Personal Data Protection Acts across ASEAN — most notably Singapore's PDPA (2012, significantly amended 2020) and Thailand's PDPA (2019, effective 2022) — govern the collection, use, and disclosure of personal data for individuals in those jurisdictions. For Indian IT outsourcing firms and BPOs serving Singapore and Thailand-based clients (a significant and growing segment), these laws create direct compliance obligations equivalent in scope to GDPR and the DPDP Act.

Singapore's PDPA is enforced by the Personal Data Protection Commission (PDPC) with fines up to S$1 million or 10% of annual Singapore turnover. The 2020 amendments introduced mandatory data breach notification (within 3 days), enhanced consent obligations, and a Data Portability Obligation. Thailand's PDPA closely mirrors GDPR — with Data Controller/Processor distinctions, lawful bases, and data subject rights.

🏞 ASEAN Market: Singapore is the gateway for Indian IT firms into Southeast Asia. PDPA compliance, combined with ISO 27001 and SOC 2, is often a prerequisite for winning Singapore government GovTech projects and financial sector contracts.