Commentary

How Will PDPA Affect Your Business?

Privacy laws like PDPA and GDPR are changing the way that organizations approach and protect customer data. Do these regulations only apply to large organizations, or is every organization liable? We discuss in this article.

By: Yang JianGang, Nov 01, 2019

Data, The New Currency

Data is being shared online at an alarming rate. From the subscriptions we have, emails we send, and the items we purchase online, there is a lot of Personally Identifiable Information (PII) that we surrender for the sake of our digital convenience.

Digital businesses are hungry for this data — data that paves the way for compelling customer behavioral analytics that can spur greater consumption of a business’ products or services.

But as businesses hanker after this growing repository of customer data, there is a rising sentiment that businesses are ill-equipped to properly secure and manage the data they collect. This stems from a slew of data breaches and cases of misappropriation of customer data. In parallel, the authorities are educating the public on protecting their own personal data and giving it up only when a service absolutely requires it.

In Singapore, the Personal Data Protection Commission (PDPC) implemented the Personal Data Protection Act (PDPA) in 2012 to regulate the management of personal data by organizations in Singapore.

What is PDPA?

The PDPA establishes a data protection law that comprises various rules governing the collection, use, disclosure and care of personal data. It recognizes both the rights of individuals to protect their personal data, including the rights of access and correction, and the needs of organizations to collect, use or disclose personal data for legitimate and reasonable purposes.

Organizations, however, are still at a loss as to how to comply with the PDPA. The number of organizations breaching Singapore’s Personal Data Protection Act (PDPA) has jumped to a new annual high, well before the year is over, based on findings published on Tuesday (Sept 17).

By the end of August 2019, 26 organizations had been fined or warned over PDPA breaches, up from 23 organizations recorded in all of last year.

To help organizations in Singapore understand compliance with the PDPA a little better, we explore the main business areas that overlap with the sphere of governance of the PDPA.

Data Collection

One PDPA rule that organizations frequently break is the requirement to obtain consent from consumers before collecting their data. Organizations must therefore be upfront with customers about how data is collected. For instance, they now need to draft specific cookie and privacy policies for their websites, explaining who gets to view and work with the data, and how long the data will be stored.

This is particularly critical in the digital marketing ecosystem, where the temptation to collect as much customer data as possible can cause organizations to err. The Cambridge Analytica-Facebook scandal was one of the prominent cases that brought the spotlight onto personal data privacy. As such, organizations must thoroughly review the requirements in their online and offline forms to see if the information requested of consumers is critical or not.

Organizations are no longer allowed to call or email individuals without their explicit permission; otherwise, the organization is liable to a PDPA fine. The collection of National Registration Identity Card (NRIC) numbers and other national identification numbers is also now regulated, and organizations are disallowed from physically holding on to these cards unless deemed absolutely necessary.

Cybersecurity — No Privacy Without Security

Inseparable from the competency to handle the data that an organization collects is the capability to secure it. The PDPA governs not just how the data is stored, but also who has access to it, which often includes third-party organizations. Organizations in tightly regulated industries like financial services will find that, in fact, many of the security requirements in standards like ISO 27001 and PCI DSS overlap with those of the PDPA.

It then makes sense for organizations to adopt robust security practices early in order to get ahead of both the authorities and cyber attackers, who together can cost organizations a great deal, as seen in the 2018 SingHealth and IHiS data breach.

One of the biggest fines in 2019 was doled out to Singapore-based Horizon Fast Ferry, which provides ferry services between Singapore and Batam. According to the PDPC, the company failed to appoint a data protection officer, develop and implement data protection policies and practices, and put in place reasonable security arrangements to protect its customers’ personal data.

Central to an organization’s efforts to comply with the PDPA is a Data Protection Officer (DPO), someone who drives organizational buy-in and compliant processes across all departments. Organizations will have to decide whether it is critical to hire a dedicated DPO, or to appoint an existing employee to double-hat as the DPO.

Closing Thoughts

Privacy laws like the PDPA and GDPR are setting a new standard against which organizations must benchmark their practices. While it may not be immediately intuitive how your organization can comply with privacy best practices, leveraging the expertise of third-party privacy specialists can be a cost-effective way to chart a roadmap for compliance.


Jiangang is a CyberOps Consultant at Horangi and a Certified Information Privacy Technology specialist supporting customers from all industries in their privacy compliance program.
