PDPC updates Guide to Managing Data Breaches 2.0 and issues new Guide on Active Enforcement

27 June 2019

On 22 May 2019, the Personal Data Protection Commission (“PDPC”) issued a revised Guide to Managing Data Breaches 2.0 which fleshes out the existing voluntary breach notification system by providing detailed guidance on the contents of a data breach management plan and the steps for responding to data breaches. PDPC also released a new Guide on Active Enforcement which provides insights into PDPC’s enforcement policy. PDPC also updated the Guide to Developing a Data Protection Management Programme to highlight the role of senior management in managing data protection risks.

For further information, please contact:

Eugene Ho
+65 6890 7620
eugene.ho@allenandgledhill.com

Dr Stanley Lai, SC
+65 6890 7883
stanley.lai@allenandgledhill.com

Aaron Lee
+65 6890 7852
aaron.lee@allenandgledhill.com

Tham Kok Leong
+65 6890 7526
tham.kokleong@allenandgledhill.com

Alexander Yap
+65 6890 7627
alexander.yap@allenandgledhill.com

Managing data breaches under updated Guide to Managing Data Breaches 2.0

Organisations are encouraged to adopt the recommendations in the revised Guide to Managing Data Breaches 2.0 as this will allow them to respond to data breaches confidently and prepare for PDPC’s planned introduction of mandatory breach notification. PDPC welcomes feedback from organisations that have implemented these changes in order to make further improvements before breach notification becomes mandatory.

The revised guide fleshes out the voluntary breach notification system by providing detailed guidance on the contents of a data breach management plan and the steps for responding to data breaches. This is encapsulated in a four-step CARE framework as set out briefly below:

• Contain breach to prevent further compromise of personal data: An assigned individual or individuals should be notified of all suspected/confirmed data breaches immediately upon detection. He/she should then activate the data breach management team. An initial assessment of the data breach should be conducted to ascertain the severity of the data breach. The details of the data breach and post-breach response(s) should be recorded in an Incident Record Log to allow follow-up investigations or reviews.

• Assess risks and impact of the breach: Upon containment of the data breach, organisations should conduct an in-depth assessment of the data breach. In assessing the likely impact of the data breach, organisations should consider the context of the data breach, the ease of identifying individuals from the compromised data and the circumstances of the data breach.

Legal Bulletin / Financial Services Bulletin | June 2019 1


• Report breach to PDPC and inform affected individuals if necessary: Organisations are to carry out their assessment of the data breach expeditiously, within 30 days from when they first become aware of a potential data breach. Organisations should notify PDPC and/or affected individuals of a data breach that is (i) likely to result in significant harm or impact to the individuals to whom the information relates, or (ii) of a significant scale (i.e. the data breach involves personal data of 500 or more individuals). PDPC should be notified as soon as practicable, and no later than 72 hours from the time the organisation has completed its assessment. Affected individuals are to be notified as soon as practicable. Where organisations are uncertain if they should notify affected individuals, they should report to PDPC and seek clarification.

• Evaluate response to breach and review actions taken to prevent further data breaches: Where the containment efforts/initial remedial actions are ineffective and more lapses are found, the organisation may also implement other remedial actions to further reduce the harm to the affected individuals. The organisation should also review and learn from the data breach incident to improve its personal data handling practices and prevent the recurrence of similar data breaches.

Option to submit undertaking and expedited breach decision under Guide on Active Enforcement

The Guide on Active Enforcement articulates PDPC’s new approach in deploying its enforcement powers to act effectively and efficiently on the increasing number of incidents. Targeting consumers and organisations that handle personal data, the guide outlines how PDPC handles data protection complaints, how it investigates incidents, and the types of enforcement actions that PDPC may undertake in various circumstances. PDPC introduced the following two enforcement actions in the guide to motivate organisations to develop and implement accountable practices:

