Personal data protection for startups in Singapore
Technology is evolving and improving our lives every day. However, thanks to these advances in the web, smart devices, and other gadgets, our personal data often gets compromised.
The world we live in is more and more connected, and as a result, keeping personal information safe and secure is becoming incredibly complex. Cybercrime and data theft have paved the way for new laws, software solutions, and entire departments working to keep people and businesses safe online.
As one of the leading business hubs, Singapore is dedicated to protecting customers, intellectual property, and businesses. This article explains the PDPA (Singapore's Personal Data Protection Act) and the concepts around it.
What is PDPA in Singapore?
Businesses in Singapore (and in most developed regions) are relying more and more on cloud services. This kind of storage raises questions of data protection for both businesses and governments.
Singaporean businesses were among the first to spot the benefits of collecting, using, and storing personal data as part of their operations. The Singapore government, however, was quick to examine the issue and work out how to regulate the use of such data.
Government officials looked particularly to the EU and the UK when preparing to introduce new laws on personal data protection. The authorities also examined the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and the Asia-Pacific Economic Cooperation (APEC) Privacy Framework.
Taking all the best regulations and principles, Singapore passed the Personal Data Protection Act (PDPA) on 15th October 2012.
Once the President approved it, the PDPA was brought into force in four phases. This gave businesses time to align their data protection processes and comply with the law.
- In the first phase, the government set up the Personal Data Protection Commission (PDPC) to administer and enforce the Act, together with an Appeal Panel. This phase came into force on 2nd January 2013.
- The next stage started in December 2013, when organizations were able to create an online account with the DNC Registry (Do Not Call Registry).
- After that, the provisions relating to the DNC Registry came into effect on 2nd January 2014.
- Finally, the other related provisions came into force on 2nd July 2014.
The Personal Data Protection Act (PDPA) sets out rules designed to govern the collection, use, disclosure, and care of personal data.
It recognizes the right of individuals to protect their personal data alongside the right of businesses to use personal data for legitimate purposes.
The concept behind the law is to strike a balance between these two sets of rights. By regulating personal data, the PDPA aims to make Singapore a leader in digital information management policy and to reinforce its status as a top-notch business hub.
What is personal data?
To better understand PDPA, let’s define personal data.
Personal data is data about an individual. This is not data about an organization. Hence, the PDPA does not apply to business contact information provided by an individual for business purposes only, such as a job title, a business telephone number, or a business address.
The essence is that the data must be personal, for example a personal mobile number or a home phone number, and it must identify a person. To be precise, once gathered, the data has to be enough to identify a real-life individual.
Other examples of personal data include:
- Passport number
- Date of birth
Two mechanisms of the PDPA
The PDPA in Singapore has two different mechanisms for the protection of personal data:
- DNC Registry
- Data Protection Provisions
The DNC Registry consists of three registers, covering telephone calls, text messages, and faxes. If a person registers a Singapore telephone number with any of these registers, companies are not allowed to contact that individual for marketing purposes over that channel.
The only exception is for a business to obtain express consent from the individual allowing the business to contact them over a channel that has been registered with the DNC Registry. The company must be able to provide regulators with evidence of such consent, such as a signed letter, should the need arise.
The Data Protection Provisions are founded on a set of principles, the obligations described in the next section.
Bear in mind that the regulations also provide some exceptions to the PDPA's requirements. Personal data handled as part of a person's family, personal, or domestic affairs is exempt. Employees who collect data as part of their work duties are not personally accountable for possible breaches; the employer is liable.
PDPA for startups
The authorities of Singapore have laid down eight PDPA obligations to be followed by businesses collecting and using personal data.
Let’s take a look at these PDPA principles.
Consent, Purpose Limitation, and Notification Obligation
According to the Act, organizations have to develop and implement policies and procedures that clearly notify customers that their personal data is being collected.
Companies also have to notify customers of how the data may be used and to whom it may be disclosed. Finally, before any personal data is collected, the customer has to agree (give their consent).
Access and Correction Obligation
When required, companies have to provide customers with the personal data gathered about them and inform them how that data has been used in the past year. On top of that, companies have to correct a customer's personal data on request.
To comply, you should provide customers with their personal data within 30 days and allow them to update, correct, and delete that data.
Accuracy Obligation
Businesses have to take steps to verify that the data gathered about customers is accurate if they intend to use it to make decisions affecting those customers.
To comply, you should request verbal or written confirmation from the customer. Additionally, you need to take extra steps to verify data obtained from a third-party provider.
Protection Obligation
Businesses have to take security measures to prevent malicious or unauthorized access, use, collection, disposal, copying, modification, or disclosure of personal data.
To comply, your business has to take cybersecurity measures to ensure that the data is protected. On top of that, you need physical security measures to safeguard the data. Finally, your organization is responsible for the administrative measures that keep personal data secure.
Retention Limitation Obligation
Businesses are required by law to dispose of personal data as soon as it has fulfilled its legal or business purpose.
To comply, your business has to prepare an appropriate personal data retention policy and dispose of personal data and related information as soon as you no longer have a use for it.
Transfer Limitation Obligation
This provision is straightforward: it states that businesses cannot transfer personal data to another organization outside Singapore.
