What is PDPA?
The PDPA is legislation enacted by the Personal Data Protection Commission (PDPC) to govern the collection, use, disclosure and handling of personal data. At the core of the PDPA are nine mandatory obligations imposed to give individuals more control over how their personal data is collected, used and disclosed. At the same time, they enable organisations to better facilitate safe and protected cross-border transfer of information. These obligations include:
- Consent Obligation: Organisations must first acquire an individual’s consent before collecting, using or disclosing his or her personal data. Individuals are allowed to withdraw their consent with reasonable notice.
- Purpose Limitation: Upon consent, organisations can only use the information for a purpose that would be considered appropriate to a reasonable person in the circumstances.
- Notification: Organisations should notify individuals of the purposes for which their data is collected, used or disclosed before such collection, use or disclosure.
- Access and Correction: Upon request, organisations must provide the individual with his or her personal data that they possess and how it has been used or disclosed in the past year. Organisations must also allow an individual to correct an error or omission in his or her personal data, unless there are reasonable grounds to refuse.
- Accountability: Organisations must make information about data protection policies, practices and complaints process available on request.
- Protection: Organisations must implement reasonable security arrangements to protect the data they possess or control.
- Accuracy: Organisations are obliged to make a reasonable effort to ensure that the personal data collected by or on behalf of the organisation is reasonably accurate and complete.
- Retention Limitation: Organisations must cease retaining personal data, or remove the means by which the data can be associated with particular individuals, when it is no longer necessary for any business or legal purposes. These records should also be deleted or anonymised.
- Transfer Limitation: Personal data can only be transferred to another country if the overseas recipient is able to provide a standard of protection that is comparable to the protection under the
Ensuring that Your Organisation Aligns With PDPA Requirements
At CSIntelligence, we not only help organisations review PDPA policies and procedures, but we also assist them in establishing adequate technical controls. Get in touch with our consultants today.