Personal data in Singapore is protected under the Personal Data Protection Act 2012.

The Personal Data Protection Act in Singapore (PDPA)

Personal data in Singapore is protected under the Personal Data Protection Act 2012 (PDPA).

Balancing both the protection of individuals and the needs of organizations, it draws largely on existing best practices in the EU, UK, Canada, Hong Kong, Australia and New Zealand, as well as the OECD Guidelines on the Protection of Privacy and Transborder Flow of Personal Data, and the APEC Privacy Framework. As such, it is broadly parallel with legislation such as the EU’s General Data Protection Regulation, GDPR.

Key considerations for PDPA
There are some key differences that foreign firms need to consider to ensure compliance:

  • While there is no ‘right to erasure’, there is provision for Access and Correction, which imputes similar obligations to the right to erasure/be forgotten.
  • A critical additional obligation relates to the transfer of data outside of Singapore – applying also to third-party vendors – including to the cloud, when that cloud resides outside Singapore.
  • Singaporean requirements also include the need to establish a Do Not Call (DNC) register and, as of 1 September 2019, there are limitations on the collection of National Registration Identification Card (NRIC) and similar identification data including, but not limited to, date of birth, FIN and passport numbers.

Solidatus helps to build a digital dashboard which shows managers how personal data is being used and where it is stored. This provides a demonstrable compliance with cloud storage regulations, the Right to Access and Correction, in addition to both DNC and NRIC legislation by understanding the flow and location of data.

Becoming compliant
To become compliant firms need to:

  • understand where contact information is held to avoid breaching DNC regulations, and
  • review and delete personal data collected prior to the new NRIC guidelines.

Schedule your live demo

“Game changing”, Gartner review

Solidatus for PDPA

Organizations need a tool to help them identify required consent and ensure that the use of personal data within their firm is purposeful, appropriate and reasonable. Solidatus provides these essential elements to comply with PDPA.

Solidatus plays a vital role in PDPA by:

  • mapping the flow of data within an organization,
  • allowing for full transparency on how it is used, and
  • laying the groundwork should regulators ever ask a business to prove their compliance.

By using Solidatus, an organization gains invaluable insight into its data landscape. The tool enables users to visualize and analyze lineage showing what type of data they have and how it moves through their systems. It is impossible for senior management to be completely confident that the organization is not inadvertently contravening some aspect of PDPA without this, leaving them open to enforcement and reputational risks.

Company-wide collaboration

Through its collaborative and crowdsourcing model, Solidatus allows for quick and effective enterprise wide identification of where personal information is held. Working with all teams across the organization, a clear understanding can be made of exactly where data is and how it’s being used in business and IT processes.

Visualize and map metadata

Data flow can be clearly mapped out to visualize each contact point and ownership can then be assigned. Once an organization possesses this knowledge they can quickly and confidently ensure compliance with Access and Correction, ensuring DNC data is managed properly and that legacy NRIC data is deleted.

Proactive approach to compliance

Solidatus enables companies to prove to the regulator that they are taking a proactive approach to PDPA by clearly documenting and auditing their data landscape and creating their Data Privacy Impact Assessment (DPIA) in terms of both location of data and the modeling of the processes deployed to achieve compliance. Solidatus can quickly discover, document and share models, simplifying the process of being compliant.

Demonstrate PIA risk

While implementing a DPIA alone does not ensure compliance, Solidatus can demonstrate to the regulator how and when a DPIA was conducted and prove how information is collected, stored, used, deleted and who has access to it. It also clearly shows that data privacy is a key consideration for future change.

Additional benefits

  • Build an operational data blueprint that can be further leveraged, turning an obligation into an asset.
  • Achieve a competitive advantage around areas such as data analytics, and generate efficiencies to broader system transformation by identifying lineage, modeling data quality and managing user access rights and data retention.
  • Identify data redundancy and duplication, allowing efficiencies and cost savings over the entire data lifecycle from data capture, through storage, retention, and timely managed destruction.
  • Create a transparency environment which allows data vendor and license costs to be rationalized and optimized for economy and efficiency.

You may also be interested in

Accelerate your PDPA compliance


Solidatus unlocks the true business value behind data. A lineage-first approach enables organizations to connect and visualize data relationships across the enterprise, simplifying how they identify, access and understand them. With a reimagined, sustainable data foundation in place, organizations can mine actionable intelligence and solve complex problems to deliver transformational business results.

Solidatus is a member of the EDM Council.

© 2022. Threadneedle Software Holdings Limited trading as Solidatus.  Privacy Policy | Modern Slavery Statement