Openness Obligation
Companies have to develop and implement policies to meet the obligations stipulated by the PDPA. To comply, you need to designate an individual responsible for compliance with the PDPA.
Do Not Call Obligation
Bear in mind that fintech companies have to check the Do Not Call Registry and obtain clear and unambiguous consent from customers before sending out marketing material.
To comply with this principle, check the DNC Registry before sending marketing messages to a Singapore telephone number, unless you have already received the customer's clear and unambiguous consent to receive marketing messages on that number.
Practical steps for startups to comply
What follows are concise tips on what you need to do to remain compliant. Remember that your company has to adhere to these obligations if it collects, uses, or discloses personal data in Singapore.
Appoint a Data Protection Officer
Your Singaporean business has to designate at least one individual as a Data Protection Officer (DPO).
This is the person responsible for ensuring that the business complies with the PDPA. The DPO functions can be delegated to:
- One employee, or a group of employees, whose work relates to data protection
- Employees who take on the role alongside their other duties
- An external service provider
The contact information of a DPO has to be available to the general public.
Notify purposes and seek consent
Never make individuals consent to the processing of their personal data beyond what is reasonable to provide the product or service. Gather and use data only within the limits of the consent given.
When asking for any personal data, inform the customer of your purpose for processing it and seek the customer’s consent.
The consent clause may be included in any application form, for instance: “I agree that Your Business’s Name may collect, use and disclose my personal data, which I have provided in this form”.
Finally, you also have to allow the customer to withdraw such consent at any time.
Provide personal data when asked
Whenever a client requests to know what data you have gathered about them, you have to provide that information. This applies to data not older than one year.
You may charge a fee to cover the processing cost for the request.
If you are unable to provide a response within 30 days, you need to inform the individual within 30 days and let them know when you can respond.
Provide accurate information and allow corrections
It is your responsibility to ensure the personal data collected is accurate and complete. Also, when a person requests the correction of an error or omission in their personal details, it is your duty to make that correction.
It would be wise to place an appropriate form on your website through which a person can submit a description of the personal data that needs to be corrected.
Secure the personal data
Do everything you can to protect the personal data your company holds and prevent malicious or unauthorized handling of that data. Minimize the risks at all costs.
What you should do is encrypt or password-protect any personal data held electronically that would cause harm if lost or stolen. You should also back up information regularly and install firewalls and antivirus software on your company computers.
Get rid of personal data that you don’t need any longer
Get rid of personal data once you no longer have any business or legal use for it. Determine a retention period for various types of PD.
Keep data only as long as there is a business or legal purpose. Then delete it safely: shred paper documents and use specialized software to erase electronic data.
The PDPA does not prescribe a specific retention period for personal data; organizations need to comply with any legal or industry-specific requirements that may apply.
Ensure protection when transferring overseas
If your business transfers personal data overseas, it is up to you to ensure that the data remains in compliance with the PDPA even when it is outside of Singapore.
Make sure that the receiving company is bound by legally enforceable obligations to provide protection comparable to the standard under the PDPA. These legally enforceable obligations may be imposed by the data protection laws of that region.
Keep a close eye on service providers that handle personal data
If you use the services of a third-party provider, you are not relieved of your personal data protection duties.
Therefore, when entering into a service agreement with the service provider, make sure that you include the terms that require the provider to take measures which ensure compliance with PDPA requirements.
Check the Do Not Call Registry
Singapore businesses are not allowed to send marketing messages to telephone numbers registered with the DNC Registry. The Do Not Call Registry is a database in which individuals can register their telephone numbers to opt out of receiving unsolicited marketing messages and calls.
Check the DNC registry before sending marketing materials. A subscriber has to give clear consent to receive marketing messages.
Communicate your policies, practices, and processes
Finally, you need to provide the business contact information of your DPO. This allows customers to contact the person for PDPA-related inquiries.
Show details about your Singapore data protection policies, practices, and compliant processes on your website and make them available upon request by customers. Also, the employees have to know and adhere to the processes for protecting personal data.
To ensure compliance, the Personal Data Protection Commission is empowered to enforce these measures by:
- Entering business premises to access information related to an investigation
- Compelling a business to stop gathering, using, or disclosing personal data
- Destroying personal data collected by a business
- Issuing a fine (the amount is chosen by the PDPC)
The PDPC has been rigorous in enforcing the PDPA since its adoption. In August 2014, a tuition agency and its director were both fined S$39,000 for sending unsolicited messages to people who had registered with the DNC registry.
A much larger company has also been investigated recently: Xiaomi was reported over suspicious activity. However, no final decision has been reached, as the investigation is complex.
It is clear that the government of Singapore is well-aware of the importance of personal data protection. That is just one of the factors that make this country one of the world’s best business hubs where thousands of entrepreneurs flock every year to start a business and base their operations in Singapore.
If you too are doing business in Singapore, make sure to follow the requirements, protect the data you gather, and respect the right of customers who don’t want to be contacted.
If you have not already done so, the next step is to appoint a DPO who can focus on making sure all the mandatory data protection policies are in place and that the business stays compliant with the PDPA at all times.