SINGAPORE: Quicker enforcement action could be taken against some companies that breach the Personal Data Protection Act (PDPA), Singapore’s data privacy watchdog announced on Wednesday (May 22).
The Personal Data Protection Commission (PDPC) said in a press release that it is introducing a new expedited decision process to bring investigations into clear-cut data breaches to a conclusion quickly. This process was based on feedback from stakeholders and on data breach cases from the last four years, it said.
Those eligible for the new fast-track system must meet certain conditions:
- The data breach is similar in nature to cases with precedent and involves similar categories of facts
- There is an upfront admission of liability for breaching the PDPA by the organisation
A PDPC spokesperson told CNA that it is difficult to estimate how long these decisions will now take, as it varies from case to case, but it could possibly take half the time it currently does. It takes about a year or longer for a case to be decided today.
The press release said the organisation’s admission of its role in the breach would be a “strong mitigating factor” in cases where financial penalties are involved.
It added that examples of cases eligible for the process include common forms of data breaches such as URL manipulation, poor password management or printing errors resulting in incorrect recipients.
That said, the PDPC acknowledged that even companies that are prepared may not eliminate all risk of data breaches.
So, organisations that can show they have proper accountability practices, monitoring and remediation plans in place, such as those with the Data Protection Trustmark certification, can request an undertaking option should a data breach happen to them.
The undertaking is a written promise by the organisation that it is ready to execute a fully developed and prepared contingency plan to resolve a data breach when it has occurred, the PDPC said.
It could also be granted if the privacy watchdog assesses that an undertaking would achieve a similar or better enforcement outcome as opposed to a full investigation, it added.
UPDATES TO BREACH NOTIFICATION
The PDPC also updated its existing guide to help organisations manage data breaches effectively, including guidance on breach notification.
It said that the thresholds for notifying the PDPC and affected individuals of a data breach have been expanded: a breach is now considered to involve a large number of individuals when 500 or more are affected, and notification is also expected where significant harm or impact to the individuals is likely as a result of the breach.
The agency also recommended that organisations conducting internal investigations and assessments of a potential data breach take no more than 30 days from the time they become aware of it. If the data breach notification thresholds are met, they should notify the PDPC no later than 72 hours from the time they complete their assessments, it added.
PDPC has urged businesses to consider taking up this approach ahead of the agency’s planned introduction of a mandatory breach notification in its upcoming PDPA amendments.
Additionally, PDPC on Wednesday launched its third public consultation under the ongoing review of Singapore’s data privacy laws as it seeks views on the proposed introduction of data portability and data innovation provisions.
Minister for Communications and Information S Iswaran had presented the discussion paper looking at data portability during February’s Mobile World Congress.