Pricing

The specific enforcement action(s) taken by the PDPC for an organisation’s failure to appoint a DPO will depend on the circumstances of the data breach incident, the organisation’s non-compliance with the PDPA and its response to rectify the situation. Enforcement outcomes could comprise Warnings, Directions or Financial Penalty. Therefore, it is crucial for organisations to comply with the requirement to appoint a DPO, as mandated by the PDPA, and ensure proper data protection governance.

Personal data refers to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access.

In determining personal data, organisations should consider (i) whether the purpose of the information about or relates to an individual (e.g., information about an individual’s health, educational, employment background, activities); and (ii) whether the individual is identifiable from that data. In general, there should be at least two data elements in the dataset before individuals can be identified. The nature of data will also affect identifiability. 

The PDPC has the power to issue directions to secure an organisation’s compliance with the Data Protection Provisions as set out in the PDPA. The directions may instruct the organisation as follows:

a)    To stop collecting, using or disclosing personal data in contravention of the PDPA;

b)    To destroy personal data collected in contravention of the PDPA;

c)    Comply with any direction of the PDPC concerning access and correction under the PDPA; and

d)     To pay a financial penalty of such amount not exceeding $1 million as the PDPC thinks fit.