Singapore's proposed amendments to the PDPA: how does this affect your organisation?

Singapore's Ministry of Communications and Information (MCI) and the Personal Data Protection Commission (PDPC) have recently proposed enhancements to the current Personal Data Protection Act 2012 (PDPA).

If it is passed into law, organisations in Singapore might face increased costs and regulatory exposure. Here's a summary of the major conditions proposed:

  1. If your organisation suffers a data breach, you must: (1) assess the breach, (2) notify the PDPC and (3) potentially notify the individuals affected.
  2. Increased penalty: Instead of the present maximum of S$1 million, the PDPC may impose a financial penalty of up to 10% of an organisation's annual gross turnover in Singapore or S$1 million, whichever is higher.
  3. Individuals (e.g. employees of organisations) who egregiously mishandle personal data will be guilty of an offence.
  4. PDPC has wider powers: organisations will be guilty of an offence if they do not comply with PDPC's notices to produce information or give statements.
  5. Data portability obligation: Consumers have greater autonomy over their data. They can request your organisation to transmit a copy of their personal data to another organisation.

The proposed amendments to the PDPA will fundamentally change how businesses in Singapore handle data and deal with potential breach scenarios. This is part of a wider global trend of data privacy regulations becoming more stringent, as we have seen in recent times with the implementation of the General Data Protection Regulation (GDPR) in the EU and the California Consumer Privacy Act (CCPA).

Significantly, there is no current data breach notification requirement in Singapore. The Bill now proposes introducing mandatory notification for “notifiable” data breaches to both the PDPC and affected individuals.

Under the new Bill, a notifiable data breach is one that:

(a) Results in, or is likely to result in, significant harm to the individual; or
(b) Affects more than a prescribed number of individuals (500).

These obligations alone have the potential to occupy significant resources in your organisation and can adversely affect the balance sheet should a breach event materialise.

On top of this, the Bill proposes that the PDPC be able to impose fines of up to 10% of an organisation's gross annual turnover in Singapore, or S$1 million, whichever is higher. This again is a huge change from the existing regime, under which only a maximum fine of S$1 million can be issued. By comparison, the maximum fine that can be issued under the GDPR is up to 4% of an organisation's annual turnover for non-compliance.

How Lockton can help

Lockton is uniquely positioned to help you manage your Cyber and Privacy Risk.

Insurance coverage for non-compliance with data protection regulation, including the existing PDPA and amendments thereafter, can be found under a typical Cyber Policy, including:

  • Managing a Breach/Incident and Notification: Insurance not only pays for these services, it also helps you connect with privacy counsel, forensic computer consultants and communications firms at short notice. This will assist you with understanding your obligations, knowing the scope of the incident and getting your crisis messaging right. These immediate costs will become largely unavoidable under the proposed Bill, including the costs of notifying affected subjects and dealing with regulatory investigations.
  • Liability: A Cyber insurance Policy will cover the material or non-material damage to individuals following a breach that may be awarded against you. The proposed amendments to the PDPA may change the landscape regarding privacy action in Singapore, with people able to seek compensation for material or non-material damage they suffer. Litigation will likely increase; a good Cyber policy will cover costs arising from regulatory, privacy or security liability.

If you would like to discuss risk transfer solutions for privacy and network security risks, do not hesitate to reach out to:

Fred Boles
Frederic.Boles@asia.lockton.com

Nanda Chinnatamby
C.Nandakumar@asia.lockton.com

Rory Young
Rory.Young@asia.lockton.com

Coco Yap
Coco.Yap@asia.lockton.com
