Data Protection, Privacy and Cybersecurity

Drew & Napier’s work in data protection, privacy and cybersecurity precedes the advent of Singapore's Personal Data Protection Act 2012 (“PDPA”) and Cybersecurity Act 2018. Our expertise extends beyond general data protection law to sectoral frameworks, in particular, in the Telecommunications, Media and Technology (“TMT”), financial and healthcare sectors. Over the last decade, Drew & Napier has been one of the leading practices in this field, having worked on a number of important matters for our clients.
We have been at the forefront of the development of data protection laws in Singapore, given our extensive experience assisting Singapore's data protection authority, the Personal Data Protection Commission (“PDPC”), in setting up the implementing data protection laws in Singapore. We continue to represent the PDPC (and its parent statutory board, the Info-communications Media Development Authority (“IMDA”)) in advisory, enforcement and policy work.
Since 2013, we have acted for the PDPC as its external legal counsel and regulatory advisors, and have worked on many of the most significant developments in the Singapore data protection scene. These include assisting the PDPC to formulate implementing regulations and guidelines under the PDPA and developing the enforcement framework under the PDPA. We have also acted for the PDPC in a number of significant enforcement cases and appeals under the PDPA, including cases with a significant cybersecurity element. Furthermore, our team includes former PDPC staff with significant legal and technical backgrounds and a number of our team’s lawyers have previously been seconded to the PDPC. As such, we have developed an unparalleled understanding and appreciation of the PDPC’s regulatory frameworks and policy thinking.

In addition, Drew & Napier also acts for a wide range of clients on a variety of data protection, privacy and cybersecurity matters. These matters run the full gamut, including the implementation of group-wide data protection compliance programmes, the localisation of global data privacy policies, data protection training programmes, the requirements of Singapore's Cybersecurity Act 2018, developing a data breach management plan, dealing with data breaches and cybersecurity incidents (whether involving hacking, malware or accidental disclosure), data breach reporting obligations under Singapore law, conducting regulatory risk audits and addressing ad hoc queries.
Our clients, several of which are household names, include MNC telcos and Internet companies (ranging from the world’s leading social networking site to mobile device manufacturers to software developers) as well as local clients across various industries (including airlines, manufacturing, entertainment, and fast-moving consumer goods).

Some of the matters we have worked on include the following: 

  1. assisting the PDPC to administer Singapore’s personal data protection law, from the earliest days of formulating its implementing frameworks, to routinely advising the PDPC in enforcement matters and new policy initiatives; 

  2. providing wide-ranging advice on the Singapore data protection regime, including in respect of novel and challenging legal issues; and 

  3. advising on Singapore's cybersecurity laws and queries relating to potential or actual data breaches and the necessary disclosure requirements and remedial actions in Singapore.

Building on our experience in this field, Drew & Napier has established the Drew Data Protection and Cybersecurity Academy to provide training and other services relating to data protection and cybersecurity.

Practice Areas/Capabilities

  • Adapting global policies, or developing new policies, for data protection, privacy, cybersecurity and consumer protection in relation to clients’ business, operations and offices in Singapore; 
  • Advising on cross-border data protection issues including issues relating to cloud-based services, application of Singapore law to oversee breach reporting obligations and cross-border transfers of personal data (into or out from Singapore);
  • Advising on potential or actual data breaches and cybersecurity incidents, including the necessary reporting and disclosure obligations and remedial actions in Singapore; 
  • International standards and frameworks relating to data protection and cybersecurity including the APEC Cross-Border Privacy Rules (CBPR), and their implementation under Singapore law;
  • Advising on data protection concerns relating to the introduction of novel telecommunication and information technology services in the Singapore market; 
  • Advising on key issues, queries and requests on personal data protection, such as data retention and systems migration projects, access requests, and assisting on responses to information requests made pursuant to investigations; 
  • Advising on legal issues arising from the provision of cybersecurity services and related activities; 
  • Advising on legal issues relating to digital certification services, electronic signatures and encryption keys. 


GDR 100
Listed as one of the world’s top 100 data law firms in Global Data Review’s inaugural GDR 100 2021

“The firm provides a seamless and personalised service that gives you surety that the lawyers in charge are considering your matters after putting down the phone. It doesn’t attempt to bill for every bit of advice, and doesn’t give constant disclaimers to fend off liability, which is a sign of confidence. In urgent situations, its lawyers are prepared to give advice directly, without insisting upon written instructions. The firm has a wide global network which gives easy access to reputable and reliable lawyers in other jurisdictions – it has relationships with these and so isn’t just name dropping.”

“Whether you have a fat or lean legal budget, Chong Kin remains consistent as a true partner and far-sighted adviser. His knowledge of data protection law is impressive but, best of all, he is able to advise about the regulator’s stance and the rationale behind the law. He is also incredibly responsive and gives matters his personal attention.”

Chambers Asia Pacific
TMT 2020 - Band 1 for 13 consecutive years

Leading Individual:
Lim Chong Kin

“Areas of strength include telecoms and media regulations, as well as data protection issues.”

The Asia Pacific Legal 500
TMT 2020 – Tier 2; Tier 1 for 11 consecutive years (2009 - 2019)

Leading Individual:
Lim Chong Kin

‘provides a truly excellent service in terms of responsiveness, business acumen and practical knowledge’

‘fantastic’ and ‘deserve strong recognition for their client focus’

"excellent legal knowledge and in-depth understanding of the regulator"

Who’s Who Legal
Leading Lawyer:
Data - (IT, Telecoms & Media) 2019/20 - Lim Chong Kin
