The DPEX has published a fascinating report which summarises something which should be obvious to anyone who has been paying attention to this space: PDPA Enforcement has gone up. The Data Protection Excellence Centre (DPEX) is a “facility in the region whose aim is to provide leadership, best practices, training, research and support for all things surrounding data privacy from an operational perspective”. It is linked to Straits Interactive, which, among other things, provides training and certification in all things data protection in Singapore and the region.
Obviously they have a vested interest in the claim, but research is useful anyhow. Mainly because I don’t have to do it. 😁
Some Highlights of the DPEX Report
Check out this awesome graph from the report:
Holy smokes!! What have we been doing this year? As the report states, the accumulated fines from the previous three years “dwarfs” the previous amount recorded up to August this year. (Fun fact: there were three more cases in September)
Of course, the SingHealth data breach incident this year recorded a $1 million fine. However, as the report points out, even after taking out this high-profile outlier, we are still faced with a very active eight months which is still higher than the previous 12 months.
The report also helpfully counts the number of sections of the PDPA or obligations breached.
Not surprisingly, the Protection Obligation features the most, and it accounts for 80% of breaches. The Protection Obligation mainly deals with unauthorised disclosures of personal data through data breaches.
Sadly, the Report does not analyse breaches based on trends. The report does not really validate my theory that the PDPC is starting to focus on policies, or that there is a $5,000 going rate for not appointing a DPO.
I did not notice that the Consent Obligation is the second most cited breach though. Perhaps I should look through my data again.
My Hot Take
Why do this report? The authors conclude:
… organisations are advised to beef up their governance and data protection practices to proactively address common breach scenarios and demonstrate accountability, or they risk enforcement action
Kevin Shepherdson, Head, DPEX Centre and CEO, Straits Interactive, DPEX MEDIA RELEASE, “NUMBER OF ORGANISATIONS BREACHING THE PERSONAL DATA PROTECTION ACT RISE SIGNIFICANTLY IN SINGAPORE” (17 SEPTEMBER 2019)
If you have been paying attention (or following this blog), none of this is news. PDPA Enforcement has become more active. The groundwork of the PDPC, from the jurisprudence and the Active Enforcement Framework to the Data Protection Trustmark, provides a pretty solid basis for the PDPC to do this.
That said, I am not very confident about the statistical claims made in the report. There is nothing being said about where they got this information — I assume it is from the PDPC’s website. There isn’t a need for the PDPC to write a decision for every enforcement action they carry out. This is why even though it looks more active from the way the PDPC has carried out its work, I don’t really dare to say the numbers have gone up or anything.
Furthermore, mandatory breach notification is not a requirement in Singapore. There could be several data breaches, but they never see the light of day.
Numbers, however, are important in encouraging management to care. The report puts a dollar sign and a number to the work that the PDPC is doing (my other posts also have the same aim), and gives Data Protection Officers something to show their management. I do hope the PDPC continues their work, and hopefully this reminds them too to be more open about their work.
What other evidence is there to show how PDPA enforcement is in Singapore? Please feel free to share!