Main changes under the Personal Data Protection (Amendment) Act 2020 that affect your business

With the rapid shift into a data-centric society, data has become even more valuable in today’s digital economy. The growth of the Internet of Things (IoT), the introduction of 5G and the rise of artificial intelligence have created an exponential increase in the volume of data generated, used, collected and processed all around the world. Singapore’s Personal Data Protection (Amendment) Act 2020 (“PDPA Amendment”) seeks to keep up with these changes and align itself with stricter international standards like the General Data Protection Regulation (GDPR).

Even though you and other SMEs might see an increase in operating costs to comply with these new amendments, that increase is far outweighed by the cost of any potential data breach. Not only have the fines for breaches been increased with this Amendment (up to 10% of annual gross turnover in Singapore, or SGD 1 million, whichever is higher), but it will also take more time to restore your company’s reputation and credibility once it has been publicly fined and flagged.

This article will take you through some of the main changes in the PDPA Amendment.

Mandatory Data Breach Notification Requirement

Before this PDPA Amendment, the Personal Data Protection Commission (PDPC) encouraged organisations to make voluntary notifications on occurrences of data breaches. However, this Amendment has made it an express requirement to do so within 3 calendar days.

The PDPC has prescribed in regulations (the “Regulations”) the personal data that is considered likely to result in significant harm to affected individuals if compromised in a data breach. If a data breach occurs in your organisation which would result in or be likely to result in significant harm to affected individuals, your organisation is required to notify the affected individuals and the PDPC.

If a data breach occurs in your organisation on a significant scale, you would also have to notify the PDPC. Where a data breach involves 500 or more individuals, this amounts to a significant scale and the organisation is required to notify the PDPC even if the data breach does not involve any personal data prescribed by the PDPC in the Regulations.

New Data Portability Obligation

In a bid to match up to the requirements of the GDPR, this PDPA Amendment introduces a new data portability obligation to give customers more autonomy over their personal data, enabling them to switch to new service providers with less hassle. It will also support the development of new, innovative and personalised services as organisations will have more access to data. 

Under the data portability obligation, an individual may make a data porting request asking an organisation (the porting organisation, e.g. Starhub) to transmit applicable data specified in the request to another organisation (the receiving organisation, e.g. Singtel).

However, an organisation’s portability obligation will only apply to:

  • requesting individuals with an ongoing relationship with the organisation;
  • receiving organisations with a presence in Singapore, regardless of the location of stored data; and
  • data (in a machine-readable format) which is provided by the individual or data about the individual created in the course of the individual’s use of the relevant product or service. 

Ban on Dictionary Attacks and Address Harvesting Software

Under the Do Not Call Provisions of the PDPA, the sending of unsolicited messages to telephone numbers using dictionary attacks and address harvesting software will now be prohibited.

If your organisation has been utilising such software, you should start making alternative arrangements.

Expanded Rules on ‘Deemed Consent’

Your organisation may now disclose personal data of an individual to another organisation without expressly obtaining the individual’s consent with regard to two additional areas:

  • Contractual necessity: when the processing of personal data is reasonably necessary for the performance of a contract; and
  • Notification and opt-out: where individuals have been reasonably notified and given a reasonable period to opt out. Here your organisation has to conduct assessments on the risks of collecting, using and disclosing personal data and establish reasonable measures to eliminate such risks before actually collecting, using and disclosing such personal data. Individuals still retain the right to withdraw their consent subsequently.

Do take note that these expanded rules on deemed consent do not apply to sending direct marketing messages to individuals. That still requires express consent.


It is now a legal requirement in Singapore for businesses to take note of and comply with data protection practices and obligations as part of overall legal compliance. You may wish to read our article on a case study where a cosmetics company was fined for failing to meet its obligations under the PDPA – click here. For the full extent of how the PDPA Amendment affects you and your business or any other aspect of compliance with the PDPA, please get in touch with the helpful team at AT Law Practice LLP – click here.

Copyright © 2020 ATLaw Practice LLP. All Rights Reserved.