In Singapore, all organisations must comply with the Personal Data Protection Act 2012 (PDPA). Under the PDPA, organisations are required to develop and implement the policies and practices necessary to fulfil their obligations under the Act. In particular, organisations must designate at least one individual as the Data Protection Officer (DPO) to oversee data protection responsibilities and ensure compliance with the PDPA.
Appointment of a Data Protection Officer
Under the PDPA, it is mandatory for organisations to:
Responsibilities of the DPO
The PDPA does not prescribe the responsibilities that the DPO has to undertake. However, your organisation could task your DPO with:
Given the importance of such tasks, should you decide to appoint an employee as your DPO, consider appointing someone at the middle to senior management level.
Organisations must register their DPO's contact details with the PDPC via ACRA BizFile+ (www.bizfile.gov.sg) by 30 September 2024 to fulfil this obligation.
PDPA Obligations
Organisations are responsible for the personal data in their possession or under their control and must comply with the 11 data protection obligations (the "11 obligations") under the PDPA. For more information on the 11 obligations, please refer to the link below:
For more assistance, including subsidised training, online courses, and checklists on how to comply with the PDPA, please visit PDPC’s Help and Resources.
Consequences of a Personal Data Breach
The PDPC's enforcement powers have been strengthened: it can now accept voluntary undertakings from organisations as part of its enforcement regime. The maximum financial penalty for PDPA breaches has also increased. Previously capped at S$1 million, the penalty for an organisation whose annual turnover in Singapore exceeds S$10 million can now reach up to 10% of that annual local turnover or S$1 million, whichever is higher; for all other organisations the cap remains S$1 million.