Data Strategy Briefing — April 15, 2025
Singapore is expected to commence the Personal Data Protection Act's data portability provisions in April 2025, pushing organisations to stand up export APIs, verification workflows, and third-party recipient governance.
Executive briefing: The Personal Data Protection Commission (PDPC) has signalled that the long-delayed data portability provisions under Part VIB of the PDPA will commence in April 2025 following the Model AI Governance Framework 3.0 rollout. Organisations must prepare to honour individual requests to transmit user-provided and user-activity data to designated recipients, subject to sectoral exceptions and prescribed formats.
Key governance checkpoints
- Data mapping. Identify datasets qualifying as user-provided and user-activity data, annotating sensitivity levels, retention, and transfer restrictions.
- Identity verification. Establish robust authentication and authorisation workflows to confirm requestors and third-party recipients before data export.
- Exception handling. Document reliance on refusal grounds (e.g., proprietary derived data) and define escalation paths for regulator review.
Operational priorities
- API delivery. Build secure export interfaces capable of delivering machine-readable data within the prescribed turnaround times.
- Third-party governance. Vet recipient organisations and capture attestations on security, onward transfer controls, and deletion commitments.
- Customer communications. Update notices and FAQs explaining eligibility, processing timelines, and limitations.
Enablement moves
- Pilot portability processes with strategic partners to validate infrastructure, legal agreements, and support scripts.
- Integrate portability metrics into privacy dashboards for board oversight and PDPC reporting.
Sources
Zeph Tech operationalises Singapore data portability with export API blueprints, exception handling guides, and PDPC-ready reporting packs.