In May 2024 alone, Singapore’s data protection regulator, the Personal Data Protection Commission (Commission) has issued three enforcement decisions that imposed a total of SG$102,000 (approximately US$76,000) in regulatory fines for infringements of Singapore’s Personal Data Protection Act (Act).

The Commission also accepted undertakings from six other organisations, each of whom was found to be lacking in its compliance with the Act. By way of background, the Commission is empowered to, in lieu of carrying out a full investigation, accept an undertaking from an organisation that has potentially contravened the Act. Such undertaking must seek to implement remediation plans, and address systemic shortcomings, to ensure compliance on a continual basis.

The recent decisions in May shed light on a number of important issues and offer useful takeaways for a business to note when considering its compliance with the Act.

We outline five such key takeaways.

• There is no “one size fits all” approach to meeting the security obligation.

• In all the above cases, the organisations were found to be “wanting” or “lacklustre” in their cybersecurity and data protection practices.

• The Commission went to great lengths to assess where the standards in each of these instances fell short. It also referenced its various published guides and previous decisions that offered an array of examples of good practices when protecting personal data; including vendor management, encryption, password protocols, pre-launch testing, vulnerability scans, regular security reviews and ongoing monitoring.

• Ultimately, however, it is the organisation that holds responsibility (and retains discretion) to determine how best to operationalise compliance, since any design and implementation of security would need to reflect the nature of the business and types of services offered, as well as the volume and sensitivity of data handled. In other words, the obligation to protect personal data by making “reasonable security arrangements” is contextual.

• Minors’ and national identification details are considered to be more sensitive.

• While not explicitly prescribed in the Act, the enforcement decisions allude to greater weight being given to breaches that involve more sensitive personal data, namely, minors’ data, as well as national identification details including passport numbers.

• A repeated infringement is an aggravating factor.

• The fact that one of the organisations had previously contravened the Act was a relevant consideration in a higher penalty being meted out by the Commission.

• An organisation’s cooperativeness, and owning up to its responsibilities, are mitigating factors.

• In general, organisations that were found to be cooperative throughout the Commission’s inquiry and investigation process, or which voluntarily undertook to improve on their compliance in specific and measurable ways, faced less severe regulatory sanctions.

• The Act imposes an obligation on organisations to protect all personal data in their possession or control – not just of data subjects located within Singapore.

• The Commission also clarified that its jurisdiction to enforce contraventions of the Act is not fettered by other proceedings undertaken by privacy authorities abroad.