On 15 March 2021, the Personal Data Protection Commission (PDPC) released the revised Guide on Managing and Notifying Data Breaches (Data Breach Guide) and revised Guide on Active Enforcement (Enforcement Guide) in view of recent amendments to the Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA) which took effect on 1 February 2021.
The Data Breach Guide provides guidance on compliance with the new data breach notification (DBN) obligation introduced in the PDPA and the Personal Data Protection (Notification of Data Breaches) Regulations 2021 (DBN Regulations) and recommends practices to prepare for and manage data breaches.
Data Breach Notification Obligation
Under the PDPA and the DBN Regulations, a data breach is notifiable if, after assessing the data breach, the organisation determines that:
The PDPC should be notified of the data breach as soon as practicable and no later than 3 calendar days after it is assessed to be notifiable. The affected individual(s) should also be notified of the data breach as soon as practicable, at the same time or after notifying the PDPC, unless notification is excepted or prohibited.
Preparing for and Managing Data Breaches
The Data Breach Guide gives practical tips on how to prepare for and manage data breaches, including:
The Enforcement Guide explains the PDPC’s approach to enforcing the PDPA, including in respect of the amended PDPA provisions on alternative dispute resolution, erring organisations’ written voluntary undertakings and financial penalties.
Alternative Dispute Resolution
Due to their private nature, some data protection complaints are better resolved through alternative dispute resolution methods. Accordingly, the PDPA was amended to grant the PDPC additional powers to promote resolution of complaints through facilitation of communication and (if the dispute remains unsolved) mediation between the complainant and the relevant organisation. Referral to mediation does not require the consent of any party. On the other hand, resort to alternative dispute resolution is not a pre-requisite to the PDPC conducting a full investigation into the complaint. In other words, the PDPC may directly proceed to exercising its other enforcement powers where it determines that alternative dispute resolution is inappropriate in the circumstances.
Voluntary Undertaking by an Organisation
Under the new Section 48L of the PDPA, an erring organisation may now provide a written voluntary undertaking to the PDPC in lieu of the PDPC conducting a thorough investigation in relation to a specific incident.
In providing a voluntary undertaking, an erring organisation:
The voluntary undertaking is effective upon its acceptance by the PDPC; however, the PDPC has full discretion whether or not to accept it. The PDPC is more likely to do so where PDPA enforcement through such undertaking will be more efficient and/or effective than through an investigation. On the other hand, the PDPC is unlikely to accept a voluntary undertaking where, among others, the organisation denies responsibility, the incident is a repeat of a previous breach with a similar cause, there is no remediation plan (or the plan does not show how the organisation can comply with the PDPA) or the incident was willful or flagrant.
If the PDPC determines that an organisation has violated any term(s) of the voluntary undertaking, it may take enforcement measures against the organisation, including issuing directions to comply with the undertaking.
The amended PDPA increases the financial penalty that the PDPC may impose on breaching organisations. Previously, the maximum financial penalty was S$1million. Once the amendment takes effect (on a date no earlier than 1 February 2022), the maximum amount will be the higher of S$1 million and 10% of the organisation’s annual turnover in Singapore.
In determining the financial penalty amount to impose, the PDPC will consider several factors, including:
Among the PDPC’s key aims in enforcing the PDPA is to instill a compliance and an accountability culture in organisations. In this regard, the PDPC will look not only to an erring organisation’s acts which led to a data breach, but also to how that organisation conducted itself after the breach occurred. Accordingly, while organisations should take appropriate steps to comply with the PDPA and to prevent data breaches, they should also take responsibility for and promptly implement suitable measures to remedy any breach that may occur.
OrionW regularly advises clients on data protection matters. For more information about the Personal Data Protection Act, or if you have questions about this article, please contact us at firstname.lastname@example.org.
Disclaimer: This article is for general information only and does not constitute legal advice.