PDPA Regulations For Businesses In Singapore


The Personal Data Protection Act (PDPA) relates to data privacy in Singapore. Centered on other regulations and standards such as the former United Kingdom data protection act and the Asia-Pacific Economic Cooperation (APEC) Privacy System, the PDPA was signed into law in October 2012 and introduced in four distinct phases the next two years to allow companies plenty of time to comply. The last of these stages was launched on 2 July 2018 and has since been in effect.


PDPA obligations beyond the DNC, which companies must satisfy while gathering, analyzing, and reporting data. Including:

1: Consent

An individual must be asked for permission to

collect, process, or disclose their data.

Like GDPR’s “Right to Be Forgotten,” individuals may withdraw their consent at any time, and organizations must comply with that withdrawal.

2: Purpose

Businesses shall only collect and or disclose personal details of an individual for the particular reason the individual has consented.

3: Notification

The business must notify the individuals of the intentions of gathering, using, or disclosing the data.

4: Access and correction

Like requests for access to data subjects, people are entitled to inquire which data the company holds or controls. They may also ask for information on how the data was used or published in the past year.

Organizations are legally obliged to comply with these demands and correct any mistakes or omissions until it is appropriate not to do so.

5: Accuracy

Businesses must make every reasonable effort to ensure that the personal data they collect is accurate and complete when that data is used to make decisions that affect the individual to whom the data relates or when that data is to be disclosed to another organization.

6: Protection

To secure any sensitive data which is obtained, appropriate protection measures must be placed in place. This must include, where applicable, technical, organizational, and any other actions.

7: Retention

Organizations must hold personal data only for as long as required to execute commercial or legal functions.

8: Transfer

If personal data is shared abroad, including being processed with overseas-based cloud providers, the transfer must follow strict criteria laid down by PDPA.

9: Openness

Organizations must provide public information about the practices and processes they use to ensure compliance with PDPA. If you’re familiar with GDPR when it comes to data security rights, you’ll no doubt find any parallels between the two regulations. This, of course, provides room for streamlining regulatory initiatives that can lead to long-term cost reductions and greater productivity.

Consultancy in data protection will help you find crucial areas for such a simplistic analysis.

Find out how you can grow your business while ensuring that you meet your PDPA obligations; visit https://thegenia.com.