PDPA and Your IT Infrastructure: What Singapore Businesses Must Have in Place
Most Singapore businesses approach PDPA as a policy exercise. But the Personal Data Protection Act imposes specific technical obligations that can only be met through IT architecture decisions — access controls, encryption, logging, and breach detection. This guide covers what those obligations require and how to implement them practically.
PDPA Is Not Just a Legal Problem — It Is an IT Architecture Problem
Updating your privacy notice and appointing a DPO are necessary PDPA steps. They are also insufficient. The Personal Data Protection Act 2012, as amended by the Personal Data Protection (Amendment) Act 2020 (in force from 1 February 2021), imposes technical obligations that require specific IT controls to be in place. The PDPC has penalised organisations for technical failures, not just policy gaps, in multiple enforcement decisions.
Key Technical Obligations Under PDPA
Protection Obligation (Section 24)
Organisations must make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data. What counts as "reasonable" scales with the volume and sensitivity of the data, but PDPC enforcement decisions and its guidance on securing ICT systems have consistently expected controls such as:
- Encryption of personal data at rest and in transit
- Multi-factor authentication for systems holding personal data
- Role-based access controls with least-privilege principles
- Regular vulnerability assessments of systems storing personal data
- Patch management with a documented timeline for critical vulnerabilities (30 days is a common target; PDPC has penalised organisations that left known, patchable vulnerabilities open for months)
Retention Limitation Obligation
Personal data must not be retained once the purpose for which it was collected no longer applies and retention is no longer necessary for legal or business purposes (Section 25). IT systems must therefore support automated retention policies keyed to the purpose of collection, the ability to delete specific records on request (for example after consent is withdrawn), and audit trails proving that deletion occurred. Copies in backups, exports and replicas are the part most often forgotten; the retention policy has to cover them too.
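As an added example (not code from the original page), the retention job below deletes records whose purpose-specific retention period has lapsed, handles targeted deletion of a single record, and writes every deletion to a hash-chained audit table so that a later edit or removal of an audit entry is detectable. The SQLite schema, the retention periods and the sample rows are all constructed for illustration; real systems will differ.

```python
"""Retention job with a tamper-evident deletion audit trail (added example).
Assumes one SQLite table `personal_data` with a `purpose` column; the
retention periods and sample rows are constructed for illustration."""
import hashlib
import sqlite3
from datetime import datetime, timedelta, timezone

# Retention period per collection purpose, in days (assumed values;
# derive yours from the purposes stated in your privacy notice).
RETENTION_DAYS = {
    "loyalty_programme": 365,
    "hotel_stay": 7 * 365,
    "marketing_consent": 180,
}
GENESIS = "0" * 64  # prev_hash of the first audit entry


def init_schema(conn):
    conn.executescript("""
        CREATE TABLE personal_data (
            id           INTEGER PRIMARY KEY,
            subject_ref  TEXT NOT NULL,   -- internal reference, not the NRIC itself
            purpose      TEXT NOT NULL,
            collected_at TEXT NOT NULL,   -- ISO 8601, UTC
            payload      TEXT NOT NULL
        );
        CREATE TABLE deletion_audit (
            seq INTEGER PRIMARY KEY, deleted_at TEXT NOT NULL, record_id INTEGER NOT NULL,
            purpose TEXT NOT NULL, reason TEXT NOT NULL,
            prev_hash TEXT NOT NULL, entry_hash TEXT NOT NULL
        );
    """)


def _entry_hash(prev_hash, deleted_at, record_id, purpose, reason):
    material = f"{prev_hash}|{deleted_at}|{record_id}|{purpose}|{reason}".encode()
    return hashlib.sha256(material).hexdigest()


def _append_audit(conn, deleted_at, record_id, purpose, reason):
    # Chain each entry to the previous one: editing or removing an entry breaks verification.
    row = conn.execute("SELECT entry_hash FROM deletion_audit ORDER BY seq DESC LIMIT 1").fetchone()
    prev_hash = row[0] if row else GENESIS
    conn.execute(
        "INSERT INTO deletion_audit (deleted_at, record_id, purpose, reason, prev_hash, entry_hash) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (deleted_at, record_id, purpose, reason, prev_hash,
         _entry_hash(prev_hash, deleted_at, record_id, purpose, reason)))


def delete_record(conn, record_id, reason, now):
    """Delete one record (expiry, consent withdrawal, access request) and log it."""
    row = conn.execute("SELECT purpose FROM personal_data WHERE id = ?", (record_id,)).fetchone()
    if row is None:
        return False
    conn.execute("DELETE FROM personal_data WHERE id = ?", (record_id,))
    _append_audit(conn, now.isoformat(), record_id, row[0], reason)
    return True


def purge_expired(conn, now):
    """Delete every record older than its purpose's retention period; returns deleted ids."""
    deleted = []
    for purpose, days in RETENTION_DAYS.items():
        cutoff = (now - timedelta(days=days)).isoformat()  # same ISO/UTC format as collected_at
        ids = [r[0] for r in conn.execute(
            "SELECT id FROM personal_data WHERE purpose = ? AND collected_at < ? ORDER BY id",
            (purpose, cutoff))]
        for rid in ids:
            delete_record(conn, rid, f"retention_expired:{days}d", now)
            deleted.append(rid)
    conn.commit()
    return deleted


def records_without_policy(conn):
    """Records whose purpose has no retention period: a policy gap to fix, not data to keep forever."""
    placeholders = ",".join("?" * len(RETENTION_DAYS))
    return [r[0] for r in conn.execute(
        f"SELECT id FROM personal_data WHERE purpose NOT IN ({placeholders}) ORDER BY id",
        tuple(RETENTION_DAYS))]


def verify_audit_chain(conn):
    """Recompute the hash chain; False if any audit entry was altered or removed."""
    prev_hash = GENESIS
    for deleted_at, record_id, purpose, reason, stored_prev, stored_hash in conn.execute(
            "SELECT deleted_at, record_id, purpose, reason, prev_hash, entry_hash "
            "FROM deletion_audit ORDER BY seq"):
        if stored_prev != prev_hash or _entry_hash(prev_hash, deleted_at, record_id, purpose, reason) != stored_hash:
            return False
        prev_hash = stored_hash
    return True


def build_sample_db():
    """Constructed sample data for the demo (not real records)."""
    conn = sqlite3.connect(":memory:")
    init_schema(conn)
    utc = timezone.utc
    rows = [
        ("S-001", "loyalty_programme", datetime(2022, 1, 1, tzinfo=utc)),  # expired
        ("S-002", "loyalty_programme", datetime(2024, 3, 1, tzinfo=utc)),  # kept
        ("S-003", "hotel_stay",        datetime(2015, 1, 1, tzinfo=utc)),  # expired
        ("S-004", "marketing_consent", datetime(2024, 5, 1, tzinfo=utc)),  # kept
        ("S-005", "legacy_import",     datetime(2010, 1, 1, tzinfo=utc)),  # no policy
    ]
    conn.executemany(
        "INSERT INTO personal_data (subject_ref, purpose, collected_at, payload) VALUES (?, ?, ?, ?)",
        [(s, p, t.isoformat(), "{}") for s, p, t in rows])
    conn.commit()
    return conn


FIXED_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the demo is reproducible

if __name__ == "__main__":
    conn = build_sample_db()
    print("deleted:", purge_expired(conn, FIXED_NOW))       # [1, 3]
    print("no policy:", records_without_policy(conn))       # [5]
    print("audit chain intact:", verify_audit_chain(conn))  # True
```

The hash chain is what turns "we deleted it" into evidence: an auditor can recompute the chain and any gap or edit shows up. In production the chain head should be copied somewhere the database administrator cannot rewrite (a write-once log store or a periodically signed checkpoint), otherwise an attacker with database access can simply rebuild the chain.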
Breach Notification Obligation (2021 Amendment)
Organisations must notify PDPC as soon as practicable, and no later than 3 calendar days after determining that a breach is notifiable: one that is likely to result in significant harm to the affected individuals, or one of significant scale (500 or more individuals). PDPC also expects that assessment to be completed within 30 calendar days of becoming aware of a suspected breach, and affected individuals must be notified where significant harm is likely. Meeting these timelines requires incident response capability, sufficient logging to determine the scope of a breach, and a clear escalation path from IT to the DPO.
Data Mapping: The Prerequisite for Everything Else
You cannot protect what you cannot find. A data inventory must map every system, database, and file share containing personal data. For most Singapore SMEs, personal data is held in:
- CRM systems (customer contact details, transaction history)
- HR systems (employee NRIC, salary, medical records)
- Email servers and archives
- Cloud storage (OneDrive, Google Drive, Dropbox shared files)
- POS systems (customer purchase records, loyalty data)
- Hotel PMS (guest passport data, stay history, payment details)
- CCTV systems (footage in which individuals can be identified is personal data; facial recognition or other biometric processing raises the sensitivity further)
Access Controls: Restricting Who Can Touch Personal Data
A recurring pattern in PDPC enforcement decisions is excessive access: employees with no business need could reach personal data because access was never restricted, and shared or generic accounts made it impossible to say who did what. Key controls:
- Implement role-based access control (RBAC) on all systems holding personal data
- Require MFA for remote access to these systems
- Disable accounts within 24 hours of employee termination
- Log all access to personal data records and retain logs for 12 months minimum
- Conduct quarterly access reviews for privileged roles
Encryption Requirements
PDPC has penalised organisations storing personal data in plaintext when encryption was readily available. Practical implementation:
- At rest: Enable encryption on all storage containing personal data (BitLocker for Windows, FileVault for Mac, AES-256 for databases and NAS)
- In transit: Enforce TLS 1.2 or later for all web applications and APIs; disable SSLv3, TLS 1.0 and TLS 1.1 and the weak cipher suites that come with them
- Email: Use TLS transport encryption when sending personal data externally, but note that opportunistic STARTTLS silently falls back to plaintext if the receiving server does not offer it; for sensitive data (NRIC numbers, medical or payroll records) encrypt the attachment or use a secure file-transfer link instead of relying on transport encryption alone
- Removable media: Restrict or block USB on endpoints handling personal data
Breach Detection Capability
The 3-calendar-day notification clock starts when you determine a breach is notifiable, and the 30-day assessment window starts when you become aware of a suspected breach. You cannot determine what you cannot detect, so your infrastructure must support:
- Centralised logging across all systems holding personal data
- Alerting on anomalous data access patterns (mass downloads, off-hours access)
- Network monitoring for unusual outbound data transfers
- An escalation procedure routing security alerts to the DPO within hours
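The two alerting rules named above, run over constructed access-log lines, as an added example (not code from the original page). The key=value log format, the thresholds (20 records in 10 minutes, business hours 08:00 to 18:59 Singapore time) and the sample users are assumptions to tune for your own environment; a production deployment would run the same logic in your SIEM or log pipeline.

```python
"""Detection rules for personal-data access logs (added example).
The log format, sample lines and thresholds below are constructed
assumptions, not taken from any real system."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SGT = timezone(timedelta(hours=8))  # Singapore has no DST, so a fixed offset is exact
BUSINESS_HOURS = range(8, 19)       # 08:00-18:59 local time (assumed)
MASS_THRESHOLD = 20                 # records read/exported by one user ...
MASS_WINDOW = timedelta(minutes=10) # ... within this window triggers an alert (assumed)

# Assumed log line shape: "<iso-timestamp> user=<id> action=<verb> record=<id> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"record=(?P<record>\S+) src=(?P<src>\S+)$")


def parse_log(lines):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"]).astimezone(SGT)
        events.append(ev)
    return events


def detect_off_hours(events):
    """Any access to a personal-data record on a weekend or outside business hours."""
    alerts = []
    for ev in events:
        t = ev["ts"]
        if t.weekday() >= 5 or t.hour not in BUSINESS_HOURS:
            alerts.append({"rule": "off_hours", "user": ev["user"], "record": ev["record"],
                           "src": ev["src"], "ts": t.isoformat()})
    return alerts


def detect_mass_download(events):
    """A user reading/exporting >= MASS_THRESHOLD records inside any MASS_WINDOW."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["action"] in ("read", "export"):
            by_user[ev["user"]].append(ev["ts"])
    alerts = []
    for user, times in by_user.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):           # sliding window over sorted timestamps
            while t - times[start] > MASS_WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= MASS_THRESHOLD:
            alerts.append({"rule": "mass_download", "user": user, "count": peak,
                           "window_minutes": int(MASS_WINDOW.total_seconds() // 60)})
    return alerts


def run_detections(lines):
    events = parse_log(lines)
    return detect_off_hours(events) + detect_mass_download(events)


# Constructed sample log: alice works normally, carol exports a record at 02:31,
# bob reads 25 records in five minutes. 2024-06-03 is a Monday.
SAMPLE_LOG = [
    "2024-06-03T09:15:02+08:00 user=alice action=read record=CUST-1001 src=10.0.1.15",
    "2024-06-03T09:16:40+08:00 user=alice action=read record=CUST-1002 src=10.0.1.15",
    "2024-06-03T09:20:11+08:00 user=alice action=update record=CUST-1001 src=10.0.1.15",
    "2024-06-04T02:31:55+08:00 user=carol action=export record=CUST-2210 src=203.0.113.8",
] + [
    f"2024-06-03T14:{i // 5:02d}:{(i * 7) % 60:02d}+08:00 user=bob action=read "
    f"record=CUST-{3000 + i} src=10.0.1.77"
    for i in range(25)
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

The off-hours rule is deliberately noisy on its own; in practice it is paired with an allow-list for roles that legitimately work shifts (hotel front desk, on-call support), and the mass-download rule is tuned per system, since 20 records in ten minutes is normal for a call-centre agent and alarming for an HR intern. The source IP on each alert is what lets the DPO later decide whether the event was an insider or a compromised account, which is exactly the scoping question the notification assessment has to answer.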
Cloud Services and Third-Party Vendors
PDPA applies to data intermediaries (its term for processors) acting on your behalf, but you remain responsible for the Protection and Retention Limitation obligations for data they hold. If you use cloud SaaS or a managed IT provider that handles personal data, a written Data Processing Agreement (DPA) setting out security, retention and breach-reporting requirements must be in place. If the provider stores or processes data outside Singapore, the Transfer Limitation Obligation (Section 26) also applies: the contract must bind the recipient to a standard of protection comparable to the PDPA. Ask vendors for ISO 27001 certification or a SOC 2 Type II report as assurance evidence, and check the scope statement, since a certificate that does not cover the specific service you use proves little.
Practical First Steps
- Complete a data inventory — identify all systems holding personal data
- Review access rights and remove excessive permissions
- Enable encryption at rest on file servers, NAS, and critical databases
- Implement MFA for all remote and admin access
- Set up centralised logging with a 12-month retention policy
- Document your incident response procedure for data breaches
- Review and sign DPAs with all IT vendors and cloud providers
If your IT infrastructure does not yet have these controls in place, AGR Networks can assist with a security assessment and remediation roadmap. Contact us to discuss.