What are the 11 Obligations of PDPA and How DPaaS Help You Comply?


If you are an organisation handling personal data, it is considered your duty under Singapore’s Personal Data Protection Act (PDPA) to fulfil certain obligations. If you have been entrusted by employees and customers with valuable personal data, there are eleven obligations you need to follow.

  1. Purpose limitation obligation: You may collect, use, or disclose personal data only for purposes a reasonable person would consider appropriate. For instance, you can use it to provide your product or service, or for any other purpose for which you have been granted consent.
  2. Consent obligation: You need to obtain consent for a specific purpose before you can collect, use, or disclose personal data. You also need to allow individuals to withdraw their consent should they wish to.
  3. Accountability obligation: You are responsible for the personal data that has been entrusted to you. This means you need to demonstrate that responsibility by ensuring you comply with all eleven obligations. In line with this, it is worth investing in data protection services. You also need to appoint a data protection officer (DPO) who can implement data protection policies and other data protection best practices.
  4. Notification obligation: Your employees or customers must always be notified or informed of your purpose for using, collecting, or disclosing personal data.
  5. Transfer limitation obligation: You need to ensure that in the event of a cross-border transfer of personal data, it is done in a responsible and secure manner. The cross-border transfer should also follow the guidelines set by the regulating bodies.
  6. Retention limitation obligation: You need to stop retaining personal data once it is no longer required to fulfil any business or legal purpose. You also need to make sure that such data is disposed of securely.
  7. Accuracy obligation: You need to make sure that data that is in your care is complete and accurate. This is especially important when data is used to make decisions about an individual.
  8. Protection obligation: This is the obligation most commonly violated. You need to put in place security measures that actively protect the personal data in your care from unauthorised access, collection, use, or disclosure.
  9. Access and correction obligation: You need to give individuals access to their personal data upon request, including records of how their data was used or disclosed. You also need to correct any errors in the personal data records and relay the corrections to other organisations to whom the data has previously been disclosed or shared.
  10. Data protection notification obligation: You need to notify both the PDPC and the affected individuals when a data breach occurs. This is especially important when the breach could cause harm or when a large number of individuals are affected.
  11. Data portability obligation: When individuals request a transfer of their data, you need to transfer it in a machine-readable format.

If you need help with your PDPA compliance, investing in Data Protection-as-a-Service (DPaaS) is a good idea. The basic DPaaS package provided by Straits Interactive already includes the following:

  • Data protection training: A DPO hands-on course to professionally train a compliance officer or a data protection officer (DPO).
  • DPOinBOX privacy management software: You get three months' access to the classroom edition of the privacy management platform to help you manage operational compliance.
  • Legal guidance: In partnership with selected law firms, you get a one-hour consultation session if you need legal advice.
  • Data protection management: You can set up a data management system to help manage risks and document data flow.
  • Data breach management: You will get help creating a data breach response plan and procedures through a mock investigation exercise.