November 22, 2019
Last week, we talked about the GDPR and its implications. If you’re a local SME/business that doesn’t deal with EU citizens at all, you might be heaving a sigh of relief and thinking that you’re safe. But did you know that Singapore has its own version? Here’s another acronym you should probably be very familiar with, even as a regular individual: PDPA, which stands for the Personal Data Protection Act.
Passed by our Parliament in October 2012, it was gradually implemented over 2013 and 2014. The PDPA is meant to govern the use, collection and disclosure of personal data - this could mean anything ranging from fingerprints to an individual’s name and IC or image. It has also allowed for the Do Not Call (DNC) Registry to be set up - upon registering, individuals can opt out of receiving marketing calls, SMSes or faxes from organisations. Fun fact: the PDPA can also protect the personal data of individuals who have been dead for less than 10 years.
There are a select few who do not have to comply with the PDPA:
- Any individual acting in a personal or domestic capacity
- Any public agency
- Any employee acting in the course of their employment with the organisation
As a business, there are a few things you should note, especially if the collection of personal data is central to your everyday operations:
- Always be clear about the types of data you are collecting and whether they are absolutely necessary for your business purposes.
- On that note: what are your business purposes? You have to be able to answer why exactly you’re collecting the data.
- Who is in charge of the collection? Have they gone through proper training? Are they authorised to collect data?
- Where is the data being stored?
- Who are you disclosing the data to? Your business is obliged to provide personal data to the individual who requests it, but you need to be very careful and verify that they are who they claim to be. Always ask for identification before handing over any data, to prevent leaks.
To be safe, it is good practice to implement both physical and technical data protection measures. You could keep hardcopies in a filing cabinet, for instance. Installing anti-virus software on all computer systems and using strong passwords reduces the risk of a data breach.
Who better to tell you if you’re PDPA-compliant or not than the Personal Data Protection Commission (PDPC) itself? Use this as a guide: https://apps.pdpc.gov.sg/resources/pato/home, because the implications of not being PDPA-compliant can be very heavy - you could face fines amounting to $1 million. The PDPC could also prevent you from further collecting, using and disclosing data or ask you to destroy existing data.
There is an important new addition that will come into effect on 1 September 2019: businesses will not be allowed to make copies of individuals’ NRICs or collect/use/disclose NRIC numbers, unless required by law or needed to verify an individual’s identity to a “high degree of fidelity”.
At Butleric, we ensure that all merchants we work with are aware of the PDPA, due to the large amount of data we need to collect and analyse. We understand the importance of protecting customers’ personal data more than anyone, and will work with you to keep the data secure, so that you can focus on running your business smoothly.