Cybersecurity serves as the essential legal infrastructure for meeting the Protection Obligation (Section 24) of the Personal Data Protection Act (PDPA). "Reasonable security arrangements" are a legal mandate under the PDPA, requiring organizations to prevent unauthorized access and data loss while significantly reducing the risk of heavy financial penalties in the event of a data breach.
The Legal Value of Cybersecurity
Organizations often respond that because cybersecurity is never 100% effective, it is a futile effort for PDPA compliance. The idea that cybersecurity is 'all or nothing' is a dangerous myth. In the eyes of the PDPC, there is a massive legal difference between an organization that was breached despite its best efforts and one that was breached because it didn't try at all.
The PDPA doesn't demand an impossible guarantee—it demands accountability. Abandoning controls because they aren't foolproof actually increases your legal liability.
Section 48J(6) of the PDPA provides the legal basis for this principle, explicitly allowing the PDPC to consider an organization's efforts to prevent a breach when determining financial penalties.
Under Section 48J(6) of the Personal Data Protection Act (PDPA), the PDPC has the discretion to consider mitigating factors when deciding on the amount of a financial penalty. A key factor it looks at is whether the organization took "appropriate steps" to comply with the Act. In determining whether to impose a financial penalty and, if so, the amount of that penalty, the PDPC considers the factors listed in Section 48J and Section 48J(6) of the PDPA respectively.
In practice, this means that if you can prove your organization had implemented reasonable, appropriate, and effective cybersecurity arrangements, the PDPC may view this as a significant mitigating factor—even if a breach occurs due to circumstances beyond your control.
By being proactive, you aren't just protecting data; you are building a legal defense. It demonstrates that your organization has acted with accountability in safeguarding personal data.
At the end of the day, robust cybersecurity practices are not just a compliance requirement—they are a good investment in your organization’s resilience and reputation.
Many organizations put off cybersecurity initiatives thinking they aren't worth the effort, but continuing down this path leaves you exposed to serious risk. Let’s change direction—it’s never too late to secure your future.
Voluntary Undertaking
Understanding the Voluntary Undertaking is critical for organizations in Singapore because it serves as a strategic enforcement alternative that can save significant time, money, and reputation following a potential data breach.
The Personal Data Protection Commission (PDPC) frequently accepts voluntary undertakings from organizations to resolve data breach incidents without a full investigation or heavy financial penalties. These cases usually involve ransomware attacks, phishing, or system vulnerabilities.
Once an undertaking is accepted, the PDPC typically suspends its investigation into the specific incident to give the organization time to complete its remedial actions. The PDPC monitors the organization to ensure it follows through. If the organization fails to comply with the terms, the PDPC can resume the investigation or issue a formal direction to compel compliance.
The PDPC has full discretion but generally considers an undertaking if:
- The organization has accountable policies and practices already in place.
- The organization provides a clear remediation plan with specific steps and completion dates.
- The request is made early in the investigation process.
Common Remedial Actions
Organizations often commit to specific improvements, such as:
- Implementing Multi-Factor Authentication (MFA/2FA) for administrative accounts.
- Engaging external experts to audit and improve cybersecurity setups.
- Conducting penetration testing and vulnerability assessments.
- Training employees on data protection protocols.
- Formalizing data retention policies and asset inventories.
Good cybersecurity practices demonstrate to the Personal Data Protection Commission (PDPC) that your organization is "accountable". This accountability is a core requirement for being granted a voluntary undertaking, which allows you to implement a remediation plan instead of undergoing a full, formal investigation.