E-briefing: Personal Data Protection (Amendment) Bill: Proposed Amendments to the Personal Data Protection Act 2012 (PDPA)

Introduction 

On 5 October 2020, the Personal Data Protection (Amendment) Bill (the “Bill”) was introduced in Parliament. The Bill proposes significant amendments to the PDPA, which came into force in July 2014. In the meantime, organisations should start preparing to implement the necessary policies and safeguards in anticipation of the new requirements under the proposed law. We have summarised the significant proposed changes in the Bill below and how we can prepare you to navigate the impending changes.

Mandatory Data Breach Reporting

Under the Bill, organisations will need to notify the Personal Data Protection Commission (“PDPC”) of a data breach that (i) results in, or is likely to result in, significant harm to the individuals to whom any personal data affected by the data breach relates; or (ii) is of a significant scale. Organisations will also need to notify affected individuals (clients of a company) if the data breach is likely to result in significant harm to the clients.

Consent

Under the Bill, individuals would be deemed to have given consent to the processing of their personal data in the following situations: (i) where it is reasonably necessary for the organisation to process their personal data for the conclusion or performance of a contract/transaction involving the individuals; and (ii) where the organisation provides appropriate notification to the individuals and the individuals did not opt out.

In addition, 3 new exceptions to the consent requirement have also been introduced, namely: (i) Legitimate Interests; (ii) Business Improvement; and (iii) Research.

‘Do Not Call’ Provisions

Under the Bill, the following ‘Do Not Call’ (“DNC”) provisions have been proposed:

  1. A person must have valid confirmation that a Singapore telephone number is not listed in the DNC Register before sending a specified message to the telephone number.
  2. Checkers (i.e. individual(s) or organisation(s) which provide information on whether a Singapore telephone number is on the DNC Register) are required to communicate accurate DNC Register results to their clients. Checkers will be liable for DNC infringements resulting from any erroneous information provided by them.

Data Portability Obligations

An individual will be allowed to request that an organisation transfer his or her personal data in the organisation’s possession or control to another organisation in a machine-readable format, unless the request falls under one of the proposed exceptions, in which case the organisation may reject the request.

Increased Penalty for Breach

Currently, the maximum financial penalty that the PDPC can impose for data breaches is S$1 million. Under the Bill, the maximum financial penalty will be increased to (i) 10% of an organisation’s annual turnover in Singapore, if the organisation’s annual turnover exceeds S$10 million; or (ii) S$1 million, whichever is higher.

GDPR Benchmarking Exercise

Multinational corporations based in and/or operating in both Europe and Singapore may want to review and co-ordinate their mandatory data breach reporting policies and procedures to comply with both GDPR and the proposed amendments.

Action Plan

In light of the above impending changes, organisations may need to carry out the following:

  • Develop or enhance their technical and legal assessment processes to detect and report data breaches;
  • Review and renegotiate contractual liabilities with third-party suppliers and clients;
  • Review their cyber insurance posture;
  • Review their collection of personal data under different circumstances;
  • Manage the new exceptions on consent to support their digital strategy;
  • Develop new data portability policies;
  • Review their IT data governance policy;
  • Review their marketing policies and practices to ensure compliance and manage outsourced marketing vendors; and
  • Review the implication of the increased financial penalty.