• Option to submit an undertaking: PDPC and/or the organisation may initiate an undertaking process when (i) the organisation is able to demonstrate it has in place accountable practices, for example a Data Protection Trustmark certified organisation, and is ready to implement its remediation plan, or (ii) PDPC is of the view that an undertaking achieves a similar or better enforcement outcome more effectively and efficiently than a full investigation. The organisation must request to invoke the undertaking process very soon after the incident is known, i.e. either upon commencement of investigations and/or in the early stages of investigations, and the organisation will not be given additional time to produce the remediation plan. The acceptance of an undertaking is solely within PDPC’s discretion. The undertaking process includes a written agreement between the organisation(s) involved and PDPC in which the organisation(s) voluntarily commits to remedy the breaches and take steps to prevent recurrence.

• Expedited breach decision: There is a new expedited decision process which brings investigations on clear-cut data breaches to a conclusion quickly. An expedited decision may be considered by PDPC at its discretion in certain circumstances, and requires an upfront admission of liability by the organisation(s) involved for breaching the relevant obligation(s) under the Personal Data Protection Act 2012 (“PDPA”) in respect of its/their role in the cause of the breach. The process draws on data breach cases in the last four years and feedback from stakeholders. Where financial penalties are involved, the organisation’s admission of its role in the incident will be taken into consideration as a strong mitigating factor. However, admissions might not be considered as a mitigating factor for repeated data breaches. In general, PDPC will consider an expedited decision when the only breach of the PDPA by the organisation(s) involved is that it has no Data Protection Officer or equivalent and/or no privacy policy, or when the nature of the data breach is similar to precedent cases with similar categories of facts.

Reference materials

The following materials are available on the PDPC website www.pdpc.gov.sg:

• PDPC media release

• Guide to Managing Data Breaches 2.0

• Guide on Active Enforcement

• Guide to Developing a Data Protection Management Programme

• Keynote Speech by Deputy Commissioner, Mr Yeong Zee Kin, at Know Ahead to Stay Ahead – Leadership’s Engagement in Data Protection at Infocomm Media Development Authority on Wednesday, 22 May 2019


The Allen & Gledhill Network

Allen & Gledhill (Singapore)
One Marina Boulevard #28-00
Singapore 018989
Tel: +65 6890 7188
Fax: +65 6327 3800
enquiries@allenandgledhill.com
allenandgledhill.com

Allen & Gledhill (Myanmar)
Junction City Tower, #18-01
Bogyoke Aung San Road
Pabedan Township
Yangon, Myanmar
Tel: +95 1 925 3717 / 3718
Fax: +95 1 925 3716

Rahmat Lim & Partners (Malaysia)
Suite 33.01, Level 33
The Gardens North Tower
Mid Valley City
Lingkaran Syed Putra
59200 Kuala Lumpur
Malaysia
Tel: +603 2299 3888
Fax: +603 2287 1278
enquiries@rahmatlim.com
rahmatlim.com

Soemadipradja & Taher (Indonesia)
Wisma GKBI, Level 9
Jl. Jenderal Sudirman No. 28
Jakarta 10210
Indonesia
Oene Marseille
Tel: +62 812 892 5102 / +62 21 574 0088
oene_marseille@soemath.com
soemath.com

Allen & Gledhill LLP (Registration No. LL0700925W) is registered in Singapore under the Limited Liability Partnerships Act 2005 with limited
liability and was converted from a firm (with the name “Allen & Gledhill”) to a limited liability partnership on and as from 1 July 2007. A list of the
partners and their professional qualifications may be inspected at One Marina Boulevard, #28-00, Singapore 018989.

This article does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. The contents of this article
are intended to provide general information only and do not contain or convey any legal or other advice. Although we endeavour to ensure that the
information contained herein is accurate, we do not warrant its accuracy or completeness or accept any liability for any loss or damage arising
from any reliance thereon. If you would like to discuss the implications of these legal developments on your business or obtain advice, please do
not hesitate to approach your usual contact at Allen & Gledhill or you may direct the inquiry to enquiries@allenandgledhill.com
