The Personal Data Protection Act (PDPA) is a Singapore law that governs the collection, use and disclosure of an individual’s personal data. This post reviews the important third-party considerations in the PDPA and identifies critical capabilities to address the requirements.
First enacted in 2012 and revised in 2020, the PDPA recognizes both the right of individuals to protect their personal data and the need of organizations to collect, use and disclose that data for reasonable purposes. That means organizations must work with their third-party data handlers to ensure they have sound data protection practices in place. Failing to comply with PDPA provisions could result in a financial penalty of 10% of the organization’s annual turnover or up to S$1 million, whichever is higher.
To provide guidelines for organizations with customers in Singapore, the PDPA includes “Data Protection Provisions” that address:
The PDPA includes ten obligations, with one – the Protection Obligation (Section 24) – applying most directly to third-party data processor outsourcing. However, the PDPA does not mandate specific processes or technologies to address third-party data protection. Instead, the accompanying Advisory Guidelines on Key Concepts in the PDPA (Revised 17 May 2022) allow organizations flexibility in implementing appropriate data protection controls.
The PDPA Third-Party Compliance Checklist
Download the PDPA Third-Party Compliance Checklist to reveal third-party considerations in the law and identify key third-party risk management capabilities that can help you address its requirements.
It is critical to ensure that third parties use the strongest security controls when storing, managing or maintaining your organization's customer data. This section maps best practices to selected articles in the PDPA to help your data privacy teams ensure that third parties are meeting their data protection obligations.
NOTE: This is a summary of the most relevant articles only, and it should not be considered comprehensive, definitive guidance. For a complete list of articles, please review the complete document in detail and consult your auditor.
The PDPA requires organizations to “Implement robust policies and procedures for ensuring appropriate levels of security for personal data of varying levels of sensitivity.”
To address these requirements, organizations should consider defining the following criteria as part of their third-party risk management program:
Many organizations choose to align with an accepted risk management framework, such as ISO, to accomplish this. If you are looking to automate the process of measuring your TPRM program against an industry framework, be sure to select an assessment platform that provides several pre-built questionnaire options that align with multiple frameworks.
The PDPA requires organizations to “Be prepared and able to respond to information security breaches promptly and effectively.”
Rapidly identifying, responding to, reporting on, and mitigating the impact of third-party vendor incidents is impossible to achieve manually or without a solid incident management foundation. Key capabilities to examine as part of your incident response program include:
PDPA suggests that organisations undertake a risk assessment exercise to ascertain whether their information security arrangements are adequate. In so doing, the following factors may be considered:
a) the size of the organisation and the amount and type of personal data it holds;
b) who within the organisation has access to the personal data; and
c) whether the personal data is or will be held or used by a third party on behalf of the organisation.
To address these suggestions, consider the following capabilities:
Conduct an internal Privacy Impact Assessment (PIA) targeting the most sensitive privacy-related data and business processes with the highest risk. The PIA evaluates the origin, nature, and severity of the potential risk. It also provides recommendations to mitigate identified risks, ensuring future compliance with privacy regulations.
Assessments and passive scanning can enable relationship mapping that traces data transfers between business relationships, identifying where data exists, where it flows, and who it is shared with outside the organization.
Examine third party data privacy controls against PDPA using a common framework such as ISO. Specific questionnaire content helps to identify risks and map them to controls for a clear view of potential hot spots. As part of this process, continuously monitor the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.
Establish thresholds and automate risk identification based on them. Leverage workflow rules that escalate identified risks to the proper stakeholder for immediate review and disposition. Offer third parties prescriptive remediation recommendations to hold them to account.
Structure compliance reporting against PDPA requirements using a common industry framework such as ISO. That will enable you to automatically map risks and responses to controls, provide a percent-compliant rating, and deliver stakeholder-specific reporting that gives visibility into data security.
Stay on top of potential risks to data by monitoring data breach databases. They will provide insight into types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications.
Organizations that must comply with PDPA should ensure that third parties with whom they share personal information have controls in place to protect that information. Prevalent offers organizations a scalable third-party risk management platform that addresses data protection risks. The Prevalent Platform:
With Prevalent, vendor, security and privacy teams have a single, collaborative platform for conducting privacy assessments and mitigating both third-party and internal privacy risks.