PDPA Compliance Assessment

Assessor Information

Please provide your details as the individual completing this assessment. This information is essential for us to understand the context of your responses and to facilitate any necessary follow-up communications.

All information is kept confidential and processed in accordance with PDPA regulations.

First Name

Last Name

Company Name

What type of business model does your company operate under?

B2C

B2B (Agency)

B2B (Supply Chain)

B2C (Business-to-Consumer): B2C companies, dealing directly with individuals, are heavily impacted by PDPA obligations, especially regarding consent, notification, and data breach requirements. They must ensure robust privacy practices, as they collect, use, and potentially disclose significant volumes of personal data from customers. Compliance fosters consumer trust, which is vital for brand loyalty and reputation.

B2B (Agency): B2B agencies, such as marketing or recruitment firms, act as data intermediaries managing clients' and individuals' data, requiring careful handling of data transfer and accountability obligations. Since they often process data on behalf of clients, agencies must have strict data protection contracts and procedures to comply with PDPA and protect client interests, maintaining trust and legal compliance.

B2B (Supply Chain): In supply chains, personal data processing may be minimal and limited to business contacts or partners, but PDPA still requires due diligence. Supply chain businesses must ensure third-party vendors or partners comply with PDPA standards, especially for data transferred across borders. This obligation strengthens accountability throughout the chain, reducing risks and ensuring data protection standards are upheld at each stage.

What type of Data Subject (Individual) does your company handle in relation to personal data?

Employee

Independent Contractor

Direct Customer (Consumer)

Indirect Customer (of the Client)

Accountability Obligation

The Accountability Obligation under the PDPA requires organizations to be responsible for managing personal data in compliance with data protection laws. This obligation ensures that organizations implement policies and practices to safeguard personal data, appoint a Data Protection Officer (DPO), and are prepared to demonstrate accountability in their data protection measures. By fulfilling this obligation, organizations build trust and transparency with customers and stakeholders.

Q1. Has your organization appointed a Data Protection Officer (DPO) or assigned someone the responsibility for data protection matters?

Yes

Q1a. Is the appointed DPO trained and has clearly defined responsibilities

Yes

Q1b. DPO Contact is made available and easily accessible by the Public

Yes

Q2. There are appropriate policies and practices in place for managing personal data (including employee data) by the organization, encompassing collection, use, disclosure, and purposes, including sensitive personal data.

Q3. There is a defined process for regularly reviewing and updating data management policies and practices, which includes obtaining management endorsement for changes and ensuring compliance with relevant laws and guidelines.

Q4. Organisation provides relevant training to all relevant internal stakeholders to increase awareness of and compliance with data protection policies and practices.

Q5. There are processes in place to receive and respond to queries or complaints regarding the organization’s collection, use, or disclosure of personal data, ensuring timely responses that include explanations of remedial actions for complaints and documentation retention for a reasonable period.

Q6. There are appropriate policies and practices in place for conducting risk and impact assessments, including Data Protection Impact Assessments (DPIAs), to identify, assess, and address data protection risks, ensuring alignment with the organization’s operational functions and compliance with the PDPA. Management develops, approves, and implements recommended action plans to mitigate identified risks in a timely manner.

Purpose Limitation Obligation

The Purpose Limitation Obligation requires organizations to collect, use, or disclose personal data only for purposes that a reasonable person would consider appropriate under given circumstances and that have been clearly communicated to the individual. This obligation ensures that data is handled responsibly, preventing misuse or unauthorized applications beyond the original purpose, and fostering transparency and trust with individuals.

Q7. The organisation has processes to ensure that only personal data necessary for specified purposes, including sensitive data, is collected and used. These purposes must be appropriate and consistent with PDPA requirements.

Q8. Regular reviews are conducted to confirm that the purposes for collecting personal data are still necessary, appropriate, and consistent with PDPA standards.

Q9. The organisation ensures that personal data is used and disclosed only for purposes for which consent has been given. Where consent is not obtained, data use or disclosure aligns with a PDPA exception or legal requirement.

Consent Obligation

The Consent Obligation mandates that organizations must obtain clear and informed consent from individuals before collecting, using, or disclosing their personal data. Consent must be voluntary, and individuals should be informed of the specific purpose for data usage. This obligation ensures respect for individual privacy and reinforces trust by giving individuals control over their personal information.

Q10. The organisation ensures valid consent is obtained from individuals for the collection, use, or disclosure of their personal data, including express and deemed consent (by conduct, contractual necessity, or notification).

Q11. If the organisation intends to use or disclose personal data for purposes different from the original intent, processes are in place to notify individuals and obtain consent for these new purposes.

Q12. The organisation has mechanisms to verify that any individual providing consent on behalf of another is validly authorized to act on that individual’s behalf.

Q13. Where consent cannot be obtained, the organisation collects personal data only under PDPA-defined exceptions or as authorized by other written laws.

Q14. The organisation provides clear, accessible information on how individuals can withdraw consent for specific purposes. This information is made available in an easily accessible and understandable format, such as through a data protection policy on the corporate website or terms and conditions on forms that collect consent.

