Changes to the Singapore Personal Data Protection Act – why they matter to you

The Personal Data Protection Act affects organisations in Singapore and internationally

The Singapore PDPA has been significantly strengthened and imposes new responsibilities on businesses that work with Singaporeans

Earlier this year, nearly 130,000 Singaporeans, who were customers of telecommunications company Singtel, had their personal data stolen. Singtel announced that hackers had accessed customers’ NRIC numbers, dates of birth, mobile numbers and addresses. They even accessed bank account details of former Singtel staff and credit card details of Singtel corporate customers.

But the most worrying part was that this scenario could have been entirely avoided. The Singtel hackers accessed this data by exploiting a vulnerability in a third-party file-sharing system, which hadn’t been patched in over two decades.

With customers paying more attention to their personal data – and expecting your organisation to have proper safeguards in place to protect it – ensuring compliance with data security laws such as the Personal Data Protection Act 2012 (the “PDPA”) is more important than ever.

In particular, whether your organisation is based in Singapore, or handles the data of Singaporean customers and organisations, you need to know about crucial amendments to the PDPA, passed in February 2021.

What has changed?

Notifiable data breaches

A major development is that organisations need to notify Singapore’s Personal Data Protection Commission (PDPC) and affected individuals of any notifiable data breach within 3 days of assessing it.

Notifiable breaches include those which result in significant harm to an affected individual, especially if they involve sensitive personal data. In Singtel’s case, they notified individuals and organisations via email or post about what data was accessed and how best to manage those risks.

They also include data breaches which affect more than 500 individuals. Examples are abundant – just this year, 580,000 Singapore Airlines customers had their membership numbers, tier status and membership names exposed by a “highly sophisticated” attack at an external IT firm.

Even though the breach luckily did not involve sensitive personal information, such as passwords, credit card numbers or passport numbers, Singapore Airlines was required to notify the PDPC and affected customers, under the PDPA amendments.

It’s also important, as both of these cases show, to ensure that every supplier, vendor or third-party that you deal with has robust processes to protect personal data.

New criminal offences

Along with from unintended data breaches, the PDPA also takes a strong stance against certain intentional acts, imposing fines of SGD 5,000 or imprisonment for 2 years for unauthorisedly:

·        disclosing personal data

·        using personal data for wrongful gain, or causing a wrongful loss

·        re-identifying anonymised data

These penalties are severe and are applied to the individual, so it is important to roll out training, including a PDPA Course, to update staff on this new law.

More instances of deemed consent

In some circumstances, individuals are automatically deemed to consent when an organisation collects, uses or discloses their personal data.

Under the PDPA amendments, this also applies if sharing an individual’s personal data with a third party is reasonably necessary for the organisation to carry out a contract with the individual. For example, if an employee requests a workplace investigation, they may be deemed to consent to their organisation disclosing some of their personal data to an external investigator.

Deemed consent can also arise if an individual, after a reasonable period and an adequate notification by the organisation, does not opt out of sharing their personal data for a particular purpose.

More exceptions to requiring consent

There are also some exceptions where an organisation does not need to gain consent to use a customer’s personal data.

Under the new law, this includes the “legitimate interests” of an organisation, which outweigh any adverse effect on individuals; and “business improvement purposes”, such as improving, enhancing or developing goods and services, or understanding customer preferences. However, this doesn’t necessarily authorise using personal data to send marketing messages.

What’s next for my organisation?

This article is only a quick snapshot of the PDPA amendments. As the amendments have already come into force, organisations should develop strong data protection policies, and train all staff on their new obligations, as a matter of priority.

Training is a priority

The best way to prevent data breaches is to implement strong incident response plans – including clear responsibilities for individuals – and ensure that all staff, from Board level to front-line customer care officers, are properly and regularly trained on their roles and responsibilities. Training is crucial in developing a culture of compliance in your organisation.

Personal Data Protection Singapore Training

Personal Data Protection Singapore is GRC Solutions five-module online elearning training for Singapore businesses and businesses that do business with Singapore residents.

It covers

  • Protecting Personal Data
  • Protecting Personal Data  (Advanced)
  • Do  Not Call – your rights and responsibilities (for sales and marketing staff)
  • Preventing  and responding to data breaches
  • GDPR

The training is available off-the-shelf or is fully customisable to suit your business’s requirements.

We can also build a bespoke training course for your business.

GRC Solutions’ Privacy Training Resources around the world


Privacy -Covering the Privacy Act and the Australian Privacy Principles

Privacy for Schools – Covering the Privacy Act and the Australian Privacy Principles as they apply to schools

Australia- Financial Services

Financial Services Privacy Training – covering the Privacy Act and the Australian Privacy Principles

Credit Reporting – covering the Credit Reporting Act

New Zealand

Privacy – New Zealand – covering privacy in New Zealand under the 2020 updates to the law


General Data Protection Regulation – covering the GDPR – which has global implications


Data Protection Malaysia – covering the Personal Data Protection Act 2010 and also the implications of the GDPR


California Consumer Privacy Act

GRC Solutions’ Cyber Security Training Resources

Cyber Security – Australia

Cyber Security – USA

Cyber Security – Non-Jurisdictional