
Singapore Personal Data Protection Act (PDPA) Compliance

PDPA and Third-Party Risk Management

The Singapore Personal Data Protection Act (PDPA) is a law that governs the collection, use and disclosure of an individual’s personal data. First enacted in 2012 and revised in 2020, the PDPA recognizes both the right of individuals to protect their personal data and the need of organizations to collect, use and disclose that data for reasonable purposes.

The PDPA includes ten obligations, with one – the Protection Obligation (Section 24) – applying most directly to third-party data processor outsourcing. Therefore, it is critical to ensure that third parties use the strongest security controls when storing, managing or maintaining your organization's customer data.

Relevant Requirements

  • Collect, use or disclose personal data only for reasonable purposes, after notifying individuals of those purposes and obtaining their consent

  • Allow individuals to access and correct their personal data

  • Ensure personal data is accurate, protect it (including when it is transferred internationally), and do not retain it once it is no longer needed

  • Notify the Singapore Data Protection Commission and affected individuals of data breaches

  • Have policies and practices to comply with the PDPA

The PDPA Third-Party Compliance Checklist

Download the PDPA Third-Party Compliance Checklist to reveal third-party considerations in the law and identify key third-party risk management capabilities that can help you address its requirements.


Meeting PDPA TPRM Requirements for Data Protection

The summary table below maps capabilities in the Prevalent Third-Party Risk Management Platform to select articles in the PDPA, Section 24 - the Protection Obligation.

NOTE: This is a summary of the most relevant articles only, and it should not be considered comprehensive, definitive guidance. For a complete list of articles, please review the complete document in detail and consult your auditor.

PDPA Section How We Help

Protection of Personal Data, Section 24:

“An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent —
(a) unauthorized access, collection, use, disclosure, copying, modification or disposal, or similar risks; and
(b) the loss of any storage medium or device on which personal data is stored.”

Advisory Guidelines on Key Concepts in the PDPA

The Data Protection Obligation, 17.3 c)

“Implement robust policies and procedures for ensuring appropriate levels of security for personal data of varying levels of sensitivity”

Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program in line with your broader information security and governance, data protection, risk and compliance programs based on proven best practices and extensive real-world experience.

Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding – according to your organization’s risk appetite.

Prevalent enables organizations to assess and monitor their third parties based on the extent of the threats to their information assets by capturing, tracking and quantifying inherent risks for all third parties. The outcome is a tiered and categorized list of vendors, each with an inherent risk score, to inform further due diligence.

Advisory Guidelines on Key Concepts in the PDPA

The Data Protection Obligation, 17.3 d)

“Be prepared and able to respond to information security breaches promptly and effectively”

Prevalent enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor incidents by centrally managing vendors, conducting event assessments, scoring identified risks, correlating against continuous cyber monitoring, and accessing remediation guidance. Key capabilities include:

  • Continuously updated and customizable event and incident management questionnaires
  • Real-time questionnaire completion progress tracking
  • Defined risk owners with automated chasing reminders to keep surveys on schedule
  • Proactive vendor reporting
  • Consolidated views of risk ratings, counts, scores and flagged responses for each vendor
  • Workflow rules to trigger automated playbooks to act on risks according to their potential impact to the business
  • Guidance from built-in remediation recommendations to reduce risk
  • Built-in report templates
  • Data and relationship mapping to identify relationships between your organization and third, fourth or Nth parties, visualize information paths, and determine which data is at risk

Advisory Guidelines on Key Concepts in the PDPA

The Data Protection Obligation, 17.4

In addition, it might be useful for organisations to undertake a risk assessment exercise to ascertain whether their information security arrangements are adequate.

In so doing, the following factors may be considered:

a) the size of the organisation and the amount and type of personal data it holds;
b) who within the organisation has access to the personal data; and
c) whether the personal data is or will be held or used by a third party on behalf of the organisation.

Prevalent delivers a comprehensive third-party data protection risk assessment program that includes the following capabilities:

Discovery and Third-, Fourth- and Nth-Party Data Mapping
Prevalent offers scheduled assessments and a unique relationship mapping capability to trace data transfers between business relationships, identifying where data exists, where it flows, and who it is shared with outside the organization. The results automatically generate a risk register that highlights key areas of risk.

Self-Assessments
With Prevalent, organizations can conduct an internal Privacy Impact Assessment (PIA) targeting the most sensitive privacy-related data and business processes with the highest risk. The PIA evaluates the origin, nature, and severity of the potential risk. It also provides recommendations to mitigate identified risks, ensuring future compliance with privacy regulations.

Vendor Risk Assessments
Prevalent assesses vendor data privacy controls against PDPA using the Prevalent Compliance Framework (PCF) and a dedicated PDPA survey. Specific questionnaire content helps to identify risks and map them to controls for a clear view of potential hot spots.

Risk Response
Prevalent automates risk identification based on thresholds set in the platform. This capability accelerates response with pre-built workflow rules that escalate identified risks to the proper stakeholder for immediate review and disposition.

Compliance Tracking and Reporting
Prevalent reports against PDPA using the Prevalent Compliance Framework (PCF). The PCF automatically maps risks and responses to controls, provides a percent-compliant rating, and delivers stakeholder-specific reporting to provide visibility into data security.

Continuous Breach Event Notification Monitoring
Prevalent provides access to a database containing 10+ years of data breach history for thousands of companies around the world. It includes types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications.

Align Your TPRM Program with CCPA, GDPR, HIPAA and More

Download this guide to review specific requirements from 5 data privacy authorities, identify TPRM capabilities that map to each requirement, and uncover best practices for ensuring compliance.
