Companies are required, in accordance with the Personal Data Protection Act (PDPA), to appoint a data protection officer (DPO) to ensure that the company is compliant with the act. The details of the DPO should be made publicly available. Typically, companies will put this information on their website. In the event of a breach or if a member of the public were to complain about a data breach, the DPO and the company will be notified. This is why the contact details of the DPO need to be available in the public sphere.
All companies should have the relevant measures in place to ensure that their processes comply with the Personal Data Protection Act (PDPA). However, if breaches are found, the Personal Data Protection Commission (PDPC) can enforce the following measures:
- Send officers to enter the company’s premises to investigate the breach
- Get the company to stop collecting and using the personal data in the breach
- Get the company to destroy the data collected that breached the PDPA
- Compel the company to pay a fine of up to $1,000,000
Companies and directors have been fined for breaches. Here are some incidents that were reported in the local news:
- 5 firms fined over data breaches
- 5 companies, including Genki Sushi and CDP, fined $117k for not securing personal data
- Tuition agency, director each face 37 charges for flouting DNC rules
The PDPA is an important matter, and breaches carry serious repercussions, so it is important that companies take the act very seriously. You can start by first appointing a DPO. If you have any queries as to how to appoint a DPO or would like to have an audit of your data protection practices, do contact us at [email protected].
When in doubt, seek legal advice or consult an experienced ACRA Filing Agent.
The editorial team at Singapore Secretary Services