Data Protection, Privacy and Cybersecurity

Our experience in data protection, privacy and cybersecurity predates, and also extends beyond, Singapore's Personal Data Protection Act 2012 (PDPA) and Cybersecurity Act 2018. We have advised numerous clients in many industries on the requirements of general data protection and cybersecurity law, as well as sectoral laws and frameworks, in particular, in the Telecommunications, Media and Technology (TMT), Banking and Finance, and Healthcare and Life Sciences sectors. Several members of our team have also worked in industry in data protection or similar roles and have the necessary “in-house” perspective to translate legal advice into practical, implementable and cost-effective governance and compliance solutions.

Our clients, several of which are household names, include companies operating globally or regionally (such as the world’s leading social networking site, a major platform service provider, telco and Internet service providers, airlines, mobile device manufacturers and software developers) as well as large local companies in various industries (such as banking and finance, technology infrastructure, manufacturing, entertainment, and sports). We have also assisted a number of SMEs, non-profit entities and other organisations to meet their compliance obligations.

Some of the matters we have worked on include the following: 

• Development / adaptation of local, regional or global (group-wide) data protection policies, frameworks and compliance programmes; 
• Implementation of cross-border data protection requirements including in relation to cloud-based services and cross-border transfers of personal data (into or from Singapore);
• Response to data breaches and cybersecurity incidents, including the reporting and disclosure obligations and remediation requirements to comply with applicable laws and obligations (see below for more information); 
• Data protection / cybersecurity audits for compliance with applicable laws and frameworks such as APEC Cross-Border Privacy Rules System (CBPRs), and Singapore’s Data Protection Trust Mark (DPTM);
• Advising on specific data protection issues, such as use of device IDs and cookies in relation to the collection of data, data retention and use for business purposes, legal issues relating to digital certification services, electronic signatures and encryption keys, and assisting on responses to information requests made pursuant to investigations by law enforcement and regulatory authorities (locally and from other jurisdictions).

Knowing that our clients’ needs in this area may stretch into other domains, we have established the Drew Data Protection & Cybersecurity Academy to provide training and assist clients in developing and implementing organisational strategies, structures, policies and processes to meet their obligations as they seek to leverage their data assets and take advantage of (or develop) new technologies and insights into their business.

Developments in technology and business in recent years present both opportunities and challenges to companies in relation to their data processing activities. Some new technologies enable companies to derive greater insights and value from their data and provide better protection to personal data. However, the cyber threat landscape has also grown significantly as cyber-criminals and other threat actors develop and deploy cyberattacks of increasing scale and sophistication. Companies face increasing regulatory scrutiny in relation to their collection, use and protection of personal data, and the “cost” of a data breach may extend far beyond rectifying gaps in security, especially if a company loses the trust of its customers, business partners and other stakeholders.

Our team includes professionals with deep technical expertise and a solid understanding of business needs in relation to data protection and cybersecurity. To anchor and strengthen the technical knowledge our legal professionals have gained over many years advising clients in the TMT sector, our team includes a senior cybersecurity engineer who is experienced in addressing the technology-related aspects of data protection.

To date, we have advised several clients on Data Breach Management, Response and Notification, including development of data breach management plans. To ensure that our clients can quickly and effectively respond to a data breach, particularly during the initial, critical phase, we have developed a Data Breach First Responder service.

We have been at the forefront of the development and implementation of data protection law in Singapore, given our extensive experience assisting Singapore's national data protection authority, the Personal Data Protection Commission (PDPC), in setting up and implementing the PDPA. We have also acted for the PDPC in a number of significant enforcement cases and appeals under the PDPA, including cases with a significant cybersecurity element. Furthermore, our team includes former PDPC staff with significant legal and technical backgrounds and a number of our team’s lawyers have previously been seconded to the PDPC. As such, we have developed an unparalleled understanding and appreciation of the PDPC’s regulatory frameworks and policy thinking. We continue to represent the PDPC (and its parent statutory board, the Info-communications Media Development Authority), in policy and enforcement matters.

More recently, we have also advised other regulators in ASEAN on the development and implementation of data protection laws in their respective jurisdictions (including related areas such as capability development and public outreach).

As more countries enact data protection and cybersecurity laws (particularly within the last decade), companies operating regionally or globally require compliance solutions that can address their legal risks across multiple jurisdictions and as data moves across borders.

Our practice has a strong focus on the ASEAN region and Asia generally, and we have advised several clients with businesses and operations in these regions. Where necessary, we partner with law firms in other jurisdictions to ensure that our clients legal and compliance needs are fully addressed. Knowing how laws and developments in one jurisdiction may affect those in another, our team also actively monitors developments in ASEAN and Global Data Protection Law so that our clients can better anticipate changes in the legal and regulatory landscape which may affect their business.

GDR 100

Listed as one of the world’s top 100 data law firms by Global Data Review for 3 consecutive years

The practice “accurately identifies our needs without much prompting” and is able to “tailor a comprehensive scope of services which met our objectives, timeline and budget”. The client also praises the team’s extensive network, which is “able to connect us with reputable law firms in other countries to assist us on the personal data protection project, so while we communicated with Drew & Napier only, the team smoothly coordinated the project with foreign law firms”.

One client notes Chong Kin’s “impressive” knowledge of personal data protection law and appreciates ability to provide advice on a “regulator’s stance and rationale for the law”.

Another client praises David Alfred for his ability to “quickly analyse complex issues and provide robust analysis on compliance processes”.

“The firm provides a seamless and personalised service that gives you surety that the lawyers in charge are considering your matters after putting down the phone. It doesn’t attempt to bill for every bit of advice, and doesn’t give constant disclaimers to fend off liability, which is a sign of confidence. In urgent situations, its lawyers are prepared to give advice directly, without insisting upon written instructions. The firm has a wide global network which gives easy access to reputable and reliable lawyers in other jurisdictions – it has relationships with these and so isn’t just name dropping.”

“Whether you have a fat or lean legal budget, Chong Kin remains consistent as a true partner and far-sighted adviser. His knowledge of data protection law is impressive but, best of all, he is able to advise about the regulator’s stance and the rationale behind the law. He is also incredibly responsive and gives matters his personal attention.”

Chambers Asia Pacific

TMT 2023 - Band 1 for 16 consecutive years

Leading Individual:
Lim Chong Kin

"The firm is extremely knowledgeable in the areas we have discussed. Everyone we interacted with understands the issues from a commercial point of view."

"It was awesome - they are so fast and very hands-on."

“Areas of strength include telecoms and media regulations, as well as data protection issues.”

The Asia Pacific Legal 500

TMT 2023 – Tier 2 for 4 consecutive years; Tier 1 for 11 consecutive years (2009 - 2019)

Hall of Fame:
Lim Chong Kin (4 consecutive years)

Leading Individual:
Lim Chong Kin (9 consecutive years; 2010 - 2019)

Recommended Lawyer:
David Alfred (3 consecutive years)

‘provides a truly excellent service in terms of responsiveness, business acumen and practical knowledge’

‘fantastic’ and ‘deserve strong recognition for their client focus’

"excellent legal knowledge and in-depth understanding of the regulator"

Who’s Who Legal

Lim Chong Kin
Global Guide: Data – Information Technology 2022 – Recommended Lawyer for 4 consecutive years
Global Guide: Data – Data Privacy & Protection 2022 – Recommended Lawyer
Global Guide: Telecoms & Media 2022 – Recommended Lawyer for 4 consecutive years
National Guide: Southeast Asia – Data 2022 – Recommended Lawyer for 2 consecutive years

asialaw Profiles
“Proactive, responsive, timely and solutions-oriented.”