Singapore’s Take on the GDPR
November 13, 2020

The country has approved an amendment to its landmark Personal Data Protection Act

Singapore has passed a comprehensive amendment to the 2012 Personal Data Protection Act (PDPA). Companies in the country are now allowed to use personal data without consent for certain purposes. This may sound like a free-for-all (especially compared to the GDPR), but the amendment includes a list of guidelines that shift a considerable amount of responsibility onto companies. They must perform risk assessments, give consumers opt-out periods, and follow a slew of other directives. Choosing not to comply will lead to immense fines. Singapore’s version of the GDPR serves its purpose well: it is a compromise between a small country and large companies.

Find a brief breakdown of the amendment below:

When can personal data be used?

  1. For business improvement purposes
  2. For research and development purposes
  3. For instances in the legitimate interests of an organization or another person
  4. For instances of contractual necessity

What are the consequences of noncompliance?

Companies will face increased financial penalties for violating the PDPA.

  • Companies bringing in more than S$10 million annually will be subject to fines of up to 10% of their turnover
  • Companies bringing in less than S$10 million annually will be subject to fines of up to S$1 million

How will companies be held accountable?

  • Companies will be mandated to notify consumers of data breaches
  • A Data Protection Trustmark certification will be awarded to companies that meet certain standards
  • Specific risk assessments will be required

How will this empower consumers?

  • Consumers will be able to request that companies send copies of their personal data to other companies operating in Singapore (data portability)
  • Consumers will receive additional protections from unsolicited messages, dictionary attacks, harvesting software, and commercial text messages


Sources: Lexology, Pinsent Masons