Singapore’s PDPA: Time to Act

Do you receive unsolicited calls or mailers for things you never signed up for? Annoying, right? But are you sure your company is not doing the same to other people?

By Philip Chong, Executive Director, Enterprise Risk Services, Deloitte

The first provisions of Singapore’s Personal Data Protection Act (PDPA) came into force on 2 January 2013, with an 18-month sunrise period for organisations to prepare. The Do-Not-Call (DNC) provisions have been enforced since 2 January 2014, and the remaining data protection obligations and the related rights of individuals follow during 2014, so companies need to familiarise themselves with what this involves.
Personal data is defined as data, whether true or not, about an individual (living or deceased) who can be identified either from that data alone or from that data together with other information to which the organisation has, or is likely to have, access. It covers electronic and non-electronic records alike, including email addresses and phone numbers, and it is not restricted to customers and prospects: the personal data of your own employees is covered too.
Business contact information, however, is excluded from the data protection obligations of the PDPA, although the requirements of the DNC registry still apply to it.
This covers an individual’s name, position, business telephone number, business address and business email address. Such details are not treated as personal data, provided they were given for business rather than personal purposes.
Nor does this mean that existing data must be erased or that fresh consent must be obtained from every individual. Personal data collected before the data protection rules took effect can still be used for the reasonable purposes for which it was collected; what you cannot do is repurpose it, for instance by using data collected for some other purpose for direct marketing.
Every organisation in Singapore is affected, including listed and private companies, partnerships and charities. The consequences of non-compliance include financial penalties of up to S$1 million, criminal prosecution and, potentially, civil lawsuits. Organisations using cloud services should note that responsibility for compliance stays with them, not with the cloud service provider.

What can you do to protect your organisation?

First, perform an impact assessment. Identify which parts of your business hold or have access to personal data and how they use it, then determine which internal processes need review and which marketing practices need to be redesigned.
Once you have evaluated the actions required, you can develop a data privacy and protection framework or programme; in most cases it can be implemented relatively quickly. The framework should include an incident response plan for DNC-related complaints, a process for conducting DNC registry checks (including setting up a DNC registry account) and an overall governance structure. If your organisation does not already have one, consider appointing a Data Protection Officer.
Going forward, arrange training and awareness programmes so that staff follow the regulations and understand what they can and cannot do, and set up regular monitoring and periodic reviews to ensure ongoing compliance.
By the end of this process, you should be able to confirm compliance with key obligations of the PDPA, including:
• Designation of one or more individuals responsible for compliance with the PDPA;
• Implementation of policies and practices to meet obligations under the PDPA;
• Implementation of data protection processes; and
• Communication of the organisation’s policies and practices to staff.
For many organisations, PDPA compliance will be a significant challenge for which they lack the resources in-house. Given the size of the penalties and the brand damage a violation can cause, it may be worth seeking expert advice to ensure that your company complies from day one.

The Nine PDPA obligations:

  • Consent: Only collect, use or disclose personal data with the individual’s consent
  • Purpose limitation: Only collect, use or disclose personal data for the purposes for which consent was given
  • Notification: Notify the individual of those purposes on or before collection
  • Access & Correction: On request, give the individual access to their data and information on how it has been used or disclosed, and correct any error or omission
  • Accuracy: Make reasonable efforts to ensure data is accurate and complete
  • Protection: Make reasonable security arrangements to protect data
  • Retention limitation: Cease to retain data once it no longer serves a business or legal purpose
  • Transfer limitation: Only transfer data to another country in compliance with the regulations of both jurisdictions, ensuring a comparable standard of protection overseas before transferring
  • Openness: On request, provide information on your data protection policies, practices and complaints process