No surprises - data breach reporting becomes mandatory
By Lyn Boxall, Director, Lyn Boxall LLC
On Thursday 14 May 2020, the Ministry of Communications and Information and the Personal Data Protection Commission of Singapore launched an online public consultation on the Personal Data Protection (Amendment) Bill 2020.
It is no surprise that the amendment bill includes mandatory data breach reporting. The Commission conducted consultations on data breach notification two or three years ago. In the interim it has published guides about managing data breaches and has encouraged organisations to notify it about data breaches that may indicate that a systemic issue is the cause of the breach.
The Commission notes in the Public Consultation Paper that data breach notifications are central to organisations' accountability because they encourage organisations to establish risk-based internal monitoring and reporting systems to detect data incidents. The Commission also expressed the view that, when coupled with breach management plans, data breach notifications are integral to organisations' incident response and remediation.
The Commission said that accountable organisations may also couple breach notification and breach mitigation plans in order to apply for a statutory undertaking. Please see the separate paper about voluntary undertakings (also referred to as statutory undertakings) for more information on them.