Protecting personal data has become a top priority in regulatory frameworks across the globe. Singapore is recognized for its comprehensive Personal Data Protection Act (PDPA), which ensures that organizations maintain the highest standards when handling personal data. One crucial aspect of the PDPA that has gained prominence is Third-Party Risk Management (TPRM). As companies increasingly rely on external entities for business purposes, it becomes essential to understand TPRM within the advisory guidelines of the PDPA.
In this blog, we’ll explore TPRM requirements in Singapore's PDPA, highlighting its significance and best practices to ensure compliance with its standard of protection.
What is the Personal Data Protection Act?
In 2013, Singapore established the Personal Data Protection Act (PDPA) to govern the collection, use, and disclosure of personal data. It recognizes the right of individuals to protect their data while allowing organizations to collect, use, or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
The PDPA ensures that organizations handle personal data in a responsible and accountable manner. This data protection regulation includes data protection obligations and a Do Not Call (DNC) provision, often called the DNC registry, for Singapore telephone numbers.
Personal Data Obligations
The PDPA outlines nine obligations organizations must fulfill when handling personal data. These obligations include:
- Consent Obligation: Organizations must obtain consent before the collection, use, or disclosure of the personal data, except for legal or medical emergencies.
- Purpose Limitation Obligation: Personal information must only be used for reasonable purposes and with the individual's knowledge.
- Notification Obligation: Organizations must inform individuals about the collection, use, and disclosure of their personal data.
- Access and Correction Obligation: Organizations must allow individuals to access and correct their personal data promptly.
- Accuracy Obligation: Organizations must ensure the accuracy and completeness of collected personal data to prevent incorrect decisions or similar risks.
- Protection Obligation: Organizations must make reasonable security arrangements to safeguard sensitive data from unauthorized access, collection, use, disclosure, copying, modification, or disposal.
- Retention Limitation Obligation: Organizations must only retain personal data for necessary purposes and dispose of it securely when no longer needed.
- Transfer Limitation Obligation: Data transfers out of Singapore are allowed only if certain conditions are met, ensuring that the recipient country or organization offers a comparable data protection regime.
- Openness Obligation: Organizations must develop and communicate data protection policies to meet PDPA obligations.
Who Must Comply with the Personal Data Protection Act?
The PDPA applies to “organizations,” a term that covers a diverse range of entities in Singapore. This definition includes individuals, companies, associations, and other entities involved in the processing of personal data. Organizations without a physical presence in Singapore that use the personal data of individuals in Singapore are also subject to the PDPA.
Other examples of “organizations” include:
- Private sector businesses and enterprises, regardless of size or industry
- Non-profit organizations
- Professional bodies and associations
The PDPA also applies to data intermediaries, which are organizations that process personal data on behalf of other organizations. While data intermediaries are exempt from many of the data protection obligations in the PDPA (because the primary responsibility rests with the organization that owns the data), they still have to comply with the Protection and Retention Limitation Obligations.
There are exclusions to the PDPA that render certain individuals or organizations exempt. Examples of these exclusions include:
- Individuals acting in a personal or domestic capacity
- Employees acting in the course of their employment with an organization
- Public agencies and organizations acting on behalf of public agencies in relation to specific activities
Penalties for Non-Compliance
The Personal Data Protection Commission (PDPC) oversees and enforces the PDPA. It is responsible for ensuring that organizations comply with the PDPA and can take various measures, including financial penalties, against organizations that breach the law. The PDPC also provides data breach notifications and advice on the interpretation and application of the PDPA to help organizations understand their obligations and handle personal data responsibly and appropriately. Where issues arise, an organization might also be required to report to a data protection authority and to have a data protection officer.
Organizations not complying with the PDPA can face financial penalties and other measures. Some examples of these penalties for non-compliance include:
- Financial Penalties: Organizations can be fined up to S$1 million if they breach the PDPA. The amount of the financial penalty will vary based on the severity of the breach, the level of harm caused, and other factors.
- Directions by the PDPC: The PDPC has the authority to issue directions to ensure compliance. These may include ordering organizations to stop collecting, using, or disclosing personal data, ordering the destruction of illegally collected data, and mandating compliance through specific methods.
- Criminal Liabilities: Organizations that obstruct or hinder PDPC officers, make false statements to the PDPC, or fail to comply with PDPC’s directions may face criminal penalties, including fines, imprisonment, or both.
- Civil Actions: Under the PDPA amendments, individuals can initiate legal action against organizations whose security breaches expose their personal data, meaning organizations may also face civil lawsuits from affected individuals.
Third-Party Risk Management and the Personal Data Protection Act
The Singapore Personal Data Protection Act is focused on the protection of personal data but also intersects with third-party risk management strategies and data protection risks. This occurs primarily around organizations' obligations when using third-party entities to process, handle, or store personal data. Privacy impact assessment is also important in these scenarios.
Third-party risk management is how organizations assess, monitor, and mitigate the privacy risks associated with these third-party engagements to ensure they comply with the same data protection standards mandated by the PDPA. Below are some common situations where organizations must consider third-party risk management to comply with the PDPA.
Protection Obligation & Outsourcing
The Protection Obligation under the Personal Data Protection Act (PDPA) requires organizations to implement reasonable security measures to prevent unauthorized access, collection, and use of data. This obligation remains regardless of whether data processing is outsourced to third parties, meaning organizations must ensure third parties have comparable data protection standards in place.
Transfer Limitation Obligation
According to the PDPA, personal data that is transferred out of Singapore must receive an equivalent level of protection. Data can be highly vulnerable during transfer, and that vulnerability continues once the data arrives at its final destination. To prioritize the care of personal data, organizations must consider the level of security any outsourced company has and whether it meets the standards of the PDPA.
Organizations can use TPRM to monitor the compliance of third parties, particularly those based overseas or using overseas data centers, to ensure this requirement is met.
Accountability & Oversight
Although third-party entities may handle the data, the primary organization is ultimately responsible for any lapses in data protection under the PDPA. Implementing TPRM practices helps organizations monitor and supervise third-party activities so that those third parties remain PDPA-compliant.
Contractual Clauses & Agreements
A key aspect of TPRM is establishing clear contractual terms with third-party vendors that define roles, responsibilities, and obligations related to data protection. This aligns with the PDPA's requirements, ensuring third parties adhere to the Act's provisions.
When entering new contracts with third parties, include specific data privacy and protection clauses. These can include requiring the third party to implement specific security standards, to maintain a comprehensive incident response plan in the event of a data breach, and to undergo regular audits that evaluate the effectiveness of its security measures.
Incident Management & Breach Notification
In the event of a data breach, the PDPA mandates specific notification and action requirements. Data breaches can put personal data at risk and should be contained promptly.
Organizations must ensure that any third party working with personal data implements systems and procedures to detect data breaches quickly. This also involves coordinating responses so that they adhere to the PDPA's requirements.
Upgrade Your Organization’s TPRM with UpGuard
Vendor Risk is our all-in-one TPRM platform that allows you to control your organization’s Vendor Risk Management processes. Vendor Risk allows you to automate your third-party risk assessment workflows and get real-time notifications about your vendors’ security in one centralized dashboard. Additional Vendor Risk features include:
- Security Questionnaires: Automate security questionnaires with workflows to get deeper insights into your vendors’ security and utilize templates and custom questionnaires for your specific needs
- Security Ratings: Instantly understand your vendors' security posture with our data-driven, objective, and dynamic security ratings
- Risk Assessments: Let us guide you each step of the way, from gathering evidence to assessing risks and requesting remediation
- Monitoring Vendor Risk: Monitor your vendors daily and view the details to understand what risks are impacting a vendor’s security posture
- Reporting and Insights: UpGuard’s Reports Library makes it easier and faster for you to access tailor-made reports for different stakeholders
- Managed Third-Party Risks: Let our expert analysts manage your third-party risk management program and allocate your security resources