Data protection laws are relatively new in Singapore, as the Data Privacy Provisions of the Personal Data Protection Act (“PDPA”) came into force just two years ago, shortly after the “Do Not Call” (“DNC”) regime was introduced. However, compliance is stringent under this new law, and many companies are still unaware of their vulnerability to a potential breach of their PDPA obligations.
In this digital age, the personal information of millions of individuals is stored by banks, hospitals, internet service providers, and other service providers. Even SMEs are not spared and are held to strict compliance. Numerous issues have to be tackled to make data protection more efficient. What are the common mistakes made by organizations that result in personal data leaks? Recent cases have emerged in Singapore in which numerous organizations were issued warnings or fines by the Personal Data Protection Commission (“PDPC”), the main body administering and enforcing the PDPA in Singapore.
Firstly, when organizations must deal with third-party data intermediaries (like Finantech Holdings), they should ensure that adequate contractual safeguards are in place for the handling of the personal data transferred to those intermediaries. Appointing a competent Data Protection Officer (“DPO”) might be an important step to ensure such compliance issues are sorted out. The appointed DPO could stress the importance of PDPA compliance to the relevant data intermediaries, educate them on it, and conduct regular monitoring to ensure adequate data protection compliance.
The PDPA empowers the PDPC to issue financial penalties of up to S$1,000,000. At a recent Personal Data Security Seminar, Dr. Yaacob Ibrahim, Minister for Communications and Information, emphasized that handling data protection as an afterthought is no longer an option. As the range of companies against which the PDPC has taken action grows, it may be time for all organizations to take the PDPA more seriously, to ensure adequate enforcement when managing personal data and appropriate safeguards to secure that data. The PDPC’s latest actions against the many organizations are an immediate warning to all of us of the adverse effects of PDPA noncompliance.
The consequences of noncompliance with the PDPA may be more than just financial penalties. There could be increased time and financial costs for organizations dealing with numerous client/customer complaints in a suspected business and revenue down the line. Furthermore, negative publicity could have adverse effects on organizations when the PDPC takes action for PDPA noncompliance. Clients/customers might lose trust and confidence in organizations in the event of a personal data leak, which may ultimately lead to loss of
Now may be a reasonable time for companies to review their internal procedures and ensure that they conform properly to the PDPA. Compliance review of data protection is not optional and should not be treated as a mere afterthought. Compliance review with the PDPA is essential, and the time is now.