Manage Data Protection Compliance with Ease

Firms are under increasing pressure to minimise their potential exposure to hefty penalties resulting from non-compliance with data protection regulations as they manage vast amounts of personal information. Local businesses face this risk on multiple fronts, particularly with regard to Singapore’s Personal Data Protection Act (PDPA) and the European Union’s General Data Protection Regulation (GDPR) that took effect on 25 May 2018. Such laws require companies to comply with relevant privacy regulations relating to areas such as employee data, customer information and shareholder information. Apart from compliance, personal data protection is also crucial because it increases customers’ trust in the company.


What is the Personal Data Protection Act (PDPA)?

Singapore’s PDPA consists of the Data Protection Provisions and Do Not Call Provisions. Personal data includes a person’s full name, NRIC number and mobile phone number, among others. Organisations are required to comply with the PDPA if they undertake activities relating to the collection, use or disclosure of personal data. Businesses need to manage the following obligations under the PDPA.



Organisations must obtain the consent of individuals before collecting, using or disclosing personal data for a purpose.

Purpose Limitation

Organisations can only collect, use and disclose personal data if deemed reasonable and appropriate in the circumstance.


Organisations must notify the individual of the purpose for which it is collecting, using, and disclosing the personal data.

Access and Correction

Individuals have the right to request the organisation to reveal its methods of using and disclosing the personal data, or to correct an error or omission relating to personal data collected by the organisation.


Organisations have to ensure that the personal data collected is accurate and complete.


Organisations have to implement adequate internal security controls to prevent unauthorised access, collection, use, and disclosure of personal data collected by the organisation.

Retention Limitation

Organisations must not retain documents containing personal data or destroy personal data that can be associated with individuals once the purpose of the personal data is no longer valid or if there is no legal or business purpose.

Transfer Limitation

Organisations are prohibited from transferring personal data outside Singapore except in accordance with PDPA requirements.


Organisations must implement the necessary policies and procedures in order to meet their obligations under the PDPA.


What is the General Data Protection Regulation?

The European Union’s GDPR regulates the processing of personal data relating to individuals in the EU by an individual or an organisation. It also applies to companies that have controllers or processors of personal data based in the EU. Organisations should note the following under the GDPR:

  • A wider coverage over what is considered personal data, including IP addresses of individuals
  • Requirement to delete all personal data relating to the individual upon withdrawal of consent unless there is a legal basis for not doing so
  • Individuals have the right to expect their personal data to be “forgotten”. This requires organisations to delete all personal data relating to the individual when it is no longer necessary for the purpose of its collection.


Our "Privacy by Design" Solution

We help organisations to establish a data privacy programme that is based on a “Privacy by Design” approach. This means embedding privacy in all aspects within the organisation, from information-processing systems and technologies to policies and procedures that govern data management as well as employee conduct. This also means adopting a strategy that manages and protects personal information throughout its entire life cycle from collection to destruction.

Governance & ComplianceData Management & Analysis         Policies & Implementation
  • Data security governance review
  • Technology and organisation security review
  • Privacy impact assessment
  • Review of IT development and purchase procedure
  • Compliance management framework development
  • Data flow and inventory mapping  information audit
  • Data collection audit
  • IT security controls review
  • Outsourcing risks management
  • Formalise/update policies
  • Incident response framework/breech notification procedure
  • IT development and procurement procedures
  • Staff awareness training
  • Data Protection Officer (DPO) training


View our full range of cybersecurity advisory and incident response services or learn how our Technology Services & Advisory team can assist you.

Find out more about the PDPA at
For more information on the GDPR, visit

Our specialist

Contact us

Complete this form and an RSM representative will be in touch.