SINGAPORE Law and Practice Contributed by: Lim Chong Kin, David N Alfred, Albert Pichlmaier and Goh Boon Yeow, Drew & Napier LLC
tions which product developers use, to establish the security requirements of their IT products in a standardised language.

The PDPC and the IMDA jointly developed the Data Protection Trustmark (DPTM) Certification to help organisations demonstrate compliance with the PDPA. The DPTM Certification serves as a visible indicator that organisations have adopted sound data protection practices, strengthening trust between customers, business partners and regulators to increase business competitiveness. The DPTM Certification aligns its requirements with the PDPA and also incorporates elements of international benchmarks and data protection best practices.

Singapore has also joined the APEC Cross-Border Privacy Rules System and Privacy Recognition for Processors System in 2019 (see 3.5 International Data Transfers).
6. Cybersecurity in Other Regulations

6.1 Cybersecurity and Data Protection

In terms of broad focus and application, the Cybersecurity Act addresses national cybersecurity issues and protects computers and computer systems in Singapore by imposing obligations on owners of CII. In contrast, the PDPA seeks to protect consumers and individuals by imposing obligations on private sector organisations that collect, use, disclose or otherwise process personal data.

General Requirements Under the PDPA

In the context of personal data protection, organisations are required to, amongst other things, put in place data protection policies and practices to ensure and demonstrate compliance with their obligations under the PDPA. Specifically, these requirements include:

• appointing a data protection officer to oversee compliance with the PDPA;
• developing and implementing data protection policies, practices and procedures (which include technical security arrangements) to ensure proper processing of personal data;
• providing adequate training to staff that handle and process personal data; and
• conducting a data protection impact assessment to determine that the proposed collection, use or disclosure of the personal data is not likely to have an adverse effect on the individual (where applicable).

Protection Obligation

Additionally, under the protection obligation (Section 24 of the PDPA), an organisation is required to make reasonable security arrangements to protect personal data in their possession or under their control in order to prevent (i) unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks; and (ii) the loss of any storage medium or device on which personal data is stored.

Data Breach Notification

With effect from 1 February 2021, a mandatory data breach notification regime has been introduced into the PDPA.

A “data breach” in relation to personal data is defined in the PDPA to mean:

• the unauthorised access, collection, use, disclosure, copying, modification, or disposal of personal data; or
• the loss of any storage medium or device on which personal data is stored in circumstances where the unauthorised access, collection,