Cybersecurity 2025

SINGAPORE Law and Practice Contributed by: Lim Chong Kin, David N Alfred, Albert Pichlmaier and Goh Boon Yeow, Drew & Napier LLC

use, disclosure, copying, modification, or disposal of the personal data is likely to occur.

Where an organisation has reason to believe that a data breach affecting personal data in its possession or control has occurred, it must conduct an assessment of whether the data breach is a “notifiable data breach” in a reasonable and expeditious manner. A data breach is a “notifiable data breach” if the data breach (i) results in, or is likely to result in, significant harm to an affected individual; or (ii) is, or is likely to be, on a significant scale (ie, affecting at least 500 persons).

According to the Personal Data Protection (Notification of Data Breaches) Regulations 2021 (the “Data Breach Regulations”), a data breach is deemed to result in significant harm to an individual if the data breach relates to the following:

• the individual’s full name or alias or identification number, and any of the personal data or classes of personal data relating to the individual as set out in the schedule to the Data Breach Regulations.
• all of the following personal data relating to an individual’s account with an organisation: (a) the individual’s account identifier, such as an account name or number; or (b) any password, security code, access code, response to a security question, biometric data or other data that is used or required to allow access to, or use of, the individual’s account.

Notification to the PDPC

Upon assessing that the data breach is a “notifiable data breach”, the organisation must notify the PDPC in the prescribed form and manner as soon as practicable but no later than three calendar days after assessment. This notification to the PDPC must contain all the relevant information of the data breach to the best of the knowledge and belief of the organisation.

Notification to Affected Individuals

Upon notifying the PDPC, the organisation must also notify each individual affected by the data breach, unless an exception applies. An organisation does not need to notify affected individuals in two circumstances:

• if, on or after assessing that the data breach is a “notifiable data breach”, the organisation takes any action that renders it unlikely that the data breach will result in significant harm to the affected individual; or
• if the organisation had implemented, prior to the occurrence of the data breach, any technological measure that renders it unlikely that the data breach will result in significant harm to the affected individual.

Notification to the Primary Organisation

Where a data intermediary processing personal data on behalf of another organisation has reason to believe a data breach has occurred, it must, without undue delay, notify the primary organisation.

6.2 Cybersecurity and AI

Computers or computer systems which support AI solutions may be designated as a CII under the Cybersecurity Act if they are necessary for the continuous delivery of an essential service, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore, and the computer or computer system is located wholly or partly in Singapore. For more details on which entities may be designated as CII and the obligations that a CII will have to
