, you need to understand the risks your company is willing to take. To understand the risk requires a gap analysis of your legal, regulatory and reputational obligations, and how your organization measures up.

Data privacy and data security are not mutually exclusive:

In order to prevent breaches and maintain regulatory compliance, you need:

• Controls for managing different data types
• Policies and processes for managing access
• Least-privilege access controls

This will reduce the likelihood of a breach and put you in a more defensible position with regulatory authorities. Secure data infrastructure provides robust data privacy, protection against breaches, and regulatory compliance.  

To safeguard private and sensitive data, organizations need technology and policies that prevent unauthorized access to critical or sensitive data and respond to real-time threats. Organizations need less human involvement to achieve effective data privacy. They need more technology that automatically discovers heterogeneous data repositories, determines which repositories have personally identifiable data, and ensures controls for who has access to what. The technology needs to identify the owner of the data, with workflows that allow data owners to review sensitive data and govern access.

Data security can be accomplished without data privacy, but you can’t achieve data privacy without data security. And when it comes to complying with regulations, or protecting against breaches, if you don’t know your data, you won’t know what to do with the data.

How Stealthbits Can Help with PDPA:

Stealthbits provides a range of capabilities that allow users to identify, secure, and report on consumer data and personally identifiable information (PII).

Stealthbits’ StealthAUDIT, a full-fledged Data Access Governance (DAG) solution, can:

Discover Hosts: Identify the different platforms within your network that may contain various unstructured and structured data repositories, to ensure a comprehensive view of your organization’s privacy data footprint.

Discover Sensitive Data: Analyze content for patterns or keywords that match built-in or customized criteria related to customer privacy, and classify that data.

Understand Access Rights: Once sensitive data has been discovered, determine who has access to that data and what they’re doing with it.

Perform Remediation Actions: Automate all or portions of the tasks you need to perform to demonstrate compliance with data privacy regulatory standards, including responding to Data Subject Access Requests (DSARs) and deletion or archival of stale data.

About Stealthbits Technologies

IDENTIFY THREATS. SECURE DATA. REDUCE RISK.

Stealthbits Technologies, Inc. is a customer-driven cybersecurity software company focused on protecting an organization’s sensitive data and the credentials attackers use to steal that data. By removing inappropriate data access, enforcing security policy, and detecting advanced threats, our highly innovative and infinitely flexible platform delivers real protection that reduces security risk, fulfills compliance requirements, and decreases operational expense. 

For more information, visit stealthbits.com, email sales@stealthbits.com, or call +1-201-447-9300.

The Stealthbits logo and all other Stealthbits product or service names and slogans are registered trademarks or trademarks of Stealthbits Technologies, Inc. All other trademarks and registered trademarks are property of their respective owners.