The article was published on 06 Oct 2022 and was most recently updated on 26 Oct 2023

Recent updates from PDPC include the Personal Data Protection Digest 2022 which offers a comprehensive overview of the latest decisions from the PDPC and a collection of insightful data protection articles. Keep yourself informed by accessing the Digest here.

Read also: Amendments to PDPA Necessarily a Mixed Bag for Personal Data Protection


According to the Personal Data Protection act (PDPA) it is mandatory for many organizations to designate a data protection officer - DPO.

Data Laws In Singapore 2023

Singapore's Personal Data Protection Act (PDPA), established in 2012, sets out comprehensive guidelines for the handling of personal data, regardless of whether it's in electronic or non-electronic forms.

Under the PDPA, organizations must obligate to the following:

1. Ensure Accountability: Take responsibility for safeguarding personal data.

2. Inform Individuals: Notify individuals about the intended purposes of collecting, using, or disclosing their personal data.

3. Obtain Consent: Only use personal data for purposes with the individual's consent.

4. Exercise Prudence: Collect, use, and disclose data for reasonable purposes.

5. Maintain Accuracy: Ensure the accuracy and completeness of collected personal data.

6. Implement Security Measures: Provide reasonable security measures to protect personal data.

7. Dispose Responsibly: Cease data collection and ensure proper disposal when data is no longer needed.

8. Control Data Transfer: Set limitations on data transfer.

9. Offer Access and Editing Rights: Grant users access and editing rights to their data.

10. Report Breaches Promptly: Immediately inform users in the event of a data breach.

11. Ensure Data Portability: Allow data portability for users.

Additionally, the Personal Data Protection (Do Not Call Registry) Regulations 2013 enable individuals to register their Singapore telephone numbers with the DNC Registry to avoid unwanted telemarketing messages.

Non-compliance with certain PDPA provisions is a criminal offense, punishable by fines up to US$7,400 and/or imprisonment for up to three years. For ongoing offenses, an additional fine of up to US$740 per day may apply.

Moreover, the Personal Data Protection (Notification Of Data Breaches) Regulations 2021 require organizations to notify users about data breaches that may affect them.

What is a Data Protection Officer in a nutshell?

A DPO takes responsibility for ensuring that companies comply with PDPA regulations regarding the safe storage and use of personal information.

Furthermore, they work closely with their competent supervisors to ensure a smooth and compli­ant procedure.

A DPO is an employee who has been trained to handle any privacy related issues within their organisation. They provide training to the relevant employees on the proper way to handle personal information in compliance with the PDPA. Additionally, they advise the management on the appropriate course of action if there is a potential violation of the Protection Law.

Data Protection and SMEs

A company that does not properly secure its sensitive data could lose its reputation and face financial penalties. In addition, companies that do not comply with data privacy laws could incur hefty legal fees. These costs can put a small business under financial stress.

Data Protection Officers

Who can be DPO of the company?

The purpose of DPO

What Are Data Protection Rules and Regulations?

These are the data privacy key principles:

• Lawfulness, Fairness, and Transparency
• Purpose Limitation
• Data Minimization
• Accuracy
• Storage Limitation
• Integrity and Confidentiality
• Openness

To ensure that the data is protected, you need to follow the above rules strictly.

What you have to do

When business owners need to hire a DPO, there are clear rules for when they must do so.

• A mandatory requirement for a private authority or organisation

If your company is a private organisation, then an official designated by the authority must appoint a Data Protection Officer. However, courts acting in their judi­cial role are exempt from this requirement.

• Mandatory if the main activity involves collecting large amounts of personal information
  

A core activity is any activity that helps you achieve your key objectives. For example, collecting customer profiles or website visitor statistics would be considered a core activity.

This is distinct from processing data with other non-sensitive uses (e.g., payroll or HR) because they don't involve sensitive data. Hospitals, for instance, wouldn't need an appointed Data Protection Officer. They'd just use the data for its intended purpose.

• Mandatory if there is a possibility of large scale regular and systematic monitoring

It is not possible to provide an exact figure of people who need to be concerned about large-scale monitoring. However, we can identify some important factors. For example, the size of the population affected, the quantity of data collected, and the geographic scope are three relevant factors.

Regular and systematic monitoring refers to any form of collecting and analyzing information from various sources. For instance, regular and systematic monitoring includes collecting and analyzing user behaviour through web analytics tools.

• Mandatory if any special category of data is used

Personal information that reveals racial or ethnic origins, or medical and health information, is usually considered especially sensitive and therefore receives extra protection as well as requires protection strategy.

• Appointment of a DPO

Companies are legally required to appoint a DPO. By doing this, companies can better protect their customers' personal information. A DPO helps ensure good communication between company employees and supervisors, and shows a willingness to comply with regulations. In addition, it allows companies to demonstrate their commitment to improving privacy practices and protecting customer information.


If the supervisory authority is going to impose a fine, having an independent Data Protection Officer (DPO) could be beneficial. Remember though that by having an independent DPO, you're essentially making sure that the same duties apply to you whether you've been ordered to appoint someone or not.

Make sure that your DPO supports your efforts to the same degree as if he/she was doing so himself/herself.

• Report the DPO to the supervisory authority

Under the Personal Data Protection Act (PDPA), organisations are required to designate at least one individual as the organisation’s DPO, and making the DPO’s business contact information (BCI) publicly available.

Your Data Protection Officer can be kept up-to date with the latest information concerning data protection by subscribing him/her to the PDPC's e-newsletter, DPO connect. 

• Failing to appoint a DPO may lead to fines

If the company doesn't appoint a DPO, they must document their reasons for waiving the requirement or may lead to fines.


Frequently Asked Questions

Is DPO mandatory for company

Yes. DPO is mandatory for any private companies.


Can I Outsource my DPO to a third party firm?

If an organisation has manpower constraints, they might outsource some operational aspects of their DPO functions to a third party for business continuity. But the overall DPO functions remain the management's responsibilities (protection responsibilities).

What is PII?

Personal Identifiable Information (PII) includes any information that identifies an individual person, including

• Email address
• Personal identifiable financial information
• IP address
• Mailing address
• Social Security number
• Phone number
• Login ID
• Social media post

Data breaches happen when organisations don't protect their PII properly. Hack­ers may use the stolen PII for their own benefit.

Inventory Your Data

The first step in protecting your data is to inventory it. This means listing all the types of data you have and where it resides. You can do this using a spreadsheet or online tool like Google Sheets.

Minimize Data Collection

It is important for companies to have a good way of managing their large amounts of unstructured data. Visibility gained from using it allows them to monitor employee use of the data, understands what is required, predicts future needs, and makes the data available and secure, which increases customer confidence in the ability of the company to safeguard its data, promotes business expansion, reduces data costs, and generates revenue.

Be Open with Your Users

The biggest advantage of a data management system is its ability to provide insight into your organization’s data usage. By keeping track of where your data comes from and what it is being stored for, you can better understand how much data you are consuming and whether or not you should invest in additional storage capacity. A data management system also helps you identify unused space within your existing storage infrastructure, allowing you to make efficient use of your resources.

Read also: Comprehensive Guide To Understanding Moneylenders Credit Bureau Report (MLCB)
Read also: Anti-Money Laundering (AML) in Singapore: What are the Compliances and Regulations? [2023 Edition]
Read also: Amendments to PDPA Necessarily a Mixed Bag for Personal Data Protection

-------------------------------------------------------------------------------------------------------

Got a Question?

WhatsApp Us, Our Friendly Team will get back to you asap :)

Share with us your thoughts by leaving a comment below!

Stay updated with the latest business news and help one another become Smarter Towkays. Subscribe to our Newsletter now!