Data, The New Currency
Data is being shared online at an alarming rate. From the subscriptions we have, emails we send, and the items we purchase online, there is a lot of Personally Identifiable Information (PII) that we surrender for the sake of our digital convenience.
Digital businesses are hungry for this data — data that paves the way for compelling customer behavioral analytics that can spur greater consumption of a business’ products or services.
But as businesses hanker for this growing repository of customer data, there is a rising sentiment that businesses are ill-equipped to properly secure and manage the data that they collect. This stems from a slew of data breaches and misappropriation of customer data. Parallel to this rising sentiment is the authorities educating the public on protecting their own customer data, and giving data up only when absolutely necessary to a service.
In Singapore, the Personal Data Privacy Commission (PDPC) implemented the Personal Data Privacy Act (PDPA) in 2012 to regulate the managing of personal data by organizations in Singapore.
What is PDPA?
The PDPA establishes a data protection law that comprises various rules governing the collection, use, disclosure and care of personal data. It recognizes both the rights of individuals to protect their personal data, including the rights of access and correction, and the needs of organizations to collect, use or disclose personal data for legitimate and reasonable purposes.
Organizations, however, are still at a loss at how to comply with the PDPA. The number of organizations breaching Singapore’s Personal Data Protection Act (PDPA) has jumped to a new annual high, well before the year is over, based on findings published on Tuesday (Sept 17).
By the end of August 2019, 26 organizations had been fined or warned over PDPA breaches, up from 23 organizations recorded in all of last yearorganizations had been fined or warned over PDPA breaches, up from 23 organizations recorded in all of last year.
To help organizations in Singapore understand compliance with the PDPA a little better, we explore the main business areas that overlap with the sphere of governance of the PDPA.
As of October 5 2020, a company found guilty of a data breach can be fined up to 10 per cent of its annual turnover in Singapore.
This is particularly critical in the digital marketing ecosystem, where the temptation to collect as much customer data as possible can cause organizations to err. The Cambridge Analytica-Facebook scandal was one of the prominent cases that brought the spotlight onto personal data privacy. As such, organizations must thoroughly review the requirements in their online and offline forms to see if the information requested of consumers is critical or not.
Organizations are no longer allowed to call or email individuals without their explicit permission, otherwise, the organization is liable to a PDPA fine. The collection of National Registration Identity Card (NRIC) Numbers and other National Identification Numbers is also currently being regulated, and organizations are disallowed from physically holding on to these cards unless deemed absolutely necessary.
Cybersecurity — No Privacy Without Security
Inseparable from the competency to handle the data that an organization collects is the capability to secure the data collected. The PDPA governs not just how the data is stored, but also who has access to the data, a process that often involves third party organizations. Organizations in tightly regulated industries like financial services will see that, in fact, many of the security requirements in various compliance frameworks like ISO 27001 and PCI DSSvarious compliance frameworks like ISO 27001 and PCI DSS overlap with those of the PDPA.
It then makes sense for organizations to begin adopting robust security practicesrobust security practices early in order to get ahead of both the authorities as well as cyber attackers, who can, together, cost organizations a lot, as seen in the 2018 SingHealth and IHiS data breach.
One of the biggest fines in 2019 was doled out to Singapore-based Horizon Fast Ferry, which provides ferry services between Singapore and Batam. According to the PDPC, the company failed to appoint a data protection officer, develop and implement data protection policies and practices, and put in place reasonable security arrangements to protect its customers’ personal data.
Central to an organization’s efforts to comply with the PDPA is a Data Protection Officer (DPO), someone who drives organization buy-in and compliant processes across all departmentsdrives organization buy-in and compliant processes across all departments. Organizations will have to decide if it is critical to hire a dedicated DPO, or appoint an existing employee to double hat as a DPO.
Are You In Breach of PDPA?
Failing to put in place reasonable security arrangements to prevent unauthorized disclosure of personal data, exemplified in a $9,000 fine given to Singtel. In another case, the Central Depository (CDP) received a fine of $32,000 when it mailed dividend checks to outdated addresses and put over 200 customers at risk of having personal data disclosed.
Take a look at the checklist here to ensure your organization has covered your bases in order to avoid fines — and more importantly, prevent any damage to reputation.
Updates: Amendments to the PDPA and Spam Control Act
On 2 Nov 2020, the Personal Data Protection (Amendment) Bill was passed in Parliament. The Enhanced PDPA is an updated version aligned with international best practices and global frameworks in response to the rapid growth in data and changes in consumer behavior through social media, the adoption of Internet-of-Things (IoT) technologies, and the rise of personalized services that are based on data-driven technologies.
With organizations having access to more personal data, this was always a natural next step for the PDPA to safeguard the interests of consumers while maintaining its position as a leading privacy framework that other countries can follow. Large corporations can now easily adapt global practices to PDPA and achieve compliance in their Singapore offices.
Privacy laws like the PDPA and GDPR are setting a new standard for organizations to benchmark their practices against. While it may not be immediately intuitive how your organization can comply with privacy best practices, leveraging the expertise of third party privacy expertsexpertise of third party privacy experts can be a cost-effective solution to help you chart a roadmap for compliance.