Singapore's proposed amendments to the PDPA: how does this affect your organisation?
If the amendments are passed into law, organisations in Singapore might face increased costs and regulatory exposure. Here's a summary of the major conditions proposed:
- If your organisation suffers a data breach, you must: (1) assess the breach, (2) notify the PDPC and (3) potentially notify the individuals affected.
- Increased penalty: Instead of the present maximum of S$1 million, the PDPC may impose a financial penalty of up to 10% of an organisation's annual gross turnover in Singapore or S$1 million, whichever is higher.
- Individuals (e.g. employees of organisations) who egregiously mishandle personal data will be guilty of an offence.
- PDPC has wider powers: organisations will be guilty of an offence if they do not comply with PDPC's notices to produce information or give statements.
- Data portability obligation: Consumers have greater autonomy over their data. They can request your organisation to transmit a copy of their personal data to another organisation.
The proposed amendments to the PDPA will fundamentally change the landscape of how businesses in Singapore handle data and deal with potential breach scenarios. This is part of a wider global trend of data privacy regulations becoming more stringent, as we have seen recently with the implementation of the General Data Protection Regulation (GDPR) in the EU and the California Consumer Privacy Act (CCPA).
Significantly, there is no current data breach notification requirement in Singapore. The Bill now proposes introducing mandatory notification for “notifiable” data breaches to both the PDPC and affected individuals.
Under the new Bill, a notifiable data breach is one that:
(a) Results in, or is likely to result in significant harm to the individual; or
(b) Affects more than a prescribed number of individuals (500).
These obligations alone have the potential to consume significant resources in your organisation and can affect the balance sheet adversely if a breach event materialises.
On top of this, the Bill proposes allowing the PDPC to impose fines of up to 10% of an organisation's gross annual turnover in Singapore, or S$1 million, whichever is higher. This again is a huge change to the existing regime, under which only a maximum fine of S$1 million can be issued. By comparison, under the GDPR the maximum fine that can be issued for non-compliance is up to 4% of an organisation's annual turnover.
How Lockton can help
Lockton is uniquely positioned to help you manage your Cyber and Privacy Risk.
Insurance coverage for Non-Compliance of data protection regulation, including the existing PDPA and amendments thereafter, can be found under a typical Cyber Policy including:
- Managing a Breach/Incident and Notification: Insurance not only pays for these services but also helps you connect with privacy counsel, forensic computer consultants and communications firms at short notice. This will assist you with understanding your obligations, knowing the scope of the incident and getting your crisis messaging right. These immediate costs will become largely unavoidable under the proposed Bill, including the cost of notifying affected individuals and of dealing with regulatory investigations.
- Liability: A Cyber insurance Policy will cover the material or non-material damage to individuals following a breach that may be awarded against you. The proposed amendments to the PDPA may change the landscape regarding privacy action in Singapore, with people able to seek compensation for material or non-material damage they suffer. Litigation will likely increase, and a good Cyber policy will cover costs arising from regulatory, privacy or security liability.
If you would like to discuss risk transfer solutions for privacy and network security risks, do not hesitate to reach out to: