Introduction
On 5 October 2020, the Personal Data Protection (Amendment) Bill (the “Bill”) was introduced in Parliament. The Bill proposes significant amendments to the PDPA, which came into force in July 2014. In the meantime, organisations should start preparing to implement the necessary policies and safeguards in anticipation of the new requirements under the proposed law. We have summarised the significant proposed changes in the Bill below and how we can prepare you to navigate the impending changes.
Mandatory Data Breach Reporting
Under the Bill, organisations will need to notify the Personal Data Protection Commission (“PDPC”) of a data breach that (i) results in, or is likely to result in, significant harm to the individuals to whom any personal data affected by the data breach relates; or (ii) is of a significant scale. Organisations will also need to notify the affected individuals (for example, a company’s clients) if the data breach is likely to result in significant harm to them.
Consent
Under the Bill, individuals would be deemed to have given consent to the processing of their personal data in the following situations: (i) where it is reasonably necessary for the organisation to process their personal data for the conclusion or performance of a contract or transaction involving the individuals; and (ii) where the organisation provides appropriate notification to the individuals and the individuals do not opt out.
In addition, three new exceptions to the consent requirement have been introduced, namely: (i) Legitimate Interests; (ii) Business Improvement; and (iii) Research.
‘Do Not Call’ Provisions
Under the Bill, the following ‘Do Not Call’ (“DNC”) provisions have been proposed:
- A person must have valid confirmation that a Singapore telephone number is not listed in the DNC Register before sending a specified message to the telephone number.
- Checkers (i.e. individual(s) or organisation(s) which provide information on whether a Singapore telephone number is on the DNC Register) are required to communicate accurate DNC Register results to their clients. Checkers will be liable for DNC infringements resulting from any erroneous information provided by them.
Data Portability Obligations
An individual will be allowed to request that an organisation transmit his or her personal data in the organisation’s possession or control to another organisation in a machine-readable format, unless the request falls under one of the proposed exceptions, in which case the organisation may reject the request.
Increased Penalty for Breach
Currently, the maximum financial penalty that the PDPC can impose for data breaches is S$1 million. Under the Bill, the maximum financial penalty will be increased to (i) 10% of an organisation’s annual turnover in Singapore, if the organisation’s annual turnover exceeds S$10 million; or (ii) S$1 million, whichever is higher.
GDPR Benchmarking Exercise
Multinational corporations based in and/or operating in both Europe and Singapore may want to review and co-ordinate their mandatory data breach reporting policies and procedures to comply with both GDPR and the proposed amendments.
Action Plan
In light of the above impending changes, organisations may need to carry out the following reviews:
- Develop or enhance their technical and legal assessment processes to detect and report data breaches;
- Review and renegotiate contractual liabilities with third-party suppliers and clients;
- Review their cyber insurance posture;
- Review their collection of personal data under different circumstances;
- Manage the new exceptions to consent to support the organisation’s digital strategy;
- Develop new data portability policies;
- Review their IT data governance policy;
- Review their marketing policies and practices to ensure compliance and to manage outsourced marketing vendors; and
- Review the implications of the increased financial penalty.
HEP Free On-Boarding Process
With the proposed mandatory data breach reporting requirement, organisations will be subject to new obligations, including compliance with fixed reporting timelines in the event of a data breach. Every organisation should conduct a gap analysis to ensure that it has the necessary policies and procedures in place to comply with the new requirements.
To this end, HEP is pleased to offer a free on-boarding process to your organisation, which involves a brief gap analysis with HEP as your appointed data breach coach. More details, including a briefing session on the amendments and other relevant information on corporate cybersecurity, will be provided if an organisation joins the on-boarding process. Please write to the undersigned if your organisation is interested in signing up for the on-boarding process.
K. K. Lim
Head, Cybersecurity, Privacy & Data Protection
Harry Elias Partnership LLP | Singapore
kklim@harryelias.com | Office: +65 6361 9307 | Mobile: +65 9456 6191
KK heads the firm’s Cybersecurity, Privacy and Data Protection Practice Group. He has more than 25 years of experience in technology advisory and commercial matters, with a focus on representing and advising clients on matters involving privacy and data protection, cybersecurity, mobile security, audit, and compliance advisory. He was the Chairman of the Cybersecurity and Data Protection Committee of the Law Society of Singapore (2017 to 2019) and is currently its Co-Chair, and is an Adjunct Faculty member of The Institute of Systems Science (NUS) and the Singapore Institute of Technology.
Valencia Soh
Senior Legal Associate | Harry Elias Partnership LLP | Singapore
ValenciaSoh@harryelias.com | +65 6361 9829
Valencia is a Senior Legal Associate in the International Arbitration, Litigation and Dispute Management Team in Singapore. She handles a broad range of legal work, from civil and commercial dispute resolution to corporate and advisory work covering aspects including privacy, data protection and cybersecurity. She has also handled matrimonial and criminal matters in the course of her practice. She is an Accredited Mediator of the Singapore Mediation Centre.
Harry Elias Partnership Cybersecurity, Privacy and Data Protection Practice Group
The Harry Elias Partnership Cybersecurity, Privacy and Data Protection Practice Group is led by practice leaders with extensive legal and technical experience in cybersecurity and data protection. We provide legal advisory services to Singapore-based SMEs and to regional and global companies on both Singapore data protection laws and the General Data Protection Regulation. The Practice Group has extensive working relationships with leading legal, forensic, accounting and tax advisory firms in the member states of ASEAN and is well-positioned to support our clients throughout the region.
Harry Elias Partnership International Arbitration Practice
The Harry Elias Partnership International Arbitration Practice is committed to providing its clients with cost-efficient and effective solutions. We regularly provide advice on complex international commercial disputes. We have extensive experience in advising and successfully representing multinational entities, and our team comprises trained and experienced litigation, mediation and arbitration advocates. As a full-service Singapore law firm, we have full rights of audience before all tiers of the Singapore Courts and are well-placed to advise and support our clients in arbitration- and mediation-related court applications.