Notification Obligation

The Notification Obligation requires organizations to inform individuals of the purpose and scope of personal data collection, use, or disclosure before or at the point of collection. By clearly communicating these intentions, organizations enhance transparency and ensure individuals understand how their data will be handled, fostering informed consent and trust.

Q15. The organisation has processes in place to provide clear and concise notifications to individuals regarding the purpose(s) of collecting, using, or disclosing their personal data on or before the point of collection.

Accuracy Obligation

The Accuracy Obligation requires organizations to make reasonable efforts to ensure that personal data collected, used, or disclosed is accurate and complete. This obligation helps prevent errors that could negatively impact individuals and ensures that decisions made using personal data are based on correct and up-to-date information.

Q16. The organisation has processes in place and makes reasonable efforts to verify that personal data under its control is accurate, complete, and relevant for the purposes of making decisions affecting the individuals to whom the data relates.

Q17. The organisation ensures that any personal data disclosed to another organisation is reasonably accurate, complete, and suitable for the intended purposes.

Protection Obligation

The Protection Obligation requires organizations to implement reasonable security measures to safeguard personal data from unauthorized access, collection, use, disclosure, copying, modification, or disposal. This obligation is essential for preventing data breaches, protecting individuals' privacy, and maintaining trust in the organization's commitment to data security.

Q18. The organisation has established security policies, practices, and measures, covering physical, technical, and administrative safeguards to protect personal data from unauthorized access, collection, use, disclosure, modification, or loss.

Q19. The organisation implements technical, physical, and administrative security measures, informed by regular risk assessments, to protect personal data effectively.

Q20. The organisation regularly conducts risk assessments to identify necessary security measures and reviews them to ensure alignment with relevant legal requirements.

Q21. Security policies, practices, and measures are regularly monitored, reviewed, updated, and endorsed by management, ensuring continuous improvement and communication to relevant internal and external stakeholders

Q22. The organisation has measures in place to prevent accidental disclosure of personal data.

Q23. The organisation ensures that any ready-made software in use provides adequate security to protect personal data effectively.

Retention Limitation Obligation

The Retention Limitation Obligation requires organizations to retain personal data only for as long as it is necessary to fulfill the purpose for which it was collected. Once the data is no longer needed, it should be securely disposed of to prevent unauthorized access. This obligation ensures responsible data management and reduces the risk of unnecessary data exposure.

Q24. The organisation has implemented a data retention policy that defines retention periods and specific mechanisms for managing various types of personal data in its possession or control. This policy ensures that data is retained only as long as necessary for its original purpose or if there is a legal or business justification.

Q25. The organisation conducts both regular and ad-hoc reviews of its data retention policies and periods to ensure data is only retained as long as necessary for business or legal purposes. Ad-hoc reviews are prompted by significant changes in business operations, products, or services.

Q26. The organisation has established procedures to either cease retention of, destroy, or anonymise personal data when (a) the purpose of data collection is no longer valid, and (b) there is no business or legal need to retain it. The disposal process is designed to prevent data recovery, and anonymisation measures ensure individuals cannot be re-identified.

Transfer Limitation Obligation

The Transfer Limitation Obligation requires organizations to ensure that personal data transferred outside Singapore is protected to a comparable standard under the PDPA. This includes verifying that overseas recipients implement adequate safeguards, ensuring continued data protection even across borders, and maintaining individuals' privacy rights.

Q27. The organization keeps track of personal data transferred overseas, including the recipient(s), and has processes in place to ensure such transfers use data transfer mechanisms permitted under the Personal Data Protection Regulations.

Access and Correction Obligation

The Access and Correction Obligation grants individuals the right to access their personal data held by an organization and to request corrections if the data is inaccurate or incomplete. This obligation promotes transparency, giving individuals control over their data and ensuring that organizations maintain accurate and relevant information.

Q28. There is information readily available on how individuals may request access to and correction of their personal data held by the organization. This information is easily accessible, clearly worded, and easy to understand for all recipients.

Q29. The organization responds to requests by individuals to access their personal data and correct their personal data as soon as reasonably possible, making corrections as soon as practicable unless there are reasonable grounds not to do so.

Q30. The organization informs individuals of the expected time needed to respond to their access or correction requests, and, if applicable, any fees associated with processing an access request.

Q31. There are processes in place to preserve a complete and accurate copy of personal data for at least 30 calendar days following a rejected access request.

Data Breach Notification Obligation

The Data Breach Notification Obligation requires organizations to promptly assess and notify affected individuals and the Personal Data Protection Commission (PDPC) of data breaches that may cause significant harm. This obligation ensures that individuals are informed of potential risks to their personal data, allowing them to take protective actions, and promotes accountability in the organization’s response to data breaches.

Q32. Does your organization have a plan or procedures in place for handling data breach incidents?

Yes

Q32a. Your organisation has a formal data breach management plan and process in place to meet mandatory data breach notification requirements.

Q32b. Your organisation manages and handles breach incidents according to its established data breach management plan and process.

Q32c. Your organisation has effectively communicated roles and responsibilities to all relevant internal and external stakeholders involved in the data breach management plan.

Q32d. Your organisation has implemented measures to monitor for potential data breaches in a timely manner.

YOUR PDPA COMPLIANCE GAPS IN MINUTES