Singapore’s data protection regulator, the Personal Data Protection Commission (PDPC), has been cracking down on breaches of the Personal Data Protection Act (PDPA). It has just released a set of Data Protection Enforcement Cases, which includes a list of enforcement actions taken against 11 organisations for breaching the PDPA. This provides an insight into the approach the authorities will take to enforcing what is still a relatively new law.
According to the reported enforcement cases, four organisations were fined amounts ranging from S$5,000 to S$50,000 (about USD 3,700 to USD 37,000), and the other seven were issued warnings or directions. In determining the severity of each breach, the PDPC weighed factors such as the extent to which the organisation had data protection policies and processes in place, the time taken to remedy the breach, the number of affected individuals and the type of personal data involved. The highest fine, S$50,000 (about USD 37,000), was imposed on K Box Entertainment Group for failing to put adequate security measures in place to protect its members’ personal data, which resulted in the details of 317,000 members being leaked online in September 2014. Finantech Holdings, the IT vendor K Box had engaged to develop and manage its Content Management System, was also found liable as a data intermediary for K Box and was fined S$10,000 (about USD 7,400). As with all published enforcement actions, the reputational consequences tend to be at least as significant as the financial penalties themselves.
Since the PDPA came into force in July 2014, the PDPC has received 667 complaints in total, of which 92% were resolved through investigation and facilitation between the complainants and the organisations concerned. The issues most commonly raised in these complaints were unauthorised processing of personal data and the absence of adequate data protection measures.
So what does this mean for organisations in Singapore? These enforcement cases confirm that although the PDPA is generally regarded as a “business-friendly” regulation that is not intended to stifle data innovation, the PDPC is clearly willing to intervene when organisations fall short of the required standards. Given the reputational and financial implications of these high-profile enforcement actions, organisations will need to look carefully at their processes and policies to ensure they are compliant.