The Personal Data Protection Commission (PDPC) has set out new data breach management guidelines which recommend that organisations notify the regulator in certain cases where they have experienced a personal data breach.
Organisations that fail to follow the guidance face stiffer enforcement action than those that do if they are later found to have breached data protection law, deputy commissioner Yeong Zee Kin has said.
"Organisations can expect that where financial penalties are involved, the organisation’s admission of its role in the incident will be taken as a strong mitigating factor," Yeong said.
The new data breach management guide advises organisations that experience a personal data breach to first take steps to contain the breach, then assess its impact and report the incident to the PDPC and affected individuals if the PDPC's recommended threshold for reporting is met.
"Organisations are to carry out their assessment of the data breach expeditiously within 30 days from when they first become aware of a potential data breach," the PDPC said. "Where a data breach is assessed to be likely to result in significant harm or impact to the individuals whom the personal data relates, organisations should notify the PDPC and the affected individuals. The time frames for notifying affected individuals and the PDPC will thus commence from the time the organisation determines that the breach is eligible for reporting."
The PDPC's guide also encouraged organisations to take steps after data breaches have been dealt with to evaluate those incidents and their response to them.
The PDPC has said that it plans to make it mandatory for organisations to report certain personal data breaches to it under Singapore's Personal Data Protection Act in future.
Technology law expert Bryan Tan of Pinsent Masons MPillay, the Singapore joint law venture between MPillay and Pinsent Masons said: "The guidance encourages firms to do the right thing – report the breach and work against recurrence in the future. It also moves the needle closer to mandatory breach notification in line with moves afoot elsewhere, such as the GDPR."
In a separate development, the PDPC has opened a consultation on the introduction of new data portability and data innovation rights in Singapore law.
"The proposed data portability provision will provide individuals with greater control over their personal data and enable greater access to more data by organisations to facilitate data flows and increase innovation, while the proposed data innovation provision makes it clear that organisations can use data for appropriate business purposes without individuals’ consent," the PDPC said.
The consultation is open until 3 July.
