Singapore’s Enhanced Personal Data Protection Act 2020: What’s New?
The Personal Data Protection (Amendment) Act 2020, also known as the Enhanced PDPA, seeks to strengthen organisational accountability and consumer protection while encouraging companies to optimise the use of personal data for innovation.
The Enhanced PDPA took effect from 1 February 2021 with the following three key amendments:
1. Mandatory Data Breach Notification
What constitutes a notifiable data breach?
A notifiable data breach is one that results in or is likely to result in significant harm to an affected individual involving prescribed personal data; OR is likely to be of a significant scale (usually involving 500 or more individuals).
Who must be notified?
The Personal Data Protection Commission (PDPC) must be notified as soon as is practicable, and in any event within three calendar days of the organisation’s assessment; AND affected individuals must also be notified if the data breach is likely to cause them significant harm.
2. Introducing Criminal Offences
What are the offences?
Knowingly or recklessly committing any unauthorised disclosure of personal data, use of personal data for wrongful gain or causing a wrongful loss to any person, or re-identification of anonymised data.
What are the penalties?
Maximum fine of SGD5,000 or maximum 2 years' imprisonment, or both.
3. Expansion of Consent Framework
New ways that consent can be deemed as given:
New exceptions that remove the need for consent: