What is PDPA and How You Can Manage Risks of Non-Compliance

The Personal Data Protection Act (PDPA), introduced in 2013, changed how businesses can market to their customers. You can no longer cold call your potential customers randomly, hoping to land sales. It is a severe blow to the telemarketing industry.

But, what is PDPA all about, and how can you ensure your organization complies with the PDPA requirements?

This article will help you answer these questions.

What is PDPA all about?

According to the Personal Data Protection Commission Singapore:

“The PDPA establishes a data protection law that comprises various rules governing the collection, use, disclosure and care of personal data. It recognises both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.”

Every day, organizations collect personal data to process transactions, so there is growing concern about how this personal data is being used. The goal of PDPA is to regulate the collection and use of this personal data.

What is Personal Data?

Before discussing further, it is important to know what personal data is. According to the Personal Data Protection Act:

“Personal data means data, whether true or not, about an individual who can be identified from that data or from that data and other information to which the organisation has or is likely to have access.”

Therefore, the following data are considered to be personal data:

  • Name

  • NRIC Number

  • Personal Mobile Number

  • Passport Number

  • Photographs

  • Personal Email Address

  • Residential Address

It is interesting to point out that personal data does not include a name used in a business context, position, business telephone number, business address or business email address.

Complying with PDPA

There are 9 main data protection obligations organizations have to comply with in PDPA:

1. Consent Obligation

You should always obtain consent before you collect, use or disclose an individual’s personal data. Consent can be express or deemed. Express consent is usually in writing. Deemed consent is implied. For example, if an individual sends his resume to you for a job, it is deemed that he has given you consent to collect his personal data.

For the consent to be valid, you must notify individuals of the specific purpose for which the personal data is collected, and the request must be reasonable, i.e. only ask for the data you need. Lastly, you must not use false or deceptive methods to collect the data.

2. Purpose Limitation Obligation

You may only use the data for the purpose you informed the individuals of at the point of collection.

3. Notification Obligation

You must inform or notify the individual of the purpose of personal data collection when you are collecting the data to obtain the individual’s consent.

4. Access and Correction Obligation

Individuals have the right to access their personal data that you keep. If you receive a request, you should respond within 30 days unless it is not possible. You may deny the request if it is unreasonable or it contains personal data of another individual.

Individuals also have the right to correct their personal data with you. You should also pass the correction on to those to whom you have disclosed the data.

5. Accuracy Obligation

You must ensure that the personal data is accurate when you are using the data to make a decision that will affect the individuals, or you are disclosing the data to another individual.

6. Protection Obligation

You should take reasonable measures to ensure that the personal data collected is secure. There should be no unauthorised access, collection, or amendment.

If you are unsure, please refer to our article on cyber risk for more information.

7. Retention Limitation Obligation

You are not allowed to keep the personal data indefinitely. While there is no fixed guideline, the retention period is determined by:

  • Whether the purpose of obtaining the data is still valid;

  • Whether you still need to retain the data in future, e.g. when an ex-customer complains about your product.

8. Transfer Limitation Obligation

You should not transfer personal data collected outside of Singapore unless that country provides protection similar to PDPA. To ensure compliance, you should include PDPA protection as part of a contract or impose inter-corporate rules such as a code of conduct.

9. Openness Obligation

You should make your data protection policies, access/correction process and complaints process available to the public upon request.

Besides these 9 obligations, you also need to comply with the Do Not Call (DNC) Registry. You are not allowed to call, send a text message to, or fax numbers that are on the DNC registry. Individuals who have registered their number with the DNC Registry have explicitly indicated that they do not want to receive unsolicited marketing messages.

This means before you make any cold calls to individuals, always check the DNC registry unless that individual has given “clear and unambiguous consent.”

Consequences of Breaching PDPA

If you are guilty of an offence under PDPA, you are subject to a fine not exceeding S$10,000 or imprisonment not exceeding three years, or both. There can be a further fine of up to $1,000 per day for a continuing offence.

Investigation of non-compliance usually starts with a complaint lodged by affected individuals with the Personal Data Protection Commission.

Managing Risks of Breaching PDPA

Given that the consequences of non-compliance can be expensive, here are some ways to reduce the risk of your organization breaching PDPA.

Review Existing Processes and Systems

The first step is to review your existing processes for collecting, using, sharing and destroying personal data. In your review, take particular note of the following:

  • Did you disclose the purpose of collecting the data?

  • Did the user give clear consent for you to collect the data?

  • Have you used the personal data for other purposes?

  • Is the data you asked for reasonable for the intended purpose?

  • Is it possible for someone to access the data without authority?

  • Do you have a policy of destroying the data?

  • Do you share the data with employees or external parties only when they need the data?

Set Up Processes, Procedures and Policies to Fulfill Obligations

You also have to determine some processes/procedures to fulfill your obligations under PDPA.

Procedures for Access and Correction

Establish procedures for individuals to request access or correction. Be sure to specify how many days are needed, and the costs involved (if any). If you are not able to provide or correct the data, make sure you inform the requester of the status and the reason.

Clear Retention Policy

Have a clear personal data retention policy as to how long you are going to keep the data. Make sure you take into account legal or regulatory requirements as well as business continuity.

Set up Complaint Channels

Set up channels for individuals to complain about PDPA non-compliance. You would rather know about it before they bring it to the Personal Data Protection Commission. Address the complaint in a professional manner and investigate the source of the breach.

With all these policies in place, make sure you communicate them to the public.

Train Your Staff

Lastly, after setting up various processes and communication channels, you will have to train your staff to ensure that they know the PDPA requirements.


PDPA helps individuals to protect the usage of their personal data. It is essential for organizations to comply with the PDPA requirements when collecting, using and disseminating personal data.

This article shows you the PDPA requirements you need to comply with, and how you can manage the risks of a breach.
