Singapore pegs breach notification threshold at 500 data subjects – analysis

27 May 2020 - 12:00 am UTC

Singapore’s recent move to finalize its data protection law amendment raised some interesting talking points, including the mandatory notification threshold for data breaches that impact 500 or more individuals. This figure, however, should not be the sole criterion for determining reportable incidents, lawyers told PaRR. 
Meanwhile, unlike the EU’s GDPR which requires entities to notify within 72 hours after “becoming aware of” a breach, it is important to note that the clock does not start until a company determines a breach is reportable … this reassures and gives room for entities to determine if a breach causes significant harm to individuals, or whether it meets the numerical reporting threshold.

PaRR subscribers can read the full article on PaRR here.

Not a subscriber? PaRR delivers global intelligence on competition law. To read this article and more, apply for a free trial below.