
Data protection penalties in Singapore hit over a million dollars so far in 2019

By Alain Esseiva

Singapore has seen a 47% increase in the number of data investigations since 2017, handing out over one and a half million dollars in fines and affecting companies from almost every industry.

A recent notification from the Personal Data Protection Commission (PDPC) of Singapore outlined a number of penalties incurred by six Singaporean companies for breaching the Personal Data Protection Act.

Financial penalties ranged from $5,000 to $1m and were caused by a number of infractions, ranging from not having a Data Protection Officer to the unauthorised disclosure of clients’ personal data.

Since 2017, the PDPC has stepped up its investigations of companies thought to be in breach of the PDPA, from 19 in 2017 to 28 in 2019 (and the number may still grow in the coming months). Whilst some investigations resulted in no breach being found, the majority (52%) resulted in fines totalling $1,526,500, with the remainder resulting in warnings or further direction.

Interestingly, these investigations affected 76 companies and organisations ranging from small firms to major public/private institutions. Industries range from services and F&B to transport and insurance. Additionally, the severity of the fines has increased, with the first six months of 2019 seeing an average of $73,882 per fine handed out, compared to $9,300 in 2017.

One company did not have an appointed DPO and had no practices in place to comply with the PDPA. Another did not have adequate online firewall security and so suffered a ransomware attack, and another firm’s employee disclosed customer details without authorisation.

Some of the companies could have claimed they were simply unlucky – for example, the firm that suffered the ransomware attack was undergoing a full IT migration and its IT team was waiting for the IT infrastructure to be refreshed before configuring the appropriate firewall settings. Yet all it took was one incident for the PDPC to be alerted, resulting in the exposure of their lack of PDPA compliance and significant fines.

Data breaches can happen to any company, no matter what type, and infractions can come from a variety of sources, from employees disclosing data to cyber-attacks.

It is imperative that firms in Singapore take data protection seriously. Amongst other requirements, Singapore-based companies should appoint at least one person as a DPO, ensure consent has been granted by individuals before collecting, using or disclosing their data, allow individuals to withdraw that consent, retain data only when needed, and destroy it if no longer